emedina/istiooperator.yaml

## istiooperator.yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istiocontrolplane

# https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
spec:
  # see profiles on https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: demo
  tag: 1.5.2
  hub: docker.io/istio
  namespace: istio-system

  # Make sure no sidecar is ever injected for CronJobs for PostgreSQL backups.
  # Use it as a placeholder for other workloads requiring this behaviour.
  components:
    sidecarInjector:
      spec:
        neverInjectSelector:
          matchExpressions:
            - {key: application, operator: In, values: [spilo-logical-backup]}

  # https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig
#  meshConfig:
#    disablePolicyChecks: true
#    connectTimeout: 10s
#    enableTracing: true
#    enableEnvoyAccessLogService: true
#    outboundTrafficPolicy:
#      mode: ALLOW_ANY
#    enableAutoMtls: false

  # Used for customized values not belonging to the official Istio.
  unvalidatedValues:
    k8s:
      host: {{ .Values.k8s.host }}
    vault:
      host: {{ .Values.vault.address }}

  values:
    # https://istio.io/docs/reference/config/installation-options/#global-options
    global:
      sds:
        enabled: true

    # https://istio.io/docs/reference/config/installation-options/#kiali-options
    kiali:
      enabled: true
      tag: v1.18.1
      createDemoSecret: true
      contextPath: /kiali
      dashboard:
        auth:
          strategy: login # Can be anonymous, login, or openshift
        secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
        grafanaURL: 'https://{{ .Values.k8s.host }}/istio/grafana'
        jaegerURL: 'https://tracing.{{ .Values.k8s.host }}'
        viewOnlyMode: false # Bind the service account to a role with only read access
    #      prometheusAddr: http://prometheus-server.monitoring:80

    # https://istio.io/docs/reference/config/installation-options/#grafana-options
    grafana:
      enabled: true
      env:
        GF_SERVER_ROOT_URL: 'https://{{ .Values.k8s.host }}/istio/grafana'
      # This requires a Secret in place.
      security:
        enabled: true
        secretName: grafana
        usernameKey: username
        passphraseKey: passphrase

    # https://istio.io/docs/reference/config/installation-options/#prometheus-options
    prometheus:
      enabled: true
      retention: 6h
      scrapeInterval: 15s
      security:
        enabled: true

    # https://istio.io/docs/reference/config/installation-options/#tracing-options
    tracing:
      enabled: true
      jaeger:
        resources:
          requests:
            cpu: 256m
            memory: 512m
            ephemeral-storage: 1Mi

    # https://istio.io/docs/reference/config/installation-options/#gateways-options
    gateways:
      enabled: true
      istio-ingressgateway:
        enabled: true
        autoscaleEnabled: true
        autoscaleMin: 3
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 4096Mi
        type: NodePort
        ports:
          ## You can add custom gateway ports
          # Note that AWS ELB will by default perform health checks on the first port
          # on this list. Setting this to the health check port will ensure that health
          # checks always work. https://github.com/istio/istio/issues/12503
          - port: 15020
            targetPort: 15020
            name: status-port
          - port: 80
            targetPort: 80
            name: http2
            nodePort: 30500
          - port: 443
            targetPort: 443
            name: https2
            nodePort: 31381
          - port: 444
            targetPort: 444
            name: https
            nodePort: 31380
          - name: tls
            port: 15443
            targetPort: 15443
        sds:
          enabled: true
      istio-egressgateway:
        enabled: true

    # https://istio.io/docs/reference/config/installation-options/#pilot-options
    pilot:
      autoscaleEnabled: true
      autoscaleMin: 3
      traceSampling: 100.0

    # This makes liveness check work even when mTLS is enabled.
    sidecarInjectorWebhook:
      rewriteAppHTTPProbe: true
	---
	apiVersion: install.istio.io/v1alpha1
	kind: IstioOperator
	metadata:
	namespace: istio-system
	name: istiocontrolplane

	# https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
	spec:
	# see profiles on https://istio.io/docs/setup/additional-setup/config-profiles/
	profile: demo
	tag: 1.5.2
	hub: docker.io/istio
	namespace: istio-system

	# Make sure no sidecar is ever injected for CronJobs for PostgreSQL backups.
	# Use it as a placeholder for other workloads requiring this behaviour.
	components:
	sidecarInjector:
	spec:
	neverInjectSelector:
	matchExpressions:
	- {key: application, operator: In, values: [spilo-logical-backup]}

	# https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig
	# meshConfig:
	# disablePolicyChecks: true
	# connectTimeout: 10s
	# enableTracing: true
	# enableEnvoyAccessLogService: true
	# outboundTrafficPolicy:
	# mode: ALLOW_ANY
	# enableAutoMtls: false

	# Used for customized values not belonging to the official Istio.
	unvalidatedValues:
	k8s:
	host: {{ .Values.k8s.host }}
	vault:
	host: {{ .Values.vault.address }}

	values:
	# https://istio.io/docs/reference/config/installation-options/#global-options
	global:
	sds:
	enabled: true

	# https://istio.io/docs/reference/config/installation-options/#kiali-options
	kiali:
	enabled: true
	tag: v1.18.1
	createDemoSecret: true
	contextPath: /kiali
	dashboard:
	auth:
	strategy: login # Can be anonymous, login, or openshift
	secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
	grafanaURL: 'https://{{ .Values.k8s.host }}/istio/grafana'
	jaegerURL: 'https://tracing.{{ .Values.k8s.host }}'
	viewOnlyMode: false # Bind the service account to a role with only read access
	# prometheusAddr: http://prometheus-server.monitoring:80

	# https://istio.io/docs/reference/config/installation-options/#grafana-options
	grafana:
	enabled: true
	env:
	GF_SERVER_ROOT_URL: 'https://{{ .Values.k8s.host }}/istio/grafana'
	# This requires a Secret in place.
	security:
	enabled: true
	secretName: grafana
	usernameKey: username
	passphraseKey: passphrase

	# https://istio.io/docs/reference/config/installation-options/#prometheus-options
	prometheus:
	enabled: true
	retention: 6h
	scrapeInterval: 15s
	security:
	enabled: true

	# https://istio.io/docs/reference/config/installation-options/#tracing-options
	tracing:
	enabled: true
	jaeger:
	resources:
	requests:
	cpu: 256m
	memory: 512m
	ephemeral-storage: 1Mi

	# https://istio.io/docs/reference/config/installation-options/#gateways-options
	gateways:
	enabled: true
	istio-ingressgateway:
	enabled: true
	autoscaleEnabled: true
	autoscaleMin: 3
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 2000m
	memory: 4096Mi
	type: NodePort
	ports:
	## You can add custom gateway ports
	# Note that AWS ELB will by default perform health checks on the first port
	# on this list. Setting this to the health check port will ensure that health
	# checks always work. https://github.com/istio/istio/issues/12503
	- port: 15020
	targetPort: 15020
	name: status-port
	- port: 80
	targetPort: 80
	name: http2
	nodePort: 30500
	- port: 443
	targetPort: 443
	name: https2
	nodePort: 31381
	- port: 444
	targetPort: 444
	name: https
	nodePort: 31380
	- name: tls
	port: 15443
	targetPort: 15443
	sds:
	enabled: true
	istio-egressgateway:
	enabled: true

	# https://istio.io/docs/reference/config/installation-options/#pilot-options
	pilot:
	autoscaleEnabled: true
	autoscaleMin: 3
	traceSampling: 100.0

	# This makes liveness check work even when mTLS is enabled.
	sidecarInjectorWebhook:
	rewriteAppHTTPProbe: true