{{ if eq .Values.istioVersion "1.1" }} apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: istios.istio.banzaicloud.io labels: controller-tools.k8s.io: "1.0" app.kubernetes.io/name: {{ include "istio-operator.name" . }} helm.sh/chart: {{ include "istio-operator.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: operator spec: additionalPrinterColumns: - JSONPath: .status.Status description: Status of the resource name: Status type: string - JSONPath: .status.ErrorMessage description: Error message name: Error type: string - JSONPath: .status.GatewayAddress description: Ingress gateways of the resource name: Gateways type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: istio.banzaicloud.io names: kind: Istio plural: istios scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: autoInjectionNamespaces: description: List of namespaces to label with sidecar auto injection enabled items: type: string type: array citadel: description: Citadel configuration options properties: affinity: type: object caSecretName: type: string enabled: type: boolean image: type: string nodeSelector: type: object resources: type: object tolerations: items: type: object type: array type: object controlPlaneSecurityEnabled: description: ControlPlaneSecurityEnabled control plane services are communicating through mTLS type: boolean defaultConfigVisibility: description: Set the default set of namespaces to which services, service entries, virtual services, destination rules should be exported to type: string defaultPodDisruptionBudget: description: Enable pod disruption budget for the control plane, which is used to ensure Istio control plane components are gradually upgraded or recovered properties: enabled: type: boolean type: object defaultResources: description: DefaultResources are applied for all Istio components by default, can be overridden for each component type: object excludeIPRanges: description: ExcludeIPRanges the range where not to capture egress traffic type: string galley: description: Galley configuration options properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object gateways: description: Gateways configuration options properties: egress: properties: affinity: type: object applicationPorts: type: string enabled: type: boolean loadBalancerIP: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object ports: items: type: object type: array replicaCount: format: int32 type: integer requestedNetworkView: type: string resources: type: object sds: properties: enabled: type: boolean image: type: string resources: type: object type: object serviceAnnotations: type: object serviceLabels: type: object serviceType: enum: - ClusterIP - NodePort - LoadBalancer type: string tolerations: items: type: object type: array type: object enabled: type: boolean ingress: properties: affinity: type: object applicationPorts: type: string enabled: type: boolean loadBalancerIP: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object ports: items: type: object type: array replicaCount: format: int32 type: integer requestedNetworkView: type: string resources: type: object sds: properties: enabled: type: boolean image: type: string resources: type: object type: object serviceAnnotations: type: object serviceLabels: type: object serviceType: enum: - ClusterIP - NodePort - LoadBalancer type: string tolerations: items: type: object type: array type: object type: object imagePullPolicy: description: ImagePullPolicy describes a policy for if/when to pull a container image enum: - Always - Never - IfNotPresent type: string includeIPRanges: description: IncludeIPRanges the range where to capture egress traffic type: string istioCoreDNS: description: Istio CoreDNS provides DNS resolution for services in multi mesh setups properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object pluginImage: type: string replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object meshExpansion: description: If set to true, the pilot and citadel mtls will be exposed on the ingress gateway also the remote istios will be connected through gateways type: boolean mixer: description: Mixer configuration options properties: affinity: type: object enabled: type: boolean image: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object tolerations: items: type: object type: array type: object mtls: description: MTLS enables or disables global mTLS type: boolean multiMesh: description: Set to true to connect two or more meshes via their respective ingressgateway services when workloads in each cluster cannot directly talk to one another. All meshes should be using Istio mTLS and must have a shared root CA for this model to work. type: boolean nodeAgent: description: NodeAgent configuration options properties: affinity: type: object enabled: type: boolean image: type: string nodeSelector: type: object resources: type: object tolerations: items: type: object type: array type: object outboundTrafficPolicy: description: Set the default behavior of the sidecar for handling outbound traffic from the application (ALLOW_ANY or REGISTRY_ONLY) properties: mode: enum: - ALLOW_ANY - REGISTRY_ONLY type: string type: object pilot: description: Pilot configuration options properties: affinity: type: object enabled: type: boolean image: type: string maxReplicas: format: int32 type: integer minReplicas: format: int32 type: integer nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object sidecar: type: boolean tolerations: items: type: object type: array traceSampling: format: float type: number type: object proxy: description: Proxy configuration options properties: enableCoreDump: description: If set, newly injected sidecars will have core dumps enabled. type: boolean image: type: string privileged: description: If set to true, istio-proxy container will have privileged securityContext type: boolean resources: type: object type: object proxyInit: description: Proxy Init configuration options properties: image: type: string type: object sds: description: If SDS is configured, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates properties: enabled: description: If set to true, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. type: boolean udsPath: description: Unix Domain Socket through which envoy communicates with NodeAgent SDS to get key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. type: string useNormalJwt: description: If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) and pass to sds server, which will be used to request key/cert eventually this flag is ignored if UseTrustworthyJwt is set type: boolean useTrustworthyJwt: description: 'If set to true, Istio will inject volumes mount for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which will be used to generate key/cert eventually. (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected)' type: boolean type: object sidecarInjector: description: SidecarInjector configuration options properties: affinity: type: object autoInjectionPolicyEnabled: description: This controls the 'policy' in the sidecar injector type: boolean enabled: type: boolean image: type: string init: properties: resources: type: object type: object initCNIConfiguration: properties: affinity: type: object binDir: description: Must be the same as the environment’s --cni-bin-dir setting (kubelet parameter) type: string confDir: description: Must be the same as the environment’s --cni-conf-dir setting (kubelet parameter) type: string enabled: description: If true, the privileged initContainer istio-init is not needed to perform the traffic redirect settings for the istio-proxy type: boolean excludeNamespaces: description: List of namespaces to exclude from Istio pod check items: type: string type: array image: type: string logLevel: description: Logging level for CNI binary type: string type: object nodeSelector: type: object replicaCount: format: int32 type: integer resources: type: object rewriteAppHTTPProbe: description: If true, sidecar injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled. type: boolean tolerations: items: type: object type: array type: object tracing: description: Configuration for each of the supported tracers properties: datadog: properties: address: description: Host:Port for submitting traces to the Datadog agent. pattern: ^[^\:]+:[0-9]{1,5}$ type: string type: object enabled: type: boolean lightstep: properties: accessToken: description: required for sending data to the pool type: string address: description: the : of the satellite pool pattern: ^[^\:]+:[0-9]{1,5}$ type: string cacertPath: description: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination namespace with the key matching the base of the provided cacertPath and the value being the cacert itself. type: string secure: description: specifies whether data should be sent with TLS type: boolean type: object tracer: enum: - zipkin - lightstep - datadog type: string zipkin: properties: address: description: Host:Port for reporting trace data in zipkin format. If not specified, will default to zipkin service (port 9411) in the same namespace as the other istio components. pattern: ^[^\:]+:[0-9]{1,5}$ type: string type: object type: object useMCP: description: Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires galley. type: boolean version: description: Contains the intended Istio version pattern: ^1.1 type: string watchAdapterCRDs: description: Whether or not to establish watches for adapter-specific CRDs type: boolean watchOneNamespace: description: Whether to restrict the applications namespace the controller manages type: boolean required: - version - mtls type: object status: type: object version: v1beta1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] {{- end }}