Switch to GHCR by default

Signed-off-by: Flynn <emissary@flynn.kodachi.com>

CHANGELOG.md

@@ -85,8 +85,8 @@ it will be removed; but as it won't be user-visible this isn't considered a brea
 
 ## RELEASE NOTES
 
-## [3.10.0] July 29, 2025
+## [3.10.0-dev] TBD
-[3.10.0]: https://github.com/emissary-ingress/emissary/compare/v3.9.0...v3.10.0
+[3.10.0-dev]: https://github.com/emissary-ingress/emissary/compare/v3.9.0...v3.10.0-dev
 
 ### Emissary-ingress and Ambassador Edge Stack
 

Community/SUPPORT.md

@@ -1,12 +1,16 @@
-## Support for deploying and using Emissary
+## Support for deploying and using Ambassador
 
-Welcome to Emissary! The Emissary community is the best current resource for
+Welcome to Ambassador! We use GitHub for tracking bugs and feature requests. If you need support, the following resources are available. Thanks for understanding.
-Emissary support, with the best options being:
 
-- Checking out the [documentation] at https://emissary-ingress.dev/
+### Documentation
-- Joining the `#emissary-ingress` channel in the [CNCF Slack]
-- [Opening an issue][GitHub] in [GitHub]
 
-[CNCF Slack]: https://communityinviter.com/apps/cloud-native/cncf)
+* [User Documentation](https://www.getambassador.io/docs)
-[documentation]: https://emissary-ingress.dev/
+* [Troubleshooting Guide](https://www.getambassador.io/reference/debugging)
-[GitHub]: https://github.com/emissary-ingress/emissary/issues
+
+### Real-time Chat
+
+* [Slack](https://d6e.co/slack): The `#ambassador` channel is a good place to start.
+
+### Commercial Support
+
+* Commercial Support is available as part of [Ambassador Pro](https://www.getambassador.io/pro/).

DevDocumentation/ARCHITECTURE.md

@@ -172,7 +172,7 @@ Provides two main functions:
 - Generate IR and envoy configs (load_ir function)
   - Take each Resource generated in ResourceFetcher and add it to the Config object as strongly typed objects
   - Store Config Object in `/ambassador/snapshots/aconf-tmp.json`
-  - Check Deltas for Mappings cache and determine if we needs to be reset
+  - Check Deltas for Mappings cach and determine if we needs to be reset
   - Create IR with a Config, Cache, and invalidated items
     - IR is generated which basically just converts our stuff to strongly typed generic "envoy" items (handling filters, clusters, listeners, removing duplicates, etc...)
   - IR is updated in-memory for diagd process

README.md

@@ -23,88 +23,64 @@ Emissary-ingress
 
 ---
 
-## QUICKSTART
+## Want to try an Emissary 3.10.0 RC?
 
-Looking to get started as quickly as possible? Check out [the
+We have a release candidate for Emissary 3.10.0 available for testing. If you're interested in giving it a shot, wonderful! Check out [trying 3.10].
-QUICKSTART](https://emissary-ingress.dev/docs/3.10/quick-start/)!
 
-### Latest Release
+[trying 3.10]: https://github.com/emissary-ingress/emissary/tree/master/TRY-3.10.md
-
-The latest production version of Emissary is **3.10.0**.
-
-**Note well** that there is also an Ambassador Edge Stack 3.10.0, but
-**Emissary 3.10 and Edge Stack 3.10 are not equivalent**. Their codebases have
-diverged and will continue to do so.
 
 ---
 
-Emissary-ingress
+[Emissary-Ingress](https://www.getambassador.io/docs/open-source) is an open-source Kubernetes-native API Gateway +
-================
+Layer 7 load balancer + Kubernetes Ingress built on [Envoy Proxy](https://www.envoyproxy.io).
+Emissary-ingress is a CNCF incubation project (and was formerly known as Ambassador API Gateway).
 
-[Emissary-ingress](https://www.getambassador.io/docs/open-source) is an
+Emissary-ingress enables its users to:
-open-source, developer-centric, Kubernetes-native API gateway built on [Envoy
+* Manage ingress traffic with [load balancing], support for multiple protocols ([gRPC and HTTP/2], [TCP], and [web sockets]), and Kubernetes integration
-Proxy]. Emissary-ingress is a CNCF incubating project (and was formerly known
+* Manage changes to routing with an easy to use declarative policy engine and [self-service configuration], via Kubernetes [CRDs] or annotations
-as Ambassador API Gateway).
+* Secure microservices with [authentication], [rate limiting], and [TLS]
-
+* Ensure high availability with [sticky sessions], [rate limiting], and [circuit breaking]
-### Design Goals
+* Leverage observability with integrations with [Grafana], [Prometheus], and [Datadog], and comprehensive [metrics] support
-
+* Enable progressive delivery with [canary releases]
-The first problem faced by any organization trying to develop cloud-native
+* Connect service meshes including [Consul], [Linkerd], and [Istio]
-applications is the _ingress problem_: allowing users outside the cluster to
-access the application running inside the cluster. Emissary is built around
-the idea that the application developers should be able to solve the ingress
-problem themselves, without needing to become Kubernetes experts and without
-needing dedicated operations staff: a self-service, developer-centric workflow
-is necessary to develop at scale.
-
-Emissary is open-source, developer-centric, role-oriented, opinionated, and
-Kubernatives-native.
-
-- open-source: Emissary is licensed under the Apache 2 license, permitting use
-  or modification by anyone.
-- developer-centric: Emissary is designed taking the application developer
-  into account first.
-- role-oriented: Emissary's configuration deliberately tries to separate
-  elements to allow separation of concerns between developers and operations.
-- opinionated: Emissary deliberately tries to make easy things easy, even if
-  that comes of the cost of not allowing some uncommon features.
-
-### Features
-
-Emissary supports all the table-stakes features needed for a modern API
-gateway:
-
-* Per-request [load balancing]
-* Support for routing [gRPC], [HTTP/2], [TCP], and [web sockets]
-* Declarative configuration via Kubernetes [custom resources]
-* Fine-grained [authentication] and [authorization]
-* Advanced routing features like [canary releases], [A/B testing], [dynamic routing], and [sticky sessions]
-* Resilience features like [retries], [rate limiting], and [circuit breaking]
-* Observability features including comprehensive [metrics] support using the [Prometheus] stack
-* Easy service mesh integration with [Linkerd], [Istio], [Consul], etc.
 * [Knative serverless integration]
 
 See the full list of [features](https://www.getambassador.io/docs/emissary) here.
 
-### Branches
+Branches
+========
 
 (If you are looking at this list on a branch other than `master`, it
 may be out of date.)
 
-- [`main`](https://github.com/emissary-ingress/emissary/tree/main): Emissary 4 development work
+- [`master`](https://github.com/emissary-ingress/emissary/tree/master) - branch for Emissary-ingress dev work ( :heavy_check_mark: upcoming release)
+- [`release/v3.9`](https://github.com/emissary-ingress/emissary/tree/release/v3.9) - branch for Emissary-ingress 3.9.z work
+- [`release/v2.5`](https://github.com/emissary-ingress/emissary/tree/release/v2.5) - branch for Emissary-ingress 2.5.z work ( :heavy_check_mark: maintenance)
 
-**No further development is planned on any branches listed below.**
+Architecture
+============
 
-- [`master`](https://github.com/emissary-ingress/emissary/tree/master) - **Frozen** at Emissary 3.10.0
+Emissary is configured via Kubernetes CRDs, or via annotations on Kubernetes `Service`s. Internally,
-- [`release/v3.10`](https://github.com/emissary-ingress/emissary/tree/release/v3.10) - Emissary-ingress 3.10.0 release branch
+it uses the [Envoy Proxy] to actually handle routing data; externally, it relies on Kubernetes for
-- [`release/v3.9`](https://github.com/emissary-ingress/emissary/tree/release/v3.9)
+scaling and resiliency. For more on Emissary's architecture and motivation, read [this blog post](https://blog.getambassador.io/building-ambassador-an-open-source-api-gateway-on-kubernetes-and-envoy-ed01ed520844).
-  - Emissary-ingress 3.9.1 release branch
-- [`release/v2.5`](https://github.com/emissary-ingress/emissary/tree/release/v2.5) - Emissary-ingress 2.5.1 release branch
 
-**Note well** that there is also an Ambassador Edge Stack 3.10.0, but
+Getting Started
-**Emissary 3.10 and Edge Stack 3.10 are not equivalent**. Their codebases have
+===============
-diverged and will continue to do so.
 
-#### Community
+You can get Emissary up and running in just three steps. Follow the instructions here: https://www.getambassador.io/docs/emissary/latest/tutorials/getting-started/
+
+If you are looking for a Kubernetes ingress controller, Emissary provides a superset of the functionality of a typical ingress controller. (It does the traditional routing, and layers on a raft of configuration options.) This blog post covers [Kubernetes ingress](https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d).
+
+For other common questions, view this [FAQ page](https://www.getambassador.io/docs/emissary/latest/about/faq/).
+
+You can also use Helm to install Emissary. For more information, see the instructions in the [Helm installation documentation](https://www.getambassador.io/docs/emissary/latest/topics/install/helm/)
+
+Check out the full [Emissary
+documentation](https://www.getambassador.io/docs/emissary/) at
+www.getambassador.io/docs/open-source.
+
+Community
+=========
 
 Emissary-ingress is a CNCF Incubating project and welcomes any and all
 contributors.
@@ -119,21 +95,21 @@ the way the community is run, including:
    regular trouble-shooting meetings and contributor meetings
  - how to get [`SUPPORT.md`](Community/SUPPORT.md).
 
-The best way to join the community is to join the `#emissary-ingress` channel
+The best way to join the community is to join the [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf)
-in the [CNCF Slack]. This is also the best place for technical information
+#emissary-ingress channel.
-about Emissary's architecture or development.
+
+Check out the [`DevDocumentation/`](DevDocumentation/) directory for
+information on the technicals of Emissary, most notably the
+[`CONTRIBUTING.md`](DevDocumentation/CONTRIBUTING.md) contributor's guide.
 
 If you're interested in contributing, here are some ways:
 * Write a blog post for [our blog](https://blog.getambassador.io)
 * Investigate an [open issue](https://github.com/emissary-ingress/emissary/issues)
-* Add [more tests](https://github.com/emissary-ingress/emissary/tree/main/ambassador/tests)
+* Add [more tests](https://github.com/emissary-ingress/emissary/tree/master/ambassador/tests)
+
+The Ambassador Edge Stack is a superset of Emissary-ingress that provides additional functionality including OAuth/OpenID Connect, advanced rate limiting, Swagger/OpenAPI support, integrated ACME support for automatic TLS certificate management, and a cloud-based UI. For more information, visit https://www.getambassador.io/editions/.
 
