{{ if eq .Values.istioVersion 1.2 }} apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: istios.istio.banzaicloud.io labels: controller-tools.k8s.io: "1.0" app.kubernetes.io/name: {{ include "istio-operator.name" . }} helm.sh/chart: {{ include "istio-operator.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: operator spec: additionalPrinterColumns: - JSONPath: .status.Status description: Status of the resource name: Status type: string - JSONPath: .status.ErrorMessage description: Error message name: Error type: string - JSONPath: .status.GatewayAddress description: Ingress gateways of the resource name: Gateways type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: istio.banzaicloud.io names: kind: Istio plural: istios scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: autoInjectionNamespaces: description: List of namespaces to label with sidecar auto injection enabled items: type: string type: array citadel: description: Citadel configuration options properties: affinity: type: object caSecretName: type: string enabled: type: boolean healthCheck: description: Enable health checking on the Citadel CSR signing API. https://istio.io/docs/tasks/security/health-check/ type: boolean image: type: string maxWorkloadCertTTL: description: Citadel uses a flag max-workload-cert-ttl to control the maximum lifetime for Istio certificates issued to workloads. The default value is 90 days. If workload-cert-ttl on Citadel or node agent is greater than max-workload-cert-ttl, Citadel will fail issuing the certificate. type: string nodeSelector: type: object resources: type: object tolerations: items: type: object type: array workloadCertTTL: description: For the workloads running in Kubernetes, the lifetime of their Istio certificates is controlled by the workload-cert-ttl flag on Citadel. The default value is 90 days. This value should be no greater than max-workload-cert-ttl of Citadel. type: string type: object controlPlaneSecurityEnabled: description: ControlPlaneSecurityEnabled control plane services are communicating through mTLS type: boolean defaultConfigVisibility: description: Set the default set of namespaces to which services, service entries, virtual services, destination rules should be exported to type: string defaultPodDisruptionBudget: description: Enable pod disruption budget for the control plane, which is used to ensure Istio control plane components are gradually upgraded or recovered properties: enabled: type: boolean type: object defaultResources: description: DefaultResources are applied for all Istio components by default, can be overridden for each component type: object excludeIPRanges: description: ExcludeIPRanges the range where not to capture egress traffic type: string galley: description: Galley configuration options properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object gateways: description: Gateways configuration options properties: egress: properties: affinity: type: object applicationPorts: type: string enabled: type: boolean loadBalancerIP: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object ports: items: type: object type: array replicaCount: format: int32 type: integer requestedNetworkView: type: string resources: type: object sds: properties: enabled: type: boolean image: type: string resources: type: object type: object serviceAnnotations: type: object serviceLabels: type: object serviceType: enum: - ClusterIP - NodePort - LoadBalancer type: string tolerations: items: type: object type: array type: object enabled: type: boolean ingress: properties: affinity: type: object applicationPorts: type: string enabled: type: boolean loadBalancerIP: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object ports: items: type: object type: array replicaCount: format: int32 type: integer requestedNetworkView: type: string resources: type: object sds: properties: enabled: type: boolean image: type: string resources: type: object type: object serviceAnnotations: type: object serviceLabels: type: object serviceType: enum: - ClusterIP - NodePort - LoadBalancer type: string tolerations: items: type: object type: array type: object type: object imagePullPolicy: description: ImagePullPolicy describes a policy for if/when to pull a container image enum: - Always - Never - IfNotPresent type: string includeIPRanges: description: IncludeIPRanges the range where to capture egress traffic type: string istioCoreDNS: description: Istio CoreDNS provides DNS resolution for services in multi mesh setups properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object pluginImage: type: string replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object localityLB: description: Locality based load balancing distribution or failover settings. properties: distribute: description: 'Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.' items: properties: from: description: Originating locality, '/' separated, e.g. 'region/zone'. type: string to: description: Map of upstream localities to traffic distribution weights. The sum of all weights should be == 100. Any locality not assigned a weight will receive no traffic. type: object type: object type: array enabled: description: If set to true, locality based load balancing will be enabled type: boolean failover: description: 'Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.' items: properties: from: description: Originating region. type: string to: description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy. type: string type: object type: array type: object meshExpansion: description: If set to true, the pilot and citadel mtls will be exposed on the ingress gateway also the remote istios will be connected through gateways type: boolean mixer: description: Mixer configuration options properties: affinity: type: object enabled: type: boolean image: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer multiClusterSupport: description: Turn it on if you use mixer that supports multi cluster telemetry type: boolean nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object mtls: description: MTLS enables or disables global mTLS type: boolean multiMesh: description: Set to true to connect two or more meshes via