Adding Istio installtion helm charts
diff --git a/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml b/vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-istio-1.2-crd.yaml
new file mode 100644 (file)
index 0000000..b52ffc3
--- /dev/null
@@ -0,0 +1,676 @@
+{{ if eq .Values.istioVersion 1.2 }}
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: istios.istio.banzaicloud.io
+  labels:
+    controller-tools.k8s.io: "1.0"
+    app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+    helm.sh/chart: {{ include "istio-operator.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: operator
+spec:
+  additionalPrinterColumns:
+  - JSONPath: .status.Status
+    description: Status of the resource
+    name: Status
+    type: string
+  - JSONPath: .status.ErrorMessage
+    description: Error message
+    name: Error
+    type: string
+  - JSONPath: .status.GatewayAddress
+    description: Ingress gateways of the resource
+    name: Gateways
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    name: Age
+    type: date
+  group: istio.banzaicloud.io
+  names:
+    kind: Istio
+    plural: istios
+  scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            autoInjectionNamespaces:
+              description: List of namespaces to label with sidecar auto injection
+                enabled
+              items:
+                type: string
+              type: array
+            citadel:
+              description: Citadel configuration options
+              properties:
+                affinity:
+                  type: object
+                caSecretName:
+                  type: string
+                enabled:
+                  type: boolean
+                healthCheck:
+                  description: Enable health checking on the Citadel CSR signing API.
+                    https://istio.io/docs/tasks/security/health-check/
+                  type: boolean
+                image:
+                  type: string
+                maxWorkloadCertTTL:
+                  description: Citadel uses a flag max-workload-cert-ttl to control
+                    the maximum lifetime for Istio certificates issued to workloads.
+                    The default value is 90 days. If workload-cert-ttl on Citadel
+                    or node agent is greater than max-workload-cert-ttl, Citadel will
+                    fail issuing the certificate.
+                  type: string
+                nodeSelector:
+                  type: object
+                resources:
+                  type: object
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+                workloadCertTTL:
+                  description: For the workloads running in Kubernetes, the lifetime
+                    of their Istio certificates is controlled by the workload-cert-ttl
+                    flag on Citadel. The default value is 90 days. This value should
+                    be no greater than max-workload-cert-ttl of Citadel.
+                  type: string
+              type: object
+            controlPlaneSecurityEnabled:
+              description: ControlPlaneSecurityEnabled control plane services are
+                communicating through mTLS
+              type: boolean
+            defaultConfigVisibility:
+              description: Set the default set of namespaces to which services, service
+                entries, virtual services, destination rules should be exported to
+              type: string
+            defaultPodDisruptionBudget:
+              description: Enable pod disruption budget for the control plane, which
+                is used to ensure Istio control plane components are gradually upgraded
+                or recovered
+              properties:
+                enabled:
+                  type: boolean
+              type: object
+            defaultResources:
+              description: DefaultResources are applied for all Istio components by
+                default, can be overridden for each component
+              type: object
+            excludeIPRanges:
+              description: ExcludeIPRanges the range where not to capture egress traffic
+              type: string
+            galley:
+              description: Galley configuration options
+              properties:
+                affinity:
+                  type: object
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                nodeSelector:
+                  type: object
+                replicaCount:
+                  format: int32
+                  type: integer
+                resources:
+                  type: object
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+              type: object
+            gateways:
+              description: Gateways configuration options
+              properties:
+                egress:
+                  properties:
+                    affinity:
+                      type: object
+                    applicationPorts:
+                      type: string
+                    enabled:
+                      type: boolean
+                    loadBalancerIP:
+                      type: string
+                    maxReplicas:
+                      format: int32
+                      type: integer
+                    minReplicas:
+                      format: int32
+                      type: integer
+                    nodeSelector:
+                      type: object
+                    ports:
+                      items:
+                        type: object
+                      type: array
+                    replicaCount:
+                      format: int32
+                      type: integer
+                    requestedNetworkView:
+                      type: string
+                    resources:
+                      type: object
+                    sds:
+                      properties:
+                        enabled:
+                          type: boolean
+                        image:
+                          type: string
+                        resources:
+                          type: object
+                      type: object
+                    serviceAnnotations:
+                      type: object
+                    serviceLabels:
+                      type: object
+                    serviceType:
+                      enum:
+                      - ClusterIP
+                      - NodePort
+                      - LoadBalancer
+                      type: string
+                    tolerations:
+                      items:
+                        type: object
+                      type: array
+                  type: object
+                enabled:
+                  type: boolean
+                ingress:
+                  properties:
+                    affinity:
+                      type: object
+                    applicationPorts:
+                      type: string
+                    enabled:
+                      type: boolean
+                    loadBalancerIP:
+                      type: string
+                    maxReplicas:
+                      format: int32
+                      type: integer
+                    minReplicas:
+                      format: int32
+                      type: integer
+                    nodeSelector:
+                      type: object
+                    ports:
+                      items:
+                        type: object
+                      type: array
+                    replicaCount:
+                      format: int32
+                      type: integer
+                    requestedNetworkView:
+                      type: string
+                    resources:
+                      type: object
+                    sds:
+                      properties:
+                        enabled:
+                          type: boolean
+                        image:
+                          type: string
+                        resources:
+                          type: object
+                      type: object
+                    serviceAnnotations:
+                      type: object
+                    serviceLabels:
+                      type: object
+                    serviceType:
+                      enum:
+                      - ClusterIP
+                      - NodePort
+                      - LoadBalancer
+                      type: string
+                    tolerations:
+                      items:
+                        type: object
+                      type: array
+                  type: object
+              type: object
+            imagePullPolicy:
+              description: ImagePullPolicy describes a policy for if/when to pull
+                a container image
+              enum:
+              - Always
+              - Never
+              - IfNotPresent
+              type: string
+            includeIPRanges:
+              description: IncludeIPRanges the range where to capture egress traffic
+              type: string
+            istioCoreDNS:
+              description: Istio CoreDNS provides DNS resolution for services in multi
+                mesh setups
+              properties:
+                affinity:
+                  type: object
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                nodeSelector:
+                  type: object
+                pluginImage:
+                  type: string
+                replicaCount:
+                  format: int32
+                  type: integer
+                resources:
+                  type: object
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+              type: object
+            localityLB:
+              description: Locality based load balancing distribution or failover
+                settings.
+              properties:
+                distribute:
+                  description: 'Optional: only one of distribute or failover can be
+                    set. Explicitly specify loadbalancing weight across different
+                    zones and geographical locations. Refer to [Locality weighted
+                    load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
+                    If empty, the locality weight is set according to the endpoints
+                    number within it.'
+                  items:
+                    properties:
+                      from:
+                        description: Originating locality, '/' separated, e.g. 'region/zone'.
+                        type: string
+                      to:
+                        description: Map of upstream localities to traffic distribution
+                          weights. The sum of all weights should be == 100. Any locality
+                          not assigned a weight will receive no traffic.
+                        type: object
+                    type: object
+                  type: array
+                enabled:
+                  description: If set to true, locality based load balancing will
+                    be enabled
+                  type: boolean
+                failover:
+                  description: 'Optional: only failover or distribute can be set.
+                    Explicitly specify the region traffic will land on when endpoints
+                    in local region becomes unhealthy. Should be used together with
+                    OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
+                    specified, this will not take effect.'
+                  items:
+                    properties:
+                      from:
+                        description: Originating region.
+                        type: string
+                      to:
+                        description: Destination region the traffic will fail over
+                          to when endpoints in the 'from' region becomes unhealthy.
+                        type: string
+                    type: object
+                  type: array
+              type: object
+            meshExpansion:
+              description: If set to true, the pilot and citadel mtls will be exposed
+                on the ingress gateway also the remote istios will be connected through
+                gateways
+              type: boolean
+            mixer:
+              description: Mixer configuration options
+              properties:
+                affinity:
+                  type: object
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                maxReplicas:
+                  format: int32
+                  type: integer
+                minReplicas:
+                  format: int32
+                  type: integer
+                multiClusterSupport:
+                  description: Turn it on if you use mixer that supports multi cluster
+                    telemetry
+                  type: boolean
+                nodeSelector:
+                  type: object
+                replicaCount:
+                  format: int32
+                  type: integer
+                resources:
+                  type: object
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+              type: object
+            mtls:
+              description: MTLS enables or disables global mTLS
+              type: boolean
+            multiMesh:
+              description: Set to true to connect two or more meshes via their respective
+                ingressgateway services when workloads in each cluster cannot directly
+                talk to one another. All meshes should be using Istio mTLS and must
+                have a shared root CA for this model to work.
+              type: boolean
+            nodeAgent:
+              description: NodeAgent configuration options
+              properties:
+                affinity:
+                  type: object
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                nodeSelector:
+                  type: object
+                resources:
+                  type: object
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+              type: object
+            outboundTrafficPolicy:
+              description: Set the default behavior of the sidecar for handling outbound
+                traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
+              properties:
+                mode:
+                  enum:
+                  - ALLOW_ANY
+                  - REGISTRY_ONLY
+                  type: string
+              type: object
+            pilot:
+              description: Pilot configuration options
+              properties:
+                affinity:
+                  type: object
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                maxReplicas:
+                  format: int32
+                  type: integer
+                minReplicas:
+                  format: int32
+                  type: integer
+                nodeSelector:
+                  type: object
+                replicaCount:
+                  format: int32
+                  type: integer
+                resources:
+                  type: object
+                sidecar:
+                  type: boolean
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+                traceSampling:
+                  format: float
+                  type: number
+              type: object
+            proxy:
+              description: Proxy configuration options
+              properties:
+                componentLogLevel:
+                  description: Per Component log level for proxy, applies to gateways
+                    and sidecars. If a component level is not set, then the "LogLevel"
+                    will be used. If left empty, "misc:error" is used.
+                  type: string
+                dnsRefreshRate:
+                  description: Configure the DNS refresh rate for Envoy cluster of
+                    type STRICT_DNS This must be given it terms of seconds. For example,
+                    300s is valid but 5m is invalid.
+                  pattern: ^[0-9]{1,5}s$
+                  type: string
+                enableCoreDump:
+                  description: If set, newly injected sidecars will have core dumps
+                    enabled.
+                  type: boolean
+                image:
+                  type: string
+                logLevel:
+                  description: 'Log level for proxy, applies to gateways and sidecars.
+                    If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
+                  enum:
+                    - trace
+                    - debug
+                    - info
+                    - warning
+                    - error
+                    - critical
+                    - "off"
+                  type: string
+                privileged:
+                  description: If set to true, istio-proxy container will have privileged
+                    securityContext
+                  type: boolean
+                resources:
+                  type: object
+              type: object
+            proxyInit:
+              description: Proxy Init configuration options
+              properties:
+                image:
+                  type: string
+              type: object
+            sds:
+              description: If SDS is configured, mTLS certificates for the sidecars
+                will be distributed through the SecretDiscoveryService instead of
+                using K8S secrets to mount the certificates
+              properties:
+                customTokenDirectory:
+                  type: string
+                enabled:
+                  description: If set to true, mTLS certificates for the sidecars
+                    will be distributed through the SecretDiscoveryService instead
+                    of using K8S secrets to mount the certificates.
+                  type: boolean
+                udsPath:
+                  description: Unix Domain Socket through which envoy communicates
+                    with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
+                    files instead of SDS if set to empty.
+                  type: string
+                useNormalJwt:
+                  description: If set to true, envoy will fetch normal k8s service
+                    account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
+                    (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
+                    and pass to sds server, which will be used to request key/cert
+                    eventually this flag is ignored if UseTrustworthyJwt is set
+                  type: boolean
+                useTrustworthyJwt:
+                  description: 'If set to true, Istio will inject volumes mount for
+                    k8s service account JWT, so that K8s API server mounts k8s service
+                    account JWT to envoy container, which will be used to generate
+                    key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
+                  type: boolean
+              type: object
+            sidecarInjector:
+              description: SidecarInjector configuration options
+              properties:
+                affinity:
+                  type: object
+                alwaysInjectSelector:
+                  description: 'AlwaysInjectSelector: Forces the injection on pods
+                    whose labels match this selector. It''s an array of label selectors,
+                    that will be OR''ed, meaning we will iterate over it and stop
+                    at the first match'
+                  items:
+                    type: object
+                  type: array
+                autoInjectionPolicyEnabled:
+                  description: This controls the 'policy' in the sidecar injector
+                  type: boolean
+                enableNamespacesByDefault:
+                  description: This controls whether the webhook looks for namespaces
+                    for injection enabled or disabled
+                  type: boolean
+                enabled:
+                  type: boolean
+                image:
+                  type: string
+                init:
+                  properties:
+                    resources:
+                      type: object
+                  type: object
+                initCNIConfiguration:
+                  properties:
+                    affinity:
+                      type: object
+                    binDir:
+                      description: Must be the same as the environment’s --cni-bin-dir
+                        setting (kubelet parameter)
+                      type: string
+                    confDir:
+                      description: Must be the same as the environment’s --cni-conf-dir
+                        setting (kubelet parameter)
+                      type: string
+                    enabled:
+                      description: If true, the privileged initContainer istio-init
+                        is not needed to perform the traffic redirect settings for
+                        the istio-proxy
+                      type: boolean
+                    excludeNamespaces:
+                      description: List of namespaces to exclude from Istio pod check
+                      items:
+                        type: string
+                      type: array
+                    image:
+                      type: string
+                    logLevel:
+                      description: Logging level for CNI binary
+                      type: string
+                  type: object
+                neverInjectSelector:
+                  description: 'NeverInjectSelector: Refuses the injection on pods
+                    whose labels match this selector. It''s an array of label selectors,
+                    that will be OR''ed, meaning we will iterate over it and stop
+                    at the first match Takes precedence over AlwaysInjectSelector.'
+                  items:
+                    type: object
+                  type: array
+                nodeSelector:
+                  type: object
+                replicaCount:
+                  format: int32
+                  type: integer
+                resources:
+                  type: object
+                rewriteAppHTTPProbe:
+                  description: If true, sidecar injector will rewrite PodSpec for
+                    liveness health check to redirect request to sidecar. This makes
+                    liveness check work even when mTLS is enabled.
+                  type: boolean
+                tolerations:
+                  items:
+                    type: object
+                  type: array
+              type: object
+            tracing:
+              description: Configuration for each of the supported tracers
+              properties:
+                datadog:
+                  properties:
+                    address:
+                      description: Host:Port for submitting traces to the Datadog
+                        agent.
+                      pattern: ^[^\:]+:[0-9]{1,5}$
+                      type: string
+                  type: object
+                enabled:
+                  type: boolean
+                lightstep:
+                  properties:
+                    accessToken:
+                      description: required for sending data to the pool
+                      type: string
+                    address:
+                      description: the <host>:<port> of the satellite pool
+                      pattern: ^[^\:]+:[0-9]{1,5}$
+                      type: string
+                    cacertPath:
+                      description: the path to the file containing the cacert to use
+                        when verifying TLS. If secure is true, this is required. If
+                        a value is specified then a secret called "lightstep.cacert"
+                        must be created in the destination namespace with the key
+                        matching the base of the provided cacertPath and the value
+                        being the cacert itself.
+                      type: string
+                    secure:
+                      description: specifies whether data should be sent with TLS
+                      type: boolean
+                  type: object
+                tracer:
+                  enum:
+                  - zipkin
+                  - lightstep
+                  - datadog
+                  type: string
+                zipkin:
+                  properties:
+                    address:
+                      description: Host:Port for reporting trace data in zipkin format.
+                        If not specified, will default to zipkin service (port 9411)
+                        in the same namespace as the other istio components.
+                      pattern: ^[^\:]+:[0-9]{1,5}$
+                      type: string
+                  type: object
+              type: object
+            useMCP:
+              description: Use the Mesh Control Protocol (MCP) for configuring Mixer
+                and Pilot. Requires galley.
+              type: boolean
+            version:
+              description: Contains the intended Istio version
+              pattern: ^1.2
+              type: string
+            watchAdapterCRDs:
+              description: Whether or not to establish watches for adapter-specific
+                CRDs
+              type: boolean
+            watchOneNamespace:
+              description: Whether to restrict the applications namespace the controller
+                manages
+              type: boolean
+          required:
+          - version
+          - mtls
+          type: object
+        status:
+          type: object
+  version: v1beta1
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+{{- end }}
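Review bot: The version gate on the first line, `{{ if eq .Values.istioVersion 1.2 }}`, compares against a float literal, so it depends on how the value is typed; a string-typed istioVersion (quoted in values, or passed with --set-string) would likely make `eq` fail with an incompatible-types error instead of selecting this CRD, which `{{ if eq (toString .Values.istioVersion) "1.2" }}` avoids. The five templated label values are unquoted, and a numeric-looking `.Chart.AppVersion` would render as a YAML number that the API server rejects as a label value, so I would write `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}` and quote the other four the same way. In the schema, `pattern: ^1.2` on spec.version is neither escaped nor end-anchored, so strings such as `1x2` or `1.20.0` pass validation; `pattern: '^1\.2(\.[0-9]+)?$'` is tighter, assuming plain 1.2.x versions are the only ones intended. Separately, `tracing.lightstep.accessToken` is a plain string in the spec, so any subject allowed to read `istios` objects can read the token; since the schema appears to come from the operator, that is probably best handled by a note in the chart's documentation and by restricting RBAC on this resource.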