 <!-- Please keep this list sorted. -->
-[CNCF Slack]: https://communityinviter.com/apps/cloud-native/cncf
-[Envoy Proxy]: https://www.envoyproxy.io
-
-<!-- Legacy: clean up these links! -->
-
 [authentication]: https://www.getambassador.io/docs/emissary/latest/topics/running/services/auth-service/
 [canary releases]: https://www.getambassador.io/docs/emissary/latest/topics/using/canary/
 [circuit breaking]: https://www.getambassador.io/docs/emissary/latest/topics/using/circuit-breakers/

TRY-3.10.md

@@ -1,48 +1,40 @@
-# Emissary-ingress 3.10 Quickstart
+# Emissary-ingress 3.10.0
 
-**We recommend using Helm** to install Emissary.
+Emissary 3.10 encompasses:
 
-### Installing if you're starting fresh
+- all the changes made in this repo by Ambassador Labs after Emissary 3.9.1;
+- updates to Go dependencies;
+- updates to the included Envoy Proxy; and
+- community updates (with huge thanks to [Ajay Choudhary], [Billy Lynch], and
+  [Luke Shumaker]!)
 
-**If you are already running Emissary and just want to upgrade, DO NOT FOLLOW
+**Note well** that there is also an Ambassador Edge Stack 3.10.0, but
-THESE DIRECTIONS.** Instead, check out "Upgrading from an earlier Emissary"
+**Emissary 3.10 and Edge Stack 3.10 are not equivalent**. Their codebases have
-below.
+diverged and will continue to do so.
 
-If you're starting from scratch and you don't need to worry about older CRD
+[Ajay Choudhary]: https://github.com/ajaychoudhary-hotstar
-versions, install using `--set enableLegacyVersions=false` to avoid install
+[Billy Lynch]: https://github.com/wlynch
-the old versions of the CRDs and the conversion webhook:
+[Luke Shumaker]: https://github.com/lukeshu
 
-```bash
+## Trying 3.10
-helm install emissary-crds \
- --namespace emissary --create-namespace \
- oci://ghcr.io/emissary-ingress/emissary-crds-chart --version=3.10.0 \
- --set enableLegacyVersions=false \
- --wait
-```
 
-This will install only v3alpha1 CRDs and skip the conversion webhook entirely.
+The most current Emissary 3.10 is Emissary 3.10.0-rc.3. This is a **release
-It will create the `emissary` namespace for you, but there won't be anything
+candidate**: it passes CI and is believed to be stable, but we'd like more
-in it at this point.
+people to try it out before we call it a final release.
 
-Next up, install Emissary itself, with `--set waitForApiext.enabled=false` to
+**3.10.0-rc.3 is the final RC planned for Emissary 3.10.0.**
-tell Emissary not to wait for the conversion webhook to be ready:
 
-```bash
+By far the easiest way to try things is with Helm -- and note that Emissary
-helm install emissary \
+3.10 includes a Helm chart for CRDs.
- --namespace emissary \
- oci://ghcr.io/emissary-ingress/emissary-ingress --version=3.10.0 \
- --set waitForApiext.enabled=false \
- --wait
-```
 
-### Upgrading from an earlier Emissary
+### Installing if you're already running an earlier Emissary
 
 First, install the CRDs and the conversion webhook:
 
 ```bash
 helm install emissary-crds \
  --namespace emissary-system --create-namespace \
- oci://ghcr.io/emissary-ingress/emissary-crds-chart --version=3.10.0 \
+ oci://docker.io/dwflynn/emissary-crds-chart --version=3.10.0-rc.3 \
  --wait
 ```
 
@@ -52,7 +44,32 @@ conversion webhook into the `emissary-system` namespace. Once that's done, you'l
 ```bash
 helm install emissary \
  --namespace emissary --create-namespace \
- oci://ghcr.io/emissary-ingress/emissary-ingress --version=3.10.0 \
+ oci://docker.io/dwflynn/emissary-ingress --version=3.10.0-rc.3 \
+ --wait
+```
+
+### Installing if you're starting fresh
+
+If you're starting from scratch and you don't need to worry about older CRD
+versions, you can do things differently:
+
+```bash
+helm install emissary-crds \
+ --namespace emissary --create-namespace \
+ oci://docker.io/dwflynn/emissary-crds-chart --version=3.10.0-rc.3 \
+ --set enableLegacyVersions=false \
+ --wait
+```
+
+This will install only v3alpha1 CRDs and skip the conversion webhook entirely.
+It will create the `emissary` namespace for you, but there won't be anything
+in it until you install Emissary itself:
+
+```bash
+helm install emissary \
+ --namespace emissary \
+ oci://docker.io/dwflynn/emissary-ingress --version=3.10.0-rc.3 \
+ --set waitForApiext.enabled=false \
  --wait
 ```
 

build-aux/main.mk

@@ -136,7 +136,9 @@ build-output/chart-%.tgz: build-output/chart-%.d
 # Convenience aliases for the Helm chart
 chart_dir = build-output/chart-$(patsubst v%,%,$(VERSION))_$(patsubst v%,%,$(CHART_VERSION)).d
 chart_tgz = $(patsubst %.d,%.tgz,$(chart_dir))
-chart: $(chart_tgz)
+# chart: $(chart_tgz)
+chart:
+	@echo "Don't use make chart -- instead, cd charts && make"
 PHONY: chart
 
 _major_version = $(firstword $(subst ., ,$(patsubst v%,%,$(VERSION))))

charts/Makefile

@@ -0,0 +1,44 @@
+IMAGE_REPO ?= ghcr.io/emissary-ingress/emissary
+
+all: charts
+
+charts: emissary-crds-chart emissary-ingress
+
+# These are just aliases
+emissary-crds-chart: emissary-crds-chart-$(VERSION).tgz
+emissary-ingress: emissary-ingress-$(VERSION).tgz
+
+version-check:
+	@if [ -z "$(VERSION)" ]; then \
+		echo "VERSION must be set (e.g. VERSION=1.0.0-alpha.3)" >&2 ;\
+		exit 1; \
+	fi
+.PHONY: version-check
+
+helm-registry-check:
+	@if [ -z "$(HELM_REGISTRY)" ]; then \
+		echo "HELM_REGISTRY must be set (e.g. HELM_REGISTRY=oci://docker.io/dwflynn)" >&2 ;\
+		exit 1; \
+	fi
+.PHONY: helm-registry-check
+
+emissary-crds-chart-$(VERSION).tgz: version-check emissary-crds
+	bash bin/build-chart emissary-crds $(VERSION) $(IMAGE_REPO) $$(pwd)
+	ls -l emissary-crds-chart-$(VERSION).tgz
+
+emissary-ingress-$(VERSION).tgz: version-check emissary-chart
+	bash bin/build-chart emissary-chart $(VERSION) $(IMAGE_REPO) $$(pwd)
+	ls -l emissary-ingress-$(VERSION).tgz
+
+push-chart: version-check helm-registry-check charts
+	if [ -n "$(HELM_REGISTRY)" ]; then \
+		helm push emissary-crds-chart-$(VERSION).tgz $(HELM_REGISTRY); \
+		helm push emissary-ingress-$(VERSION).tgz $(HELM_REGISTRY); \
+	else \
+		echo "HELM_REGISTRY not set, not pushing"; \
+	fi
+
+clean:
+	rm -rf emissary-crds-chart-*
+	rm -rf emissary-ingress-*
+

charts/bin/build-chart

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+check_arg () {
+	if [ -z "$2" ]; then
+		echo "$1 cannot be unset" >&2
+		exit 1
+	fi
+}
+
+if [ $# -ne 4 ]; then
+  echo "Usage: $0 <chart-source> <version> <image-repo> <output-dir>" >&2
+  exit 1
+fi
+
+set -e
+
+chart_source="$1"
+version="$2"
+image_repo="$3"
+output_dir="$4"
+
+check_arg chart_source "$chart_source"
+check_arg version "$version"
+check_arg image_repo "$image_repo"
+check_arg output_dir "$output_dir"
+
+# set -x
+
+workdir=$(mktemp -d -t build-chart)
+trap "rm -rf $workdir" EXIT
+
+cp -pr "$chart_source"/* "$workdir"
+
+for file in "$workdir/Chart.yaml" "$workdir/values.yaml"; do
+	sed \
+		-e "s/@version@/$version/g" \
+		-e "s/@chartVersion@/$version/g" \
+		-e "s,@imageRepo@,${image_repo},g" \
+		< ${file}.in > ${file}
+	rm -f ${file}.in
+done
+
+go run kubepack.dev/chart-doc-gen@v0.5.0 \
+	-d "$workdir/doc.yaml" \
+	-t "$workdir/readme.tpl" \
+	-v "$workdir/values.yaml" \
+	> $workdir/README.md
+
+helm package --destination="$output_dir" "$workdir"
+

charts/emissary-chart/Chart.yaml.in

@@ -16,10 +16,8 @@ keywords:
 - emissary
 - emissary ingress
 maintainers:
-- name: flydiverny
-  email: markus@maga.se
 - name: kflynn
-  email: flynn@datawire.io
+  email: flynn@buoyant.io
-- name: nbkrause
+- name: aliceproxy
-  email: nkrause@datawire.io
+  email:
 engine: gotpl

charts/emissary-chart/doc.yaml

@@ -12,7 +12,7 @@ chart:
   values: "-- generate from values file --"
   valuesExample: "-- generate from values file --"
 prerequisites:
-- "Kubernetes v1.11+"
+  - "Kubernetes v1.11+"
 release:
   name: emissary-ingress
   namespace: ambassador

charts/emissary-chart/templates/NOTES.txt

@@ -1,5 +1,5 @@
 -------------------------------------------------------------------------------
-  Congratulations! You've successfully installed Emissary Ingress!
+  Congratulations! You've successfully installed Emissary-ingress!
 
