{{ $vals | toPrettyJson | indent 4 }}

  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
  # and istiod webhook functionality.
  #
  # New fields should not use Values - it is a 'primary' config object, users should be able
  # to fine tune it or use it with kube-inject.
  config: |-
    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template

webhooks:
  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
  # are rejecting invalid configs on a per-revision basis.
  - name: rev.validation.istio.io
    clientConfig:
      # Should change from base but cannot for API compat
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:

  ownerName: ""

  global:
    # set the default set of namespaces to which services, service entries, virtual services, destination
    # rules should be exported to. Currently only one value can be provided in this list. This value
    # should be one of the following two options:
    # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.

  ownerName: ""

  global:
    # set the default set of namespaces to which services, service entries, virtual services, destination
    # rules should be exported to. Currently only one value can be provided in this list. This value
    # should be one of the following two options:
    # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.

{{ $vals | toPrettyJson | indent 4 }}

  # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
  # and istiod webhook functionality.
  #
  # New fields should not use Values - it is a 'primary' config object, users should be able
  # to fine tune it or use it with kube-inject.
  config: |-
    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template

      DenyOperatorAndIstioctl:
        files:
          # Tests can do anything
          - "!$test"
          # Main code should only be used by appropriate binaries
          - "!**/operator/**"
          - "!**/istioctl/**"
          - "!**/tools/bug-report/**"
          # This should only really import operator API, but that is hard to express without a larger refactoring
          - "!**/pkg/kube/**"

webhooks:
  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
  # are rejecting invalid configs on a per-revision basis.
  - name: rev.validation.istio.io
    clientConfig:
      # Should change from base but cannot for API compat
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:

        This is used to report product bugs:
        To report a security vulnerability, please visit <https://istio.io/about/security-vulnerabilities>.
        Any crashes are potentially security vulnerabilities and should be treated as such.
        To ask questions about how to use Istio, please visit <https://github.com/istio/istio/discussions>.
      options:
        - label: "This is not a security vulnerability or a crashing bug"

          {{- with .Values.pilot.volumeMounts }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
      volumes:
      # Technically not needed on this pod - but it helps debugging/testing SDS
      # Should be removed after everything works.
      - emptyDir:
          medium: Memory
        name: local-certs
      - name: istio-token
        projected:
          sources:
            - serviceAccountToken: