{"id":45694079,"url":"https://github.com/hops-ops/stack-istio","last_synced_at":"2026-02-24T19:02:35.244Z","repository":{"id":332384738,"uuid":"1133329597","full_name":"hops-ops/stack-istio","owner":"hops-ops","description":"Crossplane configuration for istio Helm chart","archived":false,"fork":false,"pushed_at":"2026-02-19T19:55:10.000Z","size":45,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-19T21:56:51.740Z","etag":null,"topics":["crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","helm","istio","kubernetes","xrd"],"latest_commit_sha":null,"homepage":null,"language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hops-ops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-13T07:44:18.000Z","updated_at":"2026-02-19T19:55:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hops-ops/stack-istio","commit_stats":null,"previous_names":["hops-ops/helm-istio","hops-ops/stack-istio"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/hops-ops/stack-istio","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fstack-istio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fstack-istio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fstack-istio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fstack-istio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hops-ops","download_url":"https://codeload.github.com/hops-ops/stack-istio/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fstack-istio/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29796784,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T16:37:37.581Z","status":"ssl_error","status_checked_at":"2026-02-24T16:37:37.074Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","helm","istio","kubernetes","xrd"],"created_at":"2026-02-24T19:02:29.979Z","updated_at":"2026-02-24T19:02:35.226Z","avatar_url":"https://github.com/hops-ops.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# stack-istio\n\nA Crossplane Configuration package that installs Istio (base, istiod, and gateways) via Helm with a minimal, stable interface.\n\n## Overview\n\n`stack-istio` renders three categories of Helm releases:\n\n- **istio-base** — CRDs and cluster-wide resources\n- **istiod** — Istio control plane with observability defaults (Prometheus, Tempo)\n- **gateways** — Ingress and egress gateway instances (both included by default)\n\nOptionally, `egress.allowedHosts` restricts outbound traffic to an explicit allowlist — no Istio knowledge required.\n\nDeletion protection (Usages) ensures correct teardown order: gateways before istiod, istiod before base.\n\n## Prerequisites\n\n- Crossplane installed in the cluster\n- Crossplane providers:\n  - `provider-helm` (\u003e=v1.0.6)\n  - `provider-kubernetes` (\u003e=v0.15.0) — only needed when using `egress.allowedHosts`\n- Crossplane function:\n  - `function-auto-ready` (\u003e=v0.6.0)\n\n## Quick Start\n\n```yaml\napiVersion: pkg.crossplane.io/v1\nkind: Configuration\nmetadata:\n  name: stack-istio\nspec:\n  package: ghcr.io/hops-ops/stack-istio:latest\n```\n\n```yaml\napiVersion: stacks.hops.ops.com.ai/v1alpha1\nkind: IstioStack\nmetadata:\n  name: istio\n  namespace: example-env\nspec:\n  clusterName: example-cluster\n```\n\nThis minimal spec installs istio-base, istiod, and default ingress + egress gateways in `istio-system`.\n\n## Egress Allowlist\n\nTo restrict outbound traffic to specific hosts, list them under `egress.allowedHosts`. This automatically:\n\n1. Sets `outboundTrafficPolicy.mode: REGISTRY_ONLY` on istiod (blocks all unlisted egress)\n2. Creates a `ServiceEntry` per host allowing HTTPS on port 443\n\n```yaml\nspec:\n  clusterName: example-cluster\n  egress:\n    allowedHosts:\n    - \"*.googleapis.com\"\n    - \"api.github.com\"\n    - \"registry.npmjs.org\"\n```\n\nWildcard hosts (e.g. `*.googleapis.com`) use `resolution: NONE`. Specific hosts use `resolution: DNS`.\n\n\u003e **Note:** Requires a `provider-kubernetes` ProviderConfig with the same name as your Helm ProviderConfig.\n\n## Full Example\n\n```yaml\napiVersion: stacks.hops.ops.com.ai/v1alpha1\nkind: IstioStack\nmetadata:\n  name: istio\n  namespace: example-env\nspec:\n  clusterName: example-cluster\n  labels:\n    team: platform\n  namespace: istio-system\n  istiod:\n    values:\n      pilot:\n        resources:\n          requests:\n            cpu: 100m\n            memory: 128Mi\n  gateways:\n  - name: istio-ingressgateway\n    type: LoadBalancer\n  - name: istio-egressgateway\n    type: ClusterIP\n  egress:\n    allowedHosts:\n    - \"*.googleapis.com\"\n    - \"api.github.com\"\n```\n\n## Spec Reference\n\n| Field | Type | Default | Description |\n|-------|------|---------|-------------|\n| `clusterName` | string | **required** | Target cluster name, used for provider config |\n| `labels` | map | `{}` | Labels merged with defaults on all resources |\n| `namespace` | string | `istio-system` | Namespace for all Helm releases |\n| `providerConfigRef.name` | string | `\u003cclusterName\u003e` | Helm ProviderConfig name |\n| `providerConfigRef.kind` | string | `ProviderConfig` | ProviderConfig or ClusterProviderConfig |\n| `base.values` | object | `{}` | Helm values merged with istio-base defaults |\n| `base.overrideAllValues` | object | | Replaces all istio-base defaults |\n| `istiod.values` | object | `{}` | Helm values merged with istiod defaults |\n| `istiod.overrideAllValues` | object | | Replaces all istiod defaults |\n| `gateways` | array | ingress + egress | List of gateway instances |\n| `gateways[].name` | string | `istio-ingressgateway` | Gateway name |\n| `gateways[].type` | string | `LoadBalancer` | Service type |\n| `gateways[].ports` | array | `[]` | Custom port definitions |\n| `gateways[].values` | object | `{}` | Per-gateway Helm values |\n| `gateways[].overrideAllValues` | object | | Replaces all gateway defaults |\n| `egress.allowedHosts` | string[] | `[]` | Hosts to allow egress to (enables REGISTRY_ONLY) |\n\n## Development\n\n```bash\nmake render        # Render all examples\nmake validate      # Validate against XRD schema\nmake test          # Run unit tests\nmake e2e           # Run E2E tests\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Fstack-istio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhops-ops%2Fstack-istio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Fstack-istio/lists"}