+++ /dev/null
-{{ if eq .Values.istioVersion 1.2 }}
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: istios.istio.banzaicloud.io
- labels:
- controller-tools.k8s.io: "1.0"
- app.kubernetes.io/name: {{ include "istio-operator.name" . }}
- helm.sh/chart: {{ include "istio-operator.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
- app.kubernetes.io/component: operator
-spec:
- additionalPrinterColumns:
- - JSONPath: .status.Status
- description: Status of the resource
- name: Status
- type: string
- - JSONPath: .status.ErrorMessage
- description: Error message
- name: Error
- type: string
- - JSONPath: .status.GatewayAddress
- description: Ingress gateways of the resource
- name: Gateways
- type: string
- - JSONPath: .metadata.creationTimestamp
- name: Age
- type: date
- group: istio.banzaicloud.io
- names:
- kind: Istio
- plural: istios
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- properties:
- autoInjectionNamespaces:
- description: List of namespaces to label with sidecar auto injection
- enabled
- items:
- type: string
- type: array
- citadel:
- description: Citadel configuration options
- properties:
- affinity:
- type: object
- caSecretName:
- type: string
- enabled:
- type: boolean
- healthCheck:
- description: Enable health checking on the Citadel CSR signing API.
- https://istio.io/docs/tasks/security/health-check/
- type: boolean
- image:
- type: string
- maxWorkloadCertTTL:
- description: Citadel uses a flag max-workload-cert-ttl to control
- the maximum lifetime for Istio certificates issued to workloads.
- The default value is 90 days. If workload-cert-ttl on Citadel
- or node agent is greater than max-workload-cert-ttl, Citadel will
- fail issuing the certificate.
- type: string
- nodeSelector:
- type: object
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- workloadCertTTL:
- description: For the workloads running in Kubernetes, the lifetime
- of their Istio certificates is controlled by the workload-cert-ttl
- flag on Citadel. The default value is 90 days. This value should
- be no greater than max-workload-cert-ttl of Citadel.
- type: string
- type: object
- controlPlaneSecurityEnabled:
- description: ControlPlaneSecurityEnabled control plane services are
- communicating through mTLS
- type: boolean
- defaultConfigVisibility:
- description: Set the default set of namespaces to which services, service
- entries, virtual services, destination rules should be exported to
- type: string
- defaultPodDisruptionBudget:
- description: Enable pod disruption budget for the control plane, which
- is used to ensure Istio control plane components are gradually upgraded
- or recovered
- properties:
- enabled:
- type: boolean
- type: object
- defaultResources:
- description: DefaultResources are applied for all Istio components by
- default, can be overridden for each component
- type: object
- excludeIPRanges:
- description: ExcludeIPRanges the range where not to capture egress traffic
- type: string
- galley:
- description: Galley configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- gateways:
- description: Gateways configuration options
- properties:
- egress:
- properties:
- affinity:
- type: object
- applicationPorts:
- type: string
- enabled:
- type: boolean
- loadBalancerIP:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- ports:
- items:
- type: object
- type: array
- replicaCount:
- format: int32
- type: integer
- requestedNetworkView:
- type: string
- resources:
- type: object
- sds:
- properties:
- enabled:
- type: boolean
- image:
- type: string
- resources:
- type: object
- type: object
- serviceAnnotations:
- type: object
- serviceLabels:
- type: object
- serviceType:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- type: string
- tolerations:
- items:
- type: object
- type: array
- type: object
- enabled:
- type: boolean
- ingress:
- properties:
- affinity:
- type: object
- applicationPorts:
- type: string
- enabled:
- type: boolean
- loadBalancerIP:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- ports:
- items:
- type: object
- type: array
- replicaCount:
- format: int32
- type: integer
- requestedNetworkView:
- type: string
- resources:
- type: object
- sds:
- properties:
- enabled:
- type: boolean
- image:
- type: string
- resources:
- type: object
- type: object
- serviceAnnotations:
- type: object
- serviceLabels:
- type: object
- serviceType:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- type: string
- tolerations:
- items:
- type: object
- type: array
- type: object
- type: object
- imagePullPolicy:
- description: ImagePullPolicy describes a policy for if/when to pull
- a container image
- enum:
- - Always
- - Never
- - IfNotPresent
- type: string
- includeIPRanges:
- description: IncludeIPRanges the range where to capture egress traffic
- type: string
- istioCoreDNS:
- description: Istio CoreDNS provides DNS resolution for services in multi
- mesh setups
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- pluginImage:
- type: string
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- localityLB:
- description: Locality based load balancing distribution or failover
- settings.