their respective ingressgateway services when workloads in each cluster cannot directly talk to one another. All meshes should be using Istio mTLS and must have a shared root CA for this model to work. type: boolean nodeAgent: description: NodeAgent configuration options properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object resources: type: object tolerations: items: type: object type: array type: object outboundTrafficPolicy: description: Set the default behavior of the sidecar for handling outbound traffic from the application (ALLOW_ANY or REGISTRY_ONLY) properties: mode: enum: - ALLOW_ANY - REGISTRY_ONLY type: string type: object pilot: description: Pilot configuration options properties: affinity: type: object enabled: type: boolean image: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object sidecar: type: boolean tolerations: items: type: object type: array traceSampling: format: float type: number type: object proxy: description: Proxy configuration options properties: componentLogLevel: description: Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the "LogLevel" will be used. If left empty, "misc:error" is used. type: string dnsRefreshRate: description: Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS This must be given it terms of seconds. For example, 300s is valid but 5m is invalid. pattern: ^[0-9]{1,5}s$ type: string enableCoreDump: description: If set, newly injected sidecars will have core dumps enabled. type: boolean image: type: string logLevel: description: 'Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off' enum: - trace - debug - info - warning - error - critical - "off" type: string privileged: description: If set to true, istio-proxy container will have privileged securityContext type: boolean resources: type: object type: object proxyInit: description: Proxy Init configuration options properties: image: type: string type: object sds: description: If SDS is configured, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates properties: customTokenDirectory: type: string enabled: description: If set to true, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. type: boolean udsPath: description: Unix Domain Socket through which envoy communicates with NodeAgent SDS to get key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. type: string useNormalJwt: description: If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) and pass to sds server, which will be used to request key/cert eventually this flag is ignored if UseTrustworthyJwt is set type: boolean useTrustworthyJwt: description: 'If set to true, Istio will inject volumes mount for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which will be used to generate key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)' type: boolean type: object sidecarInjector: description: SidecarInjector configuration options properties: affinity: type: object alwaysInjectSelector: description: 'AlwaysInjectSelector: Forces the injection on pods whose labels match this selector. It''s an array of label selectors, that will be OR''ed, meaning we will iterate over it and stop at the first match' items: type: object type: array autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean enableNamespacesByDefault: description: This controls whether the webhook looks for namespaces for injection enabled or disabled type: boolean enabled: type: boolean image: type: string init: properties: resources: type: object type: object initCNIConfiguration: properties: affinity: type: object binDir: description: Must be the same as the environment’s --cni-bin-dir setting (kubelet parameter) type: string confDir: description: Must be the same as the environment’s --cni-conf-dir setting (kubelet parameter) type: string enabled: description: If true, the privileged initContainer istio-init is not needed to perform the traffic redirect settings for the istio-proxy type: boolean excludeNamespaces: description: List of namespaces to exclude from Istio pod check items: type: string type: array image: type: string logLevel: description: Logging level for CNI binary type: string type: object neverInjectSelector: description: 'NeverInjectSelector: Refuses the injection on pods whose labels match this selector. It''s an array of label selectors, that will be OR''ed, meaning we will iterate over it and stop at the first match Takes precedence over AlwaysInjectSelector.' items: type: object type: array nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object rewriteAppHTTPProbe: description: If true, sidecar injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled. type: boolean tolerations: items: type: object type: array type: object tracing: description: Configuration for each of the supported tracers properties: datadog: properties: address: description: Host:Port for submitting traces to the Datadog agent. pattern: ^[^\:]+:[0-9]{1,5}$ type: string type: object enabled: type: boolean lightstep: properties: accessToken: description: required for sending data to the pool type: string address: description: the : of the satellite pool pattern: ^[^\:]+:[0-9]{1,5}$ type: string cacertPath: description: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. type: string secure: description: specifies whether data should be sent with TLS type: boolean type: object tracer: enum: - zipkin - lightstep - datadog type: string zipkin: properties: address: description: Host:Port for reporting trace data in zipkin format. If not specified, will default to zipkin service (port 9411) in the same namespace as the other istio components. pattern: ^[^\:]+:[0-9]{1,5}$ type: string type: object type: object useMCP: description: Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires galley. type: boolean version: description: Contains the intended Istio version pattern: ^1.2 type: string watchAdapterCRDs: description: Whether or not to establish watches for adapter-specific CRDs type: boolean watchOneNamespace: description: Whether to restrict the applications namespace the controller manages type: boolean required: - version - mtls type: object status: type: object version: v1beta1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] {{- end }}