apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://10.96.0.1:443
  name: local
contexts:
- context:
    cluster: local
    user: istio-cni
  name: istio-cni-context
current-context: istio-cni-context
kind: Config
preferences: {}
users:
- name: istio-cni
  user:

  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
  verbs: ["create"]
  resources: ["gateways"]

# For storing CA secret
- apiGroups: [""]
  resources: ["secrets"]

1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.

1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.

  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Status is filled in by the server with the user attributes.
  optional SelfSubjectReviewStatus status = 2;
}

// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
message SelfSubjectReviewStatus {

                        "http2_protocol_options": {
                          "max_concurrent_streams": 100,
                          "allow_connect": true
                        },
                        "server_name": "istio-envoy",
                        "use_remote_address": false,
                        "forward_client_cert_details": "APPEND_FORWARD",
                        "set_current_client_cert_details": {

defaults:
  cni:
    hub: ""
    tag: ""
    variant: ""
    image: install-cni
    pullPolicy: ""

    # Configuration log level of istio-cni binary
    # by default istio-cni send all logs to UDS server
    # if want to see them you need change global.logging.level with cni:debug
    logLevel: debug

    # Configuration file to insert istio-cni plugin configuration
    # by default this will be the first file found in the cni-conf-dir

      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.
      # Setting this port to a non-zero value enables STS server.
      servicePort: 0
    # The name of the CA for workload certificates.
    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates

  // +optional
  optional string requestSubResource = 15;

  // Name is the name of the object as presented in the request.  On a CREATE operation, the client may omit name and
  // rely on the server to generate the name.  If that is the case, this field will contain an empty string.
  // +optional
  optional string name = 5;

  // Namespace is the namespace associated with the request (if any).
  // +optional

error rate, and request latency at p50, p90, and p99 percentiles. The
query results are printed to the console, organized by workload name.

All metrics returned are from server-side reports. This means that latencies
and error rates are from the perspective of the service itself and not of an
individual client (or aggregate set of clients). Rates and latencies are