 -------------------------------------------------------------------------------
 To get the IP address of Emissary, run the following commands:

charts/emissary-chart/values.yaml.in

@@ -208,7 +208,7 @@ adminService:
   type: ClusterIP
   port: 8877
   snapshotPort: 8005
-  goPluginMetricsPort: 
+  goPluginMetricsPort:
   # If explicit NodePort for admin service is required
   nodePort:
   # Annotations to apply to Ambassador admin service

charts/emissary-crds/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+OWNERS
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/emissary-crds/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Change Log
+
+This file documents all notable changes to Ambassador Helm Chart. The release
+numbering uses [semantic versioning](http://semver.org).
+
+## v3.10.0 - TBD
+
+Initial release of the CRDs chart.

charts/emissary-crds/Chart.yaml.in

@@ -0,0 +1,22 @@
+apiVersion: "v2"
+appVersion: "@version@"
+description: |
+  Emissary-ingress is a CNCF API Gateway built on Envoy Proxy, specializing
+  in self-service operation with minimal operational complexity.
+type: application
+home: https://emissary-ingress.dev/
+keywords:
+  - emissary-ingress
+  - crds
+  - ingress-controller
+  - conversion-webhook
+kubeVersion: ">=1.25.0-0"
+name: "emissary-crds-chart"
+sources:
+  - https://github.com/emissary-ingress/emissary/
+version: "@version@"
+#icon: https://linkerd.io/images/logo-only-200h.png
+maintainers:
+  - name: Emissary authors
+    email: cncf-emissary-ingress-maintainers@lists.cncf.io
+    url: https://github.com/emissary-ingress/emissary/

charts/emissary-crds/doc.yaml

@@ -0,0 +1,18 @@
+project:
+  name: Emissary-ingress CRDs
+  shortName: emissary-crds
+  url: https://github.com/emissary-ingress/emissary
+  description: CRDs for the Emissary-ingress project
+  app: Emissary-ingress
+repository:
+  url: oci://ghcr.io/emissary-ingress/emissary-crds
+  name: emissary-crds
+chart:
+  name: emissary-crds
+  values: "-- generate from values file --"
+  valuesExample: "-- generate from values file --"
+prerequisites:
+  - "Kubernetes v1.11+"
+release:
+  name: emissary-crds
+  namespace: emissary-system

charts/emissary-crds/readme.tpl

@@ -0,0 +1,66 @@
+# {{ .Project.ShortName }}
+
+[{{ .Project.Name }}]({{ .Project.URL }}) - {{ .Project.Description }}
+
+## Introduction
+
+This chart deploys the Emissary-ingress CRDS and (optionally) conversion
+webhook on a [Kubernetes](http://kubernetes.io) cluster using the
+[Helm](https://helm.sh) package manager.
+
+## Prerequisites
+{{ range .Prerequisites }}
+- {{ . }}
+{{- end }}
+
+## Installing the Chart
+
+A typical installation will use the `emissary-system` namespace:
+
+```console
+helm install {{ .Release.Name }} \
+     --namespace emissary-system --create-namespace \
+     {{ .Repository.Name }}/{{ .Chart.Name }} \
+     --version {{ .Chart.Version }} \
+     --wait
+```
+
+The command deploys the Emissary-ingress CRDs on the Kubernetes cluster in the
+default configuration. The [configuration](#configuration) section lists the
+parameters that can be configured during installation.
+
+## Changelog
+
+Notable chart changes are listed in the [CHANGELOG](./CHANGELOG.md)
+
+{{ if .Chart.Values -}}
+## Configuration
+
+The following table lists the configurable parameters of the `{{ .Chart.Name }}` chart and their default values.
+
+{{ .Chart.Values }}
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
+
+```console
+helm install {{ .Release.Name }} \
+     --namespace emissary-system --create-namespace \
+     {{ .Repository.Name }}/{{ .Chart.Name }} \
+     --version {{ .Chart.Version }} \
+     --set {{ .Chart.ValuesExample }} \
+     --wait
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while
+installing the chart. For example:
+
+
+```console
+helm install {{ .Release.Name }} \
+     --namespace emissary-system --create-namespace \
+     {{ .Repository.Name }}/{{ .Chart.Name }} \
+     --version {{ .Chart.Version }} \
+     --values values.yaml \
+     --wait
+```
+{{- end }}

charts/emissary-crds/templates/NOTES.txt

@@ -0,0 +1,14 @@
+The emissary-crds chart was successfully installed! 🎉
+
+To complete the Emissary-ingress installation, please now proceed to install
+the emissary-ingress chart in the {{ .Release.Namespace }} namespace.
+
+{{- if .Values.enableLegacyVersions }}
+The V2 CRDs and apiext are installed and available for use.
+{{- if .Values.enableV1 }}
+The V1 CRDs are available, too.
+{{- end -}}
+{{- end }}
+
+Looking for more? Visit https://emissary-ingress.dev/ !
+

charts/emissary-crds/templates/_helpers.yaml

@@ -0,0 +1,23 @@
+{{- define "partials.conversion" -}}
+{{- if .Values.enableLegacyVersions }}
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: emissary-apiext
+          namespace: {{ .Release.Namespace }}
+          path: /webhooks/crd-convert
+          port: 443
+      conversionReviewVersions:
+      - v1
+{{- end -}}
+{{- end -}}
+
+{{- define "partials.v3alpha1storage" -}}
+{{- if .Values.enableLegacyVersions -}}
+  false
+{{- else -}}
+  true
+{{- end -}}
+{{- end -}}

charts/emissary-crds/templates/apiext.yaml

@@ -0,0 +1,218 @@
+{{- if .Values.enableLegacyVersions }}
+---
+################################################################################
+# ServiceAccount                                                               #
+################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: emissary-apiext
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+---
+################################################################################
+# Cluster permissions                                                          #
+################################################################################
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: emissary-apiext
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+rules:
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    verbs: [ "list", "watch" ]
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions", "customresourcedefinitions/status" ]
+    resourceNames:
+      - authservices.getambassador.io
+      - consulresolvers.getambassador.io
+      - devportals.getambassador.io
+      - hosts.getambassador.io
+      - kubernetesendpointresolvers.getambassador.io
+      - kubernetesserviceresolvers.getambassador.io
+      - listeners.getambassador.io
+      - logservices.getambassador.io
+      - mappings.getambassador.io
+      - modules.getambassador.io
+      - ratelimitservices.getambassador.io
+      - tcpmappings.getambassador.io
+      - tlscontexts.getambassador.io
+      - tracingservices.getambassador.io
+    verbs: [ "update" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: emissary-apiext
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: emissary-apiext
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: emissary-apiext
+---
+################################################################################
+# Namespaced permissions                                                       #
+################################################################################
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: emissary-apiext
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "create", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    resourceNames: [ "emissary-ingress-webhook-ca" ]
+    verbs: [ "get", "update" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    verbs: [ "create" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    resourceNames: [ "emissary-ca-mgr-leader" ]
+    verbs: [ "get", "update" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "create" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: emissary-apiext
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: emissary-apiext
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: emissary-apiext
+---
+################################################################################
+# Main                                                                         #
+################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+  name: emissary-apiext
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: https
+      port: 443
+      targetPort: https
+  selector:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: emissary-apiext
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: emissary-apiext
+    app.kubernetes.io/managed-by: helm
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: emissary-apiext
+      app.kubernetes.io/name: emissary-apiext
+      app.kubernetes.io/part-of: emissary-apiext
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: emissary-apiext
+        app.kubernetes.io/managed-by: helm
+        app.kubernetes.io/name: emissary-apiext
+        app.kubernetes.io/part-of: emissary-apiext
+        helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+        emissary-ingress.dev/control-plane-ns: {{ .Values.emissary.namespace }}
+    spec:
+      serviceAccountName: emissary-apiext
+      containers:
+        - name: emissary-apiext
+          image: {{ .Values.apiext.repository }}:{{ .Values.apiext.tag }}
+          imagePullPolicy: {{ .Values.apiext.pullPolicy }}
+          command: [ "apiext", "emissary-apiext" ]
+          args: [ "--crd-label-selector", "app.kubernetes.io/part-of=emissary-apiext" ]
+          ports:
+            - name: http
+              containerPort: 8080
+            - name: https
+              containerPort: 8443
+          startupProbe:
+            httpGet:
+              path: /probes/live
+              port: 8080
+            failureThreshold: 10
+            periodSeconds: 3
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /probes/live
+              port: 8080
+            periodSeconds: 3
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /probes/ready
+              port: 8080
+            periodSeconds: 3
+            failureThreshold: 3
+{{- end -}}

charts/emissary-crds/templates/authservices.yaml

@@ -0,0 +1,375 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: authservices.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: AuthService
+    listKind: AuthServiceList
+    plural: authservices
+    singular: authservice
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: AuthService is the Schema for the authservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AuthServiceSpec defines the desired state of AuthService
+            properties:
+              add_auth_headers:
+                additionalProperties:
+                  type: string
+                type: object
+              add_linkerd_headers:
+                type: boolean
+              allow_request_body:
+                type: boolean
+              allowed_authorization_headers:
+                items:
+                  type: string
+                type: array
+              allowed_request_headers:
+                items:
+                  type: string
+                type: array
+              auth_service:
+                type: string
+              failure_mode_allow:
+                type: boolean
+              include_body:
+                properties:
+                  allow_partial:
+                    type: boolean
+                  max_bytes:
+                    description: These aren't pointer types because they are required.
+                    type: integer
+                required:
+                - allow_partial
+                - max_bytes
+                type: object
+              path_prefix:
+                type: string
+              proto:
+                enum:
+                - http
+                - grpc
+                type: string
+              protocol_version:
+                enum:
+                - v2
+                - v3
+                type: string
+              status_on_error:
+                description: Why isn't this just an int??
+                properties:
+                  code:
+                    type: integer
+                type: object
+              timeout_ms:
+                type: integer
+              v3CircuitBreakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              v3StatsName:
+                type: string
+            required:
+            - auth_service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: AuthService is the Schema for the authservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AuthServiceSpec defines the desired state of AuthService
+            properties:
+              add_auth_headers:
+                additionalProperties:
+                  type: string
+                type: object
+              add_linkerd_headers:
+                type: boolean
+              allow_request_body:
+                type: boolean
+              allowed_authorization_headers:
+                items:
+                  type: string
+                type: array
+              allowed_request_headers:
+                items:
+                  type: string
+                type: array
+              auth_service:
+                type: string
+              failure_mode_allow:
+                type: boolean
+              include_body:
+                properties:
+                  allow_partial:
+                    type: boolean
+                  max_bytes:
+                    description: These aren't pointer types because they are required.
+                    type: integer
+                required:
+                - allow_partial
+                - max_bytes
+                type: object
+              path_prefix:
+                type: string
+              proto:
+                enum:
+                - http
+                - grpc
+                type: string
+              protocol_version:
+                enum:
+                - v2
+                - v3
+                type: string
+              status_on_error:
+                description: Why isn't this just an int??
+                properties:
+                  code:
+                    type: integer
+                type: object
+              timeout_ms:
+                type: integer
+              v3CircuitBreakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              v3StatsName:
+                type: string
+            required:
+            - auth_service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: AuthService is the Schema for the authservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: AuthServiceSpec defines the desired state of AuthService
+            properties:
+              add_auth_headers:
+                additionalProperties:
+                  type: string
+                type: object
+              add_linkerd_headers:
+                type: boolean
+              allow_request_body:
+                type: boolean
+              allowed_authorization_headers:
+                items:
+                  type: string
+                type: array
+              allowed_request_headers:
+                items:
+                  type: string
+                type: array
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              auth_service:
+                type: string
+              circuit_breakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              failure_mode_allow:
+                type: boolean
+              include_body:
+                properties:
+                  allow_partial:
+                    type: boolean
+                  max_bytes:
+                    description: These aren't pointer types because they are required.
+                    type: integer
+                required:
+                - allow_partial
+                - max_bytes
+                type: object
+              path_prefix:
+                type: string
+              proto:
+                enum:
+                - http
+                - grpc
+                type: string
+              protocol_version:
+                description: ProtocolVersion is the envoy api transport protocol version
+                enum:
+                - v2
+                - v3
+                type: string
+              stats_name:
+                type: string
+              status_on_error:
+                properties:
+                  code:
+                    type: integer
+                type: object
+              timeout_ms:
+                type: integer
+              tls:
+                type: string
+              v2ExplicitTLS:
+                description: V2ExplicitTLS controls some vanity/stylistic elements
+                  when converting from v3alpha1 to v2.  The values in an V2ExplicitTLS
+                  should not in any way affect the runtime operation of Emissary;
+                  except that it may affect internal names in the Envoy config, which
+                  may in turn affect stats names.  But it should not affect any end-user
+                  observable behavior.
+                properties:
+                  serviceScheme:
+                    description: "ServiceScheme specifies how to spell and capitalize\
+                      \ the scheme-part of the service URL. \n Acceptable values are\
+                      \ \"http://\" (case-insensitive), \"https://\" (case-insensitive),\
+                      \ or \"\".  The value is used if it agrees with whether or not\
+                      \ this resource enables TLS origination, or if something else\
+                      \ in the resource overrides the scheme."
+                    pattern: ^([hH][tT][tT][pP][sS]?://)?$
+                    type: string
+                  tls:
+                    description: "TLS controls whether and how to represent the \"\
+                      tls\" field when its value could be implied by the \"service\"\
+                      \ field.  In v2, there were a lot of different ways to spell\
+                      \ an \"empty\" value, and this field specifies which way to\
+                      \ spell it (and will therefore only be used if the value will\
+                      \ indeed be empty). \n | Value        | Representation     \
+                      \                   | Meaning of representation          | |--------------+---------------------------------------+------------------------------------|\
+                      \ | \"\"           | omit the field                        |\
+                      \ defer to service (no TLSContext)   | | \"null\"       | store\
+                      \ an explicit \"null\" in the field | defer to service (no TLSContext)\
+                      \   | | \"string\"     | store an empty string in the field\
+                      \    | defer to service (no TLSContext)   | | \"bool:false\"\
+                      \ | store a Boolean \"false\" in the field  | defer to service\
+                      \ (no TLSContext)   | | \"bool:true\"  | store a Boolean \"\
+                      true\" in the field   | originate TLS (no TLSContext)      |\
+                      \ \n If the meaning of the representation contradicts anything\
+                      \ else (if a TLSContext is to be used, or in the case of \"\
+                      bool:true\" if TLS is not to be originated), then this field\
+                      \ is ignored."
+                    enum:
+                    - ''
+                    - 'null'
+                    - bool:true
+                    - bool:false
+                    - string
+                    type: string
+                type: object
+            required:
+            - auth_service
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/consulresolvers.yaml

