{{ if eq .Values.istioVersion 1.2 }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
name: istios.istio.banzaicloud.io
controller-tools.k8s.io: "1.0"
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: operator
additionalPrinterColumns:
- JSONPath: .status.Status
description: Status of the resource
- JSONPath: .status.ErrorMessage
description: Error message
- JSONPath: .status.GatewayAddress
description: Ingress gateways of the resource
- JSONPath: .metadata.creationTimestamp
group: istio.banzaicloud.io
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
autoInjectionNamespaces:
description: List of namespaces to label with sidecar auto injection
description: Citadel configuration options
description: Enable health checking on the Citadel CSR signing API.
https://istio.io/docs/tasks/security/health-check/
description: Citadel uses a flag max-workload-cert-ttl to control
the maximum lifetime for Istio certificates issued to workloads.
The default value is 90 days. If workload-cert-ttl on Citadel
or node agent is greater than max-workload-cert-ttl, Citadel will
fail issuing the certificate.
description: For the workloads running in Kubernetes, the lifetime
of their Istio certificates is controlled by the workload-cert-ttl
flag on Citadel. The default value is 90 days. This value should
be no greater than max-workload-cert-ttl of Citadel.
controlPlaneSecurityEnabled:
description: 'ControlPlaneSecurityEnabled: control plane services
communicate with each other through mTLS'
defaultConfigVisibility:
description: Set the default set of namespaces to which services, service
entries, virtual services and destination rules are exported
defaultPodDisruptionBudget:
description: Enable pod disruption budget for the control plane, which
is used to ensure Istio control plane components are gradually upgraded
description: DefaultResources are applied for all Istio components by
default, can be overridden for each component
description: 'ExcludeIPRanges: the IP ranges for which egress traffic is not captured'
description: Galley configuration options
description: Gateways configuration options
requestedNetworkView:
requestedNetworkView:
description: ImagePullPolicy describes a policy for if/when to pull
description: 'IncludeIPRanges: the IP ranges for which egress traffic is captured'
description: Istio CoreDNS provides DNS resolution for services in multi
description: Locality based load balancing distribution or failover
description: 'Optional: only one of distribute or failover can be
set. Explicitly specify load balancing weight across different
zones and geographical locations. Refer to [Locality weighted
load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
If empty, the locality weight is set according to the endpoints
description: Originating locality, '/' separated, e.g. 'region/zone'.
description: Map of upstream localities to traffic distribution
weights. The sum of all weights should be == 100. Any locality
not assigned a weight will receive no traffic.
description: If set to true, locality based load balancing will
description: 'Optional: only failover or distribute can be set.
Explicitly specify the region traffic will land on when endpoints
in the local region become unhealthy. Should be used together with
OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
is specified, this will not take effect.'
description: Originating region.
description: Destination region the traffic will fail over
to when endpoints in the 'from' region become unhealthy.
description: If set to true, the Pilot and Citadel mTLS endpoints are exposed
on the ingress gateway, and the remote Istios are connected through
description: Mixer configuration options
description: Turn it on if you use a Mixer that supports multi-cluster
description: MTLS enables or disables global mTLS
description: Set to true to connect two or more meshes via their respective
ingressgateway services when workloads in each cluster cannot directly
talk to one another. All meshes should be using Istio mTLS and must
have a shared root CA for this model to work.
description: NodeAgent configuration options
outboundTrafficPolicy:
description: Set the default behavior of the sidecar for handling outbound
traffic from the application (ALLOW_ANY or REGISTRY_ONLY)
description: Pilot configuration options
description: Proxy configuration options
description: Per Component log level for proxy, applies to gateways
and sidecars. If a component level is not set, then the "LogLevel"
will be used. If left empty, "misc:error" is used.
description: Configure the DNS refresh rate for Envoy cluster of
type STRICT_DNS. This must be given in terms of seconds. For example,
300s is valid but 5m is invalid.
pattern: ^[0-9]{1,5}s$
description: If set, newly injected sidecars will have core dumps
description: 'Log level for proxy, applies to gateways and sidecars.
If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
description: If set to true, istio-proxy container will have privileged
description: Proxy Init configuration options
description: If SDS is configured, mTLS certificates for the sidecars
will be distributed through the SecretDiscoveryService instead of
using K8S secrets to mount the certificates.
customTokenDirectory:
description: If set to true, mTLS certificates for the sidecars
will be distributed through the SecretDiscoveryService instead
of using K8S secrets to mount the certificates.
description: Unix Domain Socket through which envoy communicates
with NodeAgent SDS to get key/cert for mTLS. Use secret-mount
files instead of SDS if set to empty.
description: If set to true, envoy will fetch the normal k8s service
account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
(https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
and pass it to the SDS server, where it is used to request the key/cert.
This flag is ignored if UseTrustworthyJwt is set.
description: 'If set to true, Istio will inject a volume mount for
the k8s service account JWT, so that the k8s service account JWT
is mounted into the envoy container and used to obtain the
key/cert. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)'
description: SidecarInjector configuration options
alwaysInjectSelector:
description: 'AlwaysInjectSelector: Forces the injection on pods
whose labels match this selector. It''s an array of label selectors,
that will be OR''ed, meaning we will iterate over it and stop
autoInjectionPolicyEnabled:
description: This controls the 'policy' in the sidecar injector
enableNamespacesByDefault:
description: This controls whether the webhook treats namespaces without
an injection label as injection enabled or injection disabled
initCNIConfiguration:
description: Must be the same as the environment's --cni-bin-dir
setting (kubelet parameter)
description: Must be the same as the environment's --cni-conf-dir
setting (kubelet parameter)
description: If true, the privileged initContainer istio-init
is not needed to perform the traffic redirect settings for
description: List of namespaces to exclude from Istio pod check
description: Logging level for CNI binary
description: 'NeverInjectSelector: Refuses the injection on pods
whose labels match this selector. It''s an array of label selectors,
that will be OR''ed, meaning we will iterate over it and stop
at the first match. Takes precedence over AlwaysInjectSelector.'
description: If true, sidecar injector will rewrite PodSpec for
liveness health check to redirect request to sidecar. This makes
liveness check work even when mTLS is enabled.
description: Configuration for each of the supported tracers
description: Host:Port for submitting traces to the Datadog
pattern: ^[^\:]+:[0-9]{1,5}$
description: required for sending data to the pool
description: the <host>:<port> of the satellite pool
pattern: ^[^\:]+:[0-9]{1,5}$
description: the path to the file containing the cacert to use
when verifying TLS. If secure is true, this is required. If
a value is specified then a secret called "lightstep.cacert"
must be created in the destination namespace with the key
matching the base of the provided cacertPath and the value
being the cacert itself.
description: specifies whether data should be sent with TLS
description: Host:Port for reporting trace data in zipkin format.
If not specified, will default to zipkin service (port 9411)
in the same namespace as the other istio components.
pattern: ^[^\:]+:[0-9]{1,5}$
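The CRD above encodes several constraints only as prose in `description` fields (workload-cert-ttl must not exceed max-workload-cert-ttl, dnsRefreshRate must be whole seconds, tracer addresses must be host:port, locality distribute weights must sum to 100) and leaves the security-relevant switches (mtls, controlPlaneSecurityEnabled, outboundTrafficPolicy, a privileged or core-dumping istio-proxy) to the operator of the cluster. The linter below, an added example that is not part of the istio-operator chart or the operator's own validation, checks an Istio CR `.spec` for those rules before it is applied. The `.spec` field names it reads (citadel.workloadCertTTL, citadel.maxWorkloadCertTTL, proxy.dnsRefreshRate, proxy.logLevel, proxy.privileged, proxy.enableCoreDump, outboundTrafficPolicy.mode, tracing.<tracer>.address, localityLB.distribute) are assumed from the operator's v1beta1 Go types and are not all visible in the excerpt, so adjust them to the API version you run. The two sample specs are constructed for the example.

```python
"""Lint an Istio custom resource (istio.banzaicloud.io/v1beta1) against the
constraints stated in the CRD descriptions, plus a few security-posture checks.

Added example, not part of the istio-operator chart. The .spec field names
(citadel.workloadCertTTL, proxy.dnsRefreshRate, outboundTrafficPolicy.mode,
proxy.privileged, tracing.zipkin.address, localityLB.distribute, ...) are
assumed from the operator's v1beta1 API and may differ between versions.
"""
import re
from typing import Any, Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, code, message)

# Validation patterns copied from the CRD above.
DNS_REFRESH_RE = re.compile(r"^[0-9]{1,5}s$")
HOST_PORT_RE = re.compile(r"^[^\:]+:[0-9]{1,5}$")
OUTBOUND_MODES = {"ALLOW_ANY", "REGISTRY_ONLY"}
PROXY_LOG_LEVELS = {"trace", "debug", "info", "warning", "error", "critical", "off"}
GO_DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?[hms])+$")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(value: str) -> float:
    """Seconds for a Go-style duration such as '2160h', '1h30m' or '90s'."""
    if not GO_DURATION_RE.match(value):
        raise ValueError(f"not a Go duration: {value!r}")
    return sum(float(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+(?:\.\d+)?)([hms])", value))


def validate_istio_spec(spec: Dict[str, Any]) -> List[Finding]:
    """Return (severity, code, message) findings for one Istio CR .spec."""
    findings: List[Finding] = []
    err = lambda code, msg: findings.append(("error", code, msg))
    warn = lambda code, msg: findings.append(("warning", code, msg))

    # Citadel refuses to issue a cert when workload-cert-ttl > max-workload-cert-ttl.
    citadel = spec.get("citadel", {})
    wl, mx = citadel.get("workloadCertTTL"), citadel.get("maxWorkloadCertTTL")
    if wl is not None and mx is not None:
        try:
            if parse_go_duration(wl) > parse_go_duration(mx):
                err("CERT_TTL_ORDER", f"workloadCertTTL {wl} exceeds maxWorkloadCertTTL {mx}")
        except ValueError as exc:
            err("CERT_TTL_FORMAT", str(exc))

    # The two switches that decide whether mesh traffic is authenticated at all.
    if spec.get("mtls") is False:
        warn("MTLS_OFF", "spec.mtls is false: workload traffic is not mutually authenticated")
    if spec.get("controlPlaneSecurityEnabled") is False:
        warn("CP_MTLS_OFF", "control plane components talk to each other without mTLS")

    # ALLOW_ANY lets a compromised pod reach any external host through the sidecar.
    mode = spec.get("outboundTrafficPolicy", {}).get("mode")
    if mode is not None and mode not in OUTBOUND_MODES:
        err("OUTBOUND_MODE", f"outboundTrafficPolicy.mode must be one of {sorted(OUTBOUND_MODES)}")
    elif mode == "ALLOW_ANY":
        warn("ALLOW_ANY", "sidecars forward traffic to hosts that are not in the registry")

    proxy = spec.get("proxy", {})
    rate = proxy.get("dnsRefreshRate")
    if rate is not None and not DNS_REFRESH_RE.match(str(rate)):
        err("DNS_REFRESH_FORMAT", f"dnsRefreshRate {rate!r} must be whole seconds, e.g. '300s'")
    level = proxy.get("logLevel")
    if level is not None and level not in PROXY_LOG_LEVELS:
        err("PROXY_LOG_LEVEL", f"logLevel {level!r} not in {sorted(PROXY_LOG_LEVELS)}")
    if proxy.get("privileged"):
        warn("PROXY_PRIVILEGED", "istio-proxy runs privileged; a proxy compromise owns the node")
    if proxy.get("enableCoreDump"):
        warn("CORE_DUMP", "core dumps enabled: keys held in Envoy memory can land on disk")

    # Tracer endpoints must be host:port (same pattern as the CRD).
    for tracer in ("zipkin", "datadog", "lightstep"):
        addr = spec.get("tracing", {}).get(tracer, {}).get("address")
        if addr is not None and not HOST_PORT_RE.match(addr):
            err("TRACER_ADDR", f"tracing.{tracer}.address {addr!r} is not host:port")

    # Locality 'distribute' weights for each 'from' locality must sum to 100.
    for rule in spec.get("localityLB", {}).get("distribute", []):
        total = sum(rule.get("to", {}).values())
        if total != 100:
            err("LOCALITY_WEIGHTS", f"weights for {rule.get('from')!r} sum to {total}, not 100")
    return findings


def finding_codes(spec: Dict[str, Any]) -> Set[str]:
    return {code for _, code, _ in validate_istio_spec(spec)}


# Constructed sample .spec fragments, not taken from any real cluster.
WEAK_SPEC = {
    "mtls": False, "controlPlaneSecurityEnabled": False,
    "citadel": {"workloadCertTTL": "2160h", "maxWorkloadCertTTL": "720h"},
    "outboundTrafficPolicy": {"mode": "ALLOW_ANY"},
    "proxy": {"dnsRefreshRate": "5m", "privileged": True, "enableCoreDump": True},
    "tracing": {"zipkin": {"address": "zipkin.istio-system"}},
    "localityLB": {"distribute": [{"from": "us-west/zone1",
                                   "to": {"us-west/zone1": 80, "us-east/zone1": 10}}]},
}
HARDENED_SPEC = {
    "mtls": True, "controlPlaneSecurityEnabled": True,
    "citadel": {"workloadCertTTL": "24h", "maxWorkloadCertTTL": "2160h"},
    "outboundTrafficPolicy": {"mode": "REGISTRY_ONLY"},
    "proxy": {"dnsRefreshRate": "300s", "logLevel": "warning"},
    "tracing": {"zipkin": {"address": "zipkin.istio-system:9411"}},
    "localityLB": {"distribute": [{"from": "us-west/zone1",
                                   "to": {"us-west/zone1": 80, "us-east/zone1": 20}}]},
}

if __name__ == "__main__":
    for name, s in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"== {name}: {len(validate_istio_spec(s))} finding(s) ==")
        for sev, code, msg in validate_istio_spec(s):
            print(f"{sev:8} {code:18} {msg}")
```

Run it against the `.spec` of a rendered Istio CR (for example the output of `kubectl get istio -n istio-system -o json`, loaded with the `json` module) as a pre-apply gate; errors are settings the CRD or Citadel will reject, warnings are settings that are valid but weaken the mesh and should be deliberate. Note that the failover rule's dependency on OutlierDetection cannot be checked here, because OutlierDetection lives in DestinationRules rather than in this CR.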
description: Use the Mesh Control Protocol (MCP) for configuring Mixer
and Pilot. Requires Galley.
description: Contains the intended Istio version
description: Whether or not to establish watches for adapter-specific
description: Whether to restrict the applications namespace the controller