- properties:
- distribute:
- description: 'Optional: only one of distribute or failover can be
- set. Explicitly specify loadbalancing weight across different
- zones and geographical locations. Refer to [Locality weighted
- load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
- If empty, the locality weight is set according to the endpoints
- number within it.'
- items:
- properties:
- from:
- description: Originating locality, '/' separated, e.g. 'region/zone'.
- type: string
- to:
- description: Map of upstream localities to traffic distribution
- weights. The sum of all weights should be == 100. Any locality
- not assigned a weight will receive no traffic.
- type: object
- type: object
- type: array
- enabled:
- description: If set to true, locality based load balancing will
- be enabled
- type: boolean
- failover:
- description: 'Optional: only failover or distribute can be set.
- Explicitly specify the region traffic will land on when endpoints
- in local region becomes unhealthy. Should be used together with
- OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
- specified, this will not take effect.'
- items:
- properties:
- from:
- description: Originating region.
- type: string
- to:
- description: Destination region the traffic will fail over
- to when endpoints in the 'from' region becomes unhealthy.
- type: string
- type: object
- type: array
- type: object
- meshExpansion:
- description: If set to true, the pilot and citadel mtls will be exposed
- on the ingress gateway also the remote istios will be connected through
- gateways
- type: boolean
- mixer:
- description: Mixer configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- multiClusterSupport:
- description: Turn it on if you use mixer that supports multi cluster
- telemetry
- type: boolean
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- mtls:
- description: MTLS enables or disables global mTLS
- type: boolean
- multiMesh:
- description: Set to true to connect two or more meshes via their respective
- ingressgateway services when workloads in each cluster cannot directly
- talk to one another. All meshes should be using Istio mTLS and must
- have a shared root CA for this model to work.
- type: boolean
- nodeAgent:
- description: NodeAgent configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- nodeSelector:
- type: object
- resources:
- type: object
- tolerations:
- items:
- type: object
- type: array
- type: object
- outboundTrafficPolicy:
- description: Set the default behavior of the sidecar for handling outbound
- traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
- properties:
- mode:
- enum:
- - ALLOW_ANY
- - REGISTRY_ONLY
- type: string
- type: object
- pilot:
- description: Pilot configuration options
- properties:
- affinity:
- type: object
- enabled:
- type: boolean
- image:
- type: string
- maxReplicas:
- format: int32
- type: integer
- minReplicas:
- format: int32
- type: integer
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- sidecar:
- type: boolean
- tolerations:
- items:
- type: object
- type: array
- traceSampling:
- format: float
- type: number
- type: object
- proxy:
- description: Proxy configuration options
- properties:
- componentLogLevel:
- description: Per Component log level for proxy, applies to gateways
- and sidecars. If a component level is not set, then the "LogLevel"
- will be used. If left empty, "misc:error" is used.
- type: string
- dnsRefreshRate:
- description: Configure the DNS refresh rate for Envoy cluster of
- type STRICT_DNS This must be given it terms of seconds. For example,
- 300s is valid but 5m is invalid.
- pattern: ^[0-9]{1,5}s$
- type: string
- enableCoreDump:
- description: If set, newly injected sidecars will have core dumps
- enabled.
- type: boolean
- image:
- type: string
- logLevel:
- description: 'Log level for proxy, applies to gateways and sidecars.
- If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
- enum:
- - trace
- - debug
- - info
- - warning
- - error
- - critical
- - "off"
- type: string
- privileged:
- description: If set to true, istio-proxy container will have privileged
- securityContext
- type: boolean
- resources:
- type: object
- type: object
- proxyInit:
- description: Proxy Init configuration options
- properties:
- image:
- type: string
- type: object
- sds:
- description: If SDS is configured, mTLS certificates for the sidecars
- will be distributed through the SecretDiscoveryService instead of
- using K8S secrets to mount the certificates
- properties:
- customTokenDirectory:
- type: string
- enabled:
- description: If set to true, mTLS certificates for the sidecars
- will be distributed through the SecretDiscoveryService instead
- of using K8S secrets to mount the certificates.