@@ -0,0 +1,127 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: consulresolvers.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: ConsulResolver
+    listKind: ConsulResolverList
+    plural: consulresolvers
+    singular: consulresolver
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ConsulResolver is the Schema for the ConsulResolver API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ConsulResolver tells Ambassador to use Consul to resolve
+              services. In addition to the AmbassadorID, it needs information about
+              which Consul server and DC to use.
+            properties:
+              address:
+                type: string
+              datacenter:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: ConsulResolver is the Schema for the ConsulResolver API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ConsulResolver tells Ambassador to use Consul to resolve
+              services. In addition to the AmbassadorID, it needs information about
+              which Consul server and DC to use.
+            properties:
+              address:
+                type: string
+              datacenter:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: ConsulResolver is the Schema for the ConsulResolver API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ConsulResolver tells Ambassador to use Consul to resolve
+              services. In addition to the AmbassadorID, it needs information about
+              which Consul server and DC to use.
+            properties:
+              address:
+                type: string
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              datacenter:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/devportals.yaml

@@ -0,0 +1,376 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: devportals.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: DevPortal
+    listKind: DevPortalList
+    plural: devportals
+    singular: devportal
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: "DevPortal is the Schema for the DevPortals API \n DevPortal\
+          \ resources specify the `what` and `how` is shown in a DevPortal: \n 1.\
+          \ `what` is in a DevPortal can be controlled with \n - a `selector`, that\
+          \ can be used for filtering `Mappings`. \n - a `docs` listing of (services,\
+          \ url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git\
+          \ repository with go-templates/markdown/css). \n Multiple `DevPortal`s can\
+          \ exist in the cluster, and the Dev Portal server will show them at different\
+          \ endpoints. A `DevPortal` resource with a special name, `ambassador`, will\
+          \ be used for configuring the default Dev Portal (served at `/docs/` by\
+          \ default)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DevPortalSpec defines the desired state of DevPortal
+            properties:
+              content:
+                description: Content specifies where the content shown in the DevPortal
+                  come from
+                properties:
+                  branch:
+                    type: string
+                  dir:
+                    type: string
+                  url:
+                    type: string
+                type: object
+              default:
+                description: Default must be true when this is the default DevPortal
+                type: boolean
+              docs:
+                description: Docs is a static docs definition
+                items:
+                  description: 'DevPortalDocsSpec is a static documentation definition:
+                    instead of using a Selector for finding documentation for services,
+                    users can provide a static list of <service>:<URL> tuples. These
+                    services will be shown in the Dev Portal with the documentation
+                    obtained from this URL.'
+                  properties:
+                    service:
+                      description: Service is the service being documented
+                      type: string
+                    timeout_ms:
+                      description: Timeout specifies the amount of time devportal
+                        will wait for the downstream service to report an openapi
+                        spec back
+                      type: integer
+                    url:
+                      description: URL is the URL used for obtaining docs
+                      type: string
+                  type: object
+                type: array
+              naming_scheme:
+                description: Describes how to display "services" in the DevPortal.
+                  Default namespace.name
+                enum:
+                - namespace.name
+                - name.prefix
+                type: string
+              preserve_servers:
+                description: Configures this DevPortal to use server definitions from
+                  the openAPI doc instead of rewriting them based on the url used
+                  for the connection.
+                type: boolean
+              search:
+                description: DevPortalSearchSpec allows configuration over search
+                  functionality for the DevPortal
+                properties:
+                  enabled:
+                    type: boolean
+                  type:
+                    description: 'Type of search. "title-only" does a fuzzy search
+                      over openapi and page titles "all-content" will fuzzy search
+                      over all openapi and page content. "title-only" is the default.
+                      warning:  using all-content may incur a larger memory footprint'
+                    enum:
+                    - title-only
+                    - all-content
+                    type: string
+                type: object
+              selector:
+                description: Selector is used for choosing what is shown in the DevPortal
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: MatchLabels specifies the list of labels that must
+                      be present in Mappings for being present in this DevPortal.
+                    type: object
+                  matchNamespaces:
+                    description: MatchNamespaces is a list of namespaces that will
+                      be included in this DevPortal.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: "DevPortal is the Schema for the DevPortals API \n DevPortal\
+          \ resources specify the `what` and `how` is shown in a DevPortal: \n 1.\
+          \ `what` is in a DevPortal can be controlled with \n - a `selector`, that\
+          \ can be used for filtering `Mappings`. \n - a `docs` listing of (services,\
+          \ url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git\
+          \ repository with go-templates/markdown/css). \n Multiple `DevPortal`s can\
+          \ exist in the cluster, and the Dev Portal server will show them at different\
+          \ endpoints. A `DevPortal` resource with a special name, `ambassador`, will\
+          \ be used for configuring the default Dev Portal (served at `/docs/` by\
+          \ default)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DevPortalSpec defines the desired state of DevPortal
+            properties:
+              content:
+                description: Content specifies where the content shown in the DevPortal
+                  come from
+                properties:
+                  branch:
+                    type: string
+                  dir:
+                    type: string
+                  url:
+                    type: string
+                type: object
+              default:
+                description: Default must be true when this is the default DevPortal
+                type: boolean
+              docs:
+                description: Docs is a static docs definition
+                items:
+                  description: 'DevPortalDocsSpec is a static documentation definition:
+                    instead of using a Selector for finding documentation for services,
+                    users can provide a static list of <service>:<URL> tuples. These
+                    services will be shown in the Dev Portal with the documentation
+                    obtained from this URL.'
+                  properties:
+                    service:
+                      description: Service is the service being documented
+                      type: string
+                    timeout_ms:
+                      description: Timeout specifies the amount of time devportal
+                        will wait for the downstream service to report an openapi
+                        spec back
+                      type: integer
+                    url:
+                      description: URL is the URL used for obtaining docs
+                      type: string
+                  type: object
+                type: array
+              naming_scheme:
+                description: Describes how to display "services" in the DevPortal.
+                  Default namespace.name
+                enum:
+                - namespace.name
+                - name.prefix
+                type: string
+              preserve_servers:
+                description: Configures this DevPortal to use server definitions from
+                  the openAPI doc instead of rewriting them based on the url used
+                  for the connection.
+                type: boolean
+              search:
+                description: DevPortalSearchSpec allows configuration over search
+                  functionality for the DevPortal
+                properties:
+                  enabled:
+                    type: boolean
+                  type:
+                    description: 'Type of search. "title-only" does a fuzzy search
+                      over openapi and page titles "all-content" will fuzzy search
+                      over all openapi and page content. "title-only" is the default.
+                      warning:  using all-content may incur a larger memory footprint'
+                    enum:
+                    - title-only
+                    - all-content
+                    type: string
+                type: object
+              selector:
+                description: Selector is used for choosing what is shown in the DevPortal
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: MatchLabels specifies the list of labels that must
+                      be present in Mappings for being present in this DevPortal.
+                    type: object
+                  matchNamespaces:
+                    description: MatchNamespaces is a list of namespaces that will
+                      be included in this DevPortal.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: "DevPortal is the Schema for the DevPortals API \n DevPortal\
+          \ resources specify the `what` and `how` is shown in a DevPortal: \n 1.\
+          \ `what` is in a DevPortal can be controlled with \n - a `selector`, that\
+          \ can be used for filtering `Mappings`. \n - a `docs` listing of (services,\
+          \ url) \n 2. `how` is a pointer to some `contents` (a checkout of a Git\
+          \ repository with go-templates/markdown/css). \n Multiple `DevPortal`s can\
+          \ exist in the cluster, and the Dev Portal server will show them at different\
+          \ endpoints. A `DevPortal` resource with a special name, `ambassador`, will\
+          \ be used for configuring the default Dev Portal (served at `/docs/` by\
+          \ default)."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DevPortalSpec defines the desired state of DevPortal
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              content:
+                description: Content specifies where the content shown in the DevPortal
+                  come from
+                properties:
+                  branch:
+                    type: string
+                  dir:
+                    type: string
+                  url:
+                    type: string
+                type: object
+              default:
+                description: Default must be true when this is the default DevPortal
+                type: boolean
+              docs:
+                description: Docs is a static docs definition
+                items:
+                  description: 'DevPortalDocsSpec is a static documentation definition:
+                    instead of using a Selector for finding documentation for services,
+                    users can provide a static list of <service>:<URL> tuples. These
+                    services will be shown in the Dev Portal with the documentation
+                    obtained from this URL.'
+                  properties:
+                    service:
+                      description: Service is the service being documented
+                      type: string
+                    timeout_ms:
+                      description: Timeout specifies the amount of time devportal
+                        will wait for the downstream service to report an openapi
+                        spec back
+                      type: integer
+                    url:
+                      description: URL is the URL used for obtaining docs
+                      type: string
+                  type: object
+                type: array
+              naming_scheme:
+                description: Describes how to display "services" in the DevPortal.
+                  Default namespace.name
+                enum:
+                - namespace.name
+                - name.prefix
+                type: string
+              preserve_servers:
+                description: Configures this DevPortal to use server definitions from
+                  the openAPI doc instead of rewriting them based on the url used
+                  for the connection.
+                type: boolean
+              search:
+                description: DevPortalSearchSpec allows configuration over search
+                  functionality for the DevPortal
+                properties:
+                  enabled:
+                    type: boolean
+                  type:
+                    description: 'Type of search. "title-only" does a fuzzy search
+                      over openapi and page titles "all-content" will fuzzy search
+                      over all openapi and page content. "title-only" is the default.
+                      warning:  using all-content may incur a larger memory footprint'
+                    enum:
+                    - title-only
+                    - all-content
+                    type: string
+                type: object
+              selector:
+                description: Selector is used for choosing what is shown in the DevPortal
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: MatchLabels specifies the list of labels that must
+                      be present in Mappings for being present in this DevPortal.
+                    type: object
+                  matchNamespaces:
+                    description: MatchNamespaces is a list of namespaces that will
+                      be included in this DevPortal.
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/hosts.yaml

