The istio module: Custom Resources

This feature is available in Enterprise Edition only.

IngressIstioController

Scope: Cluster
Version: v1alpha1

specobject
Required value
- spec.hostPortobject
  HostPort inlet settings.
  - spec.hostPort.httpPortinteger
    Port for insecure HTTP connections.
    
    If the parameter is not set, the connection over HTTP cannot be established.
    
    This parameter is mandatory if httpsPort is not set.
    
    Example:
    httpPort: 80
  - spec.hostPort.httpsPortinteger
    Port for secure HTTPS connections.
    
    If the parameter is not set, the connection over HTTPS cannot be established.
    
    This parameter is mandatory if httpPort is not set.
    
    Example:
    httpsPort: 443
- spec.ingressGatewayClassstring
  Required value
  Ingress gateway class is used by application Gateway resources for identifying the right Ingress gateway setup.
  
  The identification is organized by setting the spec.selector: istio.deckhouse.io/ingress-gateway-class: <ingressGatewayClass value>.
  
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  Example:
```
ingressGatewayClass: istio
```
- spec.inletstring
  Required value
  The way traffic goes to cluster from the outer network.
  - LoadBalancer — Ingress controller is deployed and the service of LoadBalancer type is provisioned.
  - NodePort — Ingress controller is deployed and available through nodes’ ports via nodePort.
  - HostPort — Ingress controller is deployed and available through nodes’ ports via hostPort.
    
    Caution! There can be only one controller with this inlet type on a host.
  Allowed values: LoadBalancer, HostPort, NodePort
- spec.loadBalancerobject
  Not required value.
  A section of parameters of the LoadBalancer inlet.
  - spec.loadBalancer.annotationsobject
    Annotations to assign to the service for flexible configuration of the load balancer.
- spec.nodePortobject
  HostPort inlet settings.
  - spec.nodePort.httpPortinteger
    Port for insecure HTTP connections.
    
    If the parameter is not set, the connection over HTTP cannot be established.
    
    This parameter is mandatory if httpsPort is not set.
    
    Example:
    httpPort: 30080
  - spec.nodePort.httpsPortinteger
    Port for secure HTTPS connections.
    
    If the parameter is not set, the connection over HTTPS cannot be established.
    
    This parameter is mandatory if httpPort is not set.
    
    Example:
    httpsPort: 30443
- spec.nodeSelectorobject
  The same as in the pods’ spec.nodeSelector parameter in Kubernetes.
  
  If the parameter is omitted or false, it will be determined automatically.
  
  Format: the standard nodeSelector list. Instance pods inherit this field as is.
- spec.resourcesRequestsobject
  Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).
  - spec.resourcesRequests.modestring
    Required value
    The mode for managing resource requests.
    
    Default: "VPA"
    Allowed values: VPA, Static
  - spec.resourcesRequests.staticobject
    Static mode settings.
    - spec.resourcesRequests.static.cpustring
      CPU requests.
      
      Default: "350m"
    - spec.resourcesRequests.static.memorystring
      Memory requests.
      
      Default: "500Mi"
  - spec.resourcesRequests.vpaobject
    Parameters of the vpa mode.
    - spec.resourcesRequests.vpa.cpuobject
      CPU-related parameters.
      - spec.resourcesRequests.vpa.cpu.maxstring
        Maximum allowed CPU requests.
        
        Default: "100m"
      - spec.resourcesRequests.vpa.cpu.minstring
        Minimum allowed CPU requests.
        
        Default: "50m"
    - spec.resourcesRequests.vpa.memoryobject
      The amount of memory requested.
      - spec.resourcesRequests.vpa.memory.maxstring
        Maximum allowed memory requests.
        
        Default: "200Mi"
      - spec.resourcesRequests.vpa.memory.minstring
        Minimum allowed memory requests.
        
        Default: "100Mi"
    - spec.resourcesRequests.vpa.modestring
      The VPA usage mode.
      
      Default: "Initial"
      Allowed values: Initial, Auto
- spec.tolerationsarray of objects
  The same as in the pods’ spec.tolerations parameter in Kubernetes;
  
  If the parameter is omitted or false, it will be determined automatically.
  
  Format: the standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effectstring
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.keystring
  - spec.tolerations.operatorstring
    Default: "Equal"
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSecondsinteger
  - spec.tolerations.valuestring

IstioFederation

Scope: Cluster
Version: v1alpha1

CR for setting remote cluster as trusted one.

specobject
Required value
- spec.metadataEndpointstring
  Required value
  HTTPS endpoint with remote cluster metadata.
  
  Pattern: ^(https|file)://[0-9a-zA-Z._/-]+$
  Example:
```
metadataEndpoint: https://istio.k8s.example.com/metadata/
```
- spec.trustDomainstring
  Required value
  The TrustDomain of the remote cluster.
  
  A mandatory parameter, however, it isn’t used currently since Istio cannot match TrustDomain with the root CA.
  
  Pattern: ^[0-9a-zA-Z._-]+$
  Example:
```
trustDomain: cluster.local
```

IstioMulticluster

Scope: Cluster
Version: v1alpha1

CR for setting remote cluster as trusted one.

specobject
Required value
- spec.enableIngressGatewayboolean
  Should Istio use ingressgateways to access remote Pods?
  
  If remote Pods are accessible directly from our cluster (“flat” network), it is efficient not to use extra hop.
  
  Default: true
- spec.metadataEndpointstring
  Required value
  HTTPS endpoint with remote cluster metadata.
  
  Pattern: ^(https|file)://[0-9a-zA-Z._/-]+$
  Example:
```
metadataEndpoint: https://istio.k8s.example.com/metadata/
```