{{ if eq .Values.istioVersion 1.2 }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
name: remoteistios.istio.banzaicloud.io
controller-tools.k8s.io: "1.0"
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: operator
additionalPrinterColumns:
- JSONPath: .status.Status
  description: Status of the resource
- JSONPath: .status.ErrorMessage
  description: Error message
- JSONPath: .status.GatewayAddress
  description: Ingress gateways of the resource
- JSONPath: .metadata.creationTimestamp
group: istio.banzaicloud.io
description: 'APIVersion defines the versioned schema of this representation
  of an object. Servers should convert recognized schemas to the latest
  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
  object represents. Servers may infer this from the endpoint the client
  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
autoInjectionNamespaces:
description: List of namespaces to label with sidecar auto injection
description: Citadel configuration options
description: Enable health checking on the Citadel CSR signing API.
  https://istio.io/docs/tasks/security/health-check/
description: Citadel uses a flag max-workload-cert-ttl to control
  the maximum lifetime for Istio certificates issued to workloads.
  The default value is 90 days. If workload-cert-ttl on Citadel
  or node agent is greater than max-workload-cert-ttl, Citadel will
  fail issuing the certificate.
description: For the workloads running in Kubernetes, the lifetime
  of their Istio certificates is controlled by the workload-cert-ttl
  flag on Citadel. The default value is 90 days. This value should
  be no greater than max-workload-cert-ttl of Citadel.
description: DefaultResources are applied for all Istio components by
  default, can be overridden for each component
description: EnabledServices the Istio component services replicated
description: ExcludeIPRanges the range where not to capture egress traffic
description: IncludeIPRanges the range where to capture egress traffic
description: Proxy configuration options
description: Per Component log level for proxy, applies to gateways
  and sidecars. If a component level is not set, then the "LogLevel"
  will be used. If left empty, "misc:error" is used.
description: Configure the DNS refresh rate for Envoy cluster of
  type STRICT_DNS. This must be given in terms of seconds. For example,
  300s is valid but 5m is invalid.
pattern: ^[0-9]{1,5}s$
description: If set, newly injected sidecars will have core dumps
description: 'Log level for proxy, applies to gateways and sidecars.
  If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
description: If set to true, istio-proxy container will have privileged
description: Proxy Init configuration options
description: SidecarInjector configuration options
alwaysInjectSelector:
description: 'AlwaysInjectSelector: Forces the injection on pods
  whose labels match this selector. It''s an array of label selectors,
  that will be OR''ed, meaning we will iterate over it and stop
autoInjectionPolicyEnabled:
description: This controls the 'policy' in the sidecar injector
enableNamespacesByDefault:
description: This controls whether the webhook looks for namespaces
  for injection enabled or disabled
initCNIConfiguration:
description: Must be the same as the environment’s --cni-bin-dir
  setting (kubelet parameter)
description: Must be the same as the environment’s --cni-conf-dir
  setting (kubelet parameter)
description: If true, the privileged initContainer istio-init
  is not needed to perform the traffic redirect settings for
description: List of namespaces to exclude from Istio pod check
description: Logging level for CNI binary
description: 'NeverInjectSelector: Refuses the injection on pods
  whose labels match this selector. It''s an array of label selectors,
  that will be OR''ed, meaning we will iterate over it and stop
  at the first match. Takes precedence over AlwaysInjectSelector.'
description: If true, sidecar injector will rewrite PodSpec for
  liveness health check to redirect request to sidecar. This makes
  liveness check work even when mTLS is enabled.