@@ -0,0 +1,657 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: hosts.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: Host
+    listKind: HostList
+    plural: hosts
+    singular: host
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions }}
+  - additionalPrinterColumns:
+    - jsonPath: .spec.hostname
+      name: Hostname
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .status.phaseCompleted
+      name: Phase Completed
+      type: string
+    - jsonPath: .status.phasePending
+      name: Phase Pending
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v2
+    schema:
+      openAPIV3Schema:
+        description: Host is the Schema for the hosts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HostSpec defines the desired state of Host
+            properties:
+              acmeProvider:
+                description: Specifies whether/who to talk ACME with to automatically
+                  manage the $tlsSecret.
+                properties:
+                  authority:
+                    description: Specifies who to talk ACME with to get certs. Defaults
+                      to Let's Encrypt; if "none" (case-insensitive), do not try to
+                      do ACME for this Host.
+                    type: string
+                  email:
+                    type: string
+                  privateKeySecret:
+                    description: "Specifies the Kubernetes Secret to use to store\
+                      \ the private key of the ACME account (essentially, where to\
+                      \ store the auto-generated password for the auto-created ACME\
+                      \ account).  You should not normally need to set this--the default\
+                      \ value is based on a combination of the ACME authority being\
+                      \ registered wit and the email address associated with the account.\
+                      \ \n Note that this is a native-Kubernetes-style core.v1.LocalObjectReference,\
+                      \ not an Ambassador-style `{name}.{namespace}` string.  Because\
+                      \ we're opinionated, it does not support referencing a Secret\
+                      \ in another namespace (because most native Kubernetes resources\
+                      \ don't support that), but if we ever abandon that opinion and\
+                      \ decide to support non-local references it, it would be by\
+                      \ adding a `namespace:` field by changing it from a core.v1.LocalObjectReference\
+                      \ to a core.v1.SecretReference, not by adopting the `{name}.{namespace}`\
+                      \ notation."
+                    properties:
+                      name:
+                        default: ''
+                        description: 'Name of the referent. This field is effectively
+                          required, but due to backwards compatibility is allowed
+                          to be empty. Instances of this type with an empty value
+                          here are almost certainly wrong. TODO: Add other useful
+                          fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Drop `kubebuilder:default` when controller-gen doesn''t
+                          need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.'
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  registration:
+                    description: This is normally set automatically
+                    type: string
+                type: object
+              hostname:
+                description: Hostname by which the Ambassador can be reached.
+                type: string
+              previewUrl:
+                description: Configuration for the Preview URL feature of Service
+                  Preview. Defaults to preview URLs not enabled.
+                properties:
+                  enabled:
+                    description: Is the Preview URL feature enabled?
+                    type: boolean
+                  type:
+                    description: What type of Preview URL is allowed?
+                    enum:
+                    - Path
+                    type: string
+                type: object
+              requestPolicy:
+                description: Request policy definition.
+                properties:
+                  insecure:
+                    properties:
+                      action:
+                        enum:
+                        - Redirect
+                        - Reject
+                        - Route
+                        type: string
+                      additionalPort:
+                        type: integer
+                    type: object
+                type: object
+              selector:
+                description: Selector by which we can find further configuration.
+                  Defaults to hostname=$hostname
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              tls:
+                description: TLS configuration.  It is not valid to specify both `tlsContext`
+                  and `tls`.
+                properties:
+                  alpn_protocols:
+                    type: string
+                  ca_secret:
+                    type: string
+                  cacert_chain_file:
+                    type: string
+                  cert_chain_file:
+                    type: string
+                  cert_required:
+                    type: boolean
+                  cipher_suites:
+                    items:
+                      type: string
+                    type: array
+                  ecdh_curves:
+                    items:
+                      type: string
+                    type: array
+                  max_tls_version:
+                    type: string
+                  min_tls_version:
+                    type: string
+                  private_key_file:
+                    type: string
+                  redirect_cleartext_from:
+                    type: integer
+                  sni:
+                    type: string
+                  v3CRLSecret:
+                    type: string
+                type: object
+              tlsContext:
+                description: "Name of the TLSContext the Host resource is linked with.\
+                  \ It is not valid to specify both `tlsContext` and `tls`. \n Note\
+                  \ that this is a native-Kubernetes-style core.v1.LocalObjectReference,\
+                  \ not an Ambassador-style `{name}.{namespace}` string.  Because\
+                  \ we're opinionated, it does not support referencing a Secret in\
+                  \ another namespace (because most native Kubernetes resources don't\
+                  \ support that), but if we ever abandon that opinion and decide\
+                  \ to support non-local references it, it would be by adding a `namespace:`\
+                  \ field by changing it from a core.v1.LocalObjectReference to a\
+                  \ core.v1.SecretReference, not by adopting the `{name}.{namespace}`\
+                  \ notation."
+                properties:
+                  name:
+                    default: ''
+                    description: 'Name of the referent. This field is effectively
+                      required, but due to backwards compatibility is allowed to be
+                      empty. Instances of this type with an empty value here are almost
+                      certainly wrong. TODO: Add other useful fields. apiVersion,
+                      kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Drop `kubebuilder:default` when controller-gen doesn''t
+                      need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.'
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              tlsSecret:
+                description: Name of the Kubernetes secret into which to save generated
+                  certificates.  If ACME is enabled (see $acmeProvider), then the
+                  default is $hostname; otherwise the default is "".  If the value
+                  is "", then we do not do TLS for this Host.
+                properties:
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: HostStatus defines the observed state of Host
+            properties:
+              errorBackoff:
+                type: string
+              errorReason:
+                description: errorReason, errorTimestamp, and errorBackoff are valid
+                  when state==Error.
+                type: string
+              errorTimestamp:
+                format: date-time
+                type: string
+              phaseCompleted:
+                description: phaseCompleted and phasePending are valid when state==Pending
+                  or state==Error.
+                enum:
+                - NA
+                - DefaultsFilled
+                - ACMEUserPrivateKeyCreated
+                - ACMEUserRegistered
+                - ACMECertificateChallenge
+                type: string
+              phasePending:
+                description: phaseCompleted and phasePending are valid when state==Pending
+                  or state==Error.
+                enum:
+                - NA
+                - DefaultsFilled
+                - ACMEUserPrivateKeyCreated
+                - ACMEUserRegistered
+                - ACMECertificateChallenge
+                type: string
+              state:
+                enum:
+                - Initial
+                - Pending
+                - Ready
+                - Error
+                type: string
+              tlsCertificateSource:
+                enum:
+                - Unknown
+                - None
+                - Other
+                - ACME
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+{{- end }}
+  - additionalPrinterColumns:
+    - jsonPath: .spec.hostname
+      name: Hostname
+      type: string
+    - jsonPath: .status.state
+      name: State
+      type: string
+    - jsonPath: .status.phaseCompleted
+      name: Phase Completed
+      type: string
+    - jsonPath: .status.phasePending
+      name: Phase Pending
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: Host is the Schema for the hosts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HostSpec defines the desired state of Host
+            properties:
+              acmeProvider:
+                description: Specifies whether/who to talk ACME with to automatically
+                  manage the $tlsSecret.
+                properties:
+                  authority:
+                    description: Specifies who to talk ACME with to get certs. Defaults
+                      to Let's Encrypt; if "none" (case-insensitive), do not try to
+                      do ACME for this Host.
+                    type: string
+                  email:
+                    type: string
+                  privateKeySecret:
+                    description: "Specifies the Kubernetes Secret to use to store\
+                      \ the private key of the ACME account (essentially, where to\
+                      \ store the auto-generated password for the auto-created ACME\
+                      \ account).  You should not normally need to set this--the default\
+                      \ value is based on a combination of the ACME authority being\
+                      \ registered wit and the email address associated with the account.\
+                      \ \n Note that this is a native-Kubernetes-style core.v1.LocalObjectReference,\
+                      \ not an Ambassador-style `{name}.{namespace}` string.  Because\
+                      \ we're opinionated, it does not support referencing a Secret\
+                      \ in another namespace (because most native Kubernetes resources\
+                      \ don't support that), but if we ever abandon that opinion and\
+                      \ decide to support non-local references it, it would be by\
+                      \ adding a `namespace:` field by changing it from a core.v1.LocalObjectReference\
+                      \ to a core.v1.SecretReference, not by adopting the `{name}.{namespace}`\
+                      \ notation."
+                    properties:
+                      name:
+                        default: ''
+                        description: 'Name of the referent. This field is effectively
+                          required, but due to backwards compatibility is allowed
+                          to be empty. Instances of this type with an empty value
+                          here are almost certainly wrong. TODO: Add other useful
+                          fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Drop `kubebuilder:default` when controller-gen doesn''t
+                          need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.'
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  registration:
+                    description: This is normally set automatically
+                    type: string
+                type: object
+              ambassador_id:
+                description: Common to all Ambassador objects (and optional).
+                items:
+                  type: string
+                type: array
+              hostname:
+                description: Hostname by which the Ambassador can be reached.
+                type: string
+              mappingSelector:
+                description: Selector for Mappings we'll associate with this Host.
+                  At the moment, Selector and MappingSelector are synonyms, but that
+                  will change soon.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              previewUrl:
+                description: Configuration for the Preview URL feature of Service
+                  Preview. Defaults to preview URLs not enabled.
+                properties:
+                  enabled:
+                    description: Is the Preview URL feature enabled?
+                    type: boolean
+                  type:
+                    description: What type of Preview URL is allowed?
+                    enum:
+                    - Path
+                    type: string
+                type: object
+              requestPolicy:
+                description: Request policy definition.
+                properties:
+                  insecure:
+                    properties:
+                      action:
+                        enum:
+                        - Redirect
+                        - Reject
+                        - Route
+                        type: string
+                      additionalPort:
+                        type: integer
+                    type: object
+                type: object
+              selector:
+                description: 'DEPRECATED: Selector by which we can find further configuration.
+                  Use MappingSelector instead.'
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              tls:
+                description: TLS configuration.  It is not valid to specify both `tlsContext`
+                  and `tls`.
+                properties:
+                  alpn_protocols:
+                    type: string
+                  ca_secret:
+                    type: string
+                  cacert_chain_file:
+                    type: string
+                  cert_chain_file:
+                    type: string
+                  cert_required:
+                    type: boolean
+                  cipher_suites:
+                    items:
+                      type: string
+                    type: array
+                  crl_secret:
+                    type: string
+                  ecdh_curves:
+                    items:
+                      type: string
+                    type: array
+                  max_tls_version:
+                    type: string
+                  min_tls_version:
+                    type: string
+                  private_key_file:
+                    type: string
+                  redirect_cleartext_from:
+                    type: integer
+                  sni:
+                    type: string
+                type: object
+              tlsContext:
+                description: "Name of the TLSContext the Host resource is linked with.\
+                  \ It is not valid to specify both `tlsContext` and `tls`. \n Note\
+                  \ that this is a native-Kubernetes-style core.v1.LocalObjectReference,\
+                  \ not an Ambassador-style `{name}.{namespace}` string.  Because\
+                  \ we're opinionated, it does not support referencing a Secret in\
+                  \ another namespace (because most native Kubernetes resources don't\
+                  \ support that), but if we ever abandon that opinion and decide\
+                  \ to support non-local references it, it would be by adding a `namespace:`\
+                  \ field by changing it from a core.v1.LocalObjectReference to a\
+                  \ core.v1.SecretReference, not by adopting the `{name}.{namespace}`\
+                  \ notation."
+                properties:
+                  name:
+                    default: ''
+                    description: 'Name of the referent. This field is effectively
+                      required, but due to backwards compatibility is allowed to be
+                      empty. Instances of this type with an empty value here are almost
+                      certainly wrong. TODO: Add other useful fields. apiVersion,
+                      kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Drop `kubebuilder:default` when controller-gen doesn''t
+                      need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.'
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              tlsSecret:
+                description: Name of the Kubernetes secret into which to save generated
+                  certificates.  If ACME is enabled (see $acmeProvider), then the
+                  default is $hostname; otherwise the default is "".  If the value
+                  is "", then we do not do TLS for this Host.
+                properties:
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+            type: object
+          status:
+            description: HostStatus defines the observed state of Host
+            properties:
+              errorBackoff:
+                type: string
+              errorReason:
+                description: errorReason, errorTimestamp, and errorBackoff are valid
+                  when state==Error.
+                type: string
+              errorTimestamp:
+                format: date-time
+                type: string
+              phaseCompleted:
+                description: phaseCompleted and phasePending are valid when state==Pending
+                  or state==Error.
+                enum:
+                - NA
+                - DefaultsFilled
+                - ACMEUserPrivateKeyCreated
+                - ACMEUserRegistered
+                - ACMECertificateChallenge
+                type: string
+              phasePending:
+                description: phaseCompleted and phasePending are valid when state==Pending
+                  or state==Error.
+                enum:
+                - NA
+                - DefaultsFilled
+                - ACMEUserPrivateKeyCreated
+                - ACMEUserRegistered
+                - ACMECertificateChallenge
+                type: string
+              state:
+                enum:
+                - Initial
+                - Pending
+                - Ready
+                - Error
+                type: string
+              tlsCertificateSource:
+                enum:
+                - Unknown
+                - None
+                - Other
+                - ACME
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}
+    subresources:
+      status: {}