- type: boolean
- udsPath:
- description: Unix Domain Socket through which envoy communicates
- with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
- files instead of SDS if set to empty.
- type: string
- useNormalJwt:
- description: If set to true, envoy will fetch normal k8s service
- account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
- (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
- and pass to sds server, which will be used to request key/cert
- eventually this flag is ignored if UseTrustworthyJwt is set
- type: boolean
- useTrustworthyJwt:
- description: 'If set to true, Istio will inject volumes mount for
- k8s service account JWT, so that K8s API server mounts k8s service
- account JWT to envoy container, which will be used to generate
- key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
- type: boolean
- type: object
- sidecarInjector:
- description: SidecarInjector configuration options
- properties:
- affinity:
- type: object
- alwaysInjectSelector:
- description: 'AlwaysInjectSelector: Forces the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match'
- items:
- type: object
- type: array
- autoInjectionPolicyEnabled:
- description: This controls the 'policy' in the sidecar injector
- type: boolean
- enableNamespacesByDefault:
- description: This controls whether the webhook looks for namespaces
- for injection enabled or disabled
- type: boolean
- enabled:
- type: boolean
- image:
- type: string
- init:
- properties:
- resources:
- type: object
- type: object
- initCNIConfiguration:
- properties:
- affinity:
- type: object
- binDir:
- description: Must be the same as the environment’s --cni-bin-dir
- setting (kubelet parameter)
- type: string
- confDir:
- description: Must be the same as the environment’s --cni-conf-dir
- setting (kubelet parameter)
- type: string
- enabled:
- description: If true, the privileged initContainer istio-init
- is not needed to perform the traffic redirect settings for
- the istio-proxy
- type: boolean
- excludeNamespaces:
- description: List of namespaces to exclude from Istio pod check
- items:
- type: string
- type: array
- image:
- type: string
- logLevel:
- description: Logging level for CNI binary
- type: string
- type: object
- neverInjectSelector:
- description: 'NeverInjectSelector: Refuses the injection on pods
- whose labels match this selector. It''s an array of label selectors,
- that will be OR''ed, meaning we will iterate over it and stop
- at the first match Takes precedence over AlwaysInjectSelector.'
- items:
- type: object
- type: array
- nodeSelector:
- type: object
- replicaCount:
- format: int32
- type: integer
- resources:
- type: object
- rewriteAppHTTPProbe:
- description: If true, sidecar injector will rewrite PodSpec for
- liveness health check to redirect request to sidecar. This makes
- liveness check work even when mTLS is enabled.
- type: boolean
- tolerations:
- items:
- type: object
- type: array
- type: object
- tracing:
- description: Configuration for each of the supported tracers
- properties:
- datadog:
- properties:
- address:
- description: Host:Port for submitting traces to the Datadog
- agent.
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- type: object
- enabled:
- type: boolean
- lightstep:
- properties:
- accessToken:
- description: required for sending data to the pool
- type: string
- address:
- description: the <host>:<port> of the satellite pool
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- cacertPath:
- description: the path to the file containing the cacert to use
- when verifying TLS. If secure is true, this is required. If
- a value is specified then a secret called "lightstep.cacert"
- must be created in the destination namespace with the key
- matching the base of the provided cacertPath and the value
- being the cacert itself.
- type: string
- secure:
- description: specifies whether data should be sent with TLS
- type: boolean
- type: object
- tracer:
- enum:
- - zipkin
- - lightstep
- - datadog
- type: string
- zipkin:
- properties:
- address:
- description: Host:Port for reporting trace data in zipkin format.
- If not specified, will default to zipkin service (port 9411)
- in the same namespace as the other istio components.
- pattern: ^[^\:]+:[0-9]{1,5}$
- type: string
- type: object
- type: object
- useMCP:
- description: Use the Mesh Control Protocol (MCP) for configuring Mixer
- and Pilot. Requires galley.
- type: boolean
- version:
- description: Contains the intended Istio version
- pattern: ^1.2
- type: string
- watchAdapterCRDs:
- description: Whether or not to establish watches for adapter-specific
- CRDs
- type: boolean
- watchOneNamespace:
- description: Whether to restrict the applications namespace the controller
- manages
- type: boolean
- required:
- - version
- - mtls
- type: object
- status:
- type: object
- version: v1beta1
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
-{{- end }}