diff --git a/charts/istio/1.21.6-tetrate-v1/README.md b/charts/istio/1.21.6-tetrate-v1/README.md
new file mode 100644
index 00000000..1e6bcfe2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/README.md
@@ -0,0 +1,136 @@
+# Istio Installer
+
+Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)
+
+Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a
+fork of the Istio helm templates, refactored to increase modularity and isolation.
+
+Goals:
+- Improve upgrade experience: users should be able to gradually roll upgrades, with proper
+canary deployments for Istio components. It should be possible to deploy a new version while keeping the
+stable version in place and gradually migrate apps to the new version.
+
+- More flexibility: the new installer allows multiple 'environments', allowing applications to select
+a set of control plane settings and components. While the entire mesh respects the same APIs and config,
+apps may target different 'environments' which contain different instances and variants of Istio.
+
+- Better security: separate Istio components reside in different namespaces, allowing different teams or
+roles to manage different parts of Istio. For example, a security team would maintain the
+root CA and policy, a telemetry team may only have access to Prometheus,
+and a different team may maintain the control plane components (which are highly security sensitive).
+
+The install is organized in 'environments' - each environment consists of a set of components
+in different namespaces that are configured to work together. Regardless of 'environment',
+workloads can talk with each other and obey the Istio configuration resources, but each environment
+can use different Istio versions and different configuration defaults.
+
+`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.
+In the case of the sidecar injector, the namespace label `istio-env: <NAME_OF_ENV>` is used instead
+of the conventional `istio-injected: true`. The name of the environment is defined as the namespace
+where the corresponding control plane components (config, discovery, auto-injection) are running.
+In the examples below, by default this is the `istio-control` namespace. Pod annotations can also
+be used to select a different 'environment'.
+
+## Installing
+
+The new installer is intended to be modular and very explicit about what is installed. It has
+far more steps than the Istio installer - but each step is smaller and focused on a specific
+feature, and can be performed by different people/teams at different times.
+
+It is strongly recommended that different namespaces are used, with different service accounts.
+In particular access to the security-critical production components (root CA, policy, control)
+should be locked down and restricted.  The new installer allows multiple instances of
+policy/control/telemetry - so testing/staging of new settings and versions can be performed
+by a different role than the prod version.
+
+The intended users of this repo are users running Istio in production who want to select, tune
+and understand each binary that gets deployed, and select which combination to use.
+
+Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 installation in
+`istio-system`. The new components will not interfere with existing apps, but can interoperate,
+and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
+across environments ( for example canary -> prod )
+
+Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
+will need to move to the security component.
+
+## Everything is Optional
+
+Each component in the new installer is optional. Users can install the component defined in the new installer,
+use the equivalent component in `istio-system`, configured with the official installer, or use a different
+version or implementation.
+
+For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom
+certificate provisioning tool, or use components that are centrally managed and running in a different cluster.
+
+This is a work in progress - building on top of the multi-cluster installer.
+
+As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component
+in that cluster. Currently, the minimum we require is the security provider (node agent or citadel).
+
+### Install Istio CRDs
+
+This is the first step of the installation. Please do not remove or edit any CRD - config currently requires
+all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure
+you get all CRDs.  CRDs are separated by release and by component type in the CRD directory.
+
+Istio has strong integration with certmanager.  Some operators may want to keep their current certmanager
+CRDs in place and not have Istio modify them.  In this case, it is necessary to apply CRD files individually.
+
+```bash
+kubectl apply -k github.com/istio/installer/base
+```
+
+or
+
+```bash
+kubectl apply -f base/files
+```
+
+### Install Istio-CNI
+
+This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely
+security sensitive. Access to the CNI namespace must be highly restricted.
+
+**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster
+is a GKE cluster.
+
+```bash
+ISTIO_CNI_ARGS=
+# TODO: What k8s data can we use for this check for whether GKE?
+if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then
+    ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin"
+fi
+iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}
+```
+
+TODO. It is possible to add Istio-CNI later, and gradually migrate.
+
+### Install Control plane
+
+This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,
+and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.
+
+```bash
+iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \
+            --set global.istioNamespace=istio-system
+
+# Second istio-discovery, using master version of istio
+TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \
+            --set policy.enable=false \
+            --set global.istioNamespace=istio-master
+```
+
+### Gateways
+
+A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.
+
+Since the domain certificates are stored in the gateway namespace, it is recommended to keep each
+gateway in a dedicated namespace and restrict access.
+
+For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.
+
+### Additional test templates
+
+A number of helm test setups are general-purpose and should be installable in any cluster, to confirm
+Istio works properly and allow testing the specific installation.
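Review bot: In the "Install Control plane" block, the second install runs with `TAG=latest HUB=gcr.io/istio-testing`, a mutable tag from a testing registry, inside a README that ships under a directory pinned to `1.21.6-tetrate-v1`. Pin that example to a release tag or digest, or label it explicitly as a development-only canary, since this same file describes the control plane components as "highly security sensitive". The `iop` helper and `$IBASE` used there and in the Istio-CNI block are never defined in this file, so neither command can be run as written; define them or show the equivalent `helm` invocation. The note about running in parallel with "an existing Istio 1.0 or 1.1 installation" and the reference to "node agent or citadel" also read as stale for a 1.21.6 chart and should be checked before this is published as current guidance.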
diff --git a/charts/istio/1.21.6-tetrate-v1/UPDATING-CHARTS.md b/charts/istio/1.21.6-tetrate-v1/UPDATING-CHARTS.md
new file mode 100644
index 00000000..272a336d
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/UPDATING-CHARTS.md
@@ -0,0 +1,66 @@
+# Updating charts and values.yaml
+
+## Acceptable Pull Requests
+
+Helm charts `values.yaml` represent a complex user facing API that tends to grow uncontrollably over time
+due to design choices in Helm.
+The underlying Kubernetes resources we configure have 1000s of fields; given enough users and bespoke use cases,
+eventually someone will want to customize every one of those fields.
+If all fields are exposed in `values.yaml`, we end up with an massive API that is also likely worse than just using the Kubernetes API directly.
+
+To avoid this, the project attempts to minimize additions to the `values.yaml` API where possible.
+
+If the change is a dynamic runtime configuration, it probably belongs in the [MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto).
+This allows configuration without re-installing or restarting deployments.
+
+If the change is to a Kubernetes field (such as modifying a Deployment attribute), it will likely need to be install-time configuration.
+However, that doesn't necessarily mean a PR to add a value will be accepted.
+The `values.yaml` API is intended to maintain a *minimal core set of configuration* that most users will use.
+For bespoke use cases, [Helm Chart Customization](https://istio.io/latest/docs/setup/additional-setup/customize-installation-helm/#advanced-helm-chart-customization) can be used
+to allow arbitrary customizations.
+
+If the change truly is generally purpose, it is generally preferred to have broader APIs. For example, instead of providing
+direct access to each of the complex fields in [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/), just providing
+a single `affinity` field that is passed through as-is to the Kubernetes resource.
+This provides maximum flexibility with minimal API surface overhead.
+
+## Making changes
+
+## Step 1. Make changes in charts and values.yaml in `manifests` directory
+
+Be sure to provide sufficient documentation and example usage in values.yaml.
+If the chart has a `values.schema.json`, that should be updated as well.
+
+## Step 2. Update the istioctl/Operator values
+
+If you are modifying the `gateway` chart, you can stop here.
+All other charts, however, are exposed by `istioctl` and need to follow the steps below.
+
+The charts in the `manifests` directory are used in istioctl to generate an installation manifest.
+
+If `values.yaml` is changed, be sure to update corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml)
+
+## Step 3. Update istioctl schema
+
+Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to
+the schema must be added here, otherwise istioctl users will see errors.
+Once the schema file is updated, run:
+
+```bash
+$ make operator-proto
+```
+
+This will regenerate the Go structs used for schema validation.
+
+## Step 4. Update the generated manifests
+
+Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts.
+To regenerate the manifests, run:
+
+```bash
+$ make copy-templates update-golden
+```
+
+## Step 5. Create a PR using outputs from Steps 1 to 4
+
+Your PR should pass all the checks if you followed these steps.
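Review bot: The relative links in Step 2 and Step 3, `../profiles/default.yaml` and `../../operator/pkg/apis/istio/v1alpha1/values_types.proto`, resolve from `charts/istio/1.21.6-tetrate-v1/` to paths that the visible part of this patch does not add, and Step 1 points at a `manifests` directory that is not part of this path either. Either switch them to absolute upstream URLs or state at the top that these steps apply to the upstream istio/istio tree, so nobody edits the vendored copy expecting `make operator-proto` and `make copy-templates update-golden` to exist here. Minor: "an massive API" and "truly is generally purpose" need fixing, and the "Step N" headings sit at the same `##` level as "Making changes" instead of under it.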
diff --git a/charts/istio/1.21.6-tetrate-v1/base/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/base/Chart.yaml
new file mode 100644
index 00000000..647d3d11
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: base
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+  - istio
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
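Review bot: The comment above `version:` says the value "is never actually shipped" and gets replaced at build time, yet the hunk commits a concrete `1.21.6-tetrate-v1` for both `version` and `appVersion`; that is misleading for anyone auditing which chart version is deployed, so drop or reword the comment. Also consider whether `tillerVersion: ">=2.7.2"` should stay: it constrains Tiller, while the chart's own README installs with `helm install istio-base istio/base -n istio-system`, which is not a Tiller-style invocation.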
diff --git a/charts/istio/1.21.6-tetrate-v1/base/README.md b/charts/istio/1.21.6-tetrate-v1/base/README.md
new file mode 100644
index 00000000..ae8f6d5b
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/README.md
@@ -0,0 +1,35 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
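Review bot: The commands under "Setup Repo Info" and "Installing the Chart" add `https://istio-release.storage.googleapis.com/charts` and install `istio/base` with no `--version`, so following this README pulls whatever that repository currently serves rather than the `1.21.6-tetrate-v1` chart in this directory. Document the source this vendored chart is actually installed from, or at least pin `--version` in the example, so the CRDs that get installed are the ones reviewed in this change.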
diff --git a/charts/istio/1.21.6-tetrate-v1/base/crds/crd-all.gen.yaml b/charts/istio/1.21.6-tetrate-v1/base/crds/crd-all.gen.yaml
new file mode 100644
index 00000000..93cbd3fb
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/crds/crd-all.gen.yaml
@@ -0,0 +1,8457 @@
+# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: wasmplugins.extensions.istio.io
+spec:
+  group: extensions.istio.io
+  names:
+    categories:
+    - istio-io
+    - extensions-istio-io
+    kind: WasmPlugin
+    listKind: WasmPluginList
+    plural: wasmplugins
+    singular: wasmplugin
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Extend the functionality provided by the Istio proxy through
+              WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+            properties:
+              failStrategy:
+                description: Specifies the failure behavior for the plugin due to
+                  fatal errors.
+                enum:
+                - FAIL_CLOSE
+                - FAIL_OPEN
+                type: string
+              imagePullPolicy:
+                description: The pull behaviour to be applied when fetching Wasm module
+                  by either OCI image or `http/https`.
+                enum:
+                - UNSPECIFIED_POLICY
+                - IfNotPresent
+                - Always
+                type: string
+              imagePullSecret:
+                description: Credentials to use for OCI image pulling.
+                maxLength: 253
+                minLength: 1
+                type: string
+              match:
+                description: Specifies the criteria to determine which traffic is
+                  passed to WasmPlugin.
+                items:
+                  properties:
+                    mode:
+                      description: Criteria for selecting traffic by their direction.
+                      enum:
+                      - UNDEFINED
+                      - CLIENT
+                      - SERVER
+                      - CLIENT_AND_SERVER
+                      type: string
+                    ports:
+                      description: Criteria for selecting traffic by their destination
+                        port.
+                      items:
+                        properties:
+                          number:
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        required:
+                        - number
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - number
+                      x-kubernetes-list-type: map
+                  type: object
+                type: array
+              phase:
+                description: Determines where in the filter chain this `WasmPlugin`
+                  is to be injected.
+                enum:
+                - UNSPECIFIED_PHASE
+                - AUTHN
+                - AUTHZ
+                - STATS
+                type: string
+              pluginConfig:
+                description: The configuration that will be passed on to the plugin.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              pluginName:
+                description: The plugin name to be used in the Envoy configuration
+                  (used to be called `rootID`).
+                maxLength: 256
+                minLength: 1
+                type: string
+              priority:
+                description: Determines ordering of `WasmPlugins` in the same `phase`.
+                nullable: true
+                type: integer
+              selector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this plugin configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              sha256:
+                description: SHA256 checksum that will be used to verify Wasm module
+                  or OCI container.
+                pattern: (^$|^[a-f0-9]{64}$)
+                type: string
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+              type:
+                description: Specifies the type of Wasm Extension to be used.
+                enum:
+                - UNSPECIFIED_PLUGIN_TYPE
+                - HTTP
+                - NETWORK
+                type: string
+              url:
+                description: URL of a Wasm module or OCI container.
+                minLength: 1
+                type: string
+                x-kubernetes-validations:
+                - message: url must have schema one of [http, https, file, oci]
+                  rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'',
+                    ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) &&
+                    url(''http://'' +self).getScheme() in ['''', ''http'', ''https'',
+                    ''oci'', ''file''])'
+              verificationKey:
+                type: string
+              vmConfig:
+                description: Configuration for a Wasm VM.
+                properties:
+                  env:
+                    description: Specifies environment variables to be injected to
+                      this VM.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the environment variable.
+                          maxLength: 256
+                          minLength: 1
+                          type: string
+                        value:
+                          description: Value for the environment variable.
+                          maxLength: 2048
+                          type: string
+                        valueFrom:
+                          description: Source for the environment variable's value.
+                          enum:
+                          - INLINE
+                          - HOST
+                          type: string
+                      required:
+                      - name
+                      type: object
+                      x-kubernetes-validations:
+                      - message: value may only be set when valueFrom is INLINE
+                        rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST''
+                          || !has(self.value)'
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
+                type: object
+            required:
+            - url
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: destinationrules.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: DestinationRule
+    listKind: DestinationRuleList
+    plural: destinationrules
+    shortNames:
+    - dr
+    singular: destinationrule
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: Specify if http1.1 connection
+                                          should be upgraded to http2 for the associated
+                                          destination.
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: enable locality load balancing,
+                                          this is DestinationRule-level and will override
+                                          mesh wide settings in entirety.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmupDurationSecs:
+                                    description: Represents the warmup duration of
+                                      Service.
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least min_health_percent hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: Indicates whether connections to
+                                      this port should be secured using TLS.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: The PROXY protocol version to use.
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: Specify if http1.1 connection should be upgraded
+                              to http2 for the associated destination.
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: enable locality load balancing, this is DestinationRule-level
+                              and will override mesh wide settings in entirety.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmupDurationSecs:
+                        description: Represents the warmup duration of Service.
+                        type: string
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least min_health_percent
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: The PROXY protocol version to use.
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: Indicates whether connections to this port should
+                          be secured using TLS.
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
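Review bot: `insecureSkipVerify` in both `tls` blocks above (the port-level one and the one directly under `trafficPolicy`) is a bare `nullable: true` / `type: boolean` with nothing in the schema tying it to `mode`, `caCertificates` or `subjectAltNames`, so a DestinationRule that sets it to true together with `SIMPLE` or `MUTUAL` passes this CRD's validation while, per its own description, skipping CA signature and SAN verification. The schema will not reject that combination, so please note in the chart docs that an admission policy or review gate is needed for it. Two smaller points in the same region: `port.number` and `tunnel.targetPort` are `type: integer` with no `minimum`/`maximum`, and `tunnel.protocol` is an unconstrained string, so out-of-range ports and unknown protocol values are not caught at this layer; and `consecutiveErrors` has no `description` where every sibling under `outlierDetection` has one. If this file is generated, these are better raised at the generator than patched here.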
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: Specify if http1.1 connection
+                                          should be upgraded to http2 for the associated
+                                          destination.
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: enable locality load balancing,
+                                          this is DestinationRule-level and will override
+                                          mesh wide settings in entirety.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmupDurationSecs:
+                                    description: Represents the warmup duration of
+                                      Service.
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least min_health_percent hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: Indicates whether connections to
+                                      this port should be secured using TLS.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: The PROXY protocol version to use.
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
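Review bot: `insecureSkipVerify` in both `tls` blocks above (the port-level one and this subset-level one) is a plain nullable boolean, and nothing in the visible `tls` schema ties it to `mode`, `caCertificates` or `subjectAltNames`. A DestinationRule that sets it to `true` therefore passes validation of these fields while, per its own description, the proxy skips verifying the CA signature and SAN of the server certificate. If this CRD is generated rather than hand-maintained, I would leave the schema alone, note the behaviour in the chart documentation, and add an admission policy or CI lint that flags any DestinationRule carrying `insecureSkipVerify: true`. Related: `mode` is not listed under `required` in either block, so a `tls` object that sets only `sni` or `subjectAltNames` also validates here; please confirm that this is intended and say in the docs what an omitted `mode` means.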
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: Specify if http1.1 connection should be upgraded
+                              to http2 for the associated destination.
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: enable locality load balancing, this is DestinationRule-level
+                              and will override mesh wide settings in entirety.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmupDurationSecs:
+                        description: Represents the warmup duration of Service.
+                        type: string
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least min_health_percent
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: The PROXY protocol version to use.
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: Indicates whether connections to this port should
+                          be secured using TLS.
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
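Review bot: In both `tls` blocks of this DestinationRule schema (the one under `portLevelSettings` items and the sibling `tls` that follows `proxyProtocol`), the MUTUAL-mode requirement exists only as description text. `clientCertificate` and `privateKey` say "REQUIRED if mode is `MUTUAL`", but neither block has a `required` list or any condition on `mode`, and `insecureSkipVerify` is a plain nullable boolean accepted alongside any `mode`. On schema grounds alone the API server will admit a rule with `mode: MUTUAL` and no client key pair, or one with `insecureSkipVerify: true`, which per its own description skips verification of the CA signature and SAN of the upstream server certificate. Because this is a vendored CRD I would not hand-edit the schema. Instead, state in the chart docs that these constraints rely on validation outside the CRD, and consider documenting an admission policy that rejects `insecureSkipVerify: true` except where explicitly allowed. Two smaller points in the same region: `port.number` and `tunnel.targetPort` are `type: integer` with no `minimum` or `maximum`, so out-of-range ports also pass schema validation, and `consecutiveErrors` under `outlierDetection` is the only field there without a `description`.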
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: envoyfilters.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: EnvoyFilter
+    listKind: EnvoyFilterList
+    plural: envoyfilters
+    singular: envoyfilter
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Customizing Envoy configuration generated by Istio. See
+              more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+            properties:
+              configPatches:
+                description: One or more patches with match conditions.
+                items:
+                  properties:
+                    applyTo:
+                      description: Specifies where in the Envoy configuration, the
+                        patch should be applied.
+                      enum:
+                      - INVALID
+                      - LISTENER
+                      - FILTER_CHAIN
+                      - NETWORK_FILTER
+                      - HTTP_FILTER
+                      - ROUTE_CONFIGURATION
+                      - VIRTUAL_HOST
+                      - HTTP_ROUTE
+                      - CLUSTER
+                      - EXTENSION_CONFIG
+                      - BOOTSTRAP
+                      - LISTENER_FILTER
+                      type: string
+                    match:
+                      description: Match on listener/route configuration/cluster.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - listener
+                          - required:
+                            - routeConfiguration
+                          - required:
+                            - cluster
+                      - required:
+                        - listener
+                      - required:
+                        - routeConfiguration
+                      - required:
+                        - cluster
+                      properties:
+                        cluster:
+                          description: Match on envoy cluster attributes.
+                          properties:
+                            name:
+                              description: The exact name of the cluster to match.
+                              type: string
+                            portNumber:
+                              description: The service port for which this cluster
+                                was generated.
+                              type: integer
+                            service:
+                              description: The fully qualified service name for this
+                                cluster.
+                              type: string
+                            subset:
+                              description: The subset associated with the service.
+                              type: string
+                          type: object
+                        context:
+                          description: The specific config generation context to match
+                            on.
+                          enum:
+                          - ANY
+                          - SIDECAR_INBOUND
+                          - SIDECAR_OUTBOUND
+                          - GATEWAY
+                          type: string
+                        listener:
+                          description: Match on envoy listener attributes.
+                          properties:
+                            filterChain:
+                              description: Match a specific filter chain in a listener.
+                              properties:
+                                applicationProtocols:
+                                  description: Applies only to sidecars.
+                                  type: string
+                                destinationPort:
+                                  description: The destination_port value used by
+                                    a filter chain's match condition.
+                                  type: integer
+                                filter:
+                                  description: The name of a specific filter to apply
+                                    the patch to.
+                                  properties:
+                                    name:
+                                      description: The filter name to match on.
+                                      type: string
+                                    subFilter:
+                                      description: The next level filter within this
+                                        filter to match upon.
+                                      properties:
+                                        name:
+                                          description: The filter name to match on.
+                                          type: string
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name assigned to the filter chain.
+                                  type: string
+                                sni:
+                                  description: The SNI value used by a filter chain's
+                                    match condition.
+                                  type: string
+                                transportProtocol:
+                                  description: Applies only to `SIDECAR_INBOUND` context.
+                                  type: string
+                              type: object
+                            listenerFilter:
+                              description: Match a specific listener filter.
+                              type: string
+                            name:
+                              description: Match a specific listener by its name.
+                              type: string
+                            portName:
+                              type: string
+                            portNumber:
+                              description: The service port/gateway port to which
+                                traffic is being sent/received.
+                              type: integer
+                          type: object
+                        proxy:
+                          description: Match on properties associated with a proxy.
+                          properties:
+                            metadata:
+                              additionalProperties:
+                                type: string
+                              description: Match on the node metadata supplied by
+                                a proxy when connecting to Istio Pilot.
+                              type: object
+                            proxyVersion:
+                              description: A regular expression in golang regex format
+                                (RE2) that can be used to select proxies using a specific
+                                version of istio proxy.
+                              type: string
+                          type: object
+                        routeConfiguration:
+                          description: Match on envoy HTTP route configuration attributes.
+                          properties:
+                            gateway:
+                              description: The Istio gateway config's namespace/name
+                                for which this route configuration was generated.
+                              type: string
+                            name:
+                              description: Route configuration name to match on.
+                              type: string
+                            portName:
+                              description: Applicable only for GATEWAY context.
+                              type: string
+                            portNumber:
+                              description: The service port number or gateway server
+                                port number for which this route configuration was
+                                generated.
+                              type: integer
+                            vhost:
+                              description: Match a specific virtual host in a route
+                                configuration and apply the patch to the virtual host.
+                              properties:
+                                name:
+                                  description: The VirtualHosts objects generated
+                                    by Istio are named as host:port, where the host
+                                    typically corresponds to the VirtualService's
+                                    host field or the hostname of a service in the
+                                    registry.
+                                  type: string
+                                route:
+                                  description: Match a specific route within the virtual
+                                    host.
+                                  properties:
+                                    action:
+                                      description: Match a route with specific action
+                                        type.
+                                      enum:
+                                      - ANY
+                                      - ROUTE
+                                      - REDIRECT
+                                      - DIRECT_RESPONSE
+                                      type: string
+                                    name:
+                                      description: The Route objects generated by
+                                        default are named as default.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                      type: object
+                    patch:
+                      description: The patch to apply along with the operation.
+                      properties:
+                        filterClass:
+                          description: Determines the filter insertion order.
+                          enum:
+                          - UNSPECIFIED
+                          - AUTHN
+                          - AUTHZ
+                          - STATS
+                          type: string
+                        operation:
+                          description: Determines how the patch should be applied.
+                          enum:
+                          - INVALID
+                          - MERGE
+                          - ADD
+                          - REMOVE
+                          - INSERT_BEFORE
+                          - INSERT_AFTER
+                          - INSERT_FIRST
+                          - REPLACE
+                          type: string
+                        value:
+                          description: The JSON config of the object being patched.
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  type: object
+                type: array
+              priority:
+                description: Priority defines the order in which patch sets are applied
+                  within a context.
+                format: int32
+                type: integer
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this patch configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
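Review bot: `patch.value` at the end of this EnvoyFilter schema is `type: object` with `x-kubernetes-preserve-unknown-fields: true`, and the `patch` object has no `required` list, so the API server will admit any payload there, including one with no `operation` or with `operation: INVALID`, which is a listed enum value. Because the schema cannot act as the control for what reaches the proxy configuration, the chart documentation should state that create and update rights on this resource belong only to the team that owns the control plane. If this file must not be edited by hand, an admission policy that rejects a missing or `INVALID` operation would close the gap without touching the CRD.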
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: gateways.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    shortNames:
+    - gw
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
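Review bot: under `servers[].tls` in both the `v1alpha3` and `v1beta1` Gateway schemas, the `minProtocolVersion` enum still admits `TLSV1_0` and `TLSV1_1`, and the schema sets no default, so nothing in this file stops a Gateway from being admitted with a legacy protocol floor. The conditional requirements are also documentation only: `caCertificates` says "REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`" and `privateKey`/`serverCertificate` say "REQUIRED if mode is `SIMPLE` or `MUTUAL`", but the only `required` lists cover `port`/`hosts` and the port's `number`, `protocol` and `name`. Likewise `port.number` is a bare `type: integer` with no `minimum` or `maximum`, despite the "valid non-negative integer port number" description. Please either document the intended TLS floor in the chart or add an admission check for it, and say where the mode-dependent fields are validated, since this schema does not do it.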
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: proxyconfigs.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ProxyConfig
+    listKind: ProxyConfigList
+    plural: proxyconfigs
+    singular: proxyconfig
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Provides configuration for individual workloads. See more
+              details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+            properties:
+              concurrency:
+                description: The number of worker threads to run.
+                nullable: true
+                type: integer
+              environmentVariables:
+                additionalProperties:
+                  type: string
+                description: Additional environment variables for the proxy.
+                type: object
+              image:
+                description: Specifies the details of the proxy image.
+                properties:
+                  imageType:
+                    description: The image type of the image.
+                    type: string
+                type: object
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
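Review bot: in the ProxyConfig schema, `selector` is documented only as "Optional.", so a reader cannot tell from this file which workloads a ProxyConfig applies to when the selector is omitted. That matters here because `environmentVariables` is an unconstrained string-to-string map and `image.imageType` is a free-form string, in a `Namespaced` resource. Please expand the `selector` description to state the scope when it is absent, and note in the chart docs that write access to this resource lets the holder set proxy environment variables for the matched workloads. `concurrency` also has no `minimum`, so a negative value passes schema validation; a bound or a sentence on the accepted range would help.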
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: serviceentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ServiceEntry
+    listKind: ServiceEntryList
+    plural: serviceentries
+    shortNames:
+    - se
+    singular: serviceentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  type: string
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      type: string
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      type: string
+                    ports:
+                      additionalProperties:
+                        type: integer
+                      description: Set of ports associated with the endpoint.
+                      type: object
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      type: integer
+                  type: object
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                type: array
+              location:
+                description: Specify whether the service should be considered external
+                  to the mesh or part of the mesh.
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      type: integer
+                    protocol:
+                      description: The protocol exposed on the port.
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      type: integer
+                  required:
+                  - number
+                  - name
+                  type: object
+                type: array
+              resolution:
+                description: Service resolution mode for the hosts.
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  type: string
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      type: string
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      type: string
+                    ports:
+                      additionalProperties:
+                        type: integer
+                      description: Set of ports associated with the endpoint.
+                      type: object
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      type: integer
+                  type: object
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                type: array
+              location:
+                description: Specify whether the service should be considered external
+                  to the mesh or part of the mesh.
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      type: integer
+                    protocol:
+                      description: The protocol exposed on the port.
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      type: integer
+                  required:
+                  - number
+                  - name
+                  type: object
+                type: array
+              resolution:
+                description: Service resolution mode for the hosts.
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: sidecars.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Sidecar
+    listKind: SidecarList
+    plural: sidecars
+    singular: sidecar
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: When the bind address is an IP, the captureMode
+                        option dictates how traffic to the listener is expected to
+                        be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: Specify if http1.1 connection should be upgraded
+                          to http2 for the associated destination.
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: The captureMode option dictates how traffic to
+                        the listener is expected to be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: Specify if http1.1 connection should be
+                                upgraded to http2 for the associated destination.
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Configuration for the outbound traffic policy.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
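Review bot: in the `ingress[].tls` block of this Sidecar v1alpha3 schema, the `minProtocolVersion` and `maxProtocolVersion` enums still list `TLSV1_0` and `TLSV1_1`, and neither field has a default. A Sidecar that pins sidecar-terminated TLS to one of those versions therefore passes CRD validation. If this manifest is generated and not meant to be hand-edited, leave the enum as it is and enforce a `TLSV1_2` floor with an admission policy, then state that expectation in the chart documentation. In the same version, `outboundTrafficPolicy.mode` (`REGISTRY_ONLY` / `ALLOW_ANY`) and `egressProxy` have no `description`, unlike their sibling fields. A short description on `mode` would help anyone auditing egress settings against this schema.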
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: When the bind address is an IP, the captureMode
+                        option dictates how traffic to the listener is expected to
+                        be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: Specify if http1.1 connection should be upgraded
+                          to http2 for the associated destination.
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: The captureMode option dictates how traffic to
+                        the listener is expected to be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: Specify if http1.1 connection should be
+                                upgraded to http2 for the associated destination.
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Configuration for the outbound traffic policy.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
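Review bot: the `minProtocolVersion` and `maxProtocolVersion` enums in the Sidecar ingress `tls` block still accept `TLSV1_0` and `TLSV1_1`, and the schema sets no default or floor for either field. Nothing at admission time therefore stops a `Sidecar` from terminating TLS for traffic from outside the mesh with a legacy protocol version. If this schema has to stay as shipped, document a recommended `minProtocolVersion: TLSV1_2` (or `TLSV1_3`) next to the chart and enforce it with an admission policy, rather than relying on each author to set it. Two documentation gaps in the same region: `outboundTrafficPolicy.mode` lists `REGISTRY_ONLY` and `ALLOW_ANY` but has no `description`, and neither do `egressProxy` or `port.targetPort`, so `kubectl explain` gives no guidance on the field that decides how outbound traffic is treated. Please add descriptions, or point to the upstream reference where these are defined.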
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: virtualservices.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: VirtualService
+    listKind: VirtualServiceList
+    plural: virtualservices
+    shortNames:
+    - vs
+    singular: virtualservice
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: 'On a redirect, dynamically set the port: *
+                            FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP
+                            and 443 for HTTPS.'
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
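Review bot: The numeric fields in the schema version that ends here carry no bounds: `port.number`, `redirect.port`, `redirectCode`, `weight`, `retries.attempts` and the `value` under `mirrorPercentage` and `percentage` are declared only as `type: integer` or `type: number`, so this schema on its own accepts a negative weight, a port above 65535 or a percentage above 100. If this file is a generated copy that should not be edited by hand, please state in the PR which admission check rejects such values when this chart is installed; otherwise add `minimum`/`maximum` (for example `minimum: 0` and `maximum: 100` on the percentage `value`). Separately, `mirror_percent`, `mirrorPercent` and the TCP match `sourceSubnet` have no `description`, unlike their neighbours; one line on each, including how the first two relate to `mirrorPercentage`, would help anyone auditing where traffic is mirrored.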
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: 'On a redirect, dynamically set the port: *
+                            FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP
+                            and 443 for HTTPS.'
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadEntry
+    listKind: WorkloadEntryList
+    plural: workloadentries
+    shortNames:
+    - we
+    singular: workloadentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                type: string
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                type: string
+              ports:
+                additionalProperties:
+                  type: integer
+                description: Set of ports associated with the endpoint.
+                type: object
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                type: integer
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                type: string
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                type: string
+              ports:
+                additionalProperties:
+                  type: integer
+                description: Set of ports associated with the endpoint.
+                type: object
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                type: integer
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadgroups.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadGroup
+    listKind: WorkloadGroupList
+    plural: workloadgroups
+    shortNames:
+    - wg
+    singular: workloadgroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    type: integer
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        type: integer
+                      scheme:
+                        type: string
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        type: integer
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    type: string
+                  ports:
+                    additionalProperties:
+                      type: integer
+                    description: Set of ports associated with the endpoint.
+                    type: object
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    type: integer
+                type: object
+            required:
+            - template
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: '`WorkloadGroup` enables specifying the properties of a single
+              workload for bootstrap and provides a template for `WorkloadEntry`,
+              similar to how `Deployment` specifies properties of workloads via `Pod`
+              templates.'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    type: integer
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        type: integer
+                      scheme:
+                        type: string
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        type: integer
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    type: string
+                  ports:
+                    additionalProperties:
+                      type: integer
+                    description: Set of ports associated with the endpoint.
+                    type: object
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    type: integer
+                type: object
+            required:
+            - template
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
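Review bot: the `workloadgroups.networking.istio.io` metadata block has `labels` but no `annotations`, while the `workloadentries.networking.istio.io` and `authorizationpolicies.security.istio.io` definitions in this same file both carry `"helm.sh/resource-policy": keep`. If Helm manages this file as a template, removing the release would delete this CRD, and with it every WorkloadGroup object in the cluster, while the WorkloadEntry CRD stays behind. Either add the same annotation here or say in the chart docs why this CRD is treated differently.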
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: authorizationpolicies.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: AuthorizationPolicy
+    listKind: AuthorizationPolicyList
+    plural: authorizationpolicies
+    singular: authorizationpolicy
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: Optional.
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
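Review bot: in the v1 `spec` schema the `oneOf` on `provider` does not tie `provider` to `action: CUSTOM`, although the `provider` description says it configures the CUSTOM action. Its two branches (provider absent, provider present) together accept every object. A policy with `action: ALLOW` and a `provider`, or `action: CUSTOM` with no `provider`, therefore passes this schema. If the chart expects the API server to reject those combinations, an `x-kubernetes-validations` rule on `spec` would enforce it. Otherwise the chart docs should state that this pairing is checked by admission validation outside the CRD.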
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: Optional.
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: peerauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    shortNames:
+    - pa
+    singular: peerauthentication
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: Defines the mTLS mode used for peer authentication.
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: Defines the mTLS mode used for peer authentication.
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                type: object
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: requestauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: RequestAuthentication
+    listKind: RequestAuthenticationList
+    plural: requestauthentications
+    shortNames:
+    - ra
+    singular: requestauthentication
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            type: string
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                  required:
+                  - issuer
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            type: string
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                  required:
+                  - issuer
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
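Review bot: in the `jwtRules` item schema of `requestauthentications.security.istio.io` (both the `v1` and the `v1beta1` version), `jwks`, `jwks_uri` and `jwksUri` are all plain optional strings with only `issuer` required, and the two URL spellings carry the same description. A manifest that sets an inline key set together with a URL, or sets both URL spellings to different values, therefore passes this schema, and nothing in the descriptions says which key source is then used to verify signatures. The same file already expresses mutual exclusivity with a `oneOf` on `metric`/`customMetric` in the Telemetry overrides `match`; a similar constraint would fit here. If the CRD is vendored as generated and cannot be changed in this chart, please extend the three field descriptions to state which one takes effect when more than one is present and which URL spelling is preferred.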
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: telemetry
+    release: istio
+  name: telemetries.telemetry.istio.io
+spec:
+  group: telemetry.istio.io
+  names:
+    categories:
+    - istio-io
+    - telemetry-istio-io
+    kind: Telemetry
+    listKind: TelemetryList
+    plural: telemetries
+    shortNames:
+    - telemetry
+    singular: telemetry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: This determines whether or not to apply the
+                            access logging configuration based on the direction of
+                            traffic relative to the proxied workload.
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: One of the well-known [Istio Standard
+                                  Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: 'Controls which mode of metrics generation
+                                  is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.'
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: Operation controls whether or not to
+                                    update/add a tag, or to remove it.
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : '''')
+                                  == ''UPSERT'') ? self.value != '''' : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : '''')
+                                  == ''REMOVE'') ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: This determines whether or not to apply the
+                            tracing configuration based on the direction of traffic
+                            relative to the proxied workload.
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
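Review bot: `useRequestIdForTraceSampling` in the `tracing` item schema has no `description`, unlike its sibling properties, so `kubectl explain` gives users nothing for it; add one, as `randomSamplingPercentage` has. Separately, the `header` custom tag description says the request header value is added to each span but not that it is handed as-is to the tracing provider; a sentence advising against naming headers that carry credentials or session tokens would help operators.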
diff --git a/charts/istio/1.21.6-tetrate-v1/base/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/base/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
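Review bot: `CA_TRUSTED_NODE_ACCOUNTS` lists both `istio-system/ztunnel` and `kube-system/ztunnel` with no comment on when the second applies. As the name indicates, each entry is an account the CA trusts as a node agent, so list only the namespace ztunnel is actually deployed to, or add a comment naming the installs that place it in kube-system. `cni.privileged: true` also deserves a one-line comment on why ambient mode needs it.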
diff --git a/charts/istio/1.21.6-tetrate-v1/base/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/base/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
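Review bot: this file sets `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` to "false" with no comment, while profile-ambient.yaml describes the "true" values as the more secure default. Add a header comment stating that selecting compatibility version 1.20 turns these off for backwards compatibility, so an operator reading the file sees the trade-off.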
diff --git a/charts/istio/1.21.6-tetrate-v1/base/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/base/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
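Review bot: the `otel` provider targets `opentelemetry-collector.istio-system.svc.cluster.local` while `otel-tracing` targets `opentelemetry-collector.otel-collector.svc.cluster.local`, both on port 4317; if one collector is meant, align the namespaces, otherwise add a comment on why they differ. Since the header says this profile is for non-production use, `traceSampling: 100` and `accessLogFile: /dev/stdout` would benefit from a comment marking them as demo-only choices. The file also lacks a trailing newline.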
diff --git a/charts/istio/1.21.6-tetrate-v1/base/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/base/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
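Review bot: `chained: false` appears under both `cni` and `istio_cni`, and `platform: openshift` under both `global` and the top level, with no comment on which key each chart reads. State which consumer needs each copy, or remove the one that is unused, so a later edit does not update one and miss the other. `privileged: true` has no rationale comment, and the file lacks a trailing newline.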
diff --git a/charts/istio/1.21.6-tetrate-v1/base/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/base/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/base/templates/NOTES.txt
new file mode 100644
index 00000000..00645016
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/NOTES.txt
@@ -0,0 +1,5 @@
+Istio base successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/crds.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/crds.yaml
new file mode 100644
index 00000000..af9901c6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/crds.yaml
@@ -0,0 +1,3 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/default.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/default.yaml
new file mode 100644
index 00000000..b6e66316
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/default.yaml
@@ -0,0 +1,45 @@
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    sideEffects: None
+    admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
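Review bot: `failurePolicy: Ignore` leaves validation fail-open for `security.istio.io` and the other listed groups until something else switches it to `Fail`, and nothing in this template bounds how long that lasts. The comment should say how an operator confirms the switch happened (for example, checking the live object's `failurePolicy` and `caBundle` after install), since a webhook that never becomes ready keeps admitting unvalidated policy. `url: {{ .Values.base.validationURL }}` should also be piped through `quote`, as `istio.io/rev` already is.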
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/endpoints.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/endpoints.yaml
new file mode 100644
index 00000000..36575202
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/endpoints.yaml
@@ -0,0 +1,23 @@
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.pilot.enabled }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
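Review bot: the pattern `^([0-9]*\\.){3}[0-9]*$` uses `*`, so it also matches strings with empty or out-of-range parts such as `...` or `999.1.1.1`, which then land in `ip:` and are rejected only at apply time. Use `[0-9]{1,3}` per part (or a stricter check), and note in a comment that IPv6 literals do not match and therefore take the hostname path in services.yaml even though values.yaml exposes `ipFamilies`.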
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/reader-serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 00000000..d9ce18c2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
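Review bot: the two `{{- end }}` lines closing the `imagePullSecrets` block are indented four spaces while the matching `{{- if }}` and `{{- range }}` sit at two, which makes the nesting hard to follow; align each `end` with its opener. The header comment says this account is used for remote secret creation, so a short pointer to where its role bindings are defined would help reviewers judge its permissions.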
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/services.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/services.yaml
new file mode 100644
index 00000000..fc1fa1a2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.pilot.enabled }}
+  # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
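Review bot: the IP test `regexMatch "^([0-9]*\\.){3}[0-9]*$"` is duplicated here and in endpoints.yaml; if the two drift, an address can end up with neither an Endpoints object nor `type: ExternalName`. Move it into one named helper template that both files include. Also, `externalName: {{ .Values.global.remotePilotAddress }}` is emitted unquoted and unvalidated, so piping it through `quote` would keep unusual input from changing the YAML structure.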
diff --git a/charts/istio/1.21.6-tetrate-v1/base/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/base/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
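Review bot: the header comment explains the merge but not the ordering assumption behind it: other templates read keys such as `.Values.global.istioNamespace` at the top level while values.yaml defines them under `defaults`, so they only work once this file has rewritten `.Values`. Say so in the comment, along with why the file is named `zzz_profile.yaml`. `$.Values.profile` is interpolated into the `Files.Get` path unchecked; the `fail` branch covers unknown names, but its message would be clearer if it listed the accepted profiles.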
diff --git a/charts/istio/1.21.6-tetrate-v1/base/values.yaml b/charts/istio/1.21.6-tetrate-v1/base/values.yaml
new file mode 100644
index 00000000..d8ace42c
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/base/values.yaml
@@ -0,0 +1,40 @@
+defaults:
+  global:
+
+    # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    istiod:
+      enableAnalysis: false
+
+    configValidation: true
+    externalIstiod: false
+    remotePilotAddress: ""
+
+    # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
+    # An empty value means it is a vanilla Kubernetes distribution, therefore no special
+    # treatment will be considered.
+    platform: ""
+
+    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    # This is intended only for use with external istiod.
+    ipFamilyPolicy: ""
+    ipFamilies: []
+
+  base:
+    # Used for helm2 to add the CRDs to templates.
+    enableCRDTemplates: false
+
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
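Review bot: neither `pilot` nor `revision` has a default in this file, yet endpoints.yaml and services.yaml evaluate `.Values.pilot.enabled` and `.Values.revision` whenever `remotePilotAddress` is set, so with plain values `.Values.pilot.enabled` is read from a missing map and rendering can fail with a nil-pointer error. Add `pilot: enabled: false` and `revision: ""` under `defaults`. `remotePilotAddress` also has no comment even though the templates branch on whether it is an IPv4 literal or a hostname; document the accepted forms here.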
diff --git a/charts/istio/1.21.6-tetrate-v1/default/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/default/Chart.yaml
new file mode 100644
index 00000000..cb8615dd
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-default
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+description: Helm chart for istio default revision components.
+keywords:
+  - istio
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
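Review bot: the comment says this version is never shipped and is replaced at build time, but `version` and `appVersion` are pinned to `1.21.6-tetrate-v1` inside a versioned directory, so the comment looks stale; drop or reword it. The chart also declares `apiVersion: v1` with `engine: gotpl` while gateway/Chart.yaml uses `apiVersion: v2`; confirm that difference is intended.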
diff --git a/charts/istio/1.21.6-tetrate-v1/default/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/default/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
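Review bot: this file has the same blob id (59dd9114) as base/files/profile-ambient.yaml, and the other profile files under default/files likewise repeat the base chart's copies. Nothing in the diff keeps the copies in sync, so a later change to a security-relevant key such as `VERIFY_CERTIFICATE_AT_CLIENT` in one chart can be missed in the other; add a consistency check or generate both from a single source.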
diff --git a/charts/istio/1.21.6-tetrate-v1/default/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/default/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
diff --git a/charts/istio/1.21.6-tetrate-v1/default/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/default/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
diff --git a/charts/istio/1.21.6-tetrate-v1/default/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/default/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
diff --git a/charts/istio/1.21.6-tetrate-v1/default/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/default/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/default/templates/mutatingwebhook.yaml b/charts/istio/1.21.6-tetrate-v1/default/templates/mutatingwebhook.yaml
new file mode 100644
index 00000000..c7f3b1be
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/templates/mutatingwebhook.yaml
@@ -0,0 +1,122 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict "revision" .Values.revision  "injectionURL" .Values.istiodRemote.injectionURL  "namespace" .Release.Namespace }}
+{{- define "core" }}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: {{ .injectionURL }}
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "/inject"
+    {{- end }}
+  sideEffects: None
+  rules:
+    - operations: [ "CREATE" ]
+      apiGroups: [""]
+      apiVersions: ["v1"]
+      resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: istio-revision-tag-default
+  labels:
+    istio.io/tag: "default"
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "default"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "default"
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
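Review bot: in the `auto.` webhook the `kubernetes.io/metadata.name` NotIn list is hard-coded to four namespaces and omits the release namespace, while `core` sets `failurePolicy: Fail`. With `enableNamespacesByDefault` on, unlabeled pods created in the control-plane namespace match this webhook, so either add `.Release.Namespace` to the list or add a comment that those pods are expected to carry a `sidecar.istio.io/inject` label. The helper name `core` is also very generic for a `define`, and `.Values.ownerName` is not declared in values.yaml.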
diff --git a/charts/istio/1.21.6-tetrate-v1/default/templates/validatingwebhook.yaml b/charts/istio/1.21.6-tetrate-v1/default/templates/validatingwebhook.yaml
new file mode 100644
index 00000000..0b8b14a9
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/templates/validatingwebhook.yaml
@@ -0,0 +1,44 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    istio.io/tag: "default"
+    # Required to make sure this resource is removed
+    # when purging Istio resources
+    operator.istio.io/component: Pilot
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    failurePolicy: Ignore
+    sideEffects: None
+    admissionReviewVersions: ["v1beta1", "v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: DoesNotExist
+---
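Review bot: this resource is named `istiod-default-validator`, the same cluster-scoped name that base/templates/default.yaml creates whenever `defaultRevision` is non-empty (and base defaults it to "default"), so installing both charts points two releases at one object. Document which chart is meant to own it, or gate one of the two. `failurePolicy: Ignore` here also lacks the explanatory comment that the base copy carries.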
diff --git a/charts/istio/1.21.6-tetrate-v1/default/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/default/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
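Review bot: `.Values.profile` and `.Values.compatibilityVersion` are interpolated into the `files/profile-%s.yaml` path with no check on their content, and the `with $.Files.Get ...` guard treats an empty result the same as a missing file, so a profile file that exists but is empty fails with "unknown profile". Validate both values against the list of shipped profile names before the lookup, and make the `fail` message name the path that was tried.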
diff --git a/charts/istio/1.21.6-tetrate-v1/default/values.yaml b/charts/istio/1.21.6-tetrate-v1/default/values.yaml
new file mode 100644
index 00000000..5ca44c2e
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/default/values.yaml
@@ -0,0 +1,22 @@
+defaults:
+  global:
+    # Used to locate istiod.
+    istioNamespace: "istio-system"
+
+  base:
+    # Validation webhook configuration url
+    # For example: https://$remotePilotAddress:15017/validate
+    validationURL: ""
+
+  istiodRemote:
+    # Sidecar injector mutating webhook configuration url
+    # For example: https://$remotePilotAddress:15017/inject
+    injectionURL: ""
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  sidecarInjectorWebhook:
+    # This enables injection of sidecar in all namespaces,
+    enableNamespacesByDefault: false
+
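Review bot: the comment on `sidecarInjectorWebhook.enableNamespacesByDefault` ends in a comma and stops mid-sentence. Finish it, and state how a namespace opts out when the flag is set to `true`, since it changes which workloads receive a sidecar.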
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/Chart.yaml
new file mode 100644
index 00000000..3736c6c1
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: gateway
+description: Helm chart for deploying Istio gateways
+type: application
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+sources:
+  - https://github.com/istio/istio
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+  - istio
+  - gateways
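Review bot: the comment above `version:` says the value is never shipped and is replaced by istio/release-builder at build time, but this vendored copy pins both `version` and `appVersion` to `1.21.6-tetrate-v1`. Drop or reword the comment so it does not suggest the pinned version is a placeholder.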
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/README.md b/charts/istio/1.21.6-tetrate-v1/gateway/README.md
new file mode 100644
index 00000000..5c064d16
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/README.md
@@ -0,0 +1,170 @@
+# Istio Gateway Helm Chart
+
+This chart installs an Istio gateway deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-ingressgateway`:
+
+```console
+helm install istio-ingressgateway istio/gateway
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istio-ingressgateway` deployment:
+
+```console
+helm delete istio-ingressgateway
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/gateway
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### OpenShift
+
+When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
+
+```console
+helm install istio-ingressgateway istio/gateway --set profile=openshift
+```
+
+### `image: auto` Information
+
+The image used by the chart, `auto`, may be unintuitive.
+This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
+This allows the same configurations and lifecycle to apply to gateways as sidecars.
+
+Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
+See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
+
+### Examples
+
+#### Egress Gateway
+
+Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
+
+```yaml
+service:
+  # Egress gateways do not need an external LoadBalancer IP
+  type: ClusterIP
+```
+
+#### Multi-network/VM Gateway
+
+Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
+
+```yaml
+networkGateway: network-1
+```
+
+### Migrating from other installation methods
+
+Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
+following the guidance below.
+If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
+
+WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
+
+#### Legacy Gateway Helm charts
+
+Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
+These are replaced by this chart.
+While not required, it is recommended all new users use this chart, and existing users migrate when possible.
+
+This chart has the following benefits and differences:
+* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
+* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
+* Published to official Istio Helm repository.
+* Single chart for all gateways (Ingress, Egress, East West).
+
+#### General concerns
+
+For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
+
+If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
+
+```yaml
+app: istio-gateway
+istio: gateway # the release name with leading istio- prefix stripped
+```
+
+If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
+`foo=bar,istio=ingressgateway`:
+
+```yaml
+name: my-custom-gateway # Override the name to match existing resources
+labels:
+  app: "" # Unset default app selector label
+  istio: ingressgateway # override default istio selector label
+  foo: bar # Add the existing custom selector label
+```
+
+#### Migrating an existing Helm release
+
+An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
+installation was done like:
+
+```console
+helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
+```
+
+It could be upgraded with
+
+```console
+helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
+```
+
+Note the name and labels are overridden to match the names of the existing installation.
+
+Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
+If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
+or customize the ports to match the old defaults.
+See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
+
+#### Other migrations
+
+If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
+
+The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
+
+```console
+KINDS=(service deployment)
+RELEASE=istio-ingressgateway
+NAMESPACE=istio-system
+for KIND in "${KINDS[@]}"; do
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
+    kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
+    kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
+done
+```
+
+You may ignore errors about resources not being found.
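Review bot: the Sidecar Injection link under "`image: auto` Information" is written as `istio.io/latest/docs/setup/additional-setup/sidecar-injection` with no `https://` scheme, so Markdown renderers resolve it relative to the README; add the scheme, as the other links in the file have. In the port warning, "reference port these ports" should read "reference these ports", and "To view support configuration options" should be "supported". The ownership script under "Other migrations" expands `$NAMESPACE`, `$KIND` and `$RELEASE` unquoted; quote them.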
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
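Review bot: `CA_TRUSTED_NODE_ACCOUNTS` names `kube-system/ztunnel` as well as `istio-system/ztunnel`, with no comment explaining why an account in `kube-system` is trusted. Add a comment stating which installation layout needs the second entry, or remove it, so the trusted set is no wider than the deployment requires. `cni.privileged: true` would benefit from the same kind of one-line justification.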
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
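Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` are set here without a comment, and zzz_profile.yaml merges the compatibility file over the selected profile with `mustMergeOverwrite`, so choosing `compatibilityVersion=1.20` together with the `ambient` profile turns off the two settings that profile-ambient.yaml describes as the more secure default. Add a comment in this file saying that it disables client-side certificate verification, and mention the interaction in the README's Profiles section.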
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
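Review bot: the file ends without a trailing newline (the `\ No newline at end of file` marker), as does profile-openshift.yaml; add one to both. The `##` comment above the `ports` list says user overrides "must include those ports since helm replaces"; name the ports that have to be repeated, because the comment below it relies on `status-port` staying first in the list for load balancer health checks.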
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
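Review bot: `platform: openshift` is set both under `global` and at top level, and `chained: false` both under `cni` and `istio_cni`, without a comment saying which chart reads which key. The gateway deployment template in this patch reads `.Values.platform` to decide whether to set `runAsUser`/`runAsGroup`; note that next to the top-level key and document the consumers of the others, so a later cleanup does not remove the one that matters.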
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/gateway/templates/NOTES.txt
new file mode 100644
index 00000000..78451d33
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/NOTES.txt
@@ -0,0 +1,9 @@
+"{{ include "gateway.name" . }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
+
+Next steps:
+  * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
+  * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/_helpers.tpl b/charts/istio/1.21.6-tetrate-v1/gateway/templates/_helpers.tpl
new file mode 100644
index 00000000..a777d43b
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/_helpers.tpl
@@ -0,0 +1,61 @@
+{{- define "gateway.name" -}}
+{{- if eq .Release.Name "RELEASE-NAME" -}}
+  {{- .Values.name | default "istio-ingressgateway" -}}
+{{- else -}}
+  {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "gateway.labels" -}}
+helm.sh/chart: {{ include "gateway.chart" . }}
+{{ include "gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "gateway.name" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.podLabels" -}}
+{{ include "gateway.selectorLabels" . }}
+{{- range $key, $val := .Values.labels }}
+{{- if not (or (eq $key "app") (eq $key "istio")) }}
+{{ $key | quote }}: {{ $val | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.selectorLabels" -}}
+{{- if hasKey .Values.labels "app" }}
+{{- with .Values.labels.app }}app: {{.|quote}}
+{{- end}}
+{{- else }}app: {{ include "gateway.name" . }}
+{{- end }}
+{{- if hasKey .Values.labels "istio" }}
+{{- with .Values.labels.istio }}
+istio: {{.|quote}}
+{{- end}}
+{{- else }}
+istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
+{{- end }}
+{{- end }}
+
+{{- define "gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- .Values.serviceAccount.name | default (include "gateway.name" .)    }}
+{{- else }}
+{{- .Values.serviceAccount.name | default "default" }}
+{{- end }}
+{{- end }}
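Review bot: in `gateway.selectorLabels` the fallback branches emit `app: {{ include "gateway.name" . }}` and `istio: {{ include "gateway.name" . | trimPrefix "istio-" }}` unquoted, while the override branches use `quote`. A release name made only of digits would render as a YAML number in the label map. Pipe both fallbacks through `quote`. The stray spaces before `}}` in `gateway.serviceAccountName` can go at the same time.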
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/deployment.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/deployment.yaml
new file mode 100644
index 00000000..18975173
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/deployment.yaml
@@ -0,0 +1,123 @@
+apiVersion: apps/v1
+kind: {{ .Values.kind | default "Deployment" }}
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  {{- with .Values.replicaCount }}
+  replicas: {{ . }}
+  {{- end }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        sidecar.istio.io/inject: "true"
+        {{- with .Values.revision }}
+        istio.io/rev: {{ . | quote }}
+        {{- end }}
+        {{- include "gateway.podLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.serviceAccountName" . }}
+      securityContext:
+      {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+        # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: istio-proxy
+          # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
+          image: auto
+          {{- with .Values.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          securityContext:
+          {{- if .Values.containerSecurityContext }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
+            # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: true
+            {{- if not (eq .Values.platform "openshift") }}
+            runAsUser: 1337
+            runAsGroup: 1337
+            {{- end }}
+            runAsNonRoot: true
+          {{- else }}
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - NET_BIND_SERVICE
+            runAsUser: 0
+            runAsGroup: 1337
+            runAsNonRoot: false
+            allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: true
+          {{- end }}
+          env:
+          {{- with .Values.networkGateway }}
+          - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+            value: "{{.}}"
+          {{- end }}
+          {{- range $key, $val := .Values.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          ports:
+          - containerPort: 15090
+            protocol: TCP
+            name: http-envoy-prom
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{ toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
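Review bot: setting `.Values.securityContext` replaces the pod-level default wholesale, so the `net.ipv4.ip_unprivileged_port_start` sysctl disappears while the container default still runs as UID 1337 with all capabilities dropped; a gateway listening on a port below 1024 can then no longer bind. Either merge the user's value with the sysctl or document that an override must carry it. The `else` branch for clusters older than 1.22 runs the proxy with `runAsUser: 0` and `allowPrivilegeEscalation: true`; add a comment stating why root is needed there. Also, `replicas` is rendered whenever `replicaCount` is set, even when `kind` is `DaemonSet`.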
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/hpa.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/hpa.yaml
new file mode 100644
index 00000000..d95768ac
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/hpa.yaml
@@ -0,0 +1,42 @@
+{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: {{ .Values.kind | default "Deployment" }}
+    name: {{ include "gateway.name" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+          type: Utilization
+    {{- end }}
+  {{- if .Values.autoscaling.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+{{- end }}
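Review bot: the guard on the first line tests `eq .Values.kind "Deployment"` while `scaleTargetRef.kind` and the deployment template use `.Values.kind | default "Deployment"`, so the guard does not see the fallback the other templates apply when `kind` is unset. Use the same `default` in the guard. If neither utilization target is set, `metrics:` is emitted with no entries; fail the render or require at least one target.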
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/poddisruptionbudget.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000..77f71e7f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/poddisruptionbudget.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.podDisruptionBudget }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+spec:
+  selector:
+    matchLabels:
+  {{- include "gateway.selectorLabels" . | nindent 6 }}
+  {{- with .Values.podDisruptionBudget }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/role.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/role.yaml
new file mode 100644
index 00000000..c8a25cb7
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/role.yaml
@@ -0,0 +1,33 @@
+{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "gateway.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.serviceAccountName" . }}
+{{- end }}
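Review bot: the Role grants `get`, `watch` and `list` on every Secret in the release namespace and is bound to whatever `gateway.serviceAccountName` resolves to, which per _helpers.tpl is `default` when `serviceAccount.create` is false and no name is set. In that configuration every pod in the namespace running under the `default` service account can read all Secrets there. Skip the RoleBinding, or fail the render, when the resolved name is `default`, and document that the gateway should be installed in a namespace that holds only its own TLS secrets.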
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/service.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/service.yaml
new file mode 100644
index 00000000..9177d2a1
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/service.yaml
@@ -0,0 +1,64 @@
+{{- if not (eq .Values.service.type "None") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    {{- with .Values.networkGateway }}
+    topology.istio.io/network: "{{.}}"
+    {{- end }}
+  annotations:
+    {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
+spec:
+{{- with .Values.service.loadBalancerIP }}
+  loadBalancerIP: "{{ . }}"
+{{- end }}
+{{- if eq .Values.service.type "LoadBalancer" }}
+  {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
+  {{- end }}
+{{- end }}
+{{- if .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.service.ipFamilies }}
+  ipFamilies:
+{{- range .Values.service.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+{{- with .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- with .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: "{{ . }}"
+{{- end }}
+  type: {{ .Values.service.type }}
+  ports:
+{{- if .Values.networkGateway }}
+  - name: status-port
+    port: 15021
+    targetPort: 15021
+  - name: tls
+    port: 15443
+    targetPort: 15443
+  - name: tls-istiod
+    port: 15012
+    targetPort: 15012
+  - name: tls-webhook
+    port: 15017
+    targetPort: 15017
+{{- else }}
+{{ .Values.service.ports | toYaml | indent 4 }}
+{{- end }}
+{{- if .Values.service.externalIPs }}
+  externalIPs: {{- range .Values.service.externalIPs }}
+    - {{.}}
+  {{- end }}
+{{- end }}
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+{{- end }}
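Review bot: when `networkGateway` is set the port list is hardcoded and `.Values.service.ports` is silently ignored, and the list includes `tls-istiod` (15012) and `tls-webhook` (15017), which are then exposed on whatever `service.type` is configured. State this in the values documentation and recommend setting `service.loadBalancerSourceRanges` for that mode.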
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/serviceaccount.yaml
new file mode 100644
index 00000000..e5b2304d
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
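Review bot: the header comment lists three value sources, but the code merges a fourth, the `compatibilityVersion` file, over the profile before the defaults merge. Add it to the numbered list with its place in the precedence order, since it can override settings the selected profile turned on.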
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/values.schema.json b/charts/istio/1.21.6-tetrate-v1/gateway/values.schema.json
new file mode 100644
index 00000000..c97d84c1
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/values.schema.json
@@ -0,0 +1,301 @@
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "additionalProperties": false,
+  "$defs": {
+    "values": {
+      "type": "object",
+      "properties": {
+        "global": {
+          "type": "object"
+        },
+        "affinity": {
+          "type": "object"
+        },
+        "securityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "containerSecurityContext": {
+          "type": [
+            "object",
+            "null"
+          ]
+        },
+        "kind": {
+          "type": "string",
+          "enum": [
+            "Deployment",
+            "DaemonSet"
+          ]
+        },
+        "annotations": {
+          "additionalProperties": {
+            "type": [
+              "string",
+              "integer"
+            ]
+          },
+          "type": "object"
+        },
+        "autoscaling": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "maxReplicas": {
+              "type": "integer"
+            },
+            "minReplicas": {
+              "type": "integer"
+            },
+            "targetCPUUtilizationPercentage": {
+              "type": "integer"
+            }
+          }
+        },
+        "env": {
+          "type": "object"
+        },
+        "labels": {
+          "type": "object"
+        },
+        "name": {
+          "type": "string"
+        },
+        "nodeSelector": {
+          "type": "object"
+        },
+        "podAnnotations": {
+          "type": "object",
+          "properties": {
+            "inject.istio.io/templates": {
+              "type": "string"
+            },
+            "prometheus.io/path": {
+              "type": "string"
+            },
+            "prometheus.io/port": {
+              "type": "string"
+            },
+            "prometheus.io/scrape": {
+              "type": "string"
+            }
+          }
+        },
+        "replicaCount": {
+          "type": [
+            "integer",
+            "null"
+          ]
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": "string"
+                },
+                "memory": {
+                  "type": "string"
+                }
+              }
+            },
+            "requests": {
+              "type": "object",
+              "properties": {
+                "cpu": {
+                  "type": "string"
+                },
+                "memory": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "revision": {
+          "type": "string"
+        },
+        "compatibilityVersion": {
+          "type": "string"
+        },
+        "runAsRoot": {
+          "type": "boolean"
+        },
+        "unprivilegedPort": {
+          "type": [
+            "string",
+            "boolean"
+          ],
+          "enum": [
+            true,
+            false,
+            "auto"
+          ]
+        },
+        "service": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "externalTrafficPolicy": {
+              "type": "string"
+            },
+            "loadBalancerIP": {
+              "type": "string"
+            },
+            "loadBalancerSourceRanges": {
+              "type": "array"
+            },
+            "ipFamilies": {
+              "items": {
+                "type": "string",
+                "enum": [
+                  "IPv4",
+                  "IPv6"
+                ]
+              }
+            },
+            "ipFamilyPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "SingleStack",
+                "PreferDualStack",
+                "RequireDualStack"
+              ]
+            },
+            "ports": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string"
+                  },
+                  "port": {
+                    "type": "integer"
+                  },
+                  "protocol": {
+                    "type": "string"
+                  },
+                  "targetPort": {
+                    "type": "integer"
+                  }
+                }
+              }
+            },
+            "type": {
+              "type": "string"
+            }
+          }
+        },
+        "serviceAccount": {
+          "type": "object",
+          "properties": {
+            "annotations": {
+              "type": "object"
+            },
+            "name": {
+              "type": "string"
+            },
+            "create": {
+              "type": "boolean"
+            }
+          }
+        },
+        "rbac": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            }
+          }
+        },
+        "tolerations": {
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "type": "array"
+        },
+        "networkGateway": {
+          "type": "string"
+        },
+        "imagePullPolicy": {
+          "type": "string",
+          "enum": [
+            "",
+            "Always",
+            "IfNotPresent",
+            "Never"
+          ]
+        },
+        "imagePullSecrets": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "podDisruptionBudget": {
+          "type": "object",
+          "properties": {
+            "minAvailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "maxUnavailable": {
+              "type": [
+                "integer",
+                "string"
+              ]
+            },
+            "unhealthyPodEvictionPolicy": {
+              "type": "string",
+              "enum": [
+                "",
+                "IfHealthyBudget",
+                "AlwaysAllow"
+              ]
+            }
+          }
+        },
+        "terminationGracePeriodSeconds": {
+          "type": "number"
+        },
+        "volumes": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "volumeMounts": {
+          "type": "array",
+          "items": {
+            "type": "object"
+          }
+        },
+        "priorityClassName": {
+          "type": "string"
+        }
+      }
+    }
+  },
+  "defaults": {
+    "$ref": "#/$defs/values"
+  },
+  "$ref": "#/$defs/values"
+}
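Review bot: `service.loadBalancerSourceRanges` is declared as a bare `"type": "array"` with no `items`, so the one value that limits which sources may reach the LoadBalancer accepts entries of any type. Suggest `"items": {"type": "string"}`, ideally with a CIDR pattern. In the same `service` block, `ipFamilies` has `items` but no `"type": "array"`, so a scalar there is not rejected. `securityContext`, `containerSecurityContext`, `volumes` and `volumeMounts` are typed only as object or array, and `$defs/values` does not set `additionalProperties`, so a misspelled key under it is not flagged. If that is intentional, a short note in the chart docs would help reviewers.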
diff --git a/charts/istio/1.21.6-tetrate-v1/gateway/values.yaml b/charts/istio/1.21.6-tetrate-v1/gateway/values.yaml
new file mode 100644
index 00000000..1432f4d7
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateway/values.yaml
@@ -0,0 +1,152 @@
+defaults:
+  # Name allows overriding the release name. Generally this should not be set
+  name: ""
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Labels to apply to all resources
+  labels: {}
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: ""
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""
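Review bot: documentation gap in the `service:` block. The defaults are `type: LoadBalancer` with `loadBalancerSourceRanges: []`, and the `ports` list publishes `status-port` 15021 alongside 80 and 443, but nothing in the comments tells an operator that the Service itself applies no source restriction in this state. Suggest a comment on `loadBalancerSourceRanges` explaining when to set it, and a note that 15021 is the health endpoint and may not need to be reachable from outside the load balancer. Separately, `externalIPs`, `autoscaling.targetMemoryUtilizationPercentage`, `autoscaling.autoscaleBehavior` and the `sidecar.istio.io/inject` pod annotation are set here but have no entry in values.schema.json, so they are not type-checked.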
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/Chart.yaml
new file mode 100644
index 00000000..6ce67359
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: istio-egress
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+description: Helm chart for deploying Istio gateways
+keywords:
+  - istio
+  - egressgateway
+  - gateways
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
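Review bot: the comment above `version:` says the value "is never actually shipped" and is replaced at build time, yet this vendored copy pins both `version` and `appVersion` to `1.21.6-tetrate-v1`. The comment is misleading here and should be dropped or reworded. For provenance, `sources` lists only https://github.com/istio/istio; if the Tetrate build is produced from a different repository, list it as well.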
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/NOTES.txt
new file mode 100644
index 00000000..9baacc0e
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/NOTES.txt
@@ -0,0 +1,45 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label structure. Label change is not supported on upgrade.
+
+- for 'internal load balancer' you should deploy a separate gateway, in a different
+namespace.
+
+All ingress gateway have a "app:ingressgateway" label, used to identify it as an
+ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection.
+
+The Gateways use "istio: ingressgateway$SUFFIX" selectors.
+
+
+# Multiple gateway versions
+
+
+
+# Using different pilot versions
+
+
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
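Review bot: this NOTES.txt ships in the istio-egress chart but describes the ingress gateway throughout (the "app:ingressgateway" label, "istio: ingressgateway$SUFFIX" selectors, disabling the ingressgateway in step 7), so it reads as copied from the ingress chart without adaptation. The claim that the chart "uses the default namespace service account, and doesn't require additional RBAC permissions" also conflicts with templates/deployment.yaml in this same change, which sets `serviceAccountName: {{ $gateway.name }}-service-account`. Please correct it so operators do not reason about permissions from the wrong statement. Minor: the "Multiple gateway versions" and "Using different pilot versions" headings are empty, and "minize" should be "minimize".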
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
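Review bot: `CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"` is set with no comment, and it trusts a ztunnel service account in two namespaces. Since this widens which identities the CA treats as node agents, please document why both entries are needed, or keep only the namespace where ztunnel is actually deployed. `cni.privileged: true` likewise has no explanation. Minor: "its actually fine" in the comment above `excludeNamespaces` should be "it's".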
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
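Review bot: missing documentation for a security-relevant downgrade. This file sets `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"`, the same two settings that profile-ambient.yaml describes as the "more secure default" when set to "true". Selecting compatibility version 1.20 therefore turns them off without any notice. Suggest a header comment stating this, so the trade-off is visible to whoever sets `compatibilityVersion`.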
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
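Review bot: under `istio-ingressgateway.ports`, the list adds 31400 (`tcp`) and 15443 (`tls`, described as the SNI routing port) on top of 80 and 443, together with `traceSampling: 100` and access logging to /dev/stdout. The header says the profile is for non-production use, but the wider port exposure is only described as "more ports enabled". Suggest naming the extra ports in the header comment so the exposure is explicit. Style: the file has no trailing newline. The comment "it must include those ports since helm replaces" is hard to parse and should be reworded to say that an override replaces the whole list.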
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
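Review bot: the platform and CNI settings are duplicated under different keys (`global.platform: openshift` and top-level `platform: openshift`; `cni.chained: false` and `istio_cni.chained: false`), with no comment saying which chart reads which. templates/deployment.yaml in this change checks `.Values.global.platform`, so please document or remove the keys this chart does not consume, to avoid one copy drifting from the other. `cni.privileged: true` should carry a comment explaining why it is required on OpenShift. Style: the file has no trailing newline.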
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/_affinity.tpl b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/_affinity.tpl
new file mode 100644
index 00000000..fc1ec540
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/_affinity.tpl
@@ -0,0 +1,104 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{ define "nodeaffinity" }}
+nodeAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+  {{- include "nodeAffinityRequiredDuringScheduling" . }}
+  preferredDuringSchedulingIgnoredDuringExecution:
+  {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+  {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+  {{- if or .global.arch $nodeSelector }}
+      nodeSelectorTerms:
+      - matchExpressions:
+        {{- if .global.arch }}
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+        {{- range $key, $val := .global.arch }}
+          {{- if gt ($val | int) 0 }}
+          - {{ $key | quote }}
+          {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- range $key, $val := $nodeSelector }}
+        - key: {{ $key }}
+          operator: In
+          values:
+          - {{ $val | quote }}
+        {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+  {{- range $key, $val := .global.arch }}
+    {{- if gt ($val | int) 0 }}
+    - weight: {{ $val | int }}
+      preference:
+        matchExpressions:
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+          - {{ $key | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+  podAntiAffinity:
+    {{- if .podAntiAffinityLabelSelector }}
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+    {{- end }}
+    {{- if .podAntiAffinityTermLabelSelector }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityLabelSelector }}
+    - labelSelector:
+        matchExpressions:
+        - key: {{ $item.key }}
+          operator: {{ $item.operator }}
+          {{- if $item.values }}
+          values:
+          {{- $vals := split "," $item.values }}
+          {{- range $i, $v := $vals }}
+          - {{ $v | quote }}
+          {{- end }}
+          {{- end }}
+      topologyKey: {{ $item.topologyKey }}
+      {{- if $item.namespaces }}
+      namespaces:
+      {{- $ns := split "," $item.namespaces }}
+      {{- range $i, $n := $ns }}
+      - {{ $n | quote }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: {{ $item.key }}
+            operator: {{ $item.operator }}
+            {{- if $item.values }}
+            values:
+            {{- $vals := split "," $item.values }}
+            {{- range $i, $v := $vals }}
+            - {{ $v | quote }}
+            {{- end }}
+            {{- end }}
+        topologyKey: {{ $item.topologyKey }}
+      weight: 100
+    {{- end }}
+{{- end }}
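Review bot: quoting is inconsistent in the rendered selectors. `values` entries go through `| quote`, but `key: {{ $key }}`, `key: {{ $item.key }}`, `operator: {{ $item.operator }}` and `topologyKey: {{ $item.topologyKey }}` are emitted raw, so a value containing YAML-significant characters changes the structure of the manifest instead of being treated as a string. Suggest `| quote` on those as well. Also, "podAntiAffinityRequiredDuringScheduling" honours `$item.namespaces` while "podAntiAffinityPreferredDuringScheduling" ignores it and hard-codes `weight: 100`. If that asymmetry is intended, a comment in the template would help.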
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/autoscale.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/autoscale.yaml
new file mode 100644
index 00000000..b577cca2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/autoscale.yaml
@@ -0,0 +1,60 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+{{- if not .Values.global.autoscalingv2API }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+  maxReplicas: {{ $gateway.autoscaleMax }}
+  minReplicas: {{ $gateway.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $gateway.name }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- else }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+  maxReplicas: {{ $gateway.autoscaleMax }}
+  minReplicas: {{ $gateway.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $gateway.name }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
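Review bot: in the `autoscaling/v2beta1` branch the label is rendered as `istio.io/rev: {{ .Values.revision | default "default" }}` without `| quote`, while the v2/v2beta2 branch quotes it. A revision that YAML parses as a non-string would produce an invalid label in the first branch only, so please quote it in both. `install.operator.istio.io/owning-resource` is unquoted in both branches and has the same issue. The outer `if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax` also silently skips the HPA when either bound is unset or 0; a `fail` or a comment would make that visible.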
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/deployment.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/deployment.yaml
new file mode 100644
index 00000000..1bdaa8e1
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/deployment.yaml
@@ -0,0 +1,345 @@
+{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if eq $gateway.injectionTemplate "" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+  replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $gateway.rollingMaxSurge }}
+      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+        heritage: Tiller
+        release: istio
+        chart: gateways
+{{- end }}
+        service.istio.io/canonical-name: {{ $gateway.name }}
+        service.istio.io/canonical-revision: {{ index $gateway.labels "app.kubernetes.io/version" | default (index $gateway.labels "version") | default .Values.revision | default "latest" | quote }}
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+        operator.istio.io/component: "EgressGateways"
+        sidecar.istio.io/inject: "false"
+      annotations:
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        {{- if .Values.meshConfig.enablePrometheusMerge }}
+        prometheus.io/port: "15020"
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/stats/prometheus"
+        {{- end }}
+        sidecar.istio.io/inject: "false"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+    spec:
+{{- if not $gateway.runAsRoot }}
+      securityContext:
+{{- if not (eq .Values.global.platform "openshift") }}
+        runAsUser: 1337
+        runAsGroup: 1337
+{{- end }}
+        runAsNonRoot: true
+{{- end }}
+      serviceAccountName: {{ $gateway.name }}-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.proxy.enableCoreDump }}
+      initContainers:
+        - name: enable-core-dump
+{{- if contains "/" .Values.global.proxy.image }}
+          image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          command:
+            - /bin/sh
+          args:
+            - -c
+            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            privileged: true
+{{- end }}
+      containers:
+        - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+          image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+            {{- range $key, $val := $gateway.ports }}
+            - containerPort: {{ $val.targetPort | default $val.port }}
+              protocol: {{ $val.protocol | default "TCP" }}
+            {{- end }}
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+          args:
+          - proxy
+          - router
+          - --domain
+          - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        {{- if .Values.global.proxy.logLevel }}
+          - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
+        {{- end}}
+        {{- if .Values.global.proxy.componentLogLevel }}
+          - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
+        {{- end}}
+        {{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+        {{- end}}
+        {{- if .Values.global.logAsJson }}
+          - --log_as_json
+        {{- end }}
+        {{- if .Values.global.sts.servicePort }}
+          - --stsPort={{ .Values.global.sts.servicePort }}
+        {{- end }}
+        {{- if not $gateway.runAsRoot }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
+          readinessProbe:
+            failureThreshold: 30
+            httpGet:
+              path: /healthz/ready
+              port: 15021
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+          env:
+          - name: JWT_POLICY
+            value: {{ .Values.global.jwtPolicy }}
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: CA_ADDR
+          {{- if .Values.global.caAddress }}
+            value: {{ .Values.global.caAddress }}
+          {{- else }}
+            value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+          {{- end }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.hostIP
+          - name: ISTIO_CPU_LIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+          - name: ISTIO_META_WORKLOAD_NAME
+            value: {{ $gateway.name }}
+          - name: ISTIO_META_OWNER
+            value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
+          {{- if $.Values.global.meshID }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.meshID }}"
+          {{- else if .Values.meshConfig.trustDomain }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ .Values.meshConfig.trustDomain }}"
+          {{- end }}
+          {{- if .Values.meshConfig.trustDomain }}
+          - name: TRUST_DOMAIN
+            value: "{{ .Values.meshConfig.trustDomain }}"
+          {{- end }}
+          {{- if not $gateway.runAsRoot }}
+          - name: ISTIO_META_UNPRIVILEGED_POD
+            value: "true"
+          {{- end }}
+          {{- range $key, $val := $gateway.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
+          - name: {{ $key }}
+            value: "{{ $value }}"
+          {{- end }}
+          {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
+          {{- if and (not $network_set) .Values.global.network }}
+          - name: ISTIO_META_NETWORK
+            value: "{{ .Values.global.network }}"
+          {{- end }}
+          - name: ISTIO_META_CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: ISTIO_META_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          volumeMounts:
+          - name: workload-socket
+            mountPath: /var/run/secrets/workload-spiffe-uds
+          - name: credential-socket
+            mountPath: /var/run/secrets/credential-uds
+          - name: workload-certs
+            mountPath: /var/run/secrets/workload-spiffe-credentials
+          - name: istio-envoy
+            mountPath: /etc/istio/proxy
+          - name: config-volume
+            mountPath: /etc/istio/config
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+          - mountPath: /var/run/secrets/istio
+            name: istiod-ca-cert
+{{- end }}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+{{- end }}
+          {{- if .Values.global.mountMtlsCerts }}
+          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+          - name: istio-certs
+            mountPath: /etc/certs
+            readOnly: true
+          {{- end }}
+          - mountPath: /var/lib/istio/data
+            name: istio-data
+          - name: podinfo
+            mountPath: /etc/istio/pod
+          {{- range $gateway.secretVolumes }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- range $gateway.configVolumes }}
+          {{- if .mountPath }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      - emptyDir: {}
+        name: workload-certs
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+        configMap:
+          name: istio-ca-root-cert
+{{- end }}
+      - name: podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-envoy
+        emptyDir: {}
+      - name: istio-data
+        emptyDir: {}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+      {{- if .Values.global.mountMtlsCerts }}
+      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+      - name: istio-certs
+        secret:
+          secretName: istio.istio-egressgateway-service-account
+          optional: true
+      {{- end }}
+      - name: config-volume
+        configMap:
+          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+          optional: true
+      {{- range $gateway.secretVolumes }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName | quote }}
+          optional: true
+      {{- end }}
+      {{- range $gateway.configVolumes }}
+      - name: {{ .name }}
+        configMap:
+          name: {{ .configMapName | quote }}
+          optional: true
+      {{- end }}
+      affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+      {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+      tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
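Review bot: in the `istio-certs` volume under `mountMtlsCerts`, `secretName: istio.istio-egressgateway-service-account` is a fixed string, while the workload name and owner in this same template come from `$gateway.name`. If that secret is meant to track the gateway's service account, a renamed gateway silently gets an empty `/etc/certs`, because the volume is `optional: true`. Build the secret name from `$gateway.name`, or drop `optional` for this one volume so a missing secret shows up when the pod is scheduled. A smaller point in the `env` list: `$gateway.env` and `proxyMetadata` values are rendered as `"{{ $val }}"`, where `{{ $val | quote }}` would escape embedded quotes, and `JWT_POLICY`, `PILOT_CERT_PROVIDER` and `CA_ADDR` are not quoted at all.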
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/injected-deployment.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/injected-deployment.yaml
new file mode 100644
index 00000000..4fa160c8
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/injected-deployment.yaml
@@ -0,0 +1,147 @@
+{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if ne $gateway.injectionTemplate "" }}
+{{/* This provides a minimal gateway, ready to be injected.
+     Any settings from values.gateways should be here - these are options specific to the gateway.
+     Global settings, like the image, various env vars and volumes, etc will be injected.
+     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $gateway.name | default "istio-egressgateway" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+  replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $gateway.rollingMaxSurge }}
+      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+        heritage: Tiller
+        release: istio
+        chart: gateways
+{{- end }}
+        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+        operator.istio.io/component: "EgressGateways"
+        sidecar.istio.io/inject: "true"
+        {{- with .Values.revision }}
+        istio.io/rev: {{ . }}
+        {{- end }}
+      annotations:
+        {{- if .Values.meshConfig.enablePrometheusMerge }}
+        prometheus.io/port: "15020"
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/stats/prometheus"
+        {{- end }}
+        sidecar.istio.io/inject: "true"
+        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+    spec:
+{{- if not $gateway.runAsRoot }}
+      securityContext:
+{{- if not (eq .Values.global.platform "openshift") }}
+        runAsUser: 1337
+        runAsGroup: 1337
+{{- end }}
+        runAsNonRoot: true
+{{- end }}
+      serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+        - name: istio-proxy
+          image: auto
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+            {{- range $key, $val := $gateway.ports }}
+            - containerPort: {{ $val.targetPort | default $val.port }}
+              protocol: {{ $val.protocol | default "TCP" }}
+            {{- end }}
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+        {{- if not $gateway.runAsRoot }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
+          resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+          env:
+          {{- if not $gateway.runAsRoot }}
+          - name: ISTIO_META_UNPRIVILEGED_POD
+            value: "true"
+          {{- end }}
+          {{- range $key, $val := $gateway.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          volumeMounts:
+          {{- range $gateway.secretVolumes }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- range $gateway.configVolumes }}
+          {{- if .mountPath }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+      volumes:
+      {{- range $gateway.secretVolumes }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName | quote }}
+          optional: true
+      {{- end }}
+      {{- range $gateway.configVolumes }}
+      - name: {{ .name }}
+        configMap:
+          name: {{ .configMapName | quote }}
+          optional: true
+      {{- end }}
+      affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+      {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+      tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
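Review bot: both `securityContext` blocks (pod level and the `istio-proxy` container) sit entirely inside `{{- if not $gateway.runAsRoot }}`, so `runAsRoot: true` removes `allowPrivilegeEscalation: false`, `privileged: false`, `capabilities.drop: ALL` and `readOnlyRootFilesystem: true` together with the UID settings. The header comment says this pod spec overrides the injection template, so nothing else restores them. Keep the settings that do not depend on the UID outside the conditional, or say in values.yaml that `runAsRoot` switches all of them off.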
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/poddisruptionbudget.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000..1ebbaf70
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
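Review bot: `minAvailable: 1` is fixed, and values.yaml in this change defaults to `autoscaleMin: 1` with `defaultPodDisruptionBudget.enabled: true`. With a single replica this budget permits no voluntary eviction, so a node drain blocks on the gateway pod. Expose the value, or document that the budget should be paired with at least two replicas. The second line also opens with `{{ $gateway` rather than `{{- $gateway`, which leaves a blank line ahead of `apiVersion`.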
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/role.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/role.yaml
new file mode 100644
index 00000000..4d5a64e6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $gateway.name }}-sds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
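Review bot: the single rule under `rules:` grants `get`, `watch` and `list` on every Secret in `.Release.Namespace`, and the Role is rendered unconditionally. The only guard is the values.yaml comment that the gateway should be installed in a separate namespace. Add a template comment stating that requirement next to `rules:`, so that anyone installing into a shared namespace sees that the gateway service account can then read all secrets there. The trailing `---` only produces an empty document and can be dropped.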
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/rolebindings.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/rolebindings.yaml
new file mode 100644
index 00000000..9ef6d226
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $gateway.name }}-sds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+  name: {{ $gateway.name }}-service-account
+---
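Review bot: the `ServiceAccount` entry under `subjects` has no `namespace`, so the binding relies on the subject being resolved to the RoleBinding's own namespace. Adding `namespace: {{ .Release.Namespace }}` makes the principal that receives the secrets Role explicit for anyone auditing the rendered manifest.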
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/service.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/service.yaml
new file mode 100644
index 00000000..4cbcf773
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/service.yaml
@@ -0,0 +1,56 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- range $key, $val := $gateway.serviceAnnotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+  loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+  externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+  type: {{ $gateway.type }}
+  selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+  ports:
+
+    {{- range $key, $val := $gateway.ports }}
+    -
+      {{- range $pkey, $pval := $val }}
+      {{ $pkey}}: {{ $pval }}
+      {{- end }}
+    {{- end }}
+
+  {{ range $app := $gateway.egressPorts }}
+    -
+      port: {{ $app.port }}
+      name: {{ $app.name }}
+  {{- end }}
+{{- if $gateway.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $gateway.ipFamilyPolicy }}
+{{- end }}
+{{- if $gateway.ipFamilies }}
+  ipFamilies:
+{{- range $gateway.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{ end }}
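Review bot: the `ports` loop writes `{{ $pkey}}: {{ $pval }}` for every key of each `$gateway.ports` entry, so whatever is in values lands in the Service port spec verbatim and unquoted. A misspelled key is only caught when the manifest is applied. List the accepted fields explicitly (`port`, `targetPort`, `name`, `protocol`), the way the `egressPorts` loop below already does. Also missing is documentation: `customService`, `loadBalancerIP`, `loadBalancerSourceRanges`, `externalTrafficPolicy` and `egressPorts` are read here but have no entry in this chart's values.yaml, so add commented defaults for them.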
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8ecfb03f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ $gateway.name }}-service-account
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "EgressGateways"
+  {{- with $gateway.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
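Review bot: `name: {{ $gateway.name }}-service-account` has no fallback, while injected-deployment.yaml refers to `{{ $gateway.name | default "istio-egressgateway" }}-service-account`. With an empty `name` the two diverge and the pod references a service account this template never creates under that name. Apply the same `default` here and in the Role and RoleBinding, or move the name into one shared helper.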
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
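Review bot: the header comment explains the merge order but not the inputs: `.Values.profile` and `.Values.compatibilityVersion` are read from the top level and neither has an entry in this chart's values.yaml, so a user has no way to discover them or the accepted names. Document both keys, and note that valid values are those with a matching `files/profile-<name>.yaml`. If the merge depends on this file being evaluated before the other templates, which the `zzz_` prefix suggests, state that in the comment as well.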
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/values.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/values.yaml
new file mode 100644
index 00000000..7e082f3f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-egress/values.yaml
@@ -0,0 +1,306 @@
+defaults:
+  # Standalone istio egress gateway.
+  # Should be installed in a separate namespace, to minimize access to config
+  gateways:
+    istio-egressgateway:
+      name: istio-egressgateway
+      ports:
+      - port: 80
+        targetPort: 8080
+        name: http2
+        protocol: TCP
+      - port: 443
+        name: https
+        targetPort: 8443
+        protocol: TCP
+
+      labels:
+        app: istio-egressgateway
+        istio: egressgateway
+
+      # Scalability tuning
+      # replicaCount: 1
+      rollingMaxSurge: 100%
+      rollingMaxUnavailable: 25%
+      autoscaleEnabled: true
+      autoscaleMin: 1
+      autoscaleMax: 5
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+      cpu:
+        targetAverageUtilization: 80
+      memory: {}
+        # targetAverageUtilization: 80
+
+      serviceAnnotations: {}
+      podAnnotations: {}
+      type: ClusterIP # change to NodePort or LoadBalancer if need be
+
+      # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+      ipFamilyPolicy: ""
+      ipFamilies: []
+
+      secretVolumes:
+      - name: egressgateway-certs
+        secretName: istio-egressgateway-certs
+        mountPath: /etc/istio/egressgateway-certs
+      - name: egressgateway-ca-certs
+        secretName: istio-egressgateway-ca-certs
+        mountPath: /etc/istio/egressgateway-ca-certs
+
+      configVolumes: []
+      additionalContainers: []
+
+      serviceAccount:
+        # Annotations to add to the service account
+        annotations: {}
+
+      ### Advanced options ############
+      # TODO: convert to real options, env should not be exposed
+      env: {}
+        # Set this to "external" if and only if you want the egress gateway to
+        # act as a transparent SNI gateway that routes mTLS/TLS traffic to
+        # external services defined using service entries, where the service
+        # entry has resolution set to DNS, has one or more endpoints with
+        # network field set to "external". By default its set to "" so that
+        # the egress gateway sees the same set of endpoints as the sidecars
+        # preserving backward compatibility
+        # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
+
+      nodeSelector: {}
+      tolerations: []
+
+      # Specify the pod anti-affinity that allows you to constrain which nodes
+      # your pod is eligible to be scheduled based on labels on pods that are
+      # already running on the node rather than based on labels on nodes.
+      # There are currently two types of anti-affinity:
+      #    "requiredDuringSchedulingIgnoredDuringExecution"
+      #    "preferredDuringSchedulingIgnoredDuringExecution"
+      # which denote "hard" vs. "soft" requirements, you can define your values
+      # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+      # correspondingly.
+      # For example:
+      # podAntiAffinityLabelSelector:
+      # - key: security
+      #   operator: In
+      #   values: S1,S2
+      #   topologyKey: "kubernetes.io/hostname"
+      # This pod anti-affinity rule says that the pod requires not to be scheduled
+      # onto a node if that node is already running a pod with label having key
+      # "security" and value "S1".
+      podAntiAffinityLabelSelector: []
+      podAntiAffinityTermLabelSelector: []
+
+      # whether to run the gateway in a privileged container
+      runAsRoot: false
+
+      # The injection template to use for the gateway. If not set, no injection will be performed.
+      injectionTemplate: ""
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # set the default set of namespaces to which services, service entries, virtual services, destination
+    # rules should be exported to. Currently only one value can be provided in this list. This value
+    # should be one of the following two options:
+    # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+    # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+    defaultConfigVisibilitySettings: []
+
+    # Default node selector to be applied to all deployments so that all pods can be
+    # constrained to run a particular nodes. Each component can overwrite these default
+    # values by adding its node selector block in the relevant section below and setting
+    # the desired values.
+    defaultNodeSelector: {}
+
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default node tolerations to be applied to all deployments so that all pods can be
+    # scheduled to a particular nodes with matching taints. Each component can overwrite
+    # these default values by adding its tolerations block in the relevant section below
+    # and setting the desired values.
+    # Configure this field in case that all pods of Istio control plane are expected to
+    # be scheduled to particular nodes with specified taints.
+    defaultTolerations: []
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: addon-containers.istio.tetratelabs.com
+
+    # Default tag for Istio images.
+    tag: 1.21.6-tetrate-v1
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:
+    #   0 - Never scheduled
+    #   1 - Least preferred
+    #   2 - No preference
+    #   3 - Most preferred
+    arch: {}
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # If set, newly injected sidecars will have core dumps enabled.
+      enableCoreDump: false
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    caAddress: ""
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # Configure the policy for validating JWT.
+    # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+    jwtPolicy: "third-party-jwt"
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # whether to use autoscaling/v2 template for HPA settings
+    # for internal usage only, not to be configured by users.
+    autoscalingv2API: true
+
+  meshConfig:
+    enablePrometheusMerge: true
+
+    # The trust domain corresponds to the trust root of a system
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    defaultConfig:
+      proxyMetadata: {}
+      tracing:
+      #      tlsSettings:
+      #        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+      #        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+      #        privateKey:        # example: /etc/istio/tracer/key.pem
+      #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
+      #        sni:               # example: tracer.somedomain
+      #        subjectAltNames: []
+      # - tracer.somedomain
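Review bot: `tracing:` under `meshConfig.defaultConfig` has only commented-out children, so it parses as a null value rather than an empty map; write `tracing: {}` the way `proxyMetadata: {}` is written on the line above. The commented `# - tracer.somedomain` entry is also indented less than the `subjectAltNames` key it belongs to, which makes the example misleading once uncommented. Separately, `meshID: ""` falls back to the trust domain and the comment there says the best practice is to select a proper Trust Domain value, yet `trustDomain` ships as `"cluster.local"`; add a line at `trustDomain` telling operators to set it explicitly for multicluster installs.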
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/Chart.yaml
new file mode 100644
index 00000000..0faf0af2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+name: istio-ingress
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+  - istio
+  - ingressgateway
+  - gateways
+sources:
+  - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
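Review bot: `sources` lists `http://github.com/istio/istio`; use the `https://` URL, as the `icon` line already does. `tillerVersion: ">=2.7.2"` and `engine: gotpl` are Helm 2 era fields, so if this chart is only installed with Helm 3, drop them or add a comment saying why they are kept.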
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/NOTES.txt
new file mode 100644
index 00000000..221ee560
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/NOTES.txt
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
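Review bot: the statement that the chart "uses the default namespace service account, and doesn't require additional RBAC permissions" does not match templates/deployment.yaml in this same patch, which sets `serviceAccountName: {{ $gateway.name }}-service-account`. Update the note so operators know a dedicated service account is expected in the gateway namespace. In the migration list, step 3 should read "Check that the new gateway works", and since steps 2 and 8 move TLS key material between namespaces, it is worth saying that only the secrets the gateway actually serves should be copied.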
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
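Review bot: `CA_TRUSTED_NODE_ACCOUNTS` trusts `kube-system/ztunnel` as well as `istio-system/ztunnel`, with no comment saying why both are needed. Accounts on this list may request workload certificates on behalf of other identities on their node, so list only the namespace ztunnel is actually deployed to, or document the reason for the second entry. `cni.privileged: true` also deserves a one-line justification, and the file sets `pilot` and `cni` values although it lives under the istio-ingress gateway chart, so a header line saying which chart consumes them would help.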
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
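Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` switch off the two settings that profile-ambient.yaml in this patch describes as the "more secure default", and this file has no header comment at all. Add a comment stating that the profile restores 1.20 behaviour and what it gives up, so it is not selected without understanding that client-side certificate verification is disabled.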
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
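Review bot: the `istio-ingressgateway.ports` list exposes 31400 (`tcp`) and 15443 (`tls`, the SNI routing port) in addition to 80 and 443, and `traceSampling: 100` samples every request. The header says the profile is for non-production use, but that warning is 40 lines away from the `ports` list; repeat it there, since the `##` comment invites users to copy the whole list into their own overrides. The file also ends without a trailing newline.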
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
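Review bot: `platform: openshift` on the last line duplicates `global.platform: openshift`, and templates/deployment.yaml in this patch reads `.Values.global.platform`, so either say which consumer needs the top-level key or remove it. The same applies to `chained: false`, which is set under both `cni` and `istio_cni`. `privileged: true` has no comment explaining why the CNI component needs it on this platform, and the file has no trailing newline.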
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/_affinity.tpl b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/_affinity.tpl
new file mode 100644
index 00000000..fc1ec540
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/_affinity.tpl
@@ -0,0 +1,104 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{ define "nodeaffinity" }}
+nodeAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+  {{- include "nodeAffinityRequiredDuringScheduling" . }}
+  preferredDuringSchedulingIgnoredDuringExecution:
+  {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+  {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+  {{- if or .global.arch $nodeSelector }}
+      nodeSelectorTerms:
+      - matchExpressions:
+        {{- if .global.arch }}
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+        {{- range $key, $val := .global.arch }}
+          {{- if gt ($val | int) 0 }}
+          - {{ $key | quote }}
+          {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- range $key, $val := $nodeSelector }}
+        - key: {{ $key }}
+          operator: In
+          values:
+          - {{ $val | quote }}
+        {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+  {{- range $key, $val := .global.arch }}
+    {{- if gt ($val | int) 0 }}
+    - weight: {{ $val | int }}
+      preference:
+        matchExpressions:
+        - key: kubernetes.io/arch
+          operator: In
+          values:
+          - {{ $key | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+  podAntiAffinity:
+    {{- if .podAntiAffinityLabelSelector }}
+    requiredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+    {{- end }}
+    {{- if .podAntiAffinityTermLabelSelector }}
+    preferredDuringSchedulingIgnoredDuringExecution:
+    {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityLabelSelector }}
+    - labelSelector:
+        matchExpressions:
+        - key: {{ $item.key }}
+          operator: {{ $item.operator }}
+          {{- if $item.values }}
+          values:
+          {{- $vals := split "," $item.values }}
+          {{- range $i, $v := $vals }}
+          - {{ $v | quote }}
+          {{- end }}
+          {{- end }}
+      topologyKey: {{ $item.topologyKey }}
+      {{- if $item.namespaces }}
+      namespaces:
+      {{- $ns := split "," $item.namespaces }}
+      {{- range $i, $n := $ns }}
+      - {{ $n | quote }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+    {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+    - podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: {{ $item.key }}
+            operator: {{ $item.operator }}
+            {{- if $item.values }}
+            values:
+            {{- $vals := split "," $item.values }}
+            {{- range $i, $v := $vals }}
+            - {{ $v | quote }}
+            {{- end }}
+            {{- end }}
+        topologyKey: {{ $item.topologyKey }}
+      weight: 100
+    {{- end }}
+{{- end }}
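Review bot: in `nodeaffinity`, `requiredDuringSchedulingIgnoredDuringExecution:` is written unconditionally, but `nodeAffinityRequiredDuringScheduling` emits nothing when both `.global.arch` and the node selector are empty, which leaves the key with a null value; `preferredDuringSchedulingIgnoredDuringExecution:` has the same problem when `.global.arch` is empty. Wrap each key in the same condition as its body. Also, `key: {{ $key }}`, `key: {{ $item.key }}`, `operator: {{ $item.operator }}` and `topologyKey: {{ $item.topologyKey }}` are rendered unquoted while the values beside them use `| quote`; quote them as well so a value with YAML-significant characters cannot change the structure of the rendered manifest.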
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/autoscale.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/autoscale.yaml
new file mode 100644
index 00000000..0d7ed0cd
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/autoscale.yaml
@@ -0,0 +1,60 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+{{- if not .Values.global.autoscalingv2API }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+  maxReplicas: {{ $gateway.autoscaleMax }}
+  minReplicas: {{ $gateway.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $gateway.name }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- else }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+  maxReplicas: {{ $gateway.autoscaleMax }}
+  minReplicas: {{ $gateway.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ $gateway.name }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
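Review bot: in the `autoscaling/v2beta1` branch, `istio.io/rev: {{ .Values.revision | default "default" }}` is missing the `| quote` that the same label has in the v2 branch, so a numeric-looking revision would render as a non-string label value there. Add `| quote` to keep the two branches consistent. The outer `if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax` also renders no HPA at all, without any error, when `autoscaleEnabled` is true but a bound is unset; a `required` check or a comment in values.yaml would make that failure visible.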
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/deployment.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/deployment.yaml
new file mode 100644
index 00000000..081a6d1f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/deployment.yaml
@@ -0,0 +1,345 @@
+{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if eq $gateway.injectionTemplate "" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+  replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $gateway.rollingMaxSurge }}
+      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+        heritage: Tiller
+        release: istio
+        chart: gateways
+{{- end }}
+        service.istio.io/canonical-name: {{ $gateway.name }}
+        service.istio.io/canonical-revision: {{ index $gateway.labels "app.kubernetes.io/version" | default (index $gateway.labels "version") | default .Values.revision | default "latest" | quote }}
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+        operator.istio.io/component: "IngressGateways"
+        sidecar.istio.io/inject: "false"
+      annotations:
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        {{- if .Values.meshConfig.enablePrometheusMerge }}
+        prometheus.io/port: "15020"
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/stats/prometheus"
+        {{- end }}
+        sidecar.istio.io/inject: "false"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+    spec:
+{{- if not $gateway.runAsRoot }}
+      securityContext:
+{{- if not (eq .Values.global.platform "openshift") }}
+        runAsUser: 1337
+        runAsGroup: 1337
+{{- end }}
+        runAsNonRoot: true
+{{- end }}
+      serviceAccountName: {{ $gateway.name }}-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.proxy.enableCoreDump }}
+      initContainers:
+        - name: enable-core-dump
+{{- if contains "/" .Values.global.proxy.image }}
+          image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          command:
+            - /bin/sh
+          args:
+            - -c
+            - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            privileged: true
+{{- end }}
+      containers:
+        - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+          image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+          image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}{{with (.Values.global.proxy.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+            {{- range $key, $val := $gateway.ports }}
+            - containerPort: {{ $val.targetPort | default $val.port }}
+              protocol: {{ $val.protocol | default "TCP" }}
+            {{- end }}
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+          args:
+          - proxy
+          - router
+          - --domain
+          - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        {{- if .Values.global.proxy.logLevel }}
+          - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
+        {{- end}}
+        {{- if .Values.global.proxy.componentLogLevel }}
+          - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
+        {{- end}}
+        {{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+        {{- end}}
+        {{- if .Values.global.logAsJson }}
+          - --log_as_json
+        {{- end }}
+        {{- if .Values.global.sts.servicePort }}
+          - --stsPort={{ .Values.global.sts.servicePort }}
+        {{- end }}
+        {{- if not $gateway.runAsRoot }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
+          readinessProbe:
+            failureThreshold: 30
+            httpGet:
+              path: /healthz/ready
+              port: 15021
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+          env:
+          - name: JWT_POLICY
+            value: {{ .Values.global.jwtPolicy }}
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: CA_ADDR
+          {{- if .Values.global.caAddress }}
+            value: {{ .Values.global.caAddress }}
+          {{- else }}
+            value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+          {{- end }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: INSTANCE_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          - name: HOST_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.hostIP
+          - name: ISTIO_CPU_LIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+          - name: ISTIO_META_WORKLOAD_NAME
+            value: {{ $gateway.name }}
+          - name: ISTIO_META_OWNER
+            value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
+          {{- if $.Values.global.meshID }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ $.Values.global.meshID }}"
+          {{- else if .Values.meshConfig.trustDomain }}
+          - name: ISTIO_META_MESH_ID
+            value: "{{ .Values.meshConfig.trustDomain }}"
+          {{- end }}
+          {{- if .Values.meshConfig.trustDomain }}
+          - name: TRUST_DOMAIN
+            value: "{{ .Values.meshConfig.trustDomain }}"
+          {{- end }}
+          {{- if not $gateway.runAsRoot }}
+          - name: ISTIO_META_UNPRIVILEGED_POD
+            value: "true"
+          {{- end }}
+          {{- range $key, $val := $gateway.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
+          - name: {{ $key }}
+            value: "{{ $value }}"
+          {{- end }}
+          {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
+          {{- if and (not $network_set) .Values.global.network }}
+          - name: ISTIO_META_NETWORK
+            value: "{{ .Values.global.network }}"
+          {{- end }}
+          - name: ISTIO_META_CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: ISTIO_META_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          volumeMounts:
+          - name: workload-socket
+            mountPath: /var/run/secrets/workload-spiffe-uds
+          - name: credential-socket
+            mountPath: /var/run/secrets/credential-uds
+          - name: workload-certs
+            mountPath: /var/run/secrets/workload-spiffe-credentials
+          - name: istio-envoy
+            mountPath: /etc/istio/proxy
+          - name: config-volume
+            mountPath: /etc/istio/config
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+          - mountPath: /var/run/secrets/istio
+            name: istiod-ca-cert
+{{- end }}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+{{- end }}
+          {{- if .Values.global.mountMtlsCerts }}
+          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+          - name: istio-certs
+            mountPath: /etc/certs
+            readOnly: true
+          {{- end }}
+          - mountPath: /var/lib/istio/data
+            name: istio-data
+          - name: podinfo
+            mountPath: /etc/istio/pod
+          {{- range $gateway.secretVolumes }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- range $gateway.configVolumes }}
+          {{- if .mountPath }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      - emptyDir: {}
+        name: workload-certs
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+        configMap:
+          name: istio-ca-root-cert
+{{- end }}
+      - name: podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      - name: istio-envoy
+        emptyDir: {}
+      - name: istio-data
+        emptyDir: {}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+      {{- if .Values.global.mountMtlsCerts }}
+      # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+      - name: istio-certs
+        secret:
+          secretName: istio.istio-ingressgateway-service-account
+          optional: true
+      {{- end }}
+      - name: config-volume
+        configMap:
+          name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+          optional: true
+      {{- range $gateway.secretVolumes }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName | quote }}
+          optional: true
+      {{- end }}
+      {{- range $gateway.configVolumes }}
+      - name: {{ .name }}
+        configMap:
+          name: {{ .configMapName | quote }}
+          optional: true
+      {{- end }}
+      affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+      {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+      tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
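Review bot: the `enable-core-dump` init container runs with `privileged: true`, `runAsUser: 0` and `runAsNonRoot: false` whenever `global.proxy.enableCoreDump` is set, independent of `$gateway.runAsRoot`, so it overrides the pod-level `runAsNonRoot: true` that the rest of the template takes care to set. Add a comment at that block stating it is a debugging aid that grants a privileged root container on an internet-facing gateway, and consider refusing the combination when `runAsRoot` is false. Further down, `value: "{{ $val }}"` for `$gateway.env` and `value: "{{ $value }}"` for `proxyMetadata` should use `| quote`, as injected-deployment.yaml in this patch does, so a value containing a double quote cannot break the manifest. The `istio-certs` volume also hard-codes `secretName: istio.istio-ingressgateway-service-account` while `serviceAccountName` is derived from `$gateway.name`, so the two diverge for a renamed gateway.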
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/injected-deployment.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/injected-deployment.yaml
new file mode 100644
index 00000000..ec4a4e0f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/injected-deployment.yaml
@@ -0,0 +1,147 @@
+{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if ne $gateway.injectionTemplate "" }}
+{{/* This provides a minimal gateway, ready to be injected.
+     Any settings from values.gateways should be here - these are options specific to the gateway.
+     Global settings, like the image, various env vars and volumes, etc will be injected.
+     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $gateway.name | default "istio-ingressgateway" }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+  replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ $gateway.rollingMaxSurge }}
+      maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+        heritage: Tiller
+        release: istio
+        chart: gateways
+{{- end }}
+        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+        operator.istio.io/component: "IngressGateways"
+        sidecar.istio.io/inject: "true"
+        {{- with .Values.revision }}
+        istio.io/rev: {{ . }}
+        {{- end }}
+      annotations:
+        {{- if .Values.meshConfig.enablePrometheusMerge }}
+        prometheus.io/port: "15020"
+        prometheus.io/scrape: "true"
+        prometheus.io/path: "/stats/prometheus"
+        {{- end }}
+        sidecar.istio.io/inject: "true"
+        inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+    spec:
+{{- if not $gateway.runAsRoot }}
+      securityContext:
+{{- if not (eq .Values.global.platform "openshift") }}
+        runAsUser: 1337
+        runAsGroup: 1337
+{{- end }}
+        runAsNonRoot: true
+{{- end }}
+      serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+        - name: istio-proxy
+          image: auto
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          ports:
+            {{- range $key, $val := $gateway.ports }}
+            - containerPort: {{ $val.targetPort | default $val.port }}
+              protocol: {{ $val.protocol | default "TCP" }}
+            {{- end }}
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+        {{- if not $gateway.runAsRoot }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
+          resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+          env:
+          {{- if not $gateway.runAsRoot }}
+          - name: ISTIO_META_UNPRIVILEGED_POD
+            value: "true"
+          {{- end }}
+          {{- range $key, $val := $gateway.env }}
+          - name: {{ $key }}
+            value: {{ $val | quote }}
+          {{- end }}
+          volumeMounts:
+          {{- range $gateway.secretVolumes }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- range $gateway.configVolumes }}
+          {{- if .mountPath }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath | quote }}
+            readOnly: true
+          {{- end }}
+          {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+      volumes:
+      {{- range $gateway.secretVolumes }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName | quote }}
+          optional: true
+      {{- end }}
+      {{- range $gateway.configVolumes }}
+      - name: {{ .name }}
+        configMap:
+          name: {{ .configMapName | quote }}
+          optional: true
+      {{- end }}
+      affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+      {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+      tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+      tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
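Review bot: when `$gateway.runAsRoot` is true, both the pod-level `securityContext` and the container-level block (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `privileged: false`, `readOnlyRootFilesystem: true`) are omitted, so a single flag removes every hardening setting at once rather than only the non-root requirement. Consider keeping `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` unconditional and gating only `runAsNonRoot`, `runAsUser`/`runAsGroup` and the capability drop on the flag. Separately, `$gateway.additionalContainers` is rendered verbatim with no securityContext of its own, which is worth a comment next to that value.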
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000..ba633fce
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
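Review bot: `minAvailable: 1` is hard-coded, and with the chart defaults (`autoscaleMin: 1`, `replicaCount` commented out) a gateway running at its minimum has no allowed disruptions, so a node drain will block on this pod. Either make `minAvailable` configurable or raise the default minimum replica count to 2. `name: {{ $gateway.name }}` also omits the `default "istio-ingressgateway"` fallback that the Deployment uses.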
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/role.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/role.yaml
new file mode 100644
index 00000000..be8d0a53
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $gateway.name }}-sds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
+---
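Review bot: the rule grants `get`, `watch` and `list` on every Secret in the release namespace, and nothing in the template limits it to the gateway's TLS credentials. If that breadth is required for SDS, the template should carry a comment stating that it relies on the gateway being installed in its own namespace (as the values.yaml header says), or the chart should `fail` when `.Release.Namespace` equals `.Values.global.istioNamespace`, so the grant cannot silently cover control-plane secrets.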
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/rolebindings.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/rolebindings.yaml
new file mode 100644
index 00000000..d42dcb37
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $gateway.name }}-sds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+  name: {{ $gateway.name }}-service-account
+---
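Review bot: the ServiceAccount subject carries no `namespace`, so the binding depends on the subject being resolved to the RoleBinding's own namespace. Add `namespace: {{ .Release.Namespace }}` under the subject so the grant is explicit and stays correct if this block is ever reused in a cluster-scoped binding.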
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/service.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/service.yaml
new file mode 100644
index 00000000..2aefc0e9
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/service.yaml
@@ -0,0 +1,56 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $gateway.name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- range $key, $val := $gateway.serviceAnnotations }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end }}
+  labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+  loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+  externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+  type: {{ $gateway.type }}
+  selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+  ports:
+
+    {{- range $key, $val := $gateway.ports }}
+    -
+      {{- range $pkey, $pval := $val }}
+      {{ $pkey}}: {{ $pval }}
+      {{- end }}
+    {{- end }}
+
+  {{ range $app := $gateway.ingressPorts }}
+    -
+      port: {{ $app.port }}
+      name: {{ $app.name }}
+  {{- end }}
+{{- if $gateway.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ $gateway.ipFamilyPolicy }}
+{{- end }}
+{{- if $gateway.ipFamilies }}
+  ipFamilies:
+{{- range $gateway.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{ end }}
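Review bot: the `ports` loop emits every key of each `$gateway.ports` entry as `{{ $pkey}}: {{ $pval }}`, unquoted and unfiltered, so a mistyped or extra key in values lands directly in the Service spec, and a string value that looks like a number or boolean changes type on the way through. Rendering each entry with `toYaml`, or listing `name`, `port`, `targetPort` and `protocol` explicitly the way the `ingressPorts` loop lists `port` and `name`, would make the output predictable. The blank line after `ports:` and the untrimmed `{{ range $app := ... }}` also leave stray whitespace in the rendered manifest.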
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/serviceaccount.yaml
new file mode 100644
index 00000000..a3735f1d
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: {{ $gateway.name }}-service-account
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "IngressGateways"
+  {{- with $gateway.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
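Review bot: `name: {{ $gateway.name }}-service-account` has no fallback, while the Deployment sets `serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account`. If `name` is ever empty the pod references an account this template does not create, and the `-sds` RoleBinding binds a third name. Apply the same `default` in the ServiceAccount, Role and RoleBinding templates, or drop it from the Deployment so an empty name fails consistently.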
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
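Review bot: `printf "files/profile-compatibility-version-%s.yaml" .` assumes `.Values.compatibilityVersion` is a string, but the only file shipped is `profile-compatibility-version-1.20.yaml`, and an unquoted `compatibilityVersion: 1.20` in a values file is a YAML number, so the lookup misses and the chart fails with "unknown compatibility version". Document that the value must be quoted, or check the type and fail with a message that says so. The same `with $.Files.Get ...` pattern treats an empty file as missing, so a profile file that exists but is empty is also reported as unknown.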
diff --git a/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/values.yaml b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/values.yaml
new file mode 100644
index 00000000..b0c26b51
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/gateways/istio-ingress/values.yaml
@@ -0,0 +1,325 @@
+defaults:
+  # A-la-carte istio ingress gateway.
+  # Must be installed in a separate namespace, to minimize access to secrets.
+  gateways:
+    istio-ingressgateway:
+      name: istio-ingressgateway
+      labels:
+        app: istio-ingressgateway
+        istio: ingressgateway
+      ports:
+      ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+      # Note that AWS ELB will by default perform health checks on the first port
+      # on this list. Setting this to the health check port will ensure that health
+      # checks always work. https://github.com/istio/istio/issues/12503
+      - port: 15021
+        targetPort: 15021
+        name: status-port
+        protocol: TCP
+      - port: 80
+        targetPort: 8080
+        name: http2
+        protocol: TCP
+      - port: 443
+        targetPort: 8443
+        name: https
+        protocol: TCP
+
+      # Scalability tuning
+      # replicaCount: 1
+      rollingMaxSurge: 100%
+      rollingMaxUnavailable: 25%
+      autoscaleEnabled: true
+      autoscaleMin: 1
+      autoscaleMax: 5
+
+      cpu:
+        targetAverageUtilization: 80
+      memory: {}
+        # targetAverageUtilization: 80
+
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: []
+      serviceAnnotations: {}
+
+      # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+      ipFamilyPolicy: ""
+      ipFamilies: []
+
+      # To generate an internal load balancer:
+      # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
+      #serviceAnnotations:
+      #    cloud.google.com/load-balancer-type: "internal"
+
+      podAnnotations: {}
+      type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+
+      ##############
+      secretVolumes:
+      - name: ingressgateway-certs
+        secretName: istio-ingressgateway-certs
+        mountPath: /etc/istio/ingressgateway-certs
+      - name: ingressgateway-ca-certs
+        secretName: istio-ingressgateway-ca-certs
+        mountPath: /etc/istio/ingressgateway-ca-certs
+
+      customService: false
+      externalTrafficPolicy: ""
+
+      ingressPorts: []
+      additionalContainers: []
+      configVolumes: []
+
+      serviceAccount:
+        # Annotations to add to the service account
+        annotations: {}
+
+      ### Advanced options ############
+      env: {}
+      nodeSelector: {}
+      tolerations: []
+
+      # Specify the pod anti-affinity that allows you to constrain which nodes
+      # your pod is eligible to be scheduled based on labels on pods that are
+      # already running on the node rather than based on labels on nodes.
+      # There are currently two types of anti-affinity:
+      #    "requiredDuringSchedulingIgnoredDuringExecution"
+      #    "preferredDuringSchedulingIgnoredDuringExecution"
+      # which denote "hard" vs. "soft" requirements, you can define your values
+      # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+      # correspondingly.
+      # For example:
+      # podAntiAffinityLabelSelector:
+      # - key: security
+      #   operator: In
+      #   values: S1,S2
+      #   topologyKey: "kubernetes.io/hostname"
+      # This pod anti-affinity rule says that the pod requires not to be scheduled
+      # onto a node if that node is already running a pod with label having key
+      # "security" and value "S1".
+      podAntiAffinityLabelSelector: []
+      podAntiAffinityTermLabelSelector: []
+
+      # whether to run the gateway in a privileged container
+      runAsRoot: false
+
+      # The injection template to use for the gateway. If not set, no injection will be performed.
+      injectionTemplate: ""
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # set the default set of namespaces to which services, service entries, virtual services, destination
+    # rules should be exported to. Currently only one value can be provided in this list. This value
+    # should be one of the following two options:
+    # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+    # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+    defaultConfigVisibilitySettings: []
+
+    # Default node selector to be applied to all deployments so that all pods can be
+    # constrained to run a particular nodes. Each component can overwrite these default
+    # values by adding its node selector block in the relevant section below and setting
+    # the desired values.
+    defaultNodeSelector: {}
+
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default node tolerations to be applied to all deployments so that all pods can be
+    # scheduled to a particular nodes with matching taints. Each component can overwrite
+    # these default values by adding its tolerations block in the relevant section below
+    # and setting the desired values.
+    # Configure this field in case that all pods of Istio control plane are expected to
+    # be scheduled to particular nodes with specified taints.
+    defaultTolerations: []
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: addon-containers.istio.tetratelabs.com
+
+    # Default tag for Istio images.
+    tag: 1.21.6-tetrate-v1
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:
+    #   0 - Never scheduled
+    #   1 - Least preferred
+    #   2 - No preference
+    #   3 - Most preferred
+    arch: {}
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # If set, newly injected sidecars will have core dumps enabled.
+      enableCoreDump: false
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    caAddress: ""
+
+    # Used to locate istiod.
+    istioNamespace: istio-system
+
+    # Configure the policy for validating JWT.
+    # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+    jwtPolicy: "third-party-jwt"
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+      # The suffix for global service names
+      globalDomainSuffix: "global"
+      # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
+      includeEnvoyFilter: true
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+    # whether to use autoscaling/v2 template for HPA settings
+    # for internal usage only, not to be configured by users.
+    autoscalingv2API: true
+
+  meshConfig:
+    enablePrometheusMerge: true
+
+    # The trust domain corresponds to the trust root of a system
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    defaultConfig:
+      proxyMetadata: {}
+      tracing:
+      #      tlsSettings:
+      #        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+      #        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+      #        privateKey:        # example: /etc/istio/tracer/key.pem
+      #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
+      #        sni:               # example: tracer.somedomain
+      #        subjectAltNames: []
+      # - tracer.somedomain
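Review bot: the defaults `type: LoadBalancer` and `loadBalancerSourceRanges: []` publish every listed port, including `status-port` 15021, to any source address, and no comment on either value says so. Add a comment beside `loadBalancerSourceRanges` explaining that an empty list means unrestricted access, and consider whether the health port needs to be on the external Service at all outside the AWS ELB case the comment mentions. Two comments are also stale: `ipFamilyPolicy` is described as configuring the "istiod Service" although this chart renders the gateway Service, and the `hub` comment says releases are published to Docker Hub while the value is `addon-containers.istio.tetratelabs.com`.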
diff --git a/charts/istio/1.21.6-tetrate-v1/install-OpenShift.md b/charts/istio/1.21.6-tetrate-v1/install-OpenShift.md
new file mode 100644
index 00000000..72b0a686
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/install-OpenShift.md
@@ -0,0 +1,43 @@
+# Installing Istio on OpenShift using Helm
+
+> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio.
+
+To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows:
+
+```console
+kubectl create namespace istio-system
+```
+
+The installation process using the Helm charts is as follows:
+
+1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended.
+
+```console
+helm install istio-base -n istio-system manifests/charts/base
+```
+
+2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage.
+
+```console
+helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.privileged=true --set cni.provider=multus --set cni.logLevel=info
+```
+
+3) `istio-control/istio-discovery` chart installs a revision of istiod.
+
+```console
+ helm install -n istio-system istiod manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set istio_cni.chained=false --set global.platform=openshift
+```
+
+4) `gateways` charts install a load balancer with `ingress` and `egress`.
+
+Ingress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt
+```
+
+Egress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt
+```
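Review bot: step 4 says ingress and egress "secrets and access should be separated from the control plane", yet both commands install into `-n istio-system`, the same namespace used for istiod in step 3 and the one values.yaml warns against ("Must be installed in a separate namespace, to minimize access to secrets"). Use a dedicated namespace in the example commands, or explain why OpenShift is an exception. The chart paths (`manifests/charts/...`) also do not match where this README lives (`charts/istio/1.21.6-tetrate-v1/`), so the commands will not run from this repository as written.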
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/Chart.yaml
new file mode 100644
index 00000000..0df6477a
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: cni
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+description: Helm chart for istio-cni components
+keywords:
+  - istio-cni
+  - istio
+sources:
+  - https://github.com/istio/istio/tree/release-1.21/cni
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
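Review bot: the comment above `version` says the value "is never actually shipped" and will be replaced at build time, but the file pins the concrete release `1.21.6-tetrate-v1` in both `version` and `appVersion`. Drop or reword the comment so readers do not assume the version is a placeholder.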
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/README.md b/charts/istio/1.21.6-tetrate-v1/istio-cni/README.md
new file mode 100644
index 00000000..a8b78d5b
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/README.md
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
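Review bot: the Calico section tells operators to set `workloadSourceSpoofing` to `Any` (or `FELIX_WORKLOADSOURCESPOOFING=Any`) and mentions only in a trailing parenthesis that this lets annotated pods skip the rpf check. State up front that this relaxes source-address validation, that it is needed only for ambient mode, and which annotation opts a pod in, so the change is not applied to clusters that do not need it. The chart name is also inconsistent between `helm install istio-cni istio/cni` and `helm show values istio/istio-cni`, and the repo added is the upstream Istio one rather than the chart vendored in this directory.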
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
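Review bot: `CA_TRUSTED_NODE_ACCOUNTS` lists `ztunnel` in both `istio-system` and `kube-system`, so the profile trusts a service account in a namespace where ztunnel may not be deployed. Limit the list to the namespace the ztunnel chart is actually installed in, or add a comment explaining why both are needed. `cni.privileged: true` is likewise set without a comment on why ambient requires it, and the header comment ends mid-sentence after "must be deployed".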
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
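Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` are set here with no comment, while profile-ambient.yaml in the same patch describes turning them on as the "more secure default". Add a header comment stating that selecting compatibilityVersion 1.20 switches both back off. Note also that zzz_profile.yaml merges this file over the selected profile (`mustMergeOverwrite $profile (. | fromYaml)`), so `profile=ambient` combined with this compatibility version ends up with both values "false"; that interaction should be documented.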
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
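Review bot: The comment "# This is the port where sni routing happens" is indented as though it belongs to the `tcp` (31400) entry, but it describes the `15443` entry that follows; move it to list-item indentation directly above `- port: 15443`. The file also ends without a trailing newline.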
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
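Review bot: `chained: false` is set under both `cni` and `istio_cni`, and `platform: openshift` under both `global` and the top level, with no indication of which key is read where. The templates in this chart read `.Values.cni.chained` (daemonset.yaml) and `.Values.platform` (clusterrole.yaml); add a comment marking the other two as being for other charts, or drop them. It would also help to note next to `privileged: true` that this profile is what enables the `use` rule on the `privileged` SecurityContextConstraints in clusterrole.yaml. The file ends without a trailing newline.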
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/NOTES.txt
new file mode 100644
index 00000000..99462824
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/NOTES.txt
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrole.yaml
new file mode 100644
index 00000000..64dfe6bf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrole.yaml
@@ -0,0 +1,70 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-cni
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+  resources: ["pods","nodes","namespaces"]
+  verbs: ["get", "list", "watch"]
+{{- if (eq .Values.platform "openshift") }}
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{{- end }}
+---
+{{- if .Values.cni.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-cni-repair-role
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["watch", "get", "list"]
+{{- if .Values.cni.repair.repairPods }}
+{{- /*  No privileges needed*/}}
+{{- else if .Values.cni.repair.deletePods }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["delete"]
+{{- else if .Values.cni.repair.labelPods }}
+  - apiGroups: [""]
+    {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+    resources: ["pods/status"]
+    verbs: ["patch", "update"]
+{{- end }}
+{{- end }}
+---
+{{- if .Values.cni.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-cni-ambient
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+  {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}}
+  resources: ["pods/status"]
+  verbs: ["patch", "update"]
+{{- end }}
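Review bot: The `if repairPods / else if deletePods / else if labelPods` chain in `istio-cni-repair-role` silently picks one mode when more than one flag is true, but daemonset.yaml passes all three flags to the container as `REPAIR_REPAIR_PODS`, `REPAIR_DELETE_PODS` and `REPAIR_LABEL_PODS` unchanged. With the default `repairPods: true` plus `deletePods: true`, the role grants no `delete` verb while the agent is still told to delete pods. values.yaml says only one mode may be used, so enforce that with a `fail` when more than one is set rather than relying on branch order. Separately, the `---` separators sit outside the `if` blocks, so disabled sections render as empty documents; moving each `---` inside its conditional keeps the output clean.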
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..570f15cf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-cni
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-cni
+subjects:
+- kind: ServiceAccount
+  name: istio-cni
+  namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.cni.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-cni-repair-rolebinding
+  labels:
+    k8s-app: istio-cni-repair
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+subjects:
+- kind: ServiceAccount
+  name: istio-cni
+  namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-cni-repair-role
+{{- end }}
+---
+{{- if .Values.cni.ambient.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-cni-ambient
+  labels:
+    k8s-app: istio-cni-repair
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+subjects:
+  - kind: ServiceAccount
+    name: istio-cni
+    namespace: {{ .Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-cni-ambient
+{{- end }}
\ No newline at end of file
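Review bot: The `istio-cni-ambient` ClusterRoleBinding carries the label `k8s-app: istio-cni-repair`, which looks copied from the repair binding above it; a label selector on that value would match both bindings. Use the same `app: istio-cni` and `release` labels as the first binding and as the matching ClusterRole in clusterrole.yaml, for both the repair and ambient bindings. The file ends without a trailing newline.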
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/configmap-cni.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/configmap-cni.yaml
new file mode 100644
index 00000000..cf4e020d
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/configmap-cni.yaml
@@ -0,0 +1,34 @@
+{{- $defaultBinDir :=
+    (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+      "/home/kubernetes/bin"
+      "/opt/cni/bin"
+}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: istio-cni-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+data:
+  # The CNI network configuration to add to the plugin chain on each node.  The special
+  # values in this config will be automatically populated.
+  cni_network_config: |-
+        {
+          "cniVersion": "0.3.1",
+          "name": "istio-cni",
+          "type": "istio-cni",
+          "log_level": {{ quote .Values.cni.logLevel }},
+          "log_uds_address": "__LOG_UDS_ADDRESS__",
+          {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}}
+          "cni_event_address": "__CNI_EVENT_ADDRESS__",
+          "kubernetes": {
+              "kubeconfig": "__KUBECONFIG_FILEPATH__",
+              "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }},
+              "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ]
+          }
+        }
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/daemonset.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/daemonset.yaml
new file mode 100644
index 00000000..2449edee
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/daemonset.yaml
@@ -0,0 +1,228 @@
+# This manifest installs the Istio install-cni container, as well
+# as the Istio CNI plugin and config on
+# each master and worker node in a Kubernetes cluster.
+{{- $defaultBinDir :=
+    (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary
+      "/home/kubernetes/bin"
+      "/opt/cni/bin"
+}}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: istio-cni-node
+  namespace: {{ .Release.Namespace }}
+  labels:
+    k8s-app: istio-cni-node
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: istio-cni-node
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }}
+  template:
+    metadata:
+      labels:
+        k8s-app: istio-cni-node
+        sidecar.istio.io/inject: "false"
+      annotations:
+        sidecar.istio.io/inject: "false"
+        ambient.istio.io/redirection: disabled
+        # Add Prometheus Scrape annotations
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: "15014"
+        prometheus.io/path: '/metrics'
+        # Custom annotations
+        {{- if .Values.cni.podAnnotations }}
+{{ toYaml .Values.cni.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+      {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes
+      {{- with .Values.cni.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      tolerations:
+        # Make sure istio-cni-node gets scheduled on all nodes.
+        - effect: NoSchedule
+          operator: Exists
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      priorityClassName: system-node-critical
+      serviceAccountName: istio-cni
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 5
+      containers:
+        # This container installs the Istio CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+{{- if contains "/" .Values.cni.image }}
+          image: "{{ .Values.cni.image }}"
+{{- else }}
+          image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }}
+{{- end }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8000
+          securityContext:
+            runAsGroup: 0
+            runAsUser: 0
+            runAsNonRoot: false
+{{- if .Values.cni.ambient.enabled }}
+            capabilities:
+              drop:
+              - ALL
+              add:
+              - NET_ADMIN
+              # TODO this, `privileged`, etc need to be reworked - both sidecar (repair) and ambient require SYS_ADMIN
+              # and istio-cni is *always* privileged to some degree, regardless of the `privileged` flag
+              - SYS_ADMIN
+              - NET_RAW
+{{- end }}
+            privileged: {{ .Values.cni.privileged }}
+{{- if .Values.cni.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }}
+{{- end }}
+          command: ["install-cni"]
+          args:
+            {{- if .Values.global.logging.level }}
+            - --log_output_level={{ .Values.global.logging.level }}
+            {{- end}}
+            {{- if .Values.global.logAsJson }}
+            - --log_as_json
+            {{- end}}
+          env:
+{{- if .Values.cni.cniConfFileName }}
+            # Name of the CNI config file to create.
+            - name: CNI_CONF_NAME
+              value: "{{ .Values.cni.cniConfFileName }}"
+{{- end }}
+            # The CNI network config to install on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: istio-cni-config
+                  key: cni_network_config
+            - name: CNI_NET_DIR
+              value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
+            # Deploy as a standalone CNI plugin or as chained?
+            - name: CHAINED_CNI_PLUGIN
+              value: "{{ .Values.cni.chained }}"
+            - name: REPAIR_ENABLED
+              value: "{{ .Values.cni.repair.enabled }}"
+{{- if .Values.cni.ambient.enabled }}
+            - name: AMBIENT_DNS_CAPTURE
+              value: "{{ .Values.cni.ambient.dnsCapture }}"
+{{- end }}
+            - name: REPAIR_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: REPAIR_LABEL_PODS
+              value: "{{.Values.cni.repair.labelPods}}"
+            # Set to true to enable pod deletion
+            - name: REPAIR_DELETE_PODS
+              value: "{{.Values.cni.repair.deletePods}}"
+            - name: REPAIR_REPAIR_PODS
+              value: "{{.Values.cni.repair.repairPods}}"
+            - name: REPAIR_RUN_AS_DAEMON
+              value: "true"
+            - name: REPAIR_SIDECAR_ANNOTATION
+              value: "sidecar.istio.io/status"
+            - name: REPAIR_INIT_CONTAINER_NAME
+              value: "{{ .Values.cni.repair.initContainerName }}"
+            - name: REPAIR_BROKEN_POD_LABEL_KEY
+              value: "{{.Values.cni.repair.brokenPodLabelKey}}"
+            - name: REPAIR_BROKEN_POD_LABEL_VALUE
+              value: "{{.Values.cni.repair.brokenPodLabelValue}}"
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: LOG_LEVEL
+              value: {{ .Values.cni.logLevel | quote }}
+            {{- if .Values.cni.ambient.enabled }}
+            - name: AMBIENT_ENABLED
+              value: "true"
+            {{- end }}
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
+            - mountPath: /host/proc
+              name: cni-host-procfs
+              readOnly: true
+            {{- end }}
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /var/run/istio-cni
+              name: cni-socket-dir
+            {{- if .Values.cni.ambient.enabled }}
+            - mountPath: /host/var/run/netns
+              mountPropagation: HostToContainer
+              name: cni-netns-dir
+            - mountPath: /var/run/ztunnel
+              name: cni-ztunnel-sock-dir
+            {{ end }}
+          resources:
+{{- if .Values.cni.resources }}
+{{ toYaml .Values.cni.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+      volumes:
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ .Values.cni.cniBinDir | default $defaultBinDir }}
+        {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }}
+        - name: cni-host-procfs
+          hostPath:
+            path: /proc
+            type: Directory
+        {{- end }}
+        {{- if .Values.cni.ambient.enabled }}
+        - name: cni-ztunnel-sock-dir
+          hostPath:
+            path: /var/run/ztunnel
+            type: DirectoryOrCreate
+        {{- end }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
+        # Used for UDS sockets for logging, ambient eventing
+        - name: cni-socket-dir
+          hostPath:
+            path: /var/run/istio-cni
+        - name: cni-netns-dir
+          hostPath:
+            path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }}
+            type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node,
+            # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod.
+            # Once the CNI does mount this, it will get populated and we're good.
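Review bot: The `capabilities` block with `drop: ALL` is rendered only inside `{{- if .Values.cni.ambient.enabled }}`, so a sidecar-mode install with `cni.privileged: false` runs as UID 0 with no capability drop at all, and with the default `privileged: true` the drop list has no practical effect in either mode. Render `drop: [ALL]` unconditionally and add only what each mode needs; the TODO in the block already acknowledges this needs rework, so link it to a tracking issue. The `cni-netns-dir` volume is also defined unconditionally with `type: DirectoryOrCreate` while its mount is ambient-only, which means non-ambient installs still create the directory on every node; wrap the volume in the same `if` as the mount. Minor: "instio-cni" in the affinity comment should be "istio-cni".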
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/network-attachment-definition.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/network-attachment-definition.yaml
new file mode 100644
index 00000000..1da070ba
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,9 @@
+{{- if eq .Values.cni.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: istio-cni
+  namespace: default
+  labels:
+    operator.istio.io/component: "Cni"
+{{- end }}
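Review bot: `namespace: default` is hard-coded here, whereas the other namespaced objects in this chart (ConfigMap, DaemonSet, ResourceQuota, ServiceAccount) use `{{ .Release.Namespace }}`. If `default` is deliberate for multus, say so in a comment; otherwise make it a value. The object is also created without a `spec`; a one-line comment that the empty definition is intentional would save the next reader from wondering whether something was lost.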
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/resourcequota.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/resourcequota.yaml
new file mode 100644
index 00000000..15946ae7
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/resourcequota.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.cni.resourceQuotas.enabled }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: istio-cni-resource-quota
+  namespace: {{ .Release.Namespace }}
+spec:
+  hard:
+    pods: {{ .Values.cni.resourceQuotas.pods | quote }}
+  scopeSelector:
+    matchExpressions:
+    - operator: In
+      scopeName: PriorityClass
+      values:
+      - system-node-critical
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/serviceaccount.yaml
new file mode 100644
index 00000000..4645db63
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+  name: istio-cni
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istio-cni
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Cni"
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-cni/values.yaml b/charts/istio/1.21.6-tetrate-v1/istio-cni/values.yaml
new file mode 100644
index 00000000..a26a88fe
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-cni/values.yaml
@@ -0,0 +1,147 @@
+defaults:
+  cni:
+    hub: ""
+    tag: ""
+    variant: ""
+    image: install-cni
+    pullPolicy: ""
+
+    # Configuration log level of istio-cni binary
+    # by default istio-cni send all logs to UDS server
+    # if want to see them you need change global.logging.level with cni:debug
+    logLevel: debug
+
+    # Configuration file to insert istio-cni plugin configuration
+    # by default this will be the first file found in the cni-conf-dir
+    # Example
+    # cniConfFileName: 10-calico.conflist
+
+    # CNI bin and conf dir override settings
+    # defaults:
+    cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin.
+    cniConfDir: /etc/cni/net.d
+    cniConfFileName: ""
+    # This directory must exist on the node, if it does not, consult your container runtime
+    # documentation for the appropriate path.
+    cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+
+
+    excludeNamespaces:
+      - istio-system
+      - kube-system
+
+    # Allows user to set custom affinity for the DaemonSet
+    affinity: {}
+
+    # Custom annotations on pod level, if you need them
+    podAnnotations: {}
+
+    # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+    # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+    chained: true
+
+    # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) or features (repairPods)
+    # Note that even if this is false, the `istio-cni` container *requires* root privileges on the node to function,
+    # and setting this to false does not change that, nor will it run the container as non-root or make it "un-privileged".
+    privileged: true
+
+    # Custom configuration happens based on the CNI provider.
+    # Possible values: "default", "multus"
+    provider: "default"
+
+    # Configure ambient settings
+    ambient:
+      # If enabled, ambient redirection will be enabled
+      enabled: false
+      # Set ambient config dir path: defaults to /etc/ambient-config
+      configDir: ""
+      # If enabled, and ambient is enabled, DNS redirection will be enabled
+      dnsCapture: false
+
+
+    repair:
+      enabled: true
+      hub: ""
+      tag: ""
+
+      # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+      # This defines the action the controller will take when a pod is detected as broken.
+
+      # labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+      # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+      # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+      labelPods: false
+      # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+      # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+      deletePods: false
+      # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+      # This requires no RBAC privilege, but does require `securityContext.privileged`.
+      repairPods: true
+
+      initContainerName: "istio-validation"
+
+      brokenPodLabelKey: "cni.istio.io/uninitialized"
+      brokenPodLabelValue: "true"
+
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}
+
+    resources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+
+    resourceQuotas:
+      enabled: false
+      pods: 5000
+
+    # The number of pods that can be unavailable during rolling update (see
+    # `updateStrategy.rollingUpdate.maxUnavailable` here:
+    # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+    # May be specified as a number of pods or as a percent of the total number
+    # of pods at the start of the update.
+    rollingMaxUnavailable: 1
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  global:
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: addon-containers.istio.tetratelabs.com
+
+    # Default tag for Istio images.
+    tag: 1.21.6-tetrate-v1
+
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # change cni scope level to control logging out of istio-cni-node DaemonSet
+    logging:
+      level: default:info,cni:info
+
+    logAsJson: false
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Default resources allocated
+    defaultResources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
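Review bot: `cni.logLevel` defaults to `debug`, while the ambient and openshift profiles in this patch both set it to `info` and `global.logging.level` defaults to `cni:info`. A debug default on a node-level agent is noisy, and the comment above it ("if want to see them you need change global.logging.level with cni:debug") is hard to follow; default to `info` and reword the comment to say which of the two settings controls what. The comment on `global.hub` still says releases are published to docker hub under 'istio', but the value is `addon-containers.istio.tetratelabs.com`; update it so operators know which registry the images are pulled from. `cniNetnsDir:` is left as a bare null key where the neighbouring keys use `""`; use the same form for consistency.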
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/Chart.yaml
new file mode 100644
index 00000000..4b64f189
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+name: istiod
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio control plane
+keywords:
+  - istio
+  - istiod
+  - istio-discovery
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
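Review bot: The comment "This version is never actually shipped. istio/release-builder will replace it at build-time" no longer matches the file, since `version` and `appVersion` are committed here as the concrete `1.21.6-tetrate-v1`. Remove or reword the comment so nobody assumes the value is a placeholder. `tillerVersion` and `engine: gotpl` are Helm 2 era fields; if this chart is only ever installed with Helm 3 they can be dropped.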
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/README.md b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/README.md
new file mode 100644
index 00000000..ddbfbc8f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/README.md
@@ -0,0 +1,73 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+  accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
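Review bot: The "Setup Repo Info" and "Installing the Chart" sections point at `https://istio-release.storage.googleapis.com/charts` and install `istio/istiod`, which pulls the upstream chart rather than the vendored `1.21.6-tetrate-v1` copy this README sits next to. Anyone following it ends up running an image and template set other than the one reviewed in this change. Either document the install path for this chart directory or state clearly that the commands are upstream examples. Minor wording: "To view support configuration options" should read "supported", and the sentence ending in the canary upgrades link is missing its final period.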
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/gateway-injection-template.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/gateway-injection-template.yaml
new file mode 100644
index 00000000..59b33c16
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/gateway-injection-template.yaml
@@ -0,0 +1,256 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if eq (len $containers) 1 }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{ end }}
+  }
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" .Values.global.proxy.image }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: JWT_POLICY
+      value: {{ .Values.global.jwtPolicy }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- end }}
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir: {}
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+    configMap:
+      name: istio-ca-root-cert
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
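Review bot: The `istio-proxy` container's `securityContext` sets only `runAsUser` and `runAsGroup`, so the gateway proxy runs with the runtime's default capabilities and may escalate privileges. Add `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `runAsNonRoot: true` there, since the pod-level default already sets `net.ipv4.ip_unprivileged_port_start` to "0" so that low ports can be bound without extra capabilities. Note also that this sysctl is emitted only in the `else` branch, so setting any `.Values.gateways.securityContext` silently drops it; that deserves a comment in the template or the values file. Separately, the image selection tests `contains "/" .Values.global.proxy.image` but then renders the `sidecar.istio.io/proxyImage` annotation, whereas grpc-agent.yaml tests the annotation result itself; the two templates should agree on when a pod annotation may choose the proxy image.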
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-agent.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-agent.yaml
new file mode 100644
index 00000000..eb179b37
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-agent.yaml
@@ -0,0 +1,316 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+    sidecar.istio.io/rewriteAppHTTPProbers: "false",
+  }
+spec:
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15020
+      protocol: TCP
+      name: mesh-metrics
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+          - --url=http://localhost:15020/healthz/ready
+    env:
+    - name: ISTIO_META_GENERATOR
+      value: grpc
+    - name: OUTPUT_CERTS
+      value: /var/lib/istio/data
+    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: JWT_POLICY
+      value: {{ .Values.global.jwtPolicy }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    # grpc uses xds:/// to resolve – no need to resolve VIP
+    - name: ISTIO_META_DNS_CAPTURE
+      value: "false"
+    - name: DISABLE_ENVOY
+      value: "true"
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15020
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # UDS channel between istioagent and gRPC client for XDS/SDS
+    - mountPath: /etc/istio/proxy
+      name: istio-xds
+    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- end }}
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+{{- range $index, $container := .Spec.Containers  }}
+{{ if not (eq $container.Name "istio-proxy") }}
+  - name: {{ $container.Name }}
+    env:
+      - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+        value: "true"
+      - name: "GRPC_XDS_BOOTSTRAP"
+        value: "/etc/istio/proxy/grpc-bootstrap.json"
+    volumeMounts:
+      - mountPath: /var/lib/istio/data
+        name: istio-data
+      # UDS channel between istioagent and gRPC client for XDS/SDS
+      - mountPath: /etc/istio/proxy
+        name: istio-xds
+      {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+        readOnly: true
+      {{- else }}
+      - name: workload-certs
+        mountPath: /var/run/secrets/workload-spiffe-credentials
+      {{- end }}
+{{- end }}
+{{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-xds
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+    configMap:
+      name: istio-ca-root-cert
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
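Review bot: The `{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` ...) `0` }}` opened just before `readinessProbe:` is closed only by the `{{- end }}` after the `istio-podinfo` mount, so a pod that sets the status port to 0 loses not just the readiness probe but also `resources:` and the whole `volumeMounts:` list, including the workload socket, token and CA cert mounts. In that case the `sidecar.istio.io/userVolumeMount` entries that follow are rendered without a `volumeMounts:` key above them. Close the conditional right after `failureThreshold:` so only the probe is optional. Two smaller points: the `istio-proxy` container here has no `securityContext` at all, and the `workload-socket` and `workload-certs` volumes use a bare `emptyDir:` where the gateway template writes `emptyDir: {}`; use the explicit form for consistency.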
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-simple.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-simple.yaml
new file mode 100644
index 00000000..9ba0c7a4
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/grpc-simple.yaml
@@ -0,0 +1,65 @@
+metadata:
+  annotations:
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+  initContainers:
+    - name: grpc-bootstrap-init
+      image: busybox:1.28
+      volumeMounts:
+        - mountPath: /var/lib/grpc/data/
+          name: grpc-io-proxyless-bootstrap
+      env:
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: ISTIO_NAMESPACE
+          value: |
+             {{ .Values.global.istioNamespace }}
+      command:
+        - sh
+        - "-c"
+        - |-
+          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+          SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+          echo '
+          {
+            "xds_servers": [
+              {
+                "server_uri": "'${SERVER_URI}'",
+                "channel_creds": [{"type": "insecure"}],
+                "server_features" : ["xds_v3"]
+              }
+            ],
+            "node": {
+              "id": "'${NODE_ID}'",
+              "metadata": {
+                "GENERATOR": "grpc"
+              }
+            }
+          }' > /var/lib/grpc/data/bootstrap.json
+  containers:
+  {{- range $index, $container := .Spec.Containers }}
+  - name: {{ $container.Name }}
+    env:
+      - name: GRPC_XDS_BOOTSTRAP
+        value: /var/lib/grpc/data/bootstrap.json
+      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+        value: "99"
+      - name: GRPC_GO_LOG_SEVERITY_LEVEL
+        value: info
+    volumeMounts:
+      - mountPath: /var/lib/grpc/data/
+        name: grpc-io-proxyless-bootstrap
+  {{- end }}
+  volumes:
+    - name: grpc-io-proxyless-bootstrap
+      emptyDir: {}
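Review bot: The generated bootstrap hard-codes `"channel_creds": [{"type": "insecure"}]` against `istiod.${ISTIO_NAMESPACE}.svc:15010`, so every workload injected with this template fetches its xDS configuration over an unauthenticated plaintext channel. If the template must ship, say so in a comment at the top of the file and keep it out of any default template list, or switch to a credentialed channel. `ISTIO_NAMESPACE` is set with a `|` block scalar, which keeps a trailing newline in the value; that newline lands inside `SERVER_URI` and therefore inside the JSON string written to bootstrap.json. Use a plain quoted value instead, as the other env entries do. The init container image `busybox:1.28` is also fixed to an external tag with no digest and does not follow the chart's hub or `imagePullSecrets` settings, which will fail on clusters restricted to a private registry.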
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/injection-template.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/injection-template.yaml
new file mode 100644
index 00000000..f88fec82
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/injection-template.yaml
@@ -0,0 +1,548 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.istio_cni.enabled }}
+    {{- if not .Values.istio_cni.chained }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.istio_cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ .ProxyUID | default "1337" | quote }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.istio_cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.istio_cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.istio_cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+  - name: enable-core-dump
+    args:
+    - -c
+    - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+    command:
+      - /bin/sh
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - SYS_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+  {{ end }}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: JWT_POLICY
+      value: {{ .Values.global.jwtPolicy }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+        add:
+        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+    - mountPath: /var/run/secrets/istio/kubernetes
+      name: kube-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- end }}
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+    configMap:
+      name: istio-ca-root-cert
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+  - name: kube-ca-cert
+    configMap:
+      name: kube-root-ca.crt
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
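Review bot: The `apm.datadoghq.com/env` loop (`range $key, $value := fromJSON (index .ObjectMeta.Annotations ...)`) writes `name: {{ $key }}` and `value: "{{ $value }}"` directly into the `istio-proxy` env list, so text taken from a workload annotation reaches the rendered YAML unescaped; a value containing a double quote or a newline produces invalid or structurally different YAML. Pipe both through `quote`, which this template already uses for the `istio-iptables` port arguments (`name: {{ $key | quote }}`, `value: {{ $value | quote }}`), and do the same in the two `.ProxyConfig.ProxyMetadata` loops. Separately, the annotation block tests `(ne .Values.global.proxy.excludeOutboundPorts "")` while the `-o` argument of the init container tests `(ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "")`; use the `valueOrDefault` form in both places so the annotation and the argument are emitted under the same condition.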
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/kube-gateway.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/kube-gateway.yaml
new file mode 100644
index 00000000..ec699fa4
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/kube-gateway.yaml
@@ -0,0 +1,354 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+      ) | nindent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": {{.Name}}
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "istio.io/gateway-name" .Name
+          ) | nindent 8 }}
+    spec:
+      {{- if .KubeVersion122 }}
+      {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}}
+      securityContext:
+      {{- if .Values.gateways.securityContext }}
+        {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+      {{- else }}
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "0"
+      {{- end }}
+      {{- end }}
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+      {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+      {{- else }}
+        image: "{{ .ProxyImage }}"
+      {{- end }}
+        {{- if .Values.global.proxy.resources }}
+        resources:
+          {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        securityContext:
+        {{- if .KubeVersion122 }}
+          # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
+          capabilities:
+            drop:
+            - ALL
+          allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsUser: {{ .ProxyUID | default "1337" }}
+          runAsGroup: {{ .ProxyGID | default "1337" }}
+          runAsNonRoot: true
+        {{- else }}
+          capabilities:
+            drop:
+            - ALL
+            add:
+            - NET_BIND_SERVICE
+          runAsUser: 0
+          runAsGroup: 1337
+          runAsNonRoot: false
+          allowPrivilegeEscalation: true
+          readOnlyRootFilesystem: true
+        {{- end }}
+        ports:
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        args:
+        - proxy
+        - router
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+      {{- if .Values.global.sts.servicePort }}
+        - --stsPort={{ .Values.global.sts.servicePort }}
+      {{- end }}
+      {{- if .Values.global.logAsJson }}
+        - --log_as_json
+      {{- end }}
+      {{- if .Values.global.proxy.lifecycle }}
+        lifecycle:
+          {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+      {{- end }}
+        env:
+        - name: JWT_POLICY
+          value: {{ .Values.global.jwtPolicy }}
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        - name: ISTIO_META_POD_PORTS
+          value: "[]"
+        - name: ISTIO_META_APP_CONTAINERS
+          value: ""
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: "{{ .ProxyConfig.InterceptionMode.String }}"
+        {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+        - name: ISTIO_META_NETWORK
+          value: {{.|quote}}
+        {{- end }}
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName|quote}}
+        - name: ISTIO_META_OWNER
+          value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+        - name: TRUST_DOMAIN
+          value: "{{ . }}"
+        {{- end }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+        - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+          value: {{.|quote}}
+        {{- end }}
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - name: credential-socket
+          mountPath: /var/run/secrets/credential-uds
+        {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+        - name: gke-workload-certificate
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+          readOnly: true
+        {{- else }}
+        - name: workload-certs
+          mountPath: /var/run/secrets/workload-spiffe-credentials
+        {{- end }}
+        {{- if eq .Values.global.pilotCertProvider "istiod" }}
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        {{- end }}
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        # SDS channel between istioagent and Envoy
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        {{- end }}
+        - name: istio-podinfo
+          mountPath: /etc/istio/pod
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir: {}
+        name: credential-socket
+      {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+      - name: gke-workload-certificate
+        csi:
+          driver: workloadcertificates.security.cloud.google.com
+      {{- else}}
+      - emptyDir: {}
+        name: workload-certs
+      {{- end }}
+      # SDS channel between istioagent and Envoy
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - name: istio-data
+        emptyDir: {}
+      - name: istio-podinfo
+        downwardAPI:
+          items:
+            - path: "labels"
+              fieldRef:
+                fieldPath: metadata.labels
+            - path: "annotations"
+              fieldRef:
+                fieldPath: metadata.annotations
+      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: {{ .Values.global.sds.token.aud }}
+      {{- end }}
+      {{- if eq .Values.global.pilotCertProvider "istiod" }}
+      - name: istiod-ca-cert
+        configMap:
+          name: istio-ca-root-cert
+      {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: {{.Name}}
+    uid: {{.UID}}
+spec:
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": {{.Name}}
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
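Review bot: In the Service at the end of this template, `name: {{.Name}}` under ownerReferences and the selector value in `"{{.GatewayNameLabel}}": {{.Name}}` are emitted unquoted, while `name` and `namespace` under metadata go through `| quote`. A Gateway whose name parses as a YAML number or boolean (for example an all-digit name) would render a non-string value here and the object would fail validation. Suggest quoting both, as waypoint.yaml in this same change does with `name: "{{.Name}}"`.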
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
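Review bot: `CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"` hard-codes two namespaces, so the profile trusts a `ztunnel` service account in kube-system even when ztunnel is not installed there, and it does not follow a non-default Istio namespace. Going by its name, this list is who the CA trusts as node agents, so suggest listing only the namespace ztunnel is actually deployed to and adding a comment that the value must be overridden when that namespace changes. `cni.privileged: true` also deserves a one-line comment on why ambient mode needs it.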
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
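Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` switch off the two settings that profile-ambient.yaml in this change labels a "more secure default", and this file has no header comment saying so. Suggest a comment block like the other profiles carry, stating that the profile restores 1.20 behaviour and calling out that these two lines turn off client-side certificate verification and automatic SNI.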
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
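Review bot: The two OpenTelemetry providers under `meshConfig.extensionProviders` point at different namespaces: `otel` uses `opentelemetry-collector.istio-system.svc.cluster.local` while `otel-tracing` uses `opentelemetry-collector.otel-collector.svc.cluster.local`. If one collector is intended, align the two service names; if two are intended, add a comment saying so. `traceSampling: 100` and `accessLogFile: /dev/stdout` suit a demo, but the header comment should name them as settings not to carry into production, and the file should end with a newline.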
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
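Review bot: Two settings are each written in two places: `chained: false` under both `cni` and `istio_cni`, and `platform: openshift` both under `global` and at the top level. Without a comment on which key each chart reads, a later edit can change one copy and leave the other stale; suggest documenting the consumer of each key or dropping the redundant one. `cni.privileged: true` should carry a comment on why this profile needs it, and the file should end with a newline.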
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/waypoint.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/waypoint.yaml
new file mode 100644
index 00000000..531cdae6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/files/waypoint.yaml
@@ -0,0 +1,298 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{.ServiceAccount | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+      ) | nindent 4 }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  annotations:
+    {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+        "gateway.istio.io/managed" "istio.io-mesh-controller"
+      ) | nindent 4 }}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  selector:
+    matchLabels:
+      "{{.GatewayNameLabel}}": "{{.Name}}"
+  template:
+    metadata:
+      annotations:
+        {{- toJsonMap
+          (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+          (strdict "istio.io/rev" (.Revision | default "default"))
+          (strdict
+            "ambient.istio.io/redirection" "disabled"
+            "prometheus.io/path" "/stats/prometheus"
+            "prometheus.io/port" "15020"
+            "prometheus.io/scrape" "true"
+          ) | nindent 8 }}
+      labels:
+        {{- toJsonMap
+          (strdict
+            "sidecar.istio.io/inject" "false"
+            "service.istio.io/canonical-name" .DeploymentName
+            "service.istio.io/canonical-revision" "latest"
+           )
+          .InfrastructureLabels
+          (strdict
+            "gateway.networking.k8s.io/gateway-name" .Name
+            "istio.io/gateway-name" .Name
+            "gateway.istio.io/managed" "istio.io-mesh-controller"
+          ) | nindent 8}}
+    spec:
+      terminationGracePeriodSeconds: 2
+      serviceAccountName: {{.ServiceAccount | quote}}
+      containers:
+      - name: istio-proxy
+        ports:
+        - containerPort: 15021
+          name: status-port
+          protocol: TCP
+        - containerPort: 15090
+          protocol: TCP
+          name: http-envoy-prom
+        {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+        image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+        {{- else }}
+        image: "{{ .ProxyImage }}"
+        {{- end }}
+        {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+        args:
+        - proxy
+        - waypoint
+        - --domain
+        - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+        - --serviceCluster
+        - {{.ServiceAccount}}.$(POD_NAMESPACE)
+        - --proxyLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+        - --proxyComponentLogLevel
+        - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+        - --log_output_level
+        - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+        {{- if .Values.global.logAsJson }}
+        - --log_as_json
+        {{- end }}
+        env:
+        - name: ISTIO_META_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: ISTIO_META_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: JWT_POLICY
+          value: {{ .Values.global.jwtPolicy }}
+        - name: PILOT_CERT_PROVIDER
+          value: {{ .Values.global.pilotCertProvider }}
+        - name: CA_ADDR
+        {{- if .Values.global.caAddress }}
+          value: {{ .Values.global.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: ISTIO_CPU_LIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: PROXY_CONFIG
+          value: |
+                 {{ protoToJSON .ProxyConfig }}
+        {{- if .ProxyConfig.ProxyMetadata }}
+        {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
+        - name: ISTIO_META_CLUSTER_ID
+          value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+        {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+        {{- if $network }}
+        - name: ISTIO_META_NETWORK
+          value: "{{ $network }}"
+        {{- end }}
+        - name: ISTIO_META_INTERCEPTION_MODE
+          value: REDIRECT
+        - name: ISTIO_META_WORKLOAD_NAME
+          value: {{.DeploymentName}}
+        - name: ISTIO_META_OWNER
+          value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+        {{- if .Values.global.meshID }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ .Values.global.meshID }}"
+        {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+        - name: ISTIO_META_MESH_ID
+          value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+        {{- end }}
+        resources:
+          limits:
+            cpu: "2"
+            memory: 1Gi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        startupProbe:
+          failureThreshold: 30
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 1
+          periodSeconds: 1
+          successThreshold: 1
+          timeoutSeconds: 1
+        readinessProbe:
+          failureThreshold: 4
+          httpGet:
+            path: /healthz/ready
+            port: 15021
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 15
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          privileged: false
+          runAsGroup: 1337
+          runAsUser: 0
+          capabilities:
+            drop:
+            - ALL
+        volumeMounts:
+        - name: workload-socket
+          mountPath: /var/run/secrets/workload-spiffe-uds
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/lib/istio/data
+          name: istio-data
+        - mountPath: /etc/istio/proxy
+          name: istio-envoy
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /etc/istio/pod
+          name: istio-podinfo
+      volumes:
+      - emptyDir: {}
+        name: workload-socket
+      - emptyDir:
+          medium: Memory
+        name: istio-envoy
+      - emptyDir:
+          medium: Memory
+        name: go-proxy-envoy
+      - emptyDir: {}
+        name: istio-data
+      - emptyDir: {}
+        name: go-proxy-data
+      - downwardAPI:
+          items:
+          - fieldRef:
+              fieldPath: metadata.labels
+            path: labels
+          - fieldRef:
+              fieldPath: metadata.annotations
+            path: annotations
+        name: istio-podinfo
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - configMap:
+          name: istio-ca-root-cert
+        name: istiod-ca-cert
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+  labels:
+    {{- toJsonMap
+      .InfrastructureLabels
+      (strdict
+        "gateway.networking.k8s.io/gateway-name" .Name
+        "istio.io/gateway-name" .Name
+      ) | nindent 4 }}
+  name: {{.DeploymentName | quote}}
+  namespace: {{.Namespace | quote}}
+  ownerReferences:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    name: "{{.Name}}"
+    uid: "{{.UID}}"
+spec:
+  ports:
+  {{- range $key, $val := .Ports }}
+  - name: {{ $val.Name | quote }}
+    port: {{ $val.Port }}
+    protocol: TCP
+    appProtocol: {{ $val.AppProtocol }}
+  {{- end }}
+  selector:
+    "{{.GatewayNameLabel}}": "{{.Name}}"
+  {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+  loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+  {{- end }}
+  type: {{ .ServiceType | quote }}
+---
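Review bot: The `istio-proxy` container's securityContext sets `runAsUser: 0` with `privileged: false` and all capabilities dropped, but it does not set `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true`. If UID 0 is required for the waypoint, add a comment explaining why and add those two fields; otherwise run as a non-root UID with `runAsNonRoot: true`. Separately, the volumes `go-proxy-envoy` and `go-proxy-data` are declared but no volumeMount in this hunk uses them, so they can be removed.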
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/NOTES.txt
new file mode 100644
index 00000000..27877a1b
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/NOTES.txt
@@ -0,0 +1,69 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
+
+Next steps:
+  * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+  * Try out our tasks to get started on common configurations:
+    * https://istio.io/latest/docs/tasks/traffic-management
+    * https://istio.io/latest/docs/tasks/security/
+    * https://istio.io/latest/docs/tasks/policy-enforcement/
+  * Review the list of actively supported releases, CVE publications and our hardening guide:
+    * https://istio.io/latest/docs/releases/supported-releases/
+    * https://istio.io/latest/news/security/
+    * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+{{-
+  $deps := dict
+    "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy"
+    "global.certificates" "meshConfig.certificates"
+    "global.localityLbSetting" "meshConfig.localityLbSetting"
+    "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen"
+    "global.enableTracing" "meshConfig.enableTracing"
+    "global.proxy.accessLogFormat" "meshConfig.accessLogFormat"
+    "global.proxy.accessLogFile" "meshConfig.accessLogFile"
+    "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency"
+    "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService"
+    "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService"
+    "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService"
+    "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout"
+    "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts"
+    "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass"
+    "global.mtls.enabled" "the PeerAuthentication resource"
+    "global.mtls.auto" "meshConfig.enableAutoMtls"
+    "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address"
+    "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken"
+    "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address"
+    "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug"
+    "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes"
+    "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations"
+    "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents"
+    "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address"
+    "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/"
+    "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)"
+}}
+{{- range $dep, $replace := $deps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead.
+{{- end }}
+{{- end }}
+{{-
+  $failDeps := dict
+    "telemetry.v2.prometheus.configOverride"
+    "telemetry.v2.stackdriver.configOverride"
+    "telemetry.v2.stackdriver.disableOutbound"
+    "telemetry.v2.stackdriver.outboundAccessLogging"
+}}
+{{- range $dep, $replace := $failDeps }}
+{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}}
+{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(")  ".Values." (replace "." ")." $dep) ")}}") $}}
+{{- if not (eq $res "")}}
+{{fail (print $dep " is removed")}}
+{{- end }}
+{{- end }}
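Review bot: `$failDeps := dict` is given four bare strings, and `dict` consumes its arguments as key/value pairs, so the map holds only `telemetry.v2.prometheus.configOverride` and `telemetry.v2.stackdriver.disableOutbound` as keys; the other two entries become values and the `fail` check never runs for them. Suggest building the set with `list` and iterating with `range $dep := $failDeps`, so that all four removed settings are rejected.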
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/_helpers.tpl b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/_helpers.tpl
new file mode 100644
index 00000000..47b89a40
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
\ No newline at end of file
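Review bot: `default-sd-logs` has exactly the same body as `default-sd-metrics`, although its comment says Stackdriver metrics and logging are split. If logging is meant to have its own switch, the last operand should test a logging-specific value; if not, one helper is enough and the comment should be corrected. The file should also end with a newline.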
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/autoscale.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/autoscale.yaml
new file mode 100644
index 00000000..0068b13c
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/autoscale.yaml
@@ -0,0 +1,76 @@
+{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
+{{- if not .Values.global.autoscalingv2API }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+spec:
+  maxReplicas: {{ .Values.pilot.autoscaleMax }}
+  minReplicas: {{ .Values.pilot.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+  {{- if .Values.pilot.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      targetAverageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }}
+  {{- end }}
+---
+{{- else }}
+{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}}
+apiVersion: autoscaling/v2
+{{- else }}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+spec:
+  maxReplicas: {{ .Values.pilot.autoscaleMax }}
+  minReplicas: {{ .Values.pilot.autoscaleMin }}
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+  {{- if .Values.pilot.memory.targetAverageUtilization }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }}
+  {{- end }}
+  {{- if .Values.pilot.autoscaleBehavior }}
+  behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
\ No newline at end of file
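Review bot: In the first branch, `istio.io/rev: {{ .Values.revision | default "default" }}` is unquoted, while the same label in the second branch ends with `| quote`; a revision that parses as a number would render a non-string label value in the v2beta1 object. Suggest adding `| quote` there. That branch also emits `autoscaling/v2beta1` whenever `global.autoscalingv2API` is false, with no `semverCompare` guard, and that API version is no longer served from Kubernetes 1.25, so a guard or a `fail` with a clear message would help.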
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrole.yaml
new file mode 100644
index 00000000..097e5c0c
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrole.yaml
@@ -0,0 +1,152 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update"]
+    # TODO: should be on just */status but wildcard is not supported
+    resources: ["*"]
+
+  # Needed because status reporter sets the config map owner reference to the istiod pod
+  - apiGroups: [""]
+    verbs: ["update"]
+    resources: ["pods/finalizers"]
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+    - "kubernetes.io/legacy-unknown"
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
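Review bot: The `secrets` rule near the end of the istiod ClusterRole grants `get`, `watch` and `list` on every Secret in the cluster, while its comment only cites multicluster secret reading and "possibly ingress certs in the future". If the remote-cluster secrets live in the Istio namespace, move this rule to a namespaced Role there; otherwise extend the comment to say which namespaces istiod must read and why. The same applies to the `istiod-gateway-controller` role below it, which gets `create` and `delete` on `deployments`, `services` and `serviceaccounts` cluster-wide: a line stating that gateways may be provisioned in any namespace would make the scope an explicit decision. The `resources: ["*"]` with `update`/`patch` on the gateway API groups already carries a TODO; please link a tracking issue so it does not stay open-ended.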
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..f6e42521
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/clusterrolebinding.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
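Review bot: Both bindings take the subject namespace from `.Values.global.istioNamespace`, while the binding and role names are suffixed with `.Release.Namespace` and the istiod Deployment in this patch is created in `.Release.Namespace`. If the chart is installed into a namespace other than `global.istioNamespace`, these cluster-wide permissions are bound to a ServiceAccount in a different namespace from the one istiod runs in. Either use `.Release.Namespace` for the subject or fail the render when the two values differ. Minor: the two `subjects:` lists use different indentation, and the file is missing its trailing newline.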
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap-jwks.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap-jwks.yaml
new file mode 100644
index 00000000..b4c49dfa
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap-jwks.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pilot.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: {{ .Release.Name }}
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+data:
+  extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
+{{- end }}
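Review bot: The `install.operator.istio.io/owning-resource` label is rendered unquoted (`{{ .Values.ownerName | default "unknown" }}`), unlike the `istio.io/rev` label two lines above it. An `ownerName` that YAML reads as a number or boolean would produce a non-string label value and the manifest would be rejected. Add `| quote` for consistency. It would also help to note in a template comment that `extra.pem` extends the roots istiod trusts when resolving JWKS, so reviewers of values changes know this key is trust-relevant.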
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap.yaml
new file mode 100644
index 00000000..df0ce35c
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/configmap.yaml
@@ -0,0 +1,112 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+      {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+      {{- else }}
+        {}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if .Values.pilot.enabled }}
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.pilot.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
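Review bot: In the `lightstep` branch of the `mesh` define, `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` writes a credential into the `istio` ConfigMap in clear text, where anyone with read access to ConfigMaps in the release namespace can see it. Prefer referencing a Secret, or at least document that this value ends up in a ConfigMap. The `address` and `accessToken` values in that branch are also unquoted, so a token containing `:` or `#` would render as invalid or truncated YAML; pipe both through `quote`.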
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/deployment.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/deployment.yaml
new file mode 100644
index 00000000..9b1b6c2d
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/deployment.yaml
@@ -0,0 +1,265 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    istio: pilot
+    release: {{ .Release.Name }}
+{{- range $key, $val := .Values.pilot.deploymentLabels }}
+    {{ $key }}: "{{ $val }}"
+{{- end }}
+spec:
+{{- if not .Values.pilot.autoscaleEnabled }}
+{{- if .Values.pilot.replicaCount }}
+  replicas: {{ .Values.pilot.replicaCount }}
+{{- end }}
+{{- end }}
+  strategy:
+    rollingUpdate:
+      maxSurge: {{ .Values.pilot.rollingMaxSurge }}
+      maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
+  selector:
+    matchLabels:
+      {{- if ne .Values.revision "" }}
+      app: istiod
+      istio.io/rev: {{ .Values.revision | default "default" | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app: istiod
+        istio.io/rev: {{ .Values.revision | default "default" | quote }}
+        install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+        sidecar.istio.io/inject: "false"
+        operator.istio.io/component: "Pilot"
+        {{- if ne .Values.revision "" }}
+        istio: istiod
+        {{- else }}
+        istio: pilot
+        {{- end }}
+        {{- range $key, $val := .Values.pilot.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+      annotations:
+        {{- if .Values.meshConfig.enablePrometheusMerge }}
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        {{- end }}
+        ambient.istio.io/redirection: disabled
+        sidecar.istio.io/inject: "false"
+        {{- if .Values.pilot.podAnnotations }}
+{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
+        {{- end }}
+    spec:
+{{- if .Values.pilot.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
+{{- end }}
+{{- with .Values.pilot.affinity }}
+      affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.pilot.tolerations }}
+      tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.pilot.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.global.priorityClassName }}
+      priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+      containers:
+        - name: discovery
+{{- if contains "/" .Values.pilot.image }}
+          image: "{{ .Values.pilot.image }}"
+{{- else }}
+          image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+          args:
+          - "discovery"
+          - --monitoringAddr=:15014
+{{- if .Values.global.logging.level }}
+          - --log_output_level={{ .Values.global.logging.level }}
+{{- end}}
+{{- if .Values.global.logAsJson }}
+          - --log_as_json
+{{- end }}
+          - --domain
+          - {{ .Values.global.proxy.clusterDomain }}
+{{- if .Values.global.oneNamespace }}
+          - "-a"
+          - {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.pilot.plugins }}
+          - --plugins={{ .Values.pilot.plugins }}
+{{- end }}
+          - --keepaliveMaxServerConnectionAge
+          - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
+{{- if .Values.pilot.extraContainerArgs }}
+          {{- with .Values.pilot.extraContainerArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+{{- end }}
+          ports:
+          - containerPort: 8080
+            protocol: TCP
+          - containerPort: 15010
+            protocol: TCP
+          - containerPort: 15017
+            protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 3
+            timeoutSeconds: 5
+          env:
+          - name: REVISION
+            value: "{{ .Values.revision | default `default` }}"
+          - name: JWT_POLICY
+            value: {{ .Values.global.jwtPolicy }}
+          - name: PILOT_CERT_PROVIDER
+            value: {{ .Values.global.pilotCertProvider }}
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.serviceAccountName
+          - name: KUBECONFIG
+            value: /var/run/secrets/remote/config
+          {{- if .Values.pilot.env }}
+          {{- range $key, $val := .Values.pilot.env }}
+          - name: {{ $key }}
+            value: "{{ $val }}"
+          {{- end }}
+          {{- end }}
+{{- if .Values.pilot.traceSampling }}
+          - name: PILOT_TRACE_SAMPLING
+            value: "{{ .Values.pilot.traceSampling }}"
+{{- end }}
+          - name: PILOT_ENABLE_ANALYSIS
+            value: "{{ .Values.global.istiod.enableAnalysis }}"
+          - name: CLUSTER_ID
+            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
+          - name: PLATFORM
+            value: "{{ .Values.global.platform }}"
+          resources:
+{{- if .Values.pilot.resources }}
+{{ toYaml .Values.pilot.resources | trim | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
+{{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+{{- if .Values.pilot.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }}
+{{- end }}
+          volumeMounts:
+          {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          {{- end }}
+          - name: local-certs
+            mountPath: /var/run/secrets/istio-dns
+          - name: cacerts
+            mountPath: /etc/cacerts
+            readOnly: true
+          - name: istio-kubeconfig
+            mountPath: /var/run/secrets/remote
+            readOnly: true
+          {{- if .Values.pilot.jwksResolverExtraRootCA }}
+          - name: extracacerts
+            mountPath: /cacerts
+          {{- end }}
+          - name: istio-csr-dns-cert
+            mountPath: /var/run/secrets/istiod/tls
+            readOnly: true
+          - name: istio-csr-ca-configmap
+            mountPath: /var/run/secrets/istiod/ca
+            readOnly: true
+          {{- with .Values.pilot.volumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+      volumes:
+      # Technically not needed on this pod - but it helps debugging/testing SDS
+      # Should be removed after everything works.
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: {{ .Values.global.sds.token.aud }}
+                expirationSeconds: 43200
+                path: istio-token
+      {{- end }}
+      # Optional: user-generated root
+      - name: cacerts
+        secret:
+          secretName: cacerts
+          optional: true
+      - name: istio-kubeconfig
+        secret:
+          secretName: istio-kubeconfig
+          optional: true
+      # Optional: istio-csr dns pilot certs
+      - name: istio-csr-dns-cert
+        secret:
+          secretName: istiod-tls
+          optional: true
+      - name: istio-csr-ca-configmap
+        configMap:
+          name: istio-ca-root-cert
+          defaultMode: 420
+          optional: true
+  {{- if .Values.pilot.jwksResolverExtraRootCA }}
+      - name: extracacerts
+        configMap:
+          name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  {{- end }}
+      {{- with .Values.pilot.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
+
+---
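Review bot: The container `securityContext` only emits `seccompProfile` when `.Values.pilot.seccompProfile` is set, so unless values.yaml supplies one the discovery container runs without an explicit seccomp profile, next to otherwise tight settings (`drop: ALL`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`). Consider defaulting to `type: RuntimeDefault` and letting the value override it. Separately, the `.Values.pilot.env` loop renders `value: "{{ $val }}"`, which breaks on values containing a double quote; `{{ $val | quote }}` is safer, and the same applies to the unquoted `JWT_POLICY` and `PILOT_CERT_PROVIDER` values. The `local-certs` volume comment says it "Should be removed after everything works"; either remove it or reword the comment to state why it stays.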
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
new file mode 100644
index 00000000..61da47eb
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,78 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
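Review bot: The `values` key serialises all of `.Values.global` via `pick .Values "global" ...` and `toPrettyJson`, despite the comment about scoping to reduce size. That subtree includes `global.tracer.lightstep.accessToken`, which the mesh ConfigMap template in this patch reads, so a configured token is copied into this ConfigMap as well. Pick only the `global` fields the injection templates actually use, or explicitly omit credential-bearing keys. Also, the template comment quotes the error as `Istio_1_9_Required_Template_And_Version_Mismatched`, but the function actually rendered is `Template_Version_And_Istio_Version_Mismatched_Check_Installation`; update the comment so the message users search for matches.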
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/mutatingwebhook.yaml
new file mode 100644
index 00000000..c39151c6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/mutatingwebhook.yaml
@@ -0,0 +1,149 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict "revision" .Values.revision  "injectionPath" .Values.istiodRemote.injectionPath  "injectionURL" .Values.istiodRemote.injectionURL  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
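Review bot: In the `auto.` webhook (special case 3), the namespace exclusion list is hard-coded as `["kube-system","kube-public","kube-node-lease","local-path-storage"]`. Combined with `failurePolicy: Fail` in the `core` define and no `timeoutSeconds`, enabling `enableNamespacesByDefault` makes pod creation in every other unlabelled namespace depend on istiod being reachable. Expose the exclusion list as a value so operators can add their own system namespaces, and consider setting an explicit `timeoutSeconds`. It would also be worth a comment on the `url: "{{ .injectionURL }}"` branch stating how the webhook's CA bundle is populated, since `clientConfig` sets none here.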
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
new file mode 100644
index 00000000..ce61de5a
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/poddisruptionbudget.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+    istio: pilot
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: istiod
+      {{- if ne .Values.revision "" }}
+      istio.io/rev: {{ .Values.revision | quote }}
+      {{- else }}
+      istio: pilot
+      {{- end }}
+---
+{{- end }}
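Review bot: `minAvailable: 1` is hard-coded in the spec. The Deployment in this patch takes its replica count from `.Values.pilot.replicaCount`, so with a single replica this budget allows zero voluntary disruptions and a node drain will block on the istiod pod. Make the value configurable, or document that the PDB should only be enabled with two or more replicas. The trailing `---` inside the `if` block is harmless but leaves an empty document at the end of the rendered output.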
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrole.yaml
new file mode 100644
index 00000000..d3d53d6a
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrole.yaml
@@ -0,0 +1,58 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
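Review bot: the core-group rule in `istio-reader-clusterrole` lists `secrets` with `get`, `list`, `watch`, so a role named and labelled as a reader can read every Secret in every namespace of the cluster. If the reader account needs Secrets for one specific purpose, move `secrets` into its own rule with a comment that says why, or grant it through a namespaced Role. The `externalIstiod` block also adds `update`/`patch` on `mutatingwebhookconfigurations`, `update` on `validatingwebhookconfigurations` and `create`/`update` on `configmaps` to this same role; a separately named ClusterRole for that case would keep "reader" meaning read-only. The `networking.istio.io` `workloadentries` rule is already covered by the first rule's `resources: ["*"]` and can be dropped.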
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 00000000..4f9925c9
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
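Review bot: the binding name and `roleRef.name` are suffixed with `.Release.Namespace`, but the subject's namespace is `.Values.global.istioNamespace`; when the release is installed into a namespace other than `global.istioNamespace`, the cluster-wide reader permissions go to `istio-reader-service-account` in a namespace this release does not own. Use the same value in both places, or add a comment stating where that ServiceAccount is created and why the two are allowed to differ.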
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/revision-tags.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/revision-tags.yaml
new file mode 100644
index 00000000..e4995a77
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/revision-tags.yaml
@@ -0,0 +1,136 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{- $whv := dict "revision" .Values.revision  "injectionPath" .Values.istiodRemote.injectionPath  "injectionURL" .Values.istiodRemote.injectionURL  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+  name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+  name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/tag: {{ $tagName }}
+    istio.io/rev: {{ $.Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ $.Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+---
+{{- end }}
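Review bot: `istio.io/tag: {{ $tagName }}` in the metadata labels is rendered unquoted while `istio.io/rev` on the next line is piped through `quote`; a tag such as `1` or `true` would render as a non-string label value and the object would be rejected, so pipe it through `quote` as well. The `core` template hard-codes `failurePolicy: Fail` on pod `CREATE`, and in the `auto.` case (`enableNamespacesByDefault`) the exclusion list is a fixed set of four namespace names, so pod creation in every other unlabelled namespace depends on the injector being reachable; consider making the excluded namespaces a value and documenting that availability dependency. `define "core"` is also a chart-global template name; a more specific name avoids a collision if another template in the chart defines the same one.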
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/role.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/role.yaml
new file mode 100644
index 00000000..195bdde4
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/role.yaml
@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
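Review bot: the `secrets` rule grants `create`, `get`, `watch`, `list`, `update`, `delete` on every Secret in `global.istioNamespace`, and the TODO above the `verbs` line already says it should be locked down to `istio-ca-cert`. A `resourceNames` list can cover `get`, `update` and `delete`; `create` cannot be restricted by name, so split it into its own rule rather than carrying the TODO forward. The last comment reads "For gateway deployment controller" but the rule is for `coordination.k8s.io` `leases`; say what the leases are used for.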
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/rolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/rolebinding.yaml
new file mode 100644
index 00000000..0d700f00
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/service.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/service.yaml
new file mode 100644
index 00000000..208e8356
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/service.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.pilot.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: istiod
+    istio: pilot
+    release: {{ .Release.Name }}
+spec:
+  ports:
+    - port: 15010
+      name: grpc-xds # plaintext
+      protocol: TCP
+    - port: 15012
+      name: https-dns # mTLS with k8s-signed cert
+      protocol: TCP
+    - port: 443
+      name: https-webhook # validation and injection
+      targetPort: 15017
+      protocol: TCP
+    - port: 15014
+      name: http-monitoring # prometheus stats
+      protocol: TCP
+  selector:
+    app: istiod
+    {{- if ne .Values.revision "" }}
+    istio.io/rev: {{ .Values.revision | quote }}
+    {{- else }}
+    # Label used by the 'default' service. For versioned deployments we match with app and version.
+    # This avoids default deployment picking the canary
+    istio: pilot
+    {{- end }}
+  {{- if .Values.pilot.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }}
+  {{- end }}
+  {{- if .Values.pilot.ipFamilies }}
+  ipFamilies:
+  {{- range .Values.pilot.ipFamilies }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
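Review bot: port 15010 (`grpc-xds`, commented `# plaintext`) is always published on the istiod Service next to the mTLS port 15012, with no value to turn it off. If plaintext xDS is not needed in this distribution, gate that port behind a value, or document that access to it is expected to be restricted by network policy. This Service also uses `.Release.Namespace` while the Role, RoleBinding and ServiceAccount in the same chart use `.Values.global.istioNamespace`; a comment on which one is authoritative would help.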
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/serviceaccount.yaml
new file mode 100644
index 00000000..ee6cbc32
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+---
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 00000000..1978d392
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,55 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    sideEffects: None
+    admissionReviewVersions: ["v1beta1", "v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
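Review bot: `failurePolicy: Ignore` means invalid Istio config is admitted whenever the webhook is unreachable, and the comment relies on the webhook controller later switching it to `Fail` and patching in `caBundle`; nothing in this template enforces that. Document under which install modes the controller does not perform that patch, so operators know the webhook can remain fail-open. The `objectSelector` also limits validation to objects labelled `istio.io/rev`, so unlabelled resources in these API groups are not checked by this webhook; state that in the leading comment. `url: {{ .Values.base.validationURL }}` is unquoted, unlike `url: "{{ .injectionURL }}"` in the injection webhook; quote it for consistency.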
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/values.yaml b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/values.yaml
new file mode 100644
index 00000000..4834fab3
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-control/istio-discovery/values.yaml
@@ -0,0 +1,500 @@
+defaults:
+  #.Values.pilot for discovery and mesh wide config
+
+  ## Discovery Settings
+  pilot:
+    autoscaleEnabled: true
+    autoscaleMin: 1
+    autoscaleMax: 5
+    autoscaleBehavior: {}
+    replicaCount: 1
+    rollingMaxSurge: 100%
+    rollingMaxUnavailable: 25%
+
+    hub: ""
+    tag: ""
+    variant: ""
+
+    # Can be a full hub/image:tag
+    image: pilot
+    traceSampling: 1.0
+
+    # Resources for a small pilot install
+    resources:
+      requests:
+        cpu: 500m
+        memory: 2048Mi
+
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}
+
+    # Additional container arguments
+    extraContainerArgs: []
+
+    env: {}
+
+    affinity: {}
+
+    tolerations: []
+
+    cpu:
+      targetAverageUtilization: 80
+    memory: {}
+      # targetAverageUtilization: 80
+
+    # Additional volumeMounts to the istiod container
+    volumeMounts: []
+
+    # Additional volumes to the istiod pod
+    volumes: []
+
+    nodeSelector: {}
+    podAnnotations: {}
+    serviceAnnotations: {}
+
+    topologySpreadConstraints: []
+
+    # You can use jwksResolverExtraRootCA to provide a root certificate
+    # in PEM format. This will then be trusted by pilot when resolving
+    # JWKS URIs.
+    jwksResolverExtraRootCA: ""
+
+    # This is used to set the source of configuration for
+    # the associated address in configSource, if nothing is specified
+    # the default MCP is assumed.
+    configSource:
+      subscribedResources: []
+
+    plugins: []
+
+    # The following is used to limit how long a sidecar can be connected
+    # to a pilot. It balances out load across pilot instances at the cost of
+    # increasing system churn.
+    keepaliveMaxServerConnectionAge: 30m
+
+    # Additional labels to apply to the deployment.
+    deploymentLabels: {}
+
+    ## Mesh config settings
+
+    # Install the mesh config map, generated from values.yaml.
+    # If false, pilot wil use default values (by default) or user-supplied values.
+    configMap: true
+
+    # Additional labels to apply on the pod level for monitoring and logging configuration.
+    podLabels: {}
+
+    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    ipFamilyPolicy: ""
+    ipFamilies: []
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: addon-containers.istio.tetratelabs.com
+    # Default tag for Istio images.
+    tag: 1.21.6-tetrate-v1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Whether to restrict the applications namespace the controller manages;
+    # If not set, controller watches all namespaces
+    oneNamespace: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # If set, newly injected sidecars will have core dumps enabled.
+      enableCoreDump: false
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "zipkin"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Configure a remote cluster data plane controlled by an external istiod.
+    # When set to true, istiod is not deployed locally and only a subset of the other
+    # discovery charts are enabled.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+
+    # Configure the policy for validating JWT.
+    # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+    jwtPolicy: "third-party-jwt"
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    # whether to use autoscaling/v2 template for HPA settings
+    # for internal usage only, not to be configured by users.
+    autoscalingv2API: true
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+    #  keep in sync with settings used when installing the Istio CNI chart
+  istio_cni:
+    enabled: false
+    chained: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
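Review bot: The comment above `jwtPolicy` lists "third-party-jwt" and "first-party-jwt" without saying how they differ or why the first is the default. Elsewhere in this patch the gateway injection template mounts the projected `istio-token` volume (with `expirationSeconds: 43200` and the `sds.token.aud` audience) only when the value is "third-party-jwt", so a line here stating that the other option gets no such token would help anyone tempted to change it. Separately, the banner at the top of this block reads "make make sure" across its two lines.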
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/Chart.yaml
new file mode 100644
index 00000000..b62c889b
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: istio-operator
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio operator
+keywords:
+  - istio
+  - operator
+sources:
+  - https://github.com/istio/istio/tree/master/operator
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
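Review bot: The comment above `version:` says the value "is never actually shipped" and is replaced at build time, yet this file pins `version` and `appVersion` to `1.21.6-tetrate-v1`, so the comment is stale for a vendored chart and should be dropped or reworded. `sources` also points at the `master` tree rather than the release this chart was cut from, which makes it harder to trace these templates to the code they came from.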
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/crds/crd-operator.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/crds/crd-operator.yaml
new file mode 100644
index 00000000..93ac1de0
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+  labels:
+    release: istio
+spec:
+  conversion:
+    strategy: None
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    listKind: IstioOperatorList
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+    - iop
+    - io
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Istio control plane revision
+      jsonPath: .spec.revision
+      name: Revision
+      type: string
+    - description: IOP current state
+      jsonPath: .status.status
+      name: Status
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        x-kubernetes-preserve-unknown-fields: true
+    served: true
+    storage: true
+---
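Review bot: The `openAPIV3Schema` is a bare `type: object` with `x-kubernetes-preserve-unknown-fields: true`, so the API server validates nothing under `spec` and a misspelled or unintended field in an IstioOperator resource is stored as is. If the schema is left open on purpose, say so in a comment and state where validation does happen. The header `# SYNC WITH manifests/charts/base/files` names a path that is not part of this chart directory; point it at the file it should match in this repository or remove it.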
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
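Review bot: `CA_TRUSTED_NODE_ACCOUNTS` hardcodes two service accounts, `istio-system/ztunnel` and `kube-system/ztunnel`, with no comment on why both namespaces are listed. Since this is a trust list handed to the CA, document what the entries are allowed to do and restrict the list to the namespace where ztunnel is actually installed. `cni.privileged: true` a few lines below would also benefit from a comment stating why the profile needs it.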
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
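Review bot: This profile sets `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` without any comment, while the ambient profile in this same patch describes the "true" values as the "more secure default". Add a header comment saying that choosing `compatibilityVersion: 1.20` turns client-side certificate verification and automatic SNI back off, so the trade-off is visible to whoever sets it.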
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
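Review bot: In `extensionProviders`, the `otel` entry targets `opentelemetry-collector.istio-system.svc.cluster.local` while `otel-tracing` targets `opentelemetry-collector.otel-collector.svc.cluster.local`; if both are meant to reach the same collector, one of the namespaces is wrong, and if not, a comment should say so. The ingress gateway `ports` list also opens 31400 (`tcp`) and 15443 (`tls`) alongside 80 and 443, and the comment "This is the port where sni routing happens" is indented under the 31400 entry although it describes 15443. The file ends without a trailing newline.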
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
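Review bot: `cni.privileged: true` is set with no comment explaining why the OpenShift profile requires a privileged CNI pod; state the reason next to it so the setting can be revisited later. `platform: openshift` appears both under `global` and at the top level, and `chained: false` under both `cni` and `istio_cni`; a short comment saying these pairs must stay in sync would prevent one being changed without the other. The file ends without a trailing newline.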
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole.yaml
new file mode 100644
index 00000000..c7101ab6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole.yaml
@@ -0,0 +1,117 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+rules:
+# istio groups
+- apiGroups:
+  - authentication.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - config.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - install.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - security.istio.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+# k8s groups
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions.apiextensions.k8s.io
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/finalizers
+  - replicasets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - get
+  - create
+  - update
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - endpoints
+  - events
+  - namespaces
+  - pods
+  - pods/proxy
+  - pods/portforward
+  - persistentvolumeclaims
+  - secrets
+  - services
+  - serviceaccounts
+  - resourcequotas
+  verbs:
+  - '*'
+---
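Review bot: The `rbac.authorization.k8s.io` rule grants `'*'` on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, which lets the operator's service account grant itself or any other subject arbitrary permissions and makes the rest of this rule list moot. The core-group rule does the same for `secrets`, `pods/proxy` and `pods/portforward` across the whole cluster. Enumerate the verbs actually needed, as the `servicemonitors` and `leases` rules already do with `get`, `create`, `update`, and consider moving the namespaced resources into a Role scoped to the watched namespaces.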
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole_binding.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole_binding.yaml
new file mode 100644
index 00000000..a3df073a
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/clusterrole_binding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+subjects:
+- kind: ServiceAccount
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{.Release.Namespace}}
+roleRef:
+  kind: ClusterRole
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  apiGroup: rbac.authorization.k8s.io
+---
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/crds.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/crds.yaml
new file mode 100644
index 00000000..a3703650
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/deployment.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/deployment.yaml
new file mode 100644
index 00000000..6c2ca6c2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/deployment.yaml
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{.Release.Namespace}}
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: {{ .Values.deploymentHistory }}
+  selector:
+    matchLabels:
+      name: istio-operator
+  template:
+    metadata:
+      labels:
+        name: istio-operator
+        {{- range $key, $val := .Values.podLabels }}
+        {{ $key }}: "{{ $val }}"
+        {{- end }}
+      annotations:
+        prometheus.io/port: "{{ .Values.operator.monitoring.port }}"
+        prometheus.io/scrape: "true"
+    {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+    {{- end }}
+    spec:
+      serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+      containers:
+        - name: istio-operator
+          image: {{.Values.hub}}/operator:{{.Values.tag}}
+          command:
+          - operator
+          - server
+          - --monitoring-host={{ .Values.operator.monitoring.host }}
+          - --monitoring-port={{ .Values.operator.monitoring.port }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+{{- if .Values.operator.seccompProfile }}
+            seccompProfile:
+{{ toYaml .Values.operator.seccompProfile | trim | indent 14 }}
+{{- end }}
+{{- if .Values.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+{{- end }}
+          resources:
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{.Values.watchedNamespaces | quote}}
+            - name: LEADER_ELECTION_NAMESPACE
+              value: {{.Release.Namespace | quote}}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{.Release.Namespace | quote}}
+            - name: WAIT_FOR_RESOURCES_TIMEOUT
+              value: {{.Values.waitForResourcesTimeout | quote}}
+            - name: REVISION
+              value: {{.Values.revision | quote}}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+---
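Review bot: `selector.matchLabels` and the pod template label are fixed at `name: istio-operator`, while the Deployment name carries the `-{{ .Values.revision }}` suffix, so two revisions installed in the same namespace end up with overlapping selectors. Add a revision label to both the selector and the template labels. The image reference `{{.Values.hub}}/operator:{{.Values.tag}}` is tag-only; supporting a digest would let installs pin the exact image.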
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service.yaml
new file mode 100644
index 00000000..e32e8ea0
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: {{.Release.Namespace}}
+  labels:
+    name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+  ports:
+  - name: http-metrics
+    port: 8383
+    targetPort: 8383
+    protocol: TCP
+  selector:
+    name: istio-operator
+---
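Review bot: `port` and `targetPort` are hardcoded to 8383, but the Deployment in this patch starts the operator with `--monitoring-port={{ .Values.operator.monitoring.port }}` and `--monitoring-host={{ .Values.operator.monitoring.host }}`, whose defaults in values.yaml are 15014 and 127.0.0.1. The Service therefore does not match the port the operator is told to serve metrics on, and a loopback bind is not reachable through a Service anyway. Derive `targetPort` from the same value, or drop the Service if metrics are meant to stay local to the pod. The selector here has the same missing revision label as the Deployment.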
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service_account.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service_account.yaml
new file mode 100644
index 00000000..fe9d4cf2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{.Release.Namespace}}
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+---
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
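Review bot: The header comment describes three value layers, but the code below merges a fourth: the `compatibilityVersion` file is merged over `$profile` with `mustMergeOverwrite` before the profile is applied to the defaults. Update the comment to list it and its position (above the selected profile, below user input), since the compatibility file in this patch turns off settings that the ambient profile turns on. The throwaway variables `$ignore`, `$a` and `$b` could all be `$_`, as on the `unset` line.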
diff --git a/charts/istio/1.21.6-tetrate-v1/istio-operator/values.yaml b/charts/istio/1.21.6-tetrate-v1/istio-operator/values.yaml
new file mode 100644
index 00000000..b83ed570
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istio-operator/values.yaml
@@ -0,0 +1,52 @@
+defaults:
+  hub: addon-containers.istio.tetratelabs.com
+  tag: 1.21.6-tetrate-v1
+
+  # ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
+  # used to pull operator image. Must be set for any cluster configured with private docker registry.
+  imagePullSecrets: []
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent.
+  imagePullPolicy: ""
+
+  # Used to replace istioNamespace to support operator watch multiple namespaces.
+  watchedNamespaces: istio-system
+  waitForResourcesTimeout: 300s
+
+  # Used for helm2 to add the CRDs to templates.
+  enableCRDTemplates: false
+
+  # revision for the operator resources
+  revision: ""
+
+  # The number of old ReplicaSets to retain in operator deployment
+  deploymentHistory: 10
+
+  # Operator resource defaults
+  operator:
+    monitoring:
+      host: 127.0.0.1
+      port: 15014
+    resources:
+      limits:
+        cpu: 200m
+        memory: 256Mi
+      requests:
+        cpu: 50m
+        memory: 128Mi
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}
+
+  # Node labels for pod assignment
+  nodeSelector: {}
+
+  # Tolerations for pod assignment
+  tolerations: []
+
+  # Affinity for pod assignment
+  affinity: {}
+
+  # Additional labels and annotations to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+  podAnnotations: {}
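Review bot: `operator.seccompProfile` defaults to `{}`, and the Deployment template only emits the `seccompProfile` block when this value is non-empty, so a default install runs the operator container with no seccomp profile set. The comment already suggests `type: RuntimeDefault`; make that the default and let users who cannot use it override it. The `imagePullPolicy` comment ("latest images will be Always else IfNotPresent") is hard to parse and should say which policy applies to which tag.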
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/Chart.yaml
new file mode 100644
index 00000000..5269e40f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+name: istiod-remote
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+tillerVersion: ">=2.7.2"
+description: Helm chart for a remote cluster using an external istio control plane
+keywords:
+  - istio
+  - external-istiod
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/istiod-remote/NOTES.txt
new file mode 100644
index 00000000..0230b6f8
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/NOTES.txt
@@ -0,0 +1,4 @@
+Install for a remote cluster using an external control plane.
+
+The templates in this directory are copies of base and istio-discovery templates.
+DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/gateway-injection-template.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/gateway-injection-template.yaml
new file mode 100644
index 00000000..59b33c16
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/gateway-injection-template.yaml
@@ -0,0 +1,256 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if eq (len $containers) 1 }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{ end }}
+  }
+spec:
+  securityContext:
+  {{- if .Values.gateways.securityContext }}
+    {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+  {{- else }}
+    sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
+  {{- end }}
+  containers:
+  - name: istio-proxy
+  {{- if contains "/" .Values.global.proxy.image }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - router
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- end }}
+    securityContext:
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+    env:
+    - name: JWT_POLICY
+      value: {{ .Values.global.jwtPolicy }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- end }}
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+  volumes:
+  - emptyDir: {}
+    name: workload-socket
+  - emptyDir: {}
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else}}
+  - emptyDir: {}
+    name: workload-certs
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+    configMap:
+      name: istio-ca-root-cert
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
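Review bot: in the `range $key, $value := .ProxyConfig.ProxyMetadata` loop the env entries are built by plain interpolation (`name: {{ $key }}` and `value: "{{ $value }}"`), so a metadata value containing a double quote or a newline renders as invalid or differently structured YAML in the injected pod. Piping the value through `quote`, as the label values in the sidecar injection-template.yaml later in this patch do, would keep it a single scalar. The same applies to the `TRUST_DOMAIN` and `ISTIO_META_MESH_ID` values just above the loop.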
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/injection-template.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/injection-template.yaml
new file mode 100644
index 00000000..f88fec82
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/injection-template.yaml
@@ -0,0 +1,548 @@
+{{- define "resources"  }}
+  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+      requests:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+        {{ end }}
+    {{- end }}
+    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+      limits:
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+        {{ end }}
+        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+        {{ end }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.global.proxy.resources }}
+      {{ toYaml .Values.global.proxy.resources | indent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+  labels:
+    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+    {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+    networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+    {{- end }}
+    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+  annotations: {
+    istio.io/rev: {{ .Revision | default "default" | quote }},
+    {{- if ge (len $containers) 1 }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+    {{- end }}
+    {{- end }}
+{{- if .Values.istio_cni.enabled }}
+    {{- if not .Values.istio_cni.chained }}
+    k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+    {{- end }}
+    sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+    {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }}
+    traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+    traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+    {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+    traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+    {{- end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+    {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+{{- end }}
+  }
+spec:
+  {{- $holdProxy := and
+      (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+      (not $nativeSidecar) }}
+  initContainers:
+  {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+  {{ if .Values.istio_cni.enabled -}}
+  - name: istio-validation
+  {{ else -}}
+  - name: istio-init
+  {{ end -}}
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    args:
+    - istio-iptables
+    - "-p"
+    - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+    - "-z"
+    - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+    - "-u"
+    - {{ .ProxyUID | default "1337" | quote }}
+    - "-m"
+    - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+    - "-i"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+    - "-x"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+    - "-b"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+    - "-d"
+  {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+    - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+  {{- else }}
+    - "15090,15021"
+  {{- end }}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+    - "-q"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+    {{ end -}}
+    {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+    - "-o"
+    - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+    {{ end -}}
+    {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+    - "-k"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+    {{ end -}}
+     {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+    - "-c"
+    - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+    {{ end -}}
+    - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+    {{ if .Values.global.logAsJson -}}
+    - "--log_as_json"
+    {{ end -}}
+    {{ if .Values.istio_cni.enabled -}}
+    - "--run-validation"
+    - "--skip-rule-apply"
+    {{ end -}}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+  {{- if .ProxyConfig.ProxyMetadata }}
+    env:
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+  {{- end }}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      privileged: {{ .Values.global.proxy.privileged }}
+      capabilities:
+    {{- if not .Values.istio_cni.enabled }}
+        add:
+        - NET_ADMIN
+        - NET_RAW
+    {{- end }}
+        drop:
+        - ALL
+    {{- if not .Values.istio_cni.enabled }}
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+    {{- else }}
+      readOnlyRootFilesystem: true
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      runAsNonRoot: true
+    {{- end }}
+  {{ end -}}
+  {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+  - name: enable-core-dump
+    args:
+    - -c
+    - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+    command:
+      - /bin/sh
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    resources:
+  {{ template "resources" . }}
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - SYS_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+  {{ end }}
+  {{ if not $nativeSidecar }}
+  containers:
+  {{ end }}
+  - name: istio-proxy
+  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+  {{- else }}
+    image: "{{ .ProxyImage }}"
+  {{- end }}
+    {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+    ports:
+    - containerPort: 15090
+      protocol: TCP
+      name: http-envoy-prom
+    args:
+    - proxy
+    - sidecar
+    - --domain
+    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+  {{- if .Values.global.sts.servicePort }}
+    - --stsPort={{ .Values.global.sts.servicePort }}
+  {{- end }}
+  {{- if .Values.global.logAsJson }}
+    - --log_as_json
+  {{- end }}
+  {{- if .Values.global.proxy.lifecycle }}
+    lifecycle:
+      {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+  {{- else if $holdProxy }}
+    lifecycle:
+      postStart:
+        exec:
+          command:
+          - pilot-agent
+          - wait
+  {{- else if $nativeSidecar }}
+    {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+    lifecycle:
+      preStop:
+        exec:
+          command:
+          - pilot-agent
+          - request
+          - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+          - POST
+          - drain
+  {{- end }}
+    env:
+    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+      value: "true"
+    {{- end }}
+    - name: JWT_POLICY
+      value: {{ .Values.global.jwtPolicy }}
+    - name: PILOT_CERT_PROVIDER
+      value: {{ .Values.global.pilotCertProvider }}
+    - name: CA_ADDR
+    {{- if .Values.global.caAddress }}
+      value: {{ .Values.global.caAddress }}
+    {{- else }}
+      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+    {{- end }}
+    - name: POD_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.name
+    - name: POD_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+    - name: INSTANCE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    - name: SERVICE_ACCOUNT
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.serviceAccountName
+    - name: HOST_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+    - name: ISTIO_CPU_LIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    - name: PROXY_CONFIG
+      value: |
+             {{ protoToJSON .ProxyConfig }}
+    - name: ISTIO_META_POD_PORTS
+      value: |-
+        [
+        {{- $first := true }}
+        {{- range $index1, $c := .Spec.Containers }}
+          {{- range $index2, $p := $c.Ports }}
+            {{- if (structToJSON $p) }}
+            {{if not $first}},{{end}}{{ structToJSON $p }}
+            {{- $first = false }}
+            {{- end }}
+          {{- end}}
+        {{- end}}
+        ]
+    - name: ISTIO_META_APP_CONTAINERS
+      value: "{{ $containers | join "," }}"
+    - name: GOMEMLIMIT
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+    - name: GOMAXPROCS
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.cpu
+    {{- if .CompliancePolicy }}
+    - name: COMPLIANCE_POLICY
+      value: "{{ .CompliancePolicy }}"
+    {{- end }}
+    - name: ISTIO_META_CLUSTER_ID
+      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+    - name: ISTIO_META_NODE_NAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    - name: ISTIO_META_INTERCEPTION_MODE
+      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+    {{- if .Values.global.network }}
+    - name: ISTIO_META_NETWORK
+      value: "{{ .Values.global.network }}"
+    {{- end }}
+    {{- if .DeploymentMeta.Name }}
+    - name: ISTIO_META_WORKLOAD_NAME
+      value: "{{ .DeploymentMeta.Name }}"
+    {{ end }}
+    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+    - name: ISTIO_META_OWNER
+      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+    {{- end}}
+    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - name: ISTIO_BOOTSTRAP_OVERRIDE
+      value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+    {{- end }}
+    {{- if .Values.global.meshID }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ .Values.global.meshID }}"
+    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+    - name: ISTIO_META_MESH_ID
+      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+    {{- end }}
+    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+    - name: TRUST_DOMAIN
+      value: "{{ . }}"
+    {{- end }}
+    {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{- end }}
+    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+    - name: {{ $key }}
+      value: "{{ $value }}"
+    {{- end }}
+    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+  {{ if .Values.global.proxy.startupProbe.enabled }}
+    startupProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: 0
+      periodSeconds: 1
+      timeoutSeconds: 3
+      failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+  {{ end }}
+    readinessProbe:
+      httpGet:
+        path: /healthz/ready
+        port: 15021
+      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+      timeoutSeconds: 3
+      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+    {{ end -}}
+    securityContext:
+      {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+      allowPrivilegeEscalation: true
+      capabilities:
+        add:
+        - NET_ADMIN
+        drop:
+        - ALL
+      privileged: true
+      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else }}
+      allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+      capabilities:
+        {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+        add:
+        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+        - NET_ADMIN
+        {{- end }}
+        {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+        - NET_BIND_SERVICE
+        {{- end }}
+        {{- end }}
+        drop:
+        - ALL
+      privileged: {{ .Values.global.proxy.privileged }}
+      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+      runAsGroup: {{ .ProxyGID | default "1337" }}
+      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+      runAsNonRoot: false
+      runAsUser: 0
+      {{- else -}}
+      runAsNonRoot: true
+      runAsUser: {{ .ProxyUID | default "1337" }}
+      {{- end }}
+      {{- end }}
+    resources:
+  {{ template "resources" . }}
+    volumeMounts:
+    - name: workload-socket
+      mountPath: /var/run/secrets/workload-spiffe-uds
+    - name: credential-socket
+      mountPath: /var/run/secrets/credential-uds
+    {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+    - name: gke-workload-certificate
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+      readOnly: true
+    {{- else }}
+    - name: workload-certs
+      mountPath: /var/run/secrets/workload-spiffe-credentials
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "istiod" }}
+    - mountPath: /var/run/secrets/istio
+      name: istiod-ca-cert
+    {{- end }}
+    {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+    - mountPath: /var/run/secrets/istio/kubernetes
+      name: kube-ca-cert
+    {{- end }}
+    - mountPath: /var/lib/istio/data
+      name: istio-data
+    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+    - mountPath: /etc/istio/custom-bootstrap
+      name: custom-bootstrap-volume
+    {{- end }}
+    # SDS channel between istioagent and Envoy
+    - mountPath: /etc/istio/proxy
+      name: istio-envoy
+    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+    - mountPath: /var/run/secrets/tokens
+      name: istio-token
+    {{- end }}
+    {{- if .Values.global.mountMtlsCerts }}
+    # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+    - mountPath: /etc/certs/
+      name: istio-certs
+      readOnly: true
+    {{- end }}
+    - name: istio-podinfo
+      mountPath: /etc/istio/pod
+     {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+    - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+      name: lightstep-certs
+      readOnly: true
+    {{- end }}
+      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+      {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+    - name: "{{  $index }}"
+      {{ toYaml $value | indent 6 }}
+      {{ end }}
+      {{- end }}
+  volumes:
+  - emptyDir:
+    name: workload-socket
+  - emptyDir:
+    name: credential-socket
+  {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+  - name: gke-workload-certificate
+    csi:
+      driver: workloadcertificates.security.cloud.google.com
+  {{- else }}
+  - emptyDir:
+    name: workload-certs
+  {{- end }}
+  {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+  - name: custom-bootstrap-volume
+    configMap:
+      name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+  {{- end }}
+  # SDS channel between istioagent and Envoy
+  - emptyDir:
+      medium: Memory
+    name: istio-envoy
+  - name: istio-data
+    emptyDir: {}
+  - name: istio-podinfo
+    downwardAPI:
+      items:
+        - path: "labels"
+          fieldRef:
+            fieldPath: metadata.labels
+        - path: "annotations"
+          fieldRef:
+            fieldPath: metadata.annotations
+  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+  - name: istio-token
+    projected:
+      sources:
+      - serviceAccountToken:
+          path: istio-token
+          expirationSeconds: 43200
+          audience: {{ .Values.global.sds.token.aud }}
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "istiod" }}
+  - name: istiod-ca-cert
+    configMap:
+      name: istio-ca-root-cert
+  {{- end }}
+  {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
+  - name: kube-ca-cert
+    configMap:
+      name: kube-root-ca.crt
+  {{- end }}
+  {{- if .Values.global.mountMtlsCerts }}
+  # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+  - name: istio-certs
+    secret:
+      optional: true
+      {{ if eq .Spec.ServiceAccountName "" }}
+      secretName: istio.default
+      {{ else -}}
+      secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+      {{  end -}}
+  {{- end }}
+    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+    {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+  - name: "{{ $index }}"
+    {{ toYaml $value | indent 4 }}
+    {{ end }}
+    {{ end }}
+  {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+  - name: lightstep-certs
+    secret:
+      optional: true
+      secretName: lightstep.cacert
+  {{- end }}
+  {{- if .Values.global.imagePullSecrets }}
+  imagePullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+  {{- end }}
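Review bot: pod annotations alone can raise the privilege of what this template injects, and the visible lines give an operator no switch to prevent that. An annotation `sidecar.istio.io/enableCoreDump` set to "true" adds the `enable-core-dump` init container with `privileged: true`, `SYS_ADMIN` and `runAsUser: 0`, and `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` are passed through `fromJSON` and `toYaml` into `volumes` and `volumeMounts` with no filtering of the volume type. Consider gating both on a `.Values` flag that defaults to off, or at least document that admission policy has to restrict these annotations in namespaces whose workload owners are not trusted with privileged pods.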
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
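Review bot: `CA_TRUSTED_NODE_ACCOUNTS` lists `kube-system/ztunnel` as well as `istio-system/ztunnel`, with no comment saying why both are needed. Each entry is a service account the CA will trust as a node proxy, so the list is best kept to the namespace ztunnel is actually installed in; suggest a comment telling users to trim it to their deployment. Separately, the header comment on the first line of the file reads as cut off after "must be deployed".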
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
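Review bot: missing documentation. This profile sets `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` with no header comment, while profile-ambient.yaml in the same patch describes the "true" values as the "more secure default". A comment at the top naming the settings this profile turns off, and that it exists for compatibility with 1.20 as the file name suggests, would keep it from being applied without anyone noticing the weaker certificate checking.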
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
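Review bot: the two OpenTelemetry providers point at different namespaces: `otel` uses `opentelemetry-collector.istio-system.svc.cluster.local` while `otel-tracing` uses `opentelemetry-collector.otel-collector.svc.cluster.local`, both on port 4317. If that is intended, a comment saying so would help; otherwise one of the two has no collector behind it. `traceSampling: 100` and `accessLogFile: /dev/stdout` also deserve a line marking them as demo-only settings, and the file lacks a trailing newline.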
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
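Review bot: `privileged: true` under `cni` has no justification; the two header comments only say that CNI must be installed. Add a comment stating why the CNI component must run privileged on OpenShift, so the setting is not copied into other profiles or kept after it stops being needed. `chained: false` is set under both `cni` and `istio_cni`, and `platform: openshift` is set both at top level and under `global`; note which chart reads which key, or drop the duplicates.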
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
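Review bot: `ISTIO_META_DNS_CAPTURE: "true"` is set under `meshConfig.defaultConfig.proxyMetadata`, so it applies to every proxy that takes the default config rather than to an opt-in set of workloads. The header warns that the profile is experimental but not that this change is mesh-wide; say so in the comment above the key, since it moves DNS resolution for those workloads through the Istio agent.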
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/_helpers.tpl b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/_helpers.tpl
new file mode 100644
index 00000000..47b89a40
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}}
+{{ define "default-prometheus" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}}
+{{ define "default-sd-metrics" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
+
+{{/* SD has metrics and logging split. */}}
+{{ define "default-sd-logs" }}
+{{- and
+  (not .Values.meshConfig.defaultProviders)
+  .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled
+}}
+{{- end }}
\ No newline at end of file
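Review bot: `default-sd-metrics` and `default-sd-logs` evaluate exactly the same expression (both end in `.Values.telemetry.v2.stackdriver.enabled`), so the "metrics and logging split" described in the comments is not expressed here and the two helpers can never return different results. Either point `default-sd-logs` at a separate logging toggle or collapse the two into one helper and update the comments. Minor: "if its enabled" in the first comment should read "if it's enabled", and the file ends without a trailing newline.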
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrole.yaml
new file mode 100644
index 00000000..26621616
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrole.yaml
@@ -0,0 +1,154 @@
+{{- if .Values.global.configCluster }}
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+  # sidecar injection controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+
+  # configuration validation webhook controller
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+
+  # istio configuration
+  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+  # please proceed with caution
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["get", "watch", "list"]
+    resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
+    verbs: ["update"]
+    # TODO: should be on just */status but wildcard is not supported
+    resources: ["*"]
+
+  # Needed because status reporter sets the config map owner reference to the istiod pod
+  - apiGroups: [""]
+    verbs: ["update"]
+    resources: ["pods/finalizers"]
+{{- end }}
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "workloadentries/status" ]
+
+  # auto-detect installed CRD definitions
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+
+  # discovery and routing
+  - apiGroups: [""]
+    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+
+  # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+{{- end}}
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses", "ingressclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses/status"]
+    verbs: ["*"]
+
+  # required for CA's namespace controller
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+
+  # Istiod and bootstrap.
+{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
+{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "certificatesigningrequests"
+      - "certificatesigningrequests/approval"
+      - "certificatesigningrequests/status"
+    verbs: ["update", "create", "get", "delete", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - "signers"
+    resourceNames:
+    - "kubernetes.io/legacy-unknown"
+{{- range .Values.global.certSigners }}
+    - {{ . | quote }}
+{{- end }}
+    verbs: ["approve"]
+{{- end}}
+
+  # Used by Istiod to verify the JWT tokens
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+
+  # Used by Istiod to verify gateway SDS
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+  # Use for Kubernetes Service APIs
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["*"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+    verbs: ["update", "patch"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gatewayclasses"]
+    verbs: ["create", "update", "patch", "delete"]
+
+  # Needed for multicluster secret reading, possibly ingress certs in the future
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+  # Used for MCS serviceexport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: [ "get", "watch", "list", "create", "delete"]
+
+  # Used for MCS serviceimport management
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: ["apps"]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "deployments" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "services" ]
+  - apiGroups: [""]
+    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+    resources: [ "serviceaccounts"]
+{{- end }}
+{{- end }}
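Review bot: the rule `resources: ["secrets"]` with `verbs: ["get", "watch", "list"]` is in a ClusterRole, so once bound cluster-wide it lets istiod read Secrets in every namespace, and the only rationale given is "multicluster secret reading, possibly ingress certs in the future". Document why cluster-wide read is required, or grant it through a namespaced binding limited to where the multicluster secrets live. The two `ingresses/status` rules use `verbs: ["*"]`, whereas the Gateway API status rule further down uses `["update", "patch"]`; the same explicit list would be tighter here. The `# ingress controller` block gated on `.Values.global.istiod.enableAnalysis` also looks misplaced, since the ungated `networking.k8s.io` rules directly below it already cover `ingresses`.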
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrolebinding.yaml
new file mode 100644
index 00000000..932cdce0
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/clusterrolebinding.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
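Review bot: both subjects use `namespace: {{ .Values.global.istioNamespace }}` while the binding and role names are suffixed with `{{ .Release.Namespace }}`. If the chart is installed into a namespace other than `global.istioNamespace`, these bindings grant the ClusterRoles to a service account in a namespace that this release may not manage. Use `.Release.Namespace` for the subject namespace, or add a comment explaining why the two values are allowed to differ. Style: the `subjects` list items are indented in the first binding and not in the second; pick one.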
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/configmap.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/configmap.yaml
new file mode 100644
index 00000000..df0ce35c
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/configmap.yaml
@@ -0,0 +1,112 @@
+{{- define "mesh" }}
+    # The trust domain corresponds to the trust root of a system.
+    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+    trustDomain: "cluster.local"
+
+    # The namespace to treat as the administrative root namespace for Istio configuration.
+    # When processing a leaf namespace Istio will search for declarations in that namespace first
+    # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+    # is processed as if it were declared in the leaf namespace.
+    rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+  {{ $prom := include "default-prometheus" . | eq "true" }}
+  {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }}
+  {{ $sdLogs := include "default-sd-logs" . | eq "true" }}
+  {{- if or $prom $sdMetrics $sdLogs }}
+    defaultProviders:
+    {{- if or $prom $sdMetrics }}
+      metrics:
+      {{ if $prom }}- prometheus{{ end }}
+      {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }}
+    {{- end }}
+    {{- if and $sdMetrics $sdLogs }}
+      accessLogging:
+      - stackdriver
+    {{- end }}
+  {{- end }}
+
+    defaultConfig:
+      {{- if .Values.global.meshID }}
+      meshId: "{{ .Values.global.meshID }}"
+      {{- end }}
+      {{- with (.Values.global.proxy.variant | default .Values.global.variant) }}
+      image:
+        imageType: {{. | quote}}
+      {{- end }}
+      tracing:
+      {{- if eq .Values.global.proxy.tracer "lightstep" }}
+        lightstep:
+          # Address of the LightStep Satellite pool
+          address: {{ .Values.global.tracer.lightstep.address }}
+          # Access Token used to communicate with the Satellite pool
+          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+        zipkin:
+          # Address of the Zipkin collector
+          address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+      {{- else if eq .Values.global.proxy.tracer "datadog" }}
+        datadog:
+          # Address of the Datadog Agent
+          address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }}
+      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+        stackdriver:
+          # enables trace output to stdout.
+          debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }}
+          # The global default max number of attributes per span.
+          maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }}
+          # The global default max number of annotation events per span.
+          maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }}
+          # The global default max number of message events per span.
+          maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }}
+      {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+      {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+      {{- else }}
+        {}
+      {{- end }}
+      {{- if .Values.global.remotePilotAddress }}
+      {{- if .Values.pilot.enabled }}
+      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+      {{- else }}
+      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+      {{- end }}
+      {{- else }}
+      discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+      {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.pilot.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+data:
+
+  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+  meshNetworks: |-
+  {{- if .Values.global.meshNetworks }}
+    networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+  {{- else }}
+    networks: {}
+  {{- end }}
+
+  mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
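Review bot: in the `lightstep` branch, `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` renders the token into the `mesh` key of a ConfigMap, where anyone with ConfigMap read access in the namespace can see it. Add a comment warning that this value is stored in plaintext, or source the token from a Secret instead. The `address` and `accessToken` values in that branch are also emitted unquoted, unlike `meshId`, so a value containing `: ` or ` #` would change how the `include "mesh" . | fromYaml` step below parses the block; pipe them through `quote`.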
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/crd-all.gen.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/crd-all.gen.yaml
new file mode 100644
index 00000000..41199372
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/crd-all.gen.yaml
@@ -0,0 +1,8459 @@
+{{- if .Values.global.configCluster }}
+# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: wasmplugins.extensions.istio.io
+spec:
+  group: extensions.istio.io
+  names:
+    categories:
+    - istio-io
+    - extensions-istio-io
+    kind: WasmPlugin
+    listKind: WasmPluginList
+    plural: wasmplugins
+    singular: wasmplugin
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Extend the functionality provided by the Istio proxy through
+              WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+            properties:
+              failStrategy:
+                description: Specifies the failure behavior for the plugin due to
+                  fatal errors.
+                enum:
+                - FAIL_CLOSE
+                - FAIL_OPEN
+                type: string
+              imagePullPolicy:
+                description: The pull behaviour to be applied when fetching Wasm module
+                  by either OCI image or `http/https`.
+                enum:
+                - UNSPECIFIED_POLICY
+                - IfNotPresent
+                - Always
+                type: string
+              imagePullSecret:
+                description: Credentials to use for OCI image pulling.
+                maxLength: 253
+                minLength: 1
+                type: string
+              match:
+                description: Specifies the criteria to determine which traffic is
+                  passed to WasmPlugin.
+                items:
+                  properties:
+                    mode:
+                      description: Criteria for selecting traffic by their direction.
+                      enum:
+                      - UNDEFINED
+                      - CLIENT
+                      - SERVER
+                      - CLIENT_AND_SERVER
+                      type: string
+                    ports:
+                      description: Criteria for selecting traffic by their destination
+                        port.
+                      items:
+                        properties:
+                          number:
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        required:
+                        - number
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - number
+                      x-kubernetes-list-type: map
+                  type: object
+                type: array
+              phase:
+                description: Determines where in the filter chain this `WasmPlugin`
+                  is to be injected.
+                enum:
+                - UNSPECIFIED_PHASE
+                - AUTHN
+                - AUTHZ
+                - STATS
+                type: string
+              pluginConfig:
+                description: The configuration that will be passed on to the plugin.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              pluginName:
+                description: The plugin name to be used in the Envoy configuration
+                  (used to be called `rootID`).
+                maxLength: 256
+                minLength: 1
+                type: string
+              priority:
+                description: Determines ordering of `WasmPlugins` in the same `phase`.
+                nullable: true
+                type: integer
+              selector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this plugin configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              sha256:
+                description: SHA256 checksum that will be used to verify Wasm module
+                  or OCI container.
+                pattern: (^$|^[a-f0-9]{64}$)
+                type: string
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+              type:
+                description: Specifies the type of Wasm Extension to be used.
+                enum:
+                - UNSPECIFIED_PLUGIN_TYPE
+                - HTTP
+                - NETWORK
+                type: string
+              url:
+                description: URL of a Wasm module or OCI container.
+                minLength: 1
+                type: string
+                x-kubernetes-validations:
+                - message: url must have schema one of [http, https, file, oci]
+                  rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'',
+                    ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) &&
+                    url(''http://'' +self).getScheme() in ['''', ''http'', ''https'',
+                    ''oci'', ''file''])'
+              verificationKey:
+                type: string
+              vmConfig:
+                description: Configuration for a Wasm VM.
+                properties:
+                  env:
+                    description: Specifies environment variables to be injected to
+                      this VM.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the environment variable.
+                          maxLength: 256
+                          minLength: 1
+                          type: string
+                        value:
+                          description: Value for the environment variable.
+                          maxLength: 2048
+                          type: string
+                        valueFrom:
+                          description: Source for the environment variable's value.
+                          enum:
+                          - INLINE
+                          - HOST
+                          type: string
+                      required:
+                      - name
+                      type: object
+                      x-kubernetes-validations:
+                      - message: value may only be set when valueFrom is INLINE
+                        rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST''
+                          || !has(self.value)'
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
+                type: object
+            required:
+            - url
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: destinationrules.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: DestinationRule
+    listKind: DestinationRuleList
+    plural: destinationrules
+    shortNames:
+    - dr
+    singular: destinationrule
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: Specify if http1.1 connection
+                                          should be upgraded to http2 for the associated
+                                          destination.
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: enable locality load balancing,
+                                          this is DestinationRule-level and will override
+                                          mesh wide settings in entirety.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmupDurationSecs:
+                                    description: Represents the warmup duration of
+                                      Service.
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least min_health_percent hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: Indicates whether connections to
+                                      this port should be secured using TLS.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: The PROXY protocol version to use.
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: Specify if http1.1 connection should be upgraded
+                              to http2 for the associated destination.
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: enable locality load balancing, this is DestinationRule-level
+                              and will override mesh wide settings in entirety.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmupDurationSecs:
+                        description: Represents the warmup duration of Service.
+                        type: string
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least min_health_percent
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: The PROXY protocol version to use.
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: Indicates whether connections to this port should
+                          be secured using TLS.
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
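Review bot: in both `tls` blocks of this version's schema (the per-port one that sits beside `port`, and the one beside `proxyProtocol` and `tunnel`), `insecureSkipVerify` is a bare `nullable: true` / `type: boolean`, and `clientCertificate` and `privateKey` are plain strings whose only constraint is the description text "REQUIRED if mode is `MUTUAL`". Neither `tls` object carries a `required` list or a conditional on `mode`, so nothing in this schema rejects a DestinationRule that sets `mode: MUTUAL` without a client certificate, or one that sets `insecureSkipVerify: true` and so turns off CA signature and SAN verification for the upstream. If this CRD is meant to stay byte-identical to upstream, I would not change the YAML; instead, please note in the chart docs that these rules have to be enforced outside the schema (Istio's validation webhook or a cluster admission policy), and consider shipping or recommending a policy that flags `insecureSkipVerify: true`. Two smaller documentation points in the same region: the `distribute` item's `from` description stops at "e.g." with no example following it, and `consecutiveErrors` under `outlierDetection` is the only field there with no description, so a reader cannot tell how it relates to `consecutive5xxErrors`.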
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: Specify if http1.1 connection
+                                          should be upgraded to http2 for the associated
+                                          destination.
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: enable locality load balancing,
+                                          this is DestinationRule-level and will override
+                                          mesh wide settings in entirety.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmupDurationSecs:
+                                    description: Represents the warmup duration of
+                                      Service.
+                                    type: string
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least min_health_percent hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: Indicates whether connections to
+                                      this port should be secured using TLS.
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: The PROXY protocol version to use.
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: Specify if http1.1 connection should be upgraded
+                              to http2 for the associated destination.
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: enable locality load balancing, this is DestinationRule-level
+                              and will override mesh wide settings in entirety.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmupDurationSecs:
+                        description: Represents the warmup duration of Service.
+                        type: string
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least min_health_percent
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: Specify if http1.1 connection should
+                                    be upgraded to http2 for the associated destination.
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: enable locality load balancing, this
+                                    is DestinationRule-level and will override mesh
+                                    wide settings in entirety.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmupDurationSecs:
+                              description: Represents the warmup duration of Service.
+                              type: string
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                min_health_percent hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: Indicates whether connections to this port
+                                should be secured using TLS.
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: The PROXY protocol version to use.
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: Indicates whether connections to this port should
+                          be secured using TLS.
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
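Review bot: In both `tls` blocks of this CRD (the one inside the `portLevelSettings` items and the one that follows `proxyProtocol`), the constraints stated in the descriptions are not expressed in the schema. `clientCertificate` and `privateKey` are described as "REQUIRED if mode is `MUTUAL`", yet neither block has a `required` list or any condition on `mode`, and `insecureSkipVerify` is a plain nullable boolean accepted alongside any `mode`, including next to `caCertificates` and `subjectAltNames`. Going by this schema alone, the API server would admit a DestinationRule with `mode: MUTUAL` and no client key pair, or one that turns off CA and SAN verification for an upstream. If this file is generated and must not be hand-edited, state in the chart documentation where these rules are enforced, and consider shipping an admission policy alongside the chart that rejects `insecureSkipVerify: true` except where explicitly allowed. Smaller documentation points in the same region: `consecutiveErrors` under `outlierDetection` has no description while every sibling field does, and the top-level `minimumRingSize` under `consistentHash` says only "Deprecated." without pointing at `ringHash.minimumRingSize`, which sits right beside it.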
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: envoyfilters.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: EnvoyFilter
+    listKind: EnvoyFilterList
+    plural: envoyfilters
+    singular: envoyfilter
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Customizing Envoy configuration generated by Istio. See
+              more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+            properties:
+              configPatches:
+                description: One or more patches with match conditions.
+                items:
+                  properties:
+                    applyTo:
+                      description: Specifies where in the Envoy configuration, the
+                        patch should be applied.
+                      enum:
+                      - INVALID
+                      - LISTENER
+                      - FILTER_CHAIN
+                      - NETWORK_FILTER
+                      - HTTP_FILTER
+                      - ROUTE_CONFIGURATION
+                      - VIRTUAL_HOST
+                      - HTTP_ROUTE
+                      - CLUSTER
+                      - EXTENSION_CONFIG
+                      - BOOTSTRAP
+                      - LISTENER_FILTER
+                      type: string
+                    match:
+                      description: Match on listener/route configuration/cluster.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - listener
+                          - required:
+                            - routeConfiguration
+                          - required:
+                            - cluster
+                      - required:
+                        - listener
+                      - required:
+                        - routeConfiguration
+                      - required:
+                        - cluster
+                      properties:
+                        cluster:
+                          description: Match on envoy cluster attributes.
+                          properties:
+                            name:
+                              description: The exact name of the cluster to match.
+                              type: string
+                            portNumber:
+                              description: The service port for which this cluster
+                                was generated.
+                              type: integer
+                            service:
+                              description: The fully qualified service name for this
+                                cluster.
+                              type: string
+                            subset:
+                              description: The subset associated with the service.
+                              type: string
+                          type: object
+                        context:
+                          description: The specific config generation context to match
+                            on.
+                          enum:
+                          - ANY
+                          - SIDECAR_INBOUND
+                          - SIDECAR_OUTBOUND
+                          - GATEWAY
+                          type: string
+                        listener:
+                          description: Match on envoy listener attributes.
+                          properties:
+                            filterChain:
+                              description: Match a specific filter chain in a listener.
+                              properties:
+                                applicationProtocols:
+                                  description: Applies only to sidecars.
+                                  type: string
+                                destinationPort:
+                                  description: The destination_port value used by
+                                    a filter chain's match condition.
+                                  type: integer
+                                filter:
+                                  description: The name of a specific filter to apply
+                                    the patch to.
+                                  properties:
+                                    name:
+                                      description: The filter name to match on.
+                                      type: string
+                                    subFilter:
+                                      description: The next level filter within this
+                                        filter to match upon.
+                                      properties:
+                                        name:
+                                          description: The filter name to match on.
+                                          type: string
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name assigned to the filter chain.
+                                  type: string
+                                sni:
+                                  description: The SNI value used by a filter chain's
+                                    match condition.
+                                  type: string
+                                transportProtocol:
+                                  description: Applies only to `SIDECAR_INBOUND` context.
+                                  type: string
+                              type: object
+                            listenerFilter:
+                              description: Match a specific listener filter.
+                              type: string
+                            name:
+                              description: Match a specific listener by its name.
+                              type: string
+                            portName:
+                              type: string
+                            portNumber:
+                              description: The service port/gateway port to which
+                                traffic is being sent/received.
+                              type: integer
+                          type: object
+                        proxy:
+                          description: Match on properties associated with a proxy.
+                          properties:
+                            metadata:
+                              additionalProperties:
+                                type: string
+                              description: Match on the node metadata supplied by
+                                a proxy when connecting to Istio Pilot.
+                              type: object
+                            proxyVersion:
+                              description: A regular expression in golang regex format
+                                (RE2) that can be used to select proxies using a specific
+                                version of istio proxy.
+                              type: string
+                          type: object
+                        routeConfiguration:
+                          description: Match on envoy HTTP route configuration attributes.
+                          properties:
+                            gateway:
+                              description: The Istio gateway config's namespace/name
+                                for which this route configuration was generated.
+                              type: string
+                            name:
+                              description: Route configuration name to match on.
+                              type: string
+                            portName:
+                              description: Applicable only for GATEWAY context.
+                              type: string
+                            portNumber:
+                              description: The service port number or gateway server
+                                port number for which this route configuration was
+                                generated.
+                              type: integer
+                            vhost:
+                              description: Match a specific virtual host in a route
+                                configuration and apply the patch to the virtual host.
+                              properties:
+                                name:
+                                  description: The VirtualHosts objects generated
+                                    by Istio are named as host:port, where the host
+                                    typically corresponds to the VirtualService's
+                                    host field or the hostname of a service in the
+                                    registry.
+                                  type: string
+                                route:
+                                  description: Match a specific route within the virtual
+                                    host.
+                                  properties:
+                                    action:
+                                      description: Match a route with specific action
+                                        type.
+                                      enum:
+                                      - ANY
+                                      - ROUTE
+                                      - REDIRECT
+                                      - DIRECT_RESPONSE
+                                      type: string
+                                    name:
+                                      description: The Route objects generated by
+                                        default are named as default.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                      type: object
+                    patch:
+                      description: The patch to apply along with the operation.
+                      properties:
+                        filterClass:
+                          description: Determines the filter insertion order.
+                          enum:
+                          - UNSPECIFIED
+                          - AUTHN
+                          - AUTHZ
+                          - STATS
+                          type: string
+                        operation:
+                          description: Determines how the patch should be applied.
+                          enum:
+                          - INVALID
+                          - MERGE
+                          - ADD
+                          - REMOVE
+                          - INSERT_BEFORE
+                          - INSERT_AFTER
+                          - INSERT_FIRST
+                          - REPLACE
+                          type: string
+                        value:
+                          description: The JSON config of the object being patched.
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  type: object
+                type: array
+              priority:
+                description: Priority defines the order in which patch sets are applied
+                  within a context.
+                format: int32
+                type: integer
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this patch configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: gateways.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    shortNames:
+    - gw
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
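Review bot: In the `tls` block of both served Gateway versions (v1alpha3 and v1beta1), the schema does not enforce what its own descriptions promise. `serverCertificate` and `privateKey` say "REQUIRED if mode is `SIMPLE` or `MUTUAL`" and `caCertificates` says "REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`", but `tls` carries no `required` list or conditional rule, so this schema alone accepts a server with `mode: MUTUAL` and no CA bundle. The `minProtocolVersion` enum also admits `TLSV1_0` and `TLSV1_1` and declares no default. If this file is vendored unchanged from upstream, keep the schema as it is and instead state in the chart README that these conditions are not checked at the CRD level, and name the minimum TLS version operators are expected to set on gateway servers.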
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: proxyconfigs.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ProxyConfig
+    listKind: ProxyConfigList
+    plural: proxyconfigs
+    singular: proxyconfig
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Provides configuration for individual workloads. See more
+              details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+            properties:
+              concurrency:
+                description: The number of worker threads to run.
+                nullable: true
+                type: integer
+              environmentVariables:
+                additionalProperties:
+                  type: string
+                description: Additional environment variables for the proxy.
+                type: object
+              image:
+                description: Specifies the details of the proxy image.
+                properties:
+                  imageType:
+                    description: The image type of the image.
+                    type: string
+                type: object
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: serviceentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ServiceEntry
+    listKind: ServiceEntryList
+    plural: serviceentries
+    shortNames:
+    - se
+    singular: serviceentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  type: string
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      type: string
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      type: string
+                    ports:
+                      additionalProperties:
+                        type: integer
+                      description: Set of ports associated with the endpoint.
+                      type: object
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      type: integer
+                  type: object
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                type: array
+              location:
+                description: Specify whether the service should be considered external
+                  to the mesh or part of the mesh.
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      type: integer
+                    protocol:
+                      description: The protocol exposed on the port.
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      type: integer
+                  required:
+                  - number
+                  - name
+                  type: object
+                type: array
+              resolution:
+                description: Service resolution mode for the hosts.
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  type: string
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      type: string
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      type: string
+                    ports:
+                      additionalProperties:
+                        type: integer
+                      description: Set of ports associated with the endpoint.
+                      type: object
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      type: integer
+                  type: object
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                type: array
+              location:
+                description: Specify whether the service should be considered external
+                  to the mesh or part of the mesh.
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      type: integer
+                    protocol:
+                      description: The protocol exposed on the port.
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      type: integer
+                  required:
+                  - number
+                  - name
+                  type: object
+                type: array
+              resolution:
+                description: Service resolution mode for the hosts.
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: sidecars.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Sidecar
+    listKind: SidecarList
+    plural: sidecars
+    singular: sidecar
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: When the bind address is an IP, the captureMode
+                        option dictates how traffic to the listener is expected to
+                        be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: Specify if http1.1 connection should be upgraded
+                          to http2 for the associated destination.
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: The captureMode option dictates how traffic to
+                        the listener is expected to be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: Specify if http1.1 connection should be
+                                upgraded to http2 for the associated destination.
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Configuration for the outbound traffic policy.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
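Review bot: In the Sidecar v1alpha3 schema, the `ingress[].tls.minProtocolVersion` enum accepts `TLSV1_0` and `TLSV1_1` alongside `TLSV1_2` and `TLSV1_3`, and the field declares no default, so this CRD will admit a Sidecar that terminates TLS with a legacy protocol floor. If the schema is vendored as-is and should not be hand-edited, enforce the floor outside it: add an admission policy that rejects Sidecar objects whose `minProtocolVersion` is below `TLSV1_2`, and record that requirement next to the chart. In the same version, `outboundTrafficPolicy.mode` (`REGISTRY_ONLY` / `ALLOW_ANY`) and `outboundTrafficPolicy.egressProxy` carry no `description`, unlike the fields around them; a one-line description of what each mode permits would help whoever audits egress settings from `kubectl explain`.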
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: When the bind address is an IP, the captureMode
+                        option dictates how traffic to the listener is expected to
+                        be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: Specify if http1.1 connection should be upgraded
+                          to http2 for the associated destination.
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: The captureMode option dictates how traffic to
+                        the listener is expected to be captured (or not).
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: Specify if http1.1 connection should be
+                                upgraded to http2 for the associated destination.
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: 'Optional: Maximum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: 'Optional: Minimum TLS protocol version.'
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: 'Optional: Indicates whether connections to
+                            this port should be secured using TLS.'
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Configuration for the outbound traffic policy.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
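Review bot: in the Sidecar `ingress[].tls` properties, `minProtocolVersion` and `maxProtocolVersion` both list `TLSV1_0` and `TLSV1_1` in their enums and neither declares a `default`, so this schema accepts a Sidecar that sets its TLS floor to 1.0 for "requests originating from outside the mesh". The descriptions also do not say what `TLS_AUTO` resolves to. Suggest stating the expected minimum version in the field description or the chart documentation, and shipping an admission policy alongside the chart that rejects `TLSV1_0` and `TLSV1_1`, so the check does not depend on per-resource review. Two smaller points in the same CRD: `port.number` is described as "A valid non-negative integer port number" but has no `minimum` or `maximum`, so out-of-range values pass schema validation; and `outboundTrafficPolicy.mode` and `egressProxy` carry no description, unlike the neighbouring fields, so the difference between `REGISTRY_ONLY` and `ALLOW_ANY` is not documented where `kubectl explain` would show it.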
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: virtualservices.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: VirtualService
+    listKind: VirtualServiceList
+    plural: virtualservices
+    shortNames:
+    - vs
+    singular: virtualservice
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: 'On a redirect, dynamically set the port: *
+                            FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP
+                            and 443 for HTTPS.'
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
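Review bot: the port fields in this version's schema (`http[].match[].port`, `redirect.port`, every `destination.port.number`, and the `port` under the `tcp` and `tls` match blocks) are declared as bare `type: integer` with no `minimum` or `maximum`, so the OpenAPI schema alone will not reject a negative or above-65535 value when the object is admitted. `redirect.redirectCode` and the `weight` fields are unbounded in the same way. Consider adding `minimum: 1` and `maximum: 65535` on the port fields, or confirm that these ranges are enforced by a separate validation step before the object reaches the proxies. Two documentation gaps in the same region: the `derivePort` enum lists `FROM_REQUEST_PORT`, but its description explains only `FROM_PROTOCOL_DEFAULT`; and `mirror_percent`, `mirrorPercent` and `tcp[].match[].sourceSubnet` carry no description, which leaves a reader unable to tell how the first two relate to `mirrorPercentage`.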
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: 'On a redirect, dynamically set the port: *
+                            FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP
+                            and 443 for HTTPS.'
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadEntry
+    listKind: WorkloadEntryList
+    plural: workloadentries
+    shortNames:
+    - we
+    singular: workloadentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                type: string
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                type: string
+              ports:
+                additionalProperties:
+                  type: integer
+                description: Set of ports associated with the endpoint.
+                type: object
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                type: integer
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                type: string
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                type: string
+              ports:
+                additionalProperties:
+                  type: integer
+                description: Set of ports associated with the endpoint.
+                type: object
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                type: integer
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    release: istio
+  name: workloadgroups.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadGroup
+    listKind: WorkloadGroupList
+    plural: workloadgroups
+    shortNames:
+    - wg
+    singular: workloadgroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    type: integer
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        type: integer
+                      scheme:
+                        type: string
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        type: integer
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    type: string
+                  ports:
+                    additionalProperties:
+                      type: integer
+                    description: Set of ports associated with the endpoint.
+                    type: object
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    type: integer
+                type: object
+            required:
+            - template
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: '`WorkloadGroup` enables specifying the properties of a single
+              workload for bootstrap and provides a template for `WorkloadEntry`,
+              similar to how `Deployment` specifies properties of workloads via `Pod`
+              templates.'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    type: integer
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        type: integer
+                      scheme:
+                        type: string
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        type: integer
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    type: string
+                  ports:
+                    additionalProperties:
+                      type: integer
+                    description: Set of ports associated with the endpoint.
+                    type: object
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    type: integer
+                type: object
+            required:
+            - template
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
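Review bot: The `workloadgroups.networking.istio.io` CRD has no `annotations` block in its `metadata`, while the `workloadentries.networking.istio.io` CRD before it and the `authorizationpolicies.security.istio.io` CRD after it both carry `"helm.sh/resource-policy": keep`. If this file is rendered as a chart template, Helm will delete this one CRD on uninstall while leaving the other two in place, and deleting a CRD removes every WorkloadGroup object stored under it. Either add the same annotation under `metadata:` for `workloadgroups.networking.istio.io`, or note in the change description that the difference is inherited from the generated upstream file and is intended.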
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: authorizationpolicies.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: AuthorizationPolicy
+    listKind: AuthorizationPolicyList
+    plural: authorizationpolicies
+    singular: authorizationpolicy
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: Optional.
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: Optional.
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: peerauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    shortNames:
+    - pa
+    singular: peerauthentication
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: Defines the mTLS mode used for peer authentication.
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: Defines the mTLS mode used for peer authentication.
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                type: object
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
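Review bot: In the PeerAuthentication schema, `portLevelMtls` is an open `additionalProperties` map with no constraint on its keys and no link to `selector`, so a policy with a non-numeric port key, or with port overrides and no `selector`, passes admission. Istio documents port-level settings as applying only when a workload selector is set, so such a policy can be accepted without taking effect the way its author expects. Consider an `x-kubernetes-validations` rule that requires `selector` whenever `portLevelMtls` is set, or state the constraint in the chart documentation. Port-level `DISABLE` and `PERMISSIVE` entries are plaintext exceptions and deserve their own check in policy review.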
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: requestauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: RequestAuthentication
+    listKind: RequestAuthenticationList
+    plural: requestauthentications
+    shortNames:
+    - ra
+    singular: requestauthentication
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            type: string
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                  required:
+                  - issuer
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      type: string
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            type: string
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                  required:
+                  - issuer
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
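Review bot: In both served versions of RequestAuthentication (`v1` and `v1beta1`), each `jwtRules` item requires only `issuer`, while `jwks`, `jwks_uri` and `jwksUri` are independent optional strings. The schema therefore accepts a rule that sets several key sources at once, or none, and `jwks_uri` and `jwksUri` carry identical descriptions with no stated precedence. Suggest adding a validation that allows at most one of them, or at least documenting which one wins, so that a conflicting rule is rejected at admission rather than resolved silently in the proxy. The `outputClaimToHeaders` items also have no `required` list, unlike `fromHeaders`, which requires `name`, so an entry missing `claim` or `header` is accepted. Since `forwardOriginalToken` and `outputPayloadToHeader` pass token material on to the backend, their descriptions would benefit from saying so.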
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: telemetry
+    release: istio
+  name: telemetries.telemetry.istio.io
+spec:
+  group: telemetry.istio.io
+  names:
+    categories:
+    - istio-io
+    - telemetry-istio-io
+    kind: Telemetry
+    listKind: TelemetryList
+    plural: telemetries
+    shortNames:
+    - telemetry
+    singular: telemetry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: This determines whether or not to apply the
+                            access logging configuration based on the direction of
+                            traffic relative to the proxied workload.
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: One of the well-known [Istio Standard
+                                  Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: 'Controls which mode of metrics generation
+                                  is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.'
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: Operation controls whether or not to
+                                    update/add a tag, or to remove it.
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : '''')
+                                  == ''UPSERT'') ? self.value != '''' : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : '''')
+                                  == ''REMOVE'') ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    type: object
+                type: object
+              targetRef:
+                description: Optional.
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                type: object
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: This determines whether or not to apply the
+                            tracing configuration based on the direction of traffic
+                            relative to the proxied workload.
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+{{- end }}
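Review bot: the UPSERT rule under `tagOverrides` reads `self.value != ''` with no `has(self.value)` guard, while the REMOVE rule next to it does use `has(self.value)`. When `operation: UPSERT` is set and `value` is omitted, the expression dereferences an absent field, so the rejection is likely to surface as a rule evaluation error rather than the declared message "value must be set when operation is UPSERT". Suggest `has(self.value) && self.value != ''` so both rules fail with their own message.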
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/default.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/default.yaml
new file mode 100644
index 00000000..3a5b0f54
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/default.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.global.configCluster }}
+{{- if not (eq .Values.defaultRevision "") }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istiod-default-validator
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.defaultRevision | quote }}
+webhooks:
+  - name: validation.istio.io
+    clientConfig:
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        {{- if (eq .Values.defaultRevision "default") }}
+        name: istiod
+        {{- else }}
+        name: istiod-{{ .Values.defaultRevision }}
+        {{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    sideEffects: None
+    admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- end }}
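Review bot: `failurePolicy: Ignore` leaves `istiod-default-validator` failing open for every CREATE and UPDATE in the four Istio API groups until something flips it to `Fail`, and the inline comment is the only statement that this will happen. On the `.Values.base.validationURL` branch the webhook points at an external `url` and the template carries no `caBundle`, so please document whether the webhook controller still patches the bundle and the policy in that mode, or expose the failure policy as a value. `url: {{ .Values.base.validationURL }}` is also rendered unquoted, unlike `url: "{{ .injectionURL }}"` in mutatingwebhook.yaml; add `| quote`.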
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/endpoints.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/endpoints.yaml
new file mode 100644
index 00000000..36575202
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/endpoints.yaml
@@ -0,0 +1,23 @@
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+# if the remotePilotAddress is an IP addr
+apiVersion: v1
+kind: Endpoints
+metadata:
+  {{- if .Values.pilot.enabled }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+  - ip: {{ .Values.global.remotePilotAddress }}
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 15017
+    name: tcp-webhook
+    protocol: TCP
+---
+{{- end }}
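Review bot: the guard `regexMatch "^([0-9]*\\.){3}[0-9]*$"` uses `*` for each octet, so it accepts `...` and `999.999.999.999` as an IP address and never matches an IPv6 literal, which then falls through to the `ExternalName` branch in services.yaml. Whatever it accepts is written unquoted into `ip: {{ .Values.global.remotePilotAddress }}`, so a malformed value is only caught when the API server rejects the Endpoints object. Suggest at least `[0-9]{1,3}` per octet and a comment stating that only IPv4 addresses are handled here.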
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/istiod-injector-configmap.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/istiod-injector-configmap.yaml
new file mode 100644
index 00000000..61da47eb
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,78 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+  values: |-
+{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}}
+{{ $gatewayVals := pick .Values.gateways "securityContext" -}}
+{{ $vals = set $vals "gateways" $gatewayVals -}}
+{{ $vals | toPrettyJson | indent 4 }}
+
+  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+  # and istiod webhook functionality.
+  #
+  # New fields should not use Values - it is a 'primary' config object, users should be able
+  # to fine tune it or use it with kube-inject.
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+    defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+    - {{ . }}
+{{- end }}
+    {{- else }}
+    defaultTemplates: [sidecar]
+    {{- end }}
+    policy: {{ .Values.global.proxy.autoInject }}
+    alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+    neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+    injectedAnnotations:
+      {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+      "{{ $key }}": {{ $val | quote }}
+      {{- end }}
+    {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+         which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+         This should make it obvious that their installation is broken.
+     */}}
+    template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+    templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+      sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+      gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+      grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+      grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }}
+      waypoint: |
+{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }}
+      kube-gateway: |
+{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
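Review bot: the template comment above `template:` quotes the error as `function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined`, but the sentinel actually rendered on the next line is `Template_Version_And_Istio_Version_Mismatched_Check_Installation`; update the comment so someone searching for the error text finds it. Separately, `pick .Values "global" ...` serializes the whole `global` block into the `values` key of this ConfigMap, so the chart documentation should say that nothing sensitive belongs under `global`.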
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/mutatingwebhook.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/mutatingwebhook.yaml
new file mode 100644
index 00000000..c39151c6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/mutatingwebhook.yaml
@@ -0,0 +1,149 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{/* Copy just what we need to avoid expensive deepCopy */}}
+{{- $whv := dict "revision" .Values.revision  "injectionPath" .Values.istiodRemote.injectionPath  "injectionURL" .Values.istiodRemote.injectionURL  "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy  "namespace" .Release.Namespace }}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+  clientConfig:
+    {{- if .injectionURL }}
+    url: "{{ .injectionURL }}"
+    {{- else }}
+    service:
+      name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }}
+      namespace: {{ .namespace }}
+      path: "{{ .injectionPath }}"
+      port: 443
+    {{- end }}
+  sideEffects: None
+  rules:
+  - operations: [ "CREATE" ]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail
+  reinvocationPolicy: "{{ .reinvocationPolicy }}"
+  admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+  name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+  labels:
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+    operator.istio.io/component: "Pilot"
+    app: sidecar-injector
+    release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      {{- if (eq .Values.revision "") }}
+      - "default"
+      {{- else }}
+      - "{{ .Values.revision }}"
+      {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }}
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: "kubernetes.io/metadata.name"
+      operator: "NotIn"
+      values: ["kube-system","kube-public","kube-node-lease","local-path-storage"]
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
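Review bot: every webhook built from `core` sets `failurePolicy: Fail` on pod CREATE, and the target is either `injectionURL` or the `istiod` service, so an unreachable injector blocks pod creation in every namespace the selectors match. That matters most in the `auto.` case under `enableNamespacesByDefault`, where the hard-coded `NotIn` list covers only `kube-system`, `kube-public`, `kube-node-lease` and `local-path-storage`; consider adding `.Release.Namespace` to it and making the list configurable. The `url: "{{ .injectionURL }}"` branch also carries no `caBundle`, so please document what is expected to supply it.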
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrole.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrole.yaml
new file mode 100644
index 00000000..d3d53d6a
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrole.yaml
@@ -0,0 +1,58 @@
+{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - "config.istio.io"
+      - "security.istio.io"
+      - "networking.istio.io"
+      - "authentication.istio.io"
+      - "rbac.istio.io"
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["networking.istio.io"]
+    verbs: [ "get", "watch", "list" ]
+    resources: [ "workloadentries" ]
+  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceexports"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["{{ $mcsAPIGroup }}"]
+    resources: ["serviceimports"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch", "update"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["get", "list", "watch", "update"]
+{{- end}}
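Review bot: the role is named `istio-reader-clusterrole`, but the `.Values.global.externalIstiod` block grants `update` and `patch` on all `mutatingwebhookconfigurations`, `update` on all `validatingwebhookconfigurations`, and `create`/`update` on `configmaps` in every namespace, with no `resourceNames`. Together with the cluster-wide `get`/`list`/`watch` on `secrets` in the core-group rule, that is well beyond read access for whoever holds the bound service account's token. Suggest scoping the webhook rules with `resourceNames` to the Istio webhook configurations, moving the write rules into a separately named role, and adding a comment on why `secrets` must be readable cluster-wide.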
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 00000000..4f9925c9
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: istio-reader-service-account
+    namespace: {{ .Values.global.istioNamespace }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-serviceaccount.yaml
new file mode 100644
index 00000000..d9ce18c2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+    {{- end }}
+    {{- end }}
+metadata:
+  name: istio-reader-service-account
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istio-reader
+    release: {{ .Release.Name }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/role.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/role.yaml
new file mode 100644
index 00000000..c3af8c07
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/role.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+  verbs: ["create"]
+  resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+  resources: ["secrets"]
+  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+  verbs: ["create", "get", "watch", "list", "update", "delete"]
+
+# For status controller, so it can delete the distribution report configmap
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["delete"]
+
+# For gateway deployment controller
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "update", "patch", "create"]
+{{- end }}
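Review bot: the `secrets` rule grants `create`, `get`, `watch`, `list`, `update` and `delete` on every Secret in `.Values.global.istioNamespace`, and the TODO about locking it down to `istio-ca-cert` is still open. Suggest splitting the rule: leave `create` unscoped, since it cannot be limited by name, and put `get`, `update` and `delete` under `resourceNames`, or gate the broad rule on the DNS cert setting the TODO refers to.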
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/rolebinding.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/rolebinding.yaml
new file mode 100644
index 00000000..f65b3b12
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+    namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/serviceaccount.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/serviceaccount.yaml
new file mode 100644
index 00000000..4f8d20f6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.global.configCluster }}
+apiVersion: v1
+kind: ServiceAccount
+  {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+  {{- range .Values.global.imagePullSecrets }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  namespace: {{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+---
+{{- end }}
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/services.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/services.yaml
new file mode 100644
index 00000000..fc1fa1a2
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Service
+metadata:
+  {{- if .Values.pilot.enabled }}
+  # when local istiod is enabled, we can't use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote
+  {{- else }}
+  # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane
+  name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - port: 15012
+    name: tcp-istiod
+    protocol: TCP
+  - port: 443
+    targetPort: 15017
+    name: tcp-webhook
+    protocol: TCP
+  {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }}
+  # if the remotePilotAddress is not an IP addr, we use ExternalName
+  type: ExternalName
+  externalName: {{ .Values.global.remotePilotAddress }}
+  {{- end }}
+{{- if .Values.global.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.global.ipFamilies }}
+  ipFamilies:
+{{- range .Values.global.ipFamilies }}
+  - {{ . }}
+{{- end }}
+{{- end }}
+---
+{{- end }}
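Review bot: when `remotePilotAddress` is an IP, this Service has no selector and only works if endpoints.yaml renders an Endpoints object with exactly the same name, yet the naming logic (the `-remote` suffix on `.Values.pilot.enabled`) and the IP regex are copied into both files. Suggest moving the name and the IP test into shared named templates so the two cannot drift. The regex uses `[0-9]*` per octet, so an input such as `1.2.3.` is treated as an IP here and skips the `ExternalName` branch.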
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/validatingwebhookconfiguration.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 00000000..832ff04e
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,57 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+  labels:
+    app: istiod
+    release: {{ .Release.Name }}
+    istio: istiod
+    istio.io/rev: {{ .Values.revision | default "default" | quote }}
+webhooks:
+  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+  # are rejecting invalid configs on a per-revision basis.
+  - name: rev.validation.istio.io
+    clientConfig:
+      # Should change from base but cannot for API compat
+      {{- if .Values.base.validationURL }}
+      url: {{ .Values.base.validationURL }}
+      {{- else }}
+      service:
+        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+        namespace: {{ .Values.global.istioNamespace }}
+        path: "/validate"
+      {{- end }}
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - security.istio.io
+          - networking.istio.io
+          - telemetry.istio.io
+          - extensions.istio.io
+        apiVersions:
+          - "*"
+        resources:
+          - "*"
+    # Fail open until the validation webhook is ready. The webhook controller
+    # will update this to `Fail` and patch in the `caBundle` when the webhook
+    # endpoint is ready.
+    failurePolicy: Ignore
+    sideEffects: None
+    admissionReviewVersions: ["v1beta1", "v1"]
+    objectSelector:
+      matchExpressions:
+        - key: istio.io/rev
+          operator: In
+          values:
+          {{- if (eq .Values.revision "") }}
+          - "default"
+          {{- else }}
+          - "{{ .Values.revision }}"
+          {{- end }}
+---
+{{- end }}
+{{- end }}
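Review bot: the `objectSelector` limits `rev.validation.istio.io` to objects labelled `istio.io/rev`, so unlabelled Istio config is validated only if `istiod-default-validator` from default.yaml is also rendered, which requires a non-empty `.Values.defaultRevision`. Combined with `failurePolicy: Ignore`, a cluster can accept invalid config without any error; please document that dependency next to the selector. `url: {{ .Values.base.validationURL }}` should also be piped through `quote`.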
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
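Review bot: The `with $.Files.Get (printf "files/profile-%s.yaml" .)` lookup treats an empty result as a missing file, so a profile file that exists but is empty fails with "unknown profile", and the compatibility-version lookup has the same ambiguity. Consider checking for the file's presence separately from its content, and have the `fail` message name the file path that was tried so a mistyped `profile` or `compatibilityVersion` is easy to diagnose. The header comment gives the precedence order but not that `mustMergeOverwrite $defaults $profile` modifies `$defaults` in place; a one-line comment at that call would help the next reader.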
diff --git a/charts/istio/1.21.6-tetrate-v1/istiod-remote/values.yaml b/charts/istio/1.21.6-tetrate-v1/istiod-remote/values.yaml
new file mode 100644
index 00000000..3ec53e18
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/istiod-remote/values.yaml
@@ -0,0 +1,423 @@
+defaults:
+  #.Values.pilot for discovery and mesh wide config
+
+  ## Discovery Settings
+  pilot:
+    autoscaleEnabled: true
+    autoscaleMin: 1
+    autoscaleMax: 5
+    autoscaleBehavior: {}
+    replicaCount: 1
+    rollingMaxSurge: 100%
+    rollingMaxUnavailable: 25%
+    hub: ""
+    tag: ""
+    variant: ""
+    # Can be a full hub/image:tag
+    image: pilot
+    traceSampling: 1.0
+    # Resources for a small pilot install
+    resources:
+      requests:
+        cpu: 500m
+        memory: 2048Mi
+    # Set to `type: RuntimeDefault` to use the default profile if available.
+    seccompProfile: {}
+    # Additional container arguments
+    extraContainerArgs: []
+    env: {}
+    affinity: {}
+    tolerations: []
+    cpu:
+      targetAverageUtilization: 80
+    memory: {}
+    # targetAverageUtilization: 80
+
+    # Additional volumeMounts to the istiod container
+    volumeMounts: []
+    # Additional volumes to the istiod pod
+    volumes: []
+    nodeSelector: {}
+    podAnnotations: {}
+    serviceAnnotations: {}
+    topologySpreadConstraints: []
+    # You can use jwksResolverExtraRootCA to provide a root certificate
+    # in PEM format. This will then be trusted by pilot when resolving
+    # JWKS URIs.
+    jwksResolverExtraRootCA: ""
+    # This is used to set the source of configuration for
+    # the associated address in configSource, if nothing is specified
+    # the default MCP is assumed.
+    configSource:
+      subscribedResources: []
+    plugins: []
+    # The following is used to limit how long a sidecar can be connected
+    # to a pilot. It balances out load across pilot instances at the cost of
+    # increasing system churn.
+    keepaliveMaxServerConnectionAge: 30m
+    # Additional labels to apply to the deployment.
+    deploymentLabels: {}
+    ## Mesh config settings
+
+    # Install the mesh config map, generated from values.yaml.
+    # If false, pilot wil use default values (by default) or user-supplied values.
+    configMap: false
+    # Additional labels to apply on the pod level for monitoring and logging configuration.
+    podLabels: {}
+    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    ipFamilyPolicy: ""
+    ipFamilies: []
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+    rewriteAppHTTPProbe: true
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject"
+  telemetry:
+    enabled: false
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+  # For Helm compatibility.
+  ownerName: ""
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: addon-containers.istio.tetratelabs.com
+    # Default tag for Istio images.
+    tag: 1.21.6-tetrate-v1
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+    omitSidecarInjectorConfigMap: true
+    # Whether to restrict the applications namespace the controller manages;
+    # If not set, controller watches all namespaces
+    oneNamespace: false
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+    proxy:
+      image: proxyv2
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+      # If set, newly injected sidecars will have core dumps enabled.
+      enableCoreDump: false
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "zipkin"
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: ""
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+    # Configure a remote cluster data plane controlled by an external istiod.
+    # When set to true, istiod is not deployed locally and only a subset of the other
+    # discovery charts are enabled.
+    externalIstiod: true
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: false
+    # Configure the policy for validating JWT.
+    # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+    jwtPolicy: "third-party-jwt"
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: ""
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+    # whether to use autoscaling/v2 template for HPA settings
+    # for internal usage only, not to be configured by users.
+    autoscalingv2API: true
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+    #  keep in sync with settings used when installing the Istio CNI chart
+  istio_cni:
+    enabled: false
+    chained: true
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
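Review bot: The comment above `global.hub` still says releases are published to docker hub under the 'istio' project and dev builds are on gcr.io, but the value is `addon-containers.istio.tetratelabs.com` with `tag: 1.21.6-tetrate-v1`. Please update the comment to name the registry actually in use and say whether it requires `imagePullSecrets`, which defaults to `[]` here even though its own comment says it must be set for a private registry. Smaller points in the same file: "pilot wil use" and "will not have it's liveness/readiness probes" are typos, and the banner before `caAddress` repeats "make" across two lines.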
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/Chart.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/Chart.yaml
new file mode 100644
index 00000000..b8f9c008
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: ztunnel
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.21.6-tetrate-v1
+appVersion: 1.21.6-tetrate-v1
+description: Helm chart for istio ztunnel components
+keywords:
+  - istio-ztunnel
+  - istio
+sources:
+  - https://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
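Review bot: The comment above `version` says the value is never shipped and is replaced by istio/release-builder at build time, yet the file is committed with `version: 1.21.6-tetrate-v1` and a matching `appVersion`. Reword or drop the comment so readers know the committed value is the real one. `sources` lists only https://github.com/istio/istio; if this build has its own source location, add it there.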
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/README.md b/charts/istio/1.21.6-tetrate-v1/ztunnel/README.md
new file mode 100644
index 00000000..ffe0b94f
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/README.md
@@ -0,0 +1,50 @@
+# Istio Ztunnel Helm Chart
+
+This chart installs an Istio ztunnel.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart:
+
+```console
+helm install ztunnel istio/ztunnel
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the chart:
+
+```console
+helm delete ztunnel
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/ztunnel
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
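Review bot: The setup and install sections use `helm repo add istio https://istio-release.storage.googleapis.com/charts` and `helm install ztunnel istio/ztunnel`, which install from that repository rather than from this copy under `charts/istio/1.21.6-tetrate-v1/ztunnel`. Please give the install command for this chart and include the target namespace with `-n`, since the DaemonSet template in this change is created in `{{ .Release.Namespace }}`. In the Configuration section, "To view support configuration options" should read "supported".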
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-ambient.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-ambient.yaml
new file mode 100644
index 00000000..59dd9114
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-ambient.yaml
@@ -0,0 +1,25 @@
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+variant: distroless
+pilot:
+  variant: distroless
+  env:
+    # Setup more secure default that is off in 'default' only for backwards compatibility
+    VERIFY_CERTIFICATE_AT_CLIENT: "true"
+    ENABLE_AUTO_SNI: "true"
+
+    PILOT_ENABLE_HBONE: "true"
+    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
+    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
+cni:
+  logLevel: info
+  privileged: true
+  ambient:
+    enabled: true
+
+  # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
+  excludeNamespaces:
+    - kube-system
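Review bot: `CA_TRUSTED_NODE_ACCOUNTS` is hard-coded to `istio-system/ztunnel,kube-system/ztunnel`, while the ztunnel DaemonSet in this change is created in `{{ .Release.Namespace }}` with `serviceAccountName: ztunnel`, so a release installed into any other namespace is not on that list. Either document next to this value that only those two namespaces are supported, or build the list from values. `cni.privileged: true` has no comment explaining why it is needed; the ztunnel container's capability list in daemonset.yaml is annotated line by line, and the same would help here.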
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-compatibility-version-1.20.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-compatibility-version-1.20.yaml
new file mode 100644
index 00000000..9f0fd563
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-compatibility-version-1.20.yaml
@@ -0,0 +1,6 @@
+pilot:
+  env:
+    ENABLE_EXTERNAL_NAME_ALIAS: "false"
+    PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
+    VERIFY_CERTIFICATE_AT_CLIENT: "false"
+    ENABLE_AUTO_SNI: "false"
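Review bot: `VERIFY_CERTIFICATE_AT_CLIENT: "false"` and `ENABLE_AUTO_SNI: "false"` carry no comment, although profile-ambient.yaml in this same change sets both to "true" and calls that the more secure default. In the istiod-remote zzz_profile.yaml in this change, the compatibility file is merged over the selected profile, so if this chart uses the same order, `compatibilityVersion: 1.20` together with `profile: ambient` ends with both set to "false". Please add a comment stating that this file turns those settings off and why, so the trade-off is visible to whoever sets `compatibilityVersion`.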
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-demo.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-demo.yaml
new file mode 100644
index 00000000..4ed37fed
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-demo.yaml
@@ -0,0 +1,69 @@
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.istio-system.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.otel-collector.svc.cluster.local
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
\ No newline at end of file
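Review bot: `pilot.traceSampling: 100` and `meshConfig.accessLogFile: /dev/stdout` are only covered by the "non-production" remark in the file header; a short comment next to each key would keep them from being copied into a production override unnoticed. The comment "This is the port where sni routing happens" is indented as part of the `tcp` entry but describes the `- port: 15443` entry below it, so align it with that line. The file also ends without a trailing newline.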
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-openshift.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-openshift.yaml
new file mode 100644
index 00000000..100ca578
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-openshift.yaml
@@ -0,0 +1,19 @@
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+# CNI must be installed.
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  excludeNamespaces:
+    - istio-system
+    - kube-system
+  logLevel: info
+  privileged: true
+  provider: "multus"
+global:
+  platform: openshift
+istio_cni:
+  enabled: true
+  chained: false
+platform: openshift
\ No newline at end of file
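Review bot: `platform: openshift` is set twice, under `global.platform` and at top level, and `chained: false` appears under both `cni` and `istio_cni`, with no comment saying which consumer reads which key. Please annotate the duplicates so a later edit does not update one and miss the other. `cni.privileged: true` also has no stated reason, and the file ends without a trailing newline.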
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-preview.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-preview.yaml
new file mode 100644
index 00000000..390ed749
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/files/profile-preview.yaml
@@ -0,0 +1,9 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/NOTES.txt b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/NOTES.txt
new file mode 100644
index 00000000..93297520
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/NOTES.txt
@@ -0,0 +1,5 @@
+ztunnel successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/daemonset.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/daemonset.yaml
new file mode 100644
index 00000000..11daa5ab
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/daemonset.yaml
@@ -0,0 +1,160 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: ztunnel
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- .Values.labels | toYaml | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app: ztunnel
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+        app: ztunnel
+{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }}
+      annotations:
+        ambient.istio.io/redirection: disabled
+        sidecar.istio.io/inject: "false"
+{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }}
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: ztunnel
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      containers:
+      - name: istio-proxy
+{{- if contains "/" .Values.image }}
+        image: "{{ .Values.image }}"
+{{- else }}
+        image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}"
+{{- end }}
+        ports:
+        - containerPort: 15020
+          name: ztunnel-stats
+          protocol: TCP
+        resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | trim | indent 10 }}
+{{- end }}
+{{- with .Values.imagePullPolicy }}
+        imagePullPolicy: {{ . }}
+{{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+            add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html
+            - NET_ADMIN # Required for TPROXY and setsockopt
+            - SYS_ADMIN # Required for `setns` - doing things in other netns
+            - NET_RAW # Required for RAW/PACKET sockets, TPROXY
+          readOnlyRootFilesystem: true
+          runAsGroup: 1337
+          runAsNonRoot: false
+          runAsUser: 0
+{{- if .Values.seLinuxOptions }}
+          seLinuxOptions:
+{{ toYaml .Values.seLinuxOptions | trim | indent 12 }}
+{{- end }}
+        readinessProbe:
+          httpGet:
+            port: 15021
+            path: /healthz/ready
+        args:
+        - proxy
+        - ztunnel
+        env:
+        - name: CA_ADDRESS
+        {{- if .Values.caAddress }}
+          value: {{ .Values.caAddress }}
+        {{- else }}
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        {{- end }}
+        - name: XDS_ADDRESS
+          value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012
+        - name: RUST_LOG
+          value: {{ .Values.logLevel | quote }}
+        - name: ISTIO_META_CLUSTER_ID
+          value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }}
+        - name: INPOD_ENABLED
+          value: "true"
+        - name: ISTIO_META_DNS_PROXY_ADDR
+          value: "127.0.0.1:15053"
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: INSTANCE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        {{- if .Values.meshConfig.defaultConfig.proxyMetadata }}
+        {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}}
+        - name: {{ $key }}
+          value: "{{ $value }}"
+        {{- end }}
+        {{- end }}
+        {{- with .Values.env }}
+        {{- range $key, $val := . }}
+        - name: {{ $key }}
+          value: "{{ $val }}"
+        {{- end }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/istio
+          name: istiod-ca-cert
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+        - mountPath: /var/run/ztunnel
+          name: cni-ztunnel-sock-dir
+        {{- with .Values.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      priorityClassName: system-node-critical
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      volumes:
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: istio-token
+              expirationSeconds: 43200
+              audience: istio-ca
+      - name: istiod-ca-cert
+        configMap:
+          name: istio-ca-root-cert
+      - name: cni-ztunnel-sock-dir
+        hostPath:
+          path: /var/run/ztunnel
+          type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet.
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 6}}
+      {{- end }}
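Review bot: the istio-proxy securityContext runs as root (runAsUser: 0, runAsNonRoot: false) with NET_ADMIN, SYS_ADMIN and NET_RAW added, and the pod mounts hostPath /var/run/ztunnel, yet the same template splices .Values.volumeMounts, .Values.volumes, .Values.env and proxyMetadata into that container with no restriction or documentation. Anyone who can set those values can put additional host paths in front of a root process holding SYS_ADMIN on every Linux node the DaemonSet schedules to, and the tolerations accept every NoSchedule and NoExecute taint. Please state in the chart docs that the release namespace needs the privileged Pod Security level (the added capabilities and the hostPath volume are both rejected by baseline), and that write access to these values is equivalent to node-level access. Separately, `value: "{{ $value }}"` and `value: "{{ $val }}"` produce invalid YAML when a value contains a double quote; use `{{ $value | quote }}` as RUST_LOG already does, and quote CA_ADDRESS, XDS_ADDRESS and ISTIO_META_CLUSTER_ID the same way. The readinessProbe targets port 15021, which is not listed under ports; declaring it would make the probe target explicit.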
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/rbac.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/rbac.yaml
new file mode 100644
index 00000000..5a569b64
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/rbac.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+  {{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+  {{- range . }}
+  - name: {{ . }}
+  {{- end }}
+  {{- end }}
+metadata:
+  name: ztunnel
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- .Values.labels | toYaml | nindent 4}}
+  annotations:
+    {{- .Values.annotations | toYaml | nindent 4 }}
+---
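Review bot: the ServiceAccount does not set automountServiceAccountToken, and the DaemonSet pod spec does not set it either, so the default API token is mounted into the ztunnel container in addition to the audience-scoped istio-token projected volume that the DaemonSet declares explicitly. If ztunnel does not need to call the Kubernetes API directly, add `automountServiceAccountToken: false` here so the only credential in the pod is the one with audience istio-ca and a bounded expirationSeconds. Style points: the imagePullSecrets block sits between kind and metadata with indented template actions, which is valid but easy to misread, so moving it below metadata would help; `- name: {{ . }}` should be quoted; the file ends with a dangling `---`; and the file is named rbac.yaml although it defines no Role or binding.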
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/zzz_profile.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/zzz_profile.yaml
new file mode 100644
index 00000000..6588debf
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/templates/zzz_profile.yaml
@@ -0,0 +1,34 @@
+{{/*
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
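Review bot: the header comment documents three layers of values, but the code merges a fourth: the `.Values.compatibilityVersion` block overlays files/profile-compatibility-version-%s.yaml onto $profile before $profile is merged onto $defaults. Please extend the comment to state the effective order (defaults, then profile, then compatibility-version overlay, then user input) so that reviewers of later security-relevant defaults know which layer wins. Neither `profile` nor `compatibilityVersion` is declared in this chart's values.yaml, so both keys are undocumented inputs; add them there with empty defaults and a comment. The `else` branch of `with $.Files.Get ...` also fires when the profile file exists but is empty, in which case the "unknown profile" message is misleading; consider a distinct message or an explicit existence check.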
diff --git a/charts/istio/1.21.6-tetrate-v1/ztunnel/values.yaml b/charts/istio/1.21.6-tetrate-v1/ztunnel/values.yaml
new file mode 100644
index 00000000..2ecd57c6
--- /dev/null
+++ b/charts/istio/1.21.6-tetrate-v1/ztunnel/values.yaml
@@ -0,0 +1,85 @@
+defaults:
+  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+  hub: addon-containers.istio.tetratelabs.com
+  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+  tag: 1.21.6-tetrate-v1
+  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+  variant: ""
+
+  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+  # If Image contains a "/", it will replace the entire `image` in the pod.
+  image: ztunnel
+
+  # Labels to apply to all top level resources
+  labels: {}
+  # Annotations to apply to all top level resources
+  annotations: {}
+
+  # Additional volumeMounts to the ztunnel container
+  volumeMounts: []
+
+  # Additional volumes to the ztunnel pod
+  volumes: []
+
+  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+
+  # Additional labels to apply on the pod level
+  podLabels: {}
+
+  # Pod resource configuration
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # List of secret names to add to the service account as image pull secrets
+  imagePullSecrets: []
+
+  # A `key: value` mapping of environment variables to add to the pod
+  env: {}
+
+  # Override for the pod imagePullPolicy
+  imagePullPolicy: ""
+
+  # Settings for multicluster
+  multiCluster:
+    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+    # with Istiod configuration.
+    clusterName: ""
+
+  # meshConfig defines runtime configuration of components.
+  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+  # components.
+  # TODO: https://github.com/istio/istio/issues/43248
+  meshConfig:
+    defaultConfig:
+      proxyMetadata: {}
+
+  # This value defines:
+  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+  # Default K8S value is 30 seconds
+  terminationGracePeriodSeconds: 30
+
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # The customized CA address to retrieve certificates for the pods in the cluster.
+  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+  caAddress: ""
+
+  # Used to locate istiod.
+  istioNamespace: istio-system
+
+  # Configuration log level of ztunnel binary, default is info.
+  # Valid values are: trace, debug, info, warn, error
+  logLevel: info
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seLinuxOptions: {}
+  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+  #seLinuxOptions:
+  #  type: spc_t
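Review bot: the comment above `seLinuxOptions: {}` says to set `type: RuntimeDefault`, but RuntimeDefault is a seccompProfile type, not an SELinux type, so following the comment would hand the runtime an SELinux type named RuntimeDefault. Replace the comment with a description of the fields seLinuxOptions actually takes (user, role, type, level), and expose seccompProfile as its own value if that was the intent. The commented-out `type: spc_t` suggestion deserves a note that spc_t removes SELinux confinement from a container that already runs as root with SYS_ADMIN. Other points in this hunk: `resources` sets requests only, so the ztunnel container has no memory or CPU limit on any node; `hub` and `tag` select the image by mutable tag with no option to pin a digest; and `profile` and `compatibilityVersion`, which zzz_profile.yaml reads, are not listed here.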