charts/emissary-crds/templates/kubernetesendpointresolvers.yaml

@@ -0,0 +1,116 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: kubernetesendpointresolvers.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: KubernetesEndpointResolver
+    listKind: KubernetesEndpointResolverList
+    plural: kubernetesendpointresolvers
+    singular: kubernetesendpointresolver
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: KubernetesEndpointResolver is the Schema for the kubernetesendpointresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesEndpointResolver tells Ambassador to use Kubernetes
+              Endpoints resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: KubernetesEndpointResolver is the Schema for the kubernetesendpointresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesEndpointResolver tells Ambassador to use Kubernetes
+              Endpoints resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: KubernetesEndpointResolver is the Schema for the kubernetesendpointresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesEndpointResolver tells Ambassador to use Kubernetes
+              Endpoints resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/kubernetesserviceresolvers.yaml

@@ -0,0 +1,116 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: kubernetesserviceresolvers.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: KubernetesServiceResolver
+    listKind: KubernetesServiceResolverList
+    plural: kubernetesserviceresolvers
+    singular: kubernetesserviceresolver
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: KubernetesServiceResolver is the Schema for the kubernetesserviceresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesServiceResolver tells Ambassador to use Kubernetes
+              Service resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: KubernetesServiceResolver is the Schema for the kubernetesserviceresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesServiceResolver tells Ambassador to use Kubernetes
+              Service resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: KubernetesServiceResolver is the Schema for the kubernetesserviceresolver
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubernetesServiceResolver tells Ambassador to use Kubernetes
+              Service resources to resolve services. It actually has no spec other
+              than the AmbassadorID.
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/listeners.yaml

@@ -0,0 +1,195 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: listeners.getambassador.io
+spec:
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: Listener
+    listKind: ListenerList
+    plural: listeners
+    singular: listener
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.port
+      name: Port
+      type: string
+    - jsonPath: .spec.protocol
+      name: Protocol
+      type: string
+    - jsonPath: .spec.protocolStack
+      name: Stack
+      type: string
+    - jsonPath: .spec.statsPrefix
+      name: StatsPrefix
+      type: string
+    - jsonPath: .spec.securityModel
+      name: Security
+      type: string
+    - jsonPath: .spec.l7Depth
+      name: L7Depth
+      type: string
+    name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: Listener is the Schema for the hosts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ListenerSpec defines the desired state of this Port
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              hostBinding:
+                description: HostBinding allows restricting which Hosts will be used
+                  for this Listener.
+                properties:
+                  namespace:
+                    description: NamespaceBindingType defines we we specify which
+                      namespaces to look for Hosts in.
+                    properties:
+                      from:
+                        description: NamespaceFromType defines how we evaluate a NamespaceBindingType.
+                        enum:
+                        - SELF
+                        - ALL
+                        - SELECTOR
+                        type: string
+                    type: object
+                  selector:
+                    description: A label selector is a label query over a set of resources.
+                      The result of matchLabels and matchExpressions are ANDed. An
+                      empty label selector matches all objects. A null label selector
+                      matches no objects.
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
+                type: object
+              l7Depth:
+                description: L7Depth specifies how many layer 7 load balancers are
+                  between us and the edge of the network.
+                format: int32
+                type: integer
+              port:
+                description: Port is the network port. Only one Listener can use a
+                  given port.
+                format: int32
+                maximum: 65535
+                minimum: 1
+                type: integer
+              protocol:
+                description: Protocol is a shorthand for certain predefined stacks.
+                  Exactly one of Protocol or ProtocolStack must be supplied.
+                enum:
+                - HTTP
+                - HTTPS
+                - HTTPPROXY
+                - HTTPSPROXY
+                - TCP
+                - TLS
+                - UDP
+                type: string
+              protocolStack:
+                description: ProtocolStack explicitly specifies the protocol stack
+                  to set up. Exactly one of Protocol or ProtocolStack must be supplied.
+                items:
+                  description: ProtocolStackElement defines specific layers that may
+                    be combined in a protocol stack for processing connections to
+                    a port.
+                  enum:
+                  - HTTP
+                  - PROXY
+                  - TLS
+                  - TCP
+                  - UDP
+                  type: string
+                type: array
+              securityModel:
+                description: SecurityModel specifies how to determine whether connections
+                  to this port are secure or insecure.
+                enum:
+                - XFP
+                - SECURE
+                - INSECURE
+                type: string
+              statsPrefix:
+                description: 'StatsPrefix specifies the prefix for statistics sent
+                  by Envoy about this Listener. The default depends on the protocol:
+                  "ingress-http", "ingress-https", "ingress-tls-$port", or "ingress-$port".'
+                type: string
+            required:
+            - hostBinding
+            - port
+            - securityModel
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}

charts/emissary-crds/templates/logservices.yaml

@@ -0,0 +1,218 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: logservices.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: LogService
+    listKind: LogServiceList
+    plural: logservices
+    singular: logservice
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: LogService is the Schema for the logservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: LogServiceSpec defines the desired state of LogService
+            properties:
+              driver:
+                enum:
+                - tcp
+                - http
+                type: string
+              driver_config:
+                properties:
+                  additional_log_headers:
+                    items:
+                      properties:
+                        during_request:
+                          type: boolean
+                        during_response:
+                          type: boolean
+                        during_trailer:
+                          type: boolean
+                        header_name:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              flush_interval_byte_size:
+                type: integer
+              flush_interval_time:
+                type: integer
+              grpc:
+                type: boolean
+              service:
+                type: string
+              v3ProtocolVersion:
+                enum:
+                - v2
+                - v3
+                type: string
+              v3StatsName:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: LogService is the Schema for the logservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: LogServiceSpec defines the desired state of LogService
+            properties:
+              driver:
+                enum:
+                - tcp
+                - http
+                type: string
+              driver_config:
+                properties:
+                  additional_log_headers:
+                    items:
+                      properties:
+                        during_request:
+                          type: boolean
+                        during_response:
+                          type: boolean
+                        during_trailer:
+                          type: boolean
+                        header_name:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              flush_interval_byte_size:
+                type: integer
+              flush_interval_time:
+                type: integer
+              grpc:
+                type: boolean
+              service:
+                type: string
+              v3ProtocolVersion:
+                enum:
+                - v2
+                - v3
+                type: string
+              v3StatsName:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: LogService is the Schema for the logservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: LogServiceSpec defines the desired state of LogService
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              driver:
+                enum:
+                - tcp
+                - http
+                type: string
+              driver_config:
+                properties:
+                  additional_log_headers:
+                    items:
+                      properties:
+                        during_request:
+                          type: boolean
+                        during_response:
+                          type: boolean
+                        during_trailer:
+                          type: boolean
+                        header_name:
+                          type: string
+                      type: object
+                    type: array
+                type: object
+              flush_interval_byte_size:
+                type: integer
+              flush_interval_time:
+                type: integer
+              grpc:
+                type: boolean
+              protocol_version:
+                description: ProtocolVersion is the envoy api transport protocol version
+                enum:
+                - v2
+                - v3
+                type: string
+              service:
+                type: string
+              stats_name:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/modules.yaml

