1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
|
{{ if eq .Values.istioVersion "1.3" }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: remoteistios.istio.banzaicloud.io
labels:
controller-tools.k8s.io: "1.0"
app.kubernetes.io/name: {{ include "istio-operator.name" . }}
helm.sh/chart: {{ include "istio-operator.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: operator
spec:
additionalPrinterColumns:
- JSONPath: .status.Status
description: Status of the resource
name: Status
type: string
- JSONPath: .status.ErrorMessage
description: Error message
name: Error
type: string
- JSONPath: .status.GatewayAddress
description: Ingress gateways of the resource
name: Gateways
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: istio.banzaicloud.io
names:
kind: RemoteIstio
plural: remoteistios
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
autoInjectionNamespaces:
description: List of namespaces to label with sidecar auto injection
enabled
items:
type: string
type: array
citadel:
description: Citadel configuration options
properties:
affinity:
type: object
caSecretName:
type: string
enableNamespacesByDefault:
description: 'Determines Citadel default behavior if the ca.istio.io/env
or ca.istio.io/override labels are not found on a given namespace. For
example: consider a namespace called "target", which has neither
the "ca.istio.io/env" nor the "ca.istio.io/override" namespace
labels. To decide whether or not to generate secrets for service
accounts created in this "target" namespace, Citadel will defer
to this option. If the value of this option is "true" in this
case, secrets will be generated for the "target" namespace. If
the value of this option is "false" Citadel will not generate
secrets upon service account creation.'
type: boolean
enabled:
type: boolean
healthCheck:
description: Enable health checking on the Citadel CSR signing API.
https://istio.io/docs/tasks/security/health-check/
type: boolean
image:
type: string
maxWorkloadCertTTL:
description: Citadel uses a flag max-workload-cert-ttl to control
the maximum lifetime for Istio certificates issued to workloads.
The default value is 90 days. If workload-cert-ttl on Citadel
or node agent is greater than max-workload-cert-ttl, Citadel will
fail issuing the certificate.
type: string
nodeSelector:
type: object
resources:
type: object
tolerations:
items:
type: object
type: array
workloadCertTTL:
description: For the workloads running in Kubernetes, the lifetime
of their Istio certificates is controlled by the workload-cert-ttl
flag on Citadel. The default value is 90 days. This value should
be no greater than max-workload-cert-ttl of Citadel.
type: string
type: object
clusterName:
description: Should be set to the name of the cluster, this is required
for sidecar injection to properly label proxies
type: string
defaultResources:
description: DefaultResources are applied for all Istio components by
default, can be overridden for each component
type: object
enabledServices:
description: EnabledServices the Istio component services replicated
to remote side
items:
properties:
labelSelector:
type: string
name:
type: string
podIPs:
items:
type: string
type: array
ports:
items:
type: object
type: array
required:
- name
type: object
type: array
excludeIPRanges:
description: ExcludeIPRanges the range where not to capture egress traffic
type: string
includeIPRanges:
description: IncludeIPRanges the range where to capture egress traffic
type: string
proxy:
description: Proxy configuration options
properties:
accessLogEncoding:
description: Configure the access log for sidecar to JSON or TEXT.
enum:
- JSON
- TEXT
type: string
accessLogFile:
description: 'Configures the access log for each sidecar. Options: ""
- disables access log "/dev/stdout" - enables access log'
enum:
- ""
- /dev/stdout
type: string
accessLogFormat:
description: 'Configure how and what fields are displayed in sidecar
access log. Setting to empty string will result in default log
format. If accessLogEncoding is TEXT, value will be used directly
as the log format example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%
%PROTOCOL%\n" If AccessLogEncoding is JSON, value will be parsed
as map[string]string example: ''{"start_time": "%START_TIME%",
"req_method": "%REQ(:METHOD)%"}'''
type: string
componentLogLevel:
description: Per Component log level for proxy, applies to gateways
and sidecars. If a component level is not set, then the "LogLevel"
will be used. If left empty, "misc:error" is used.
type: string
coreDumpImage:
description: Image used to enable core dumps. This is only used,
when "EnableCoreDump" is set to true.
type: string
dnsRefreshRate:
description: Configure the DNS refresh rate for Envoy cluster of
type STRICT_DNS This must be given it terms of seconds. For example,
300s is valid but 5m is invalid.
pattern: ^[0-9]{1,5}s$
type: string
enableCoreDump:
description: If set, newly injected sidecars will have core dumps
enabled.
type: boolean
envoyAccessLogService:
properties:
enabled:
type: boolean
host:
type: string
port:
format: int32
type: integer
tcpKeepalive:
properties:
interval:
type: string
probes:
format: int32
type: integer
time:
type: string
type: object
tlsSettings:
properties:
caCertificates:
type: string
clientCertificate:
type: string
mode:
type: string
privateKey:
type: string
sni:
type: string
subjectAltNames:
items:
type: string
type: array
type: object
type: object
envoyMetricsService:
properties:
enabled:
type: boolean
host:
type: string
port:
format: int32
type: integer
type: object
envoyStatsD:
properties:
enabled:
type: boolean
host:
type: string
port:
format: int32
type: integer
type: object
image:
type: string
logLevel:
description: 'Log level for proxy, applies to gateways and sidecars.
If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
enum:
- trace
- debug
- info
- warning
- error
- critical
- "off"
type: string
privileged:
description: If set to true, istio-proxy container will have privileged
securityContext
type: boolean
protocolDetectionTimeout:
type: string
resources:
type: object
type: object
proxyInit:
description: Proxy Init configuration options
properties:
image:
type: string
type: object
sidecarInjector:
description: SidecarInjector configuration options
properties:
affinity:
type: object
alwaysInjectSelector:
description: 'AlwaysInjectSelector: Forces the injection on pods
whose labels match this selector. It''s an array of label selectors,
that will be OR''ed, meaning we will iterate over it and stop
at the first match'
items:
type: object
type: array
autoInjectionPolicyEnabled:
description: This controls the 'policy' in the sidecar injector
type: boolean
enableNamespacesByDefault:
description: This controls whether the webhook looks for namespaces
for injection enabled or disabled
type: boolean
enabled:
type: boolean
image:
type: string
init:
properties:
resources:
type: object
type: object
initCNIConfiguration:
properties:
affinity:
type: object
binDir:
description: Must be the same as the environment’s --cni-bin-dir
setting (kubelet parameter)
type: string
confDir:
description: Must be the same as the environment’s --cni-conf-dir
setting (kubelet parameter)
type: string
enabled:
description: If true, the privileged initContainer istio-init
is not needed to perform the traffic redirect settings for
the istio-proxy
type: boolean
excludeNamespaces:
description: List of namespaces to exclude from Istio pod check
items:
type: string
type: array
image:
type: string
logLevel:
description: Logging level for CNI binary
type: string
type: object
neverInjectSelector:
description: 'NeverInjectSelector: Refuses the injection on pods
whose labels match this selector. It''s an array of label selectors,
that will be OR''ed, meaning we will iterate over it and stop
at the first match Takes precedence over AlwaysInjectSelector.'
items:
type: object
type: array
nodeSelector:
type: object
replicaCount:
format: int32
type: integer
resources:
type: object
rewriteAppHTTPProbe:
description: If true, sidecar injector will rewrite PodSpec for
liveness health check to redirect request to sidecar. This makes
liveness check work even when mTLS is enabled.
type: boolean
tolerations:
items:
type: object
type: array
type: object
required:
- enabledServices
type: object
status:
type: object
version: v1beta1
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}
|