From 7fb60f4a9a13301ac74c0bf1d7c6489ecc568ef3 Mon Sep 17 00:00:00 2001 
From: Samuel Attwood Date: Mon, 22 Nov 2021 18:15:23 -0500 Subject: [PATCH] Make charts - citrix-cpx-istio-sidecar-injector --- ...trix-cpx-istio-sidecar-injector-1.11.1.tgz | Bin 0 -> 13738 bytes .../1.11.1/.helmignore | 22 ++ .../1.11.1/Chart.yaml | 22 ++ .../1.11.1/README.md | 280 +++++++++++++++++ .../1.11