@@ -0,0 +1,126 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: modules.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: Module
+    listKind: ModuleList
+    plural: modules
+    singular: module
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: "A Module defines system-wide configuration.  The type of module\
+          \ is controlled by the .metadata.name; valid names are \"ambassador\" or\
+          \ \"tls\". \n https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#the-ambassador-module\
+          \ https://www.getambassador.io/docs/edge-stack/latest/topics/running/tls/#tls-module-deprecated"
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              config:
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: "A Module defines system-wide configuration.  The type of module\
+          \ is controlled by the .metadata.name; valid names are \"ambassador\" or\
+          \ \"tls\". \n https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#the-ambassador-module\
+          \ https://www.getambassador.io/docs/edge-stack/latest/topics/running/tls/#tls-module-deprecated"
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              config:
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: "A Module defines system-wide configuration.  The type of module\
+          \ is controlled by the .metadata.name; valid names are \"ambassador\" or\
+          \ \"tls\". \n https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador/#the-ambassador-module\
+          \ https://www.getambassador.io/docs/edge-stack/latest/topics/running/tls/#tls-module-deprecated"
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              config:
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            required:
+            - config
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/ratelimitservices.yaml

@@ -0,0 +1,236 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: ratelimitservices.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: RateLimitService
+    listKind: RateLimitServiceList
+    plural: ratelimitservices
+    singular: ratelimitservice
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: RateLimitService is the Schema for the ratelimitservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RateLimitServiceSpec defines the desired state of RateLimitService
+            properties:
+              domain:
+                type: string
+              failure_mode_deny:
+                description: FailureModeDeny when set to true, envoy will deny traffic
+                  if it is unable to communicate with the rate limit service.
+                type: boolean
+              protocol_version:
+                enum:
+                - v2
+                - v3
+                type: string
+              service:
+                type: string
+              timeout_ms:
+                type: integer
+              v3GRPC:
+                properties:
+                  use_resource_exhausted_code:
+                    description: UseResourceExhaustedCode, when set to true, will
+                      cause envoy to return a `RESOURCE_EXHAUSTED` gRPC code instead
+                      of the default `UNAVAILABLE` gRPC code.
+                    type: boolean
+                type: object
+              v3StatsName:
+                type: string
+            required:
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: RateLimitService is the Schema for the ratelimitservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RateLimitServiceSpec defines the desired state of RateLimitService
+            properties:
+              domain:
+                type: string
+              failure_mode_deny:
+                description: FailureModeDeny when set to true, envoy will deny traffic
+                  if it is unable to communicate with the rate limit service.
+                type: boolean
+              protocol_version:
+                enum:
+                - v2
+                - v3
+                type: string
+              service:
+                type: string
+              timeout_ms:
+                type: integer
+              v3GRPC:
+                properties:
+                  use_resource_exhausted_code:
+                    description: UseResourceExhaustedCode, when set to true, will
+                      cause envoy to return a `RESOURCE_EXHAUSTED` gRPC code instead
+                      of the default `UNAVAILABLE` gRPC code.
+                    type: boolean
+                type: object
+              v3StatsName:
+                type: string
+            required:
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: RateLimitService is the Schema for the ratelimitservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RateLimitServiceSpec defines the desired state of RateLimitService
+            properties:
+              ambassador_id:
+                description: Common to all Ambassador objects.
+                items:
+                  type: string
+                type: array
+              domain:
+                type: string
+              failure_mode_deny:
+                description: FailureModeDeny when set to true, envoy will deny traffic
+                  if it is unable to communicate with the rate limit service.
+                type: boolean
+              grpc:
+                properties:
+                  use_resource_exhausted_code:
+                    description: UseResourceExhaustedCode, when set to true, will
+                      cause envoy to return a `RESOURCE_EXHAUSTED` gRPC code instead
+                      of the default `UNAVAILABLE` gRPC code.
+                    type: boolean
+                type: object
+              protocol_version:
+                description: ProtocolVersion is the envoy api transport protocol version
+                enum:
+                - v2
+                - v3
+                type: string
+              service:
+                type: string
+              stats_name:
+                type: string
+              timeout_ms:
+                type: integer
+              tls:
+                type: string
+              v2ExplicitTLS:
+                description: V2ExplicitTLS controls some vanity/stylistic elements
+                  when converting from v3alpha1 to v2.  The values in an V2ExplicitTLS
+                  should not in any way affect the runtime operation of Emissary;
+                  except that it may affect internal names in the Envoy config, which
+                  may in turn affect stats names.  But it should not affect any end-user
+                  observable behavior.
+                properties:
+                  serviceScheme:
+                    description: "ServiceScheme specifies how to spell and capitalize\
+                      \ the scheme-part of the service URL. \n Acceptable values are\
+                      \ \"http://\" (case-insensitive), \"https://\" (case-insensitive),\
+                      \ or \"\".  The value is used if it agrees with whether or not\
+                      \ this resource enables TLS origination, or if something else\
+                      \ in the resource overrides the scheme."
+                    pattern: ^([hH][tT][tT][pP][sS]?://)?$
+                    type: string
+                  tls:
+                    description: "TLS controls whether and how to represent the \"\
+                      tls\" field when its value could be implied by the \"service\"\
+                      \ field.  In v2, there were a lot of different ways to spell\
+                      \ an \"empty\" value, and this field specifies which way to\
+                      \ spell it (and will therefore only be used if the value will\
+                      \ indeed be empty). \n | Value        | Representation     \
+                      \                   | Meaning of representation          | |--------------+---------------------------------------+------------------------------------|\
+                      \ | \"\"           | omit the field                        |\
+                      \ defer to service (no TLSContext)   | | \"null\"       | store\
+                      \ an explicit \"null\" in the field | defer to service (no TLSContext)\
+                      \   | | \"string\"     | store an empty string in the field\
+                      \    | defer to service (no TLSContext)   | | \"bool:false\"\
+                      \ | store a Boolean \"false\" in the field  | defer to service\
+                      \ (no TLSContext)   | | \"bool:true\"  | store a Boolean \"\
+                      true\" in the field   | originate TLS (no TLSContext)      |\
+                      \ \n If the meaning of the representation contradicts anything\
+                      \ else (if a TLSContext is to be used, or in the case of \"\
+                      bool:true\" if TLS is not to be originated), then this field\
+                      \ is ignored."
+                    enum:
+                    - ''
+                    - 'null'
+                    - bool:true
+                    - bool:false
+                    - string
+                    type: string
+                type: object
+            required:
+            - service
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/tcpmappings.yaml

@@ -0,0 +1,288 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: tcpmappings.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: TCPMapping
+    listKind: TCPMappingList
+    plural: tcpmappings
+    singular: tcpmapping
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: TCPMapping is the Schema for the tcpmappings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TCPMappingSpec defines the desired state of TCPMapping
+            properties:
+              address:
+                type: string
+              circuit_breakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              cluster_tag:
+                type: string
+              enable_ipv4:
+                type: boolean
+              enable_ipv6:
+                type: boolean
+              host:
+                type: string
+              idle_timeout_ms:
+                type: string
+              port:
+                description: Port isn't a pointer because it's required.
+                type: integer
+              resolver:
+                type: string
+              service:
+                type: string
+              v3StatsName:
+                type: string
+              weight:
+                type: integer
+            required:
+            - port
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: TCPMapping is the Schema for the tcpmappings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TCPMappingSpec defines the desired state of TCPMapping
+            properties:
+              address:
+                type: string
+              circuit_breakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              cluster_tag:
+                type: string
+              enable_ipv4:
+                type: boolean
+              enable_ipv6:
+                type: boolean
+              host:
+                type: string
+              idle_timeout_ms:
+                type: string
+              port:
+                description: Port isn't a pointer because it's required.
+                type: integer
+              resolver:
+                type: string
+              service:
+                type: string
+              v3StatsName:
+                type: string
+              weight:
+                type: integer
+            required:
+            - port
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: TCPMapping is the Schema for the tcpmappings API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TCPMappingSpec defines the desired state of TCPMapping
+            properties:
+              address:
+                type: string
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              circuit_breakers:
+                items:
+                  properties:
+                    max_connections:
+                      type: integer
+                    max_pending_requests:
+                      type: integer
+                    max_requests:
+                      type: integer
+                    max_retries:
+                      type: integer
+                    priority:
+                      enum:
+                      - default
+                      - high
+                      type: string
+                  type: object
+                type: array
+              cluster_tag:
+                type: string
+              enable_ipv4:
+                type: boolean
+              enable_ipv6:
+                type: boolean
+              host:
+                type: string
+              idle_timeout_ms:
+                type: string
+              port:
+                description: Port isn't a pointer because it's required.
+                type: integer
+              resolver:
+                type: string
+              service:
+                type: string
+              stats_name:
+                type: string
+              tls:
+                type: string
+              v2ExplicitTLS:
+                description: V2ExplicitTLS controls some vanity/stylistic elements
+                  when converting from v3alpha1 to v2.  The values in an V2ExplicitTLS
+                  should not in any way affect the runtime operation of Emissary;
+                  except that it may affect internal names in the Envoy config, which
+                  may in turn affect stats names.  But it should not affect any end-user
+                  observable behavior.
+                properties:
+                  serviceScheme:
+                    description: "ServiceScheme specifies how to spell and capitalize\
+                      \ the scheme-part of the service URL. \n Acceptable values are\
+                      \ \"http://\" (case-insensitive), \"https://\" (case-insensitive),\
+                      \ or \"\".  The value is used if it agrees with whether or not\
+                      \ this resource enables TLS origination, or if something else\
+                      \ in the resource overrides the scheme."
+                    pattern: ^([hH][tT][tT][pP][sS]?://)?$
+                    type: string
+                  tls:
+                    description: "TLS controls whether and how to represent the \"\
+                      tls\" field when its value could be implied by the \"service\"\
+                      \ field.  In v2, there were a lot of different ways to spell\
+                      \ an \"empty\" value, and this field specifies which way to\
+                      \ spell it (and will therefore only be used if the value will\
+                      \ indeed be empty). \n | Value        | Representation     \
+                      \                   | Meaning of representation          | |--------------+---------------------------------------+------------------------------------|\
+                      \ | \"\"           | omit the field                        |\
+                      \ defer to service (no TLSContext)   | | \"null\"       | store\
+                      \ an explicit \"null\" in the field | defer to service (no TLSContext)\
+                      \   | | \"string\"     | store an empty string in the field\
+                      \    | defer to service (no TLSContext)   | | \"bool:false\"\
+                      \ | store a Boolean \"false\" in the field  | defer to service\
+                      \ (no TLSContext)   | | \"bool:true\"  | store a Boolean \"\
+                      true\" in the field   | originate TLS (no TLSContext)      |\
+                      \ \n If the meaning of the representation contradicts anything\
+                      \ else (if a TLSContext is to be used, or in the case of \"\
+                      bool:true\" if TLS is not to be originated), then this field\
+                      \ is ignored."
+                    enum:
+                    - ''
+                    - 'null'
+                    - bool:true
+                    - bool:false
+                    - string
+                    type: string
+                type: object
+              weight:
+                type: integer
+            required:
+            - port
+            - service
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/tlscontexts.yaml

@@ -0,0 +1,253 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: tlscontexts.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: TLSContext
+    listKind: TLSContextList
+    plural: tlscontexts
+    singular: tlscontext
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: TLSContext is the Schema for the tlscontexts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSContextSpec defines the desired state of TLSContext
+            properties:
+              alpn_protocols:
+                type: string
+              ca_secret:
+                type: string
+              cacert_chain_file:
+                type: string
+              cert_chain_file:
+                type: string
+              cert_required:
+                type: boolean
+              cipher_suites:
+                items:
+                  type: string
+                type: array
+              ecdh_curves:
+                items:
+                  type: string
+                type: array
+              hosts:
+                items:
+                  type: string
+                type: array
+              max_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              min_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              private_key_file:
+                type: string
+              redirect_cleartext_from:
+                type: integer
+              secret:
+                type: string
+              secret_namespacing:
+                type: boolean
+              sni:
+                type: string
+              v3CRLSecret:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: TLSContext is the Schema for the tlscontexts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSContextSpec defines the desired state of TLSContext
+            properties:
+              alpn_protocols:
+                type: string
+              ca_secret:
+                type: string
+              cacert_chain_file:
+                type: string
+              cert_chain_file:
+                type: string
+              cert_required:
+                type: boolean
+              cipher_suites:
+                items:
+                  type: string
+                type: array
+              ecdh_curves:
+                items:
+                  type: string
+                type: array
+              hosts:
+                items:
+                  type: string
+                type: array
+              max_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              min_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              private_key_file:
+                type: string
+              redirect_cleartext_from:
+                type: integer
+              secret:
+                type: string
+              secret_namespacing:
+                type: boolean
+              sni:
+                type: string
+              v3CRLSecret:
+                type: string
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: TLSContext is the Schema for the tlscontexts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TLSContextSpec defines the desired state of TLSContext
+            properties:
+              alpn_protocols:
+                type: string
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              ca_secret:
+                type: string
+              cacert_chain_file:
+                type: string
+              cert_chain_file:
+                type: string
+              cert_required:
+                type: boolean
+              cipher_suites:
+                items:
+                  type: string
+                type: array
+              crl_secret:
+                type: string
+              ecdh_curves:
+                items:
+                  type: string
+                type: array
+              hosts:
+                items:
+                  type: string
+                type: array
+              max_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              min_tls_version:
+                enum:
+                - v1.0
+                - v1.1
+                - v1.2
+                - v1.3
+                type: string
+              private_key_file:
+                type: string
+              redirect_cleartext_from:
+                type: integer
+              secret:
+                type: string
+              secret_namespacing:
+                type: boolean
+              sni:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/templates/tracingservices.yaml

@@ -0,0 +1,424 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    emissary-ingress.dev/control-plane-ns: {{ .Release.Namespace }}
+    app.kubernetes.io/name: emissary-apiext
+    app.kubernetes.io/part-of: emissary-apiext
+  name: tracingservices.getambassador.io
+spec:
+  {{- include "partials.conversion" . }}
+  group: getambassador.io
+  names:
+    categories:
+    - ambassador-crds
+    kind: TracingService
+    listKind: TracingServiceList
+    plural: tracingservices
+    singular: tracingservice
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+{{- if .Values.enableLegacyVersions -}}
+{{- if .Values.enableV1 }}
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: TracingService is the Schema for the tracingservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TracingServiceSpec defines the desired state of TracingService
+            properties:
+              config:
+                properties:
+                  access_token_file:
+                    type: string
+                  collector_cluster:
+                    type: string
+                  collector_endpoint:
+                    type: string
+                  collector_endpoint_version:
+                    enum:
+                    - HTTP_JSON_V1
+                    - HTTP_JSON
+                    - HTTP_PROTO
+                    type: string
+                  collector_hostname:
+                    type: string
+                  service_name:
+                    type: string
+                  shared_span_context:
+                    type: boolean
+                  trace_id_128bit:
+                    type: boolean
+                  v3PropagationModes:
+                    items:
+                      enum:
+                      - ENVOY
+                      - LIGHTSTEP
+                      - B3
+                      - TRACE_CONTEXT
+                      type: string
+                    type: array
+                type: object
+              driver:
+                enum:
+                - lightstep
+                - zipkin
+                - datadog
+                - opentelemetry
+                type: string
+              sampling:
+                properties:
+                  client:
+                    type: integer
+                  overall:
+                    type: integer
+                  random:
+                    type: integer
+                type: object
+              service:
+                type: string
+              tag_headers:
+                items:
+                  type: string
+                type: array
+              v3CustomTags:
+                items:
+                  description: TracingCustomTag provides a data structure for capturing
+                    envoy's `type.tracing.v3.CustomTag`
+                  properties:
+                    environment:
+                      description: Environment explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    literal:
+                      description: Literal explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        value:
+                          type: string
+                      required:
+                      - value
+                      type: object
+                    request_header:
+                      description: Header explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    tag:
+                      type: string
+                  required:
+                  - tag
+                  type: object
+                type: array
+              v3StatsName:
+                type: string
+            required:
+            - driver
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+{{- end }}
+  - name: v2
+    schema:
+      openAPIV3Schema:
+        description: TracingService is the Schema for the tracingservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TracingServiceSpec defines the desired state of TracingService
+            properties:
+              config:
+                properties:
+                  access_token_file:
+                    type: string
+                  collector_cluster:
+                    type: string
+                  collector_endpoint:
+                    type: string
+                  collector_endpoint_version:
+                    enum:
+                    - HTTP_JSON_V1
+                    - HTTP_JSON
+                    - HTTP_PROTO
+                    type: string
+                  collector_hostname:
+                    type: string
+                  service_name:
+                    type: string
+                  shared_span_context:
+                    type: boolean
+                  trace_id_128bit:
+                    type: boolean
+                  v3PropagationModes:
+                    items:
+                      enum:
+                      - ENVOY
+                      - LIGHTSTEP
+                      - B3
+                      - TRACE_CONTEXT
+                      type: string
+                    type: array
+                type: object
+              driver:
+                enum:
+                - lightstep
+                - zipkin
+                - datadog
+                - opentelemetry
+                type: string
+              sampling:
+                properties:
+                  client:
+                    type: integer
+                  overall:
+                    type: integer
+                  random:
+                    type: integer
+                type: object
+              service:
+                type: string
+              tag_headers:
+                items:
+                  type: string
+                type: array
+              v3CustomTags:
+                items:
+                  description: TracingCustomTag provides a data structure for capturing
+                    envoy's `type.tracing.v3.CustomTag`
+                  properties:
+                    environment:
+                      description: Environment explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    literal:
+                      description: Literal explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        value:
+                          type: string
+                      required:
+                      - value
+                      type: object
+                    request_header:
+                      description: Header explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    tag:
+                      type: string
+                  required:
+                  - tag
+                  type: object
+                type: array
+              v3StatsName:
+                type: string
+            required:
+            - driver
+            - service
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+{{- end }}
+  - name: v3alpha1
+    schema:
+      openAPIV3Schema:
+        description: TracingService is the Schema for the tracingservices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TracingServiceSpec defines the desired state of TracingService
+            properties:
+              ambassador_id:
+                description: "AmbassadorID declares which Ambassador instances should\
+                  \ pay attention to this resource. If no value is provided, the default\
+                  \ is: \n ambassador_id: - \"default\""
+                items:
+                  type: string
+                type: array
+              config:
+                properties:
+                  access_token_file:
+                    type: string
+                  collector_cluster:
+                    type: string
+                  collector_endpoint:
+                    type: string
+                  collector_endpoint_version:
+                    enum:
+                    - HTTP_JSON_V1
+                    - HTTP_JSON
+                    - HTTP_PROTO
+                    type: string
+                  collector_hostname:
+                    type: string
+                  propagation_modes:
+                    items:
+                      enum:
+                      - ENVOY
+                      - LIGHTSTEP
+                      - B3
+                      - TRACE_CONTEXT
+                      type: string
+                    type: array
+                  service_name:
+                    type: string
+                  shared_span_context:
+                    type: boolean
+                  trace_id_128bit:
+                    type: boolean
+                type: object
+              custom_tags:
+                items:
+                  description: TracingCustomTag provides a data structure for capturing
+                    envoy's `type.tracing.v3.CustomTag`
+                  properties:
+                    environment:
+                      description: Environment explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    literal:
+                      description: Literal explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        value:
+                          type: string
+                      required:
+                      - value
+                      type: object
+                    request_header:
+                      description: Header explicitly specifies the protocol stack
+                        to set up. Exactly one of Literal, Environment or Header must
+                        be supplied.
+                      properties:
+                        default_value:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    tag:
+                      type: string
+                  required:
+                  - tag
+                  type: object
+                type: array
+              driver:
+                enum:
+                - lightstep
+                - zipkin
+                - datadog
+                - opentelemetry
+                type: string
+              sampling:
+                properties:
+                  client:
+                    type: integer
+                  overall:
+                    type: integer
+                  random:
+                    type: integer
+                type: object
+              service:
+                type: string
+              stats_name:
+                type: string
+              tag_headers:
+                description: 'Deprecated: tag_headers is deprecated. Use custom_tags
+                  instead. `tag_headers: ["header"]` can be defined as `custom_tags:
+                  [{"request_header": {"name": "header"}}]`.'
+                items:
+                  type: string
+                type: array
+            required:
+            - driver
+            - service
+            type: object
+        type: object
+    served: true
+    storage: {{ include "partials.v3alpha1storage" . }}

charts/emissary-crds/values.yaml.in

@@ -0,0 +1,16 @@
+# Set to true to include the v2 versions and the conversion webhook.
+enableLegacyVersions: true
+# Set to true to also include v1 versions; requires enableLegacyVersions to be true.
+enableV1: true
+
+emissary:
+  # Namespace for the main Emissary installation
+  namespace: emissary
+
+apiext:
+  # Repository and image name for apiext images
+  repository: @imageRepo@
+  # Version tag for apiext images
+  tag: @version@
+  # imagePullPolicy for apiext images
+  pullPolicy: IfNotPresent

docs/releaseNotes.yml

@@ -32,9 +32,9 @@
 
 changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md
 items:
-  - version: 3.10.0
+  - version: 3.10.0-dev
     prevVersion: 3.9.0
-    date: "2025-07-29"
+    date: "TBD"
     notes:
       - title: Upgrade to Envoy 1.30.2
         type: feature