- iptables
    - ip6tables
    - libnetfilter_conntrack
    - libnfnetlink
    - libmnl
    - libgcc
archs:
  - x86_64
  - aarch64
paths:
- path: /run
  type: directory
  permissions: 0o755
accounts:
  users:
    - username: nonroot
      uid: 65532
    - username: nobody
      uid: 65534
  run-as: 65532

meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_ENABLE_HBONE: "true"
global:
  variant: distroless
pilot:
  env:
    PILOT_ENABLE_AMBIENT: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
cni:
  ambient:
    enabled: true

# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel

meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_ENABLE_HBONE: "true"
global:
  variant: distroless
pilot:
  env:
    PILOT_ENABLE_AMBIENT: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
cni:
  ambient:
    enabled: true

# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel

    PILOT_ENABLE_AMBIENT: "true"
    # Allow sidecars/ingress to send/receive HBONE. This is required for interop.
    PILOT_ENABLE_SENDING_HBONE: "true"
    PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
platform: openshift
variant: distroless
seLinuxOptions:

contexts:
- context:
    cluster: local
    user: istio-cni
  name: istio-cni-context
current-context: istio-cni-context
kind: Config
preferences: {}
users:
- name: istio-cni
  user:

// how this struct is updated on heartbeats and can guide customized reporter implementations.
message EventSeries {
  // count is the number of occurrences in this series up to the last heartbeat time.
  optional int32 count = 1;

  // lastObservedTime is the time when last Event from the series was seen before last heartbeat.

-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minize upgrade risks

- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.

- simplified label structure. Label change is not supported on upgrade.

- for 'internal load balancer' you should deploy a separate gateway, in a different
namespace.

-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks

- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.

- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades

For a standard Kubernetes deployment, both CA and discovery will use JWT authentication, with a token automatically
[generated and rotated by Kubernetes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).

For discovery, the JWT token will be read directly from a file and sent as is. For CA, this logic is a bit more complex,

meshConfig:
  defaultConfig:
    proxyMetadata:
      ISTIO_META_ENABLE_HBONE: "true"
global:
  variant: distroless
pilot:
  env:
    PILOT_ENABLE_AMBIENT: "true"
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
cni:
  ambient:
    enabled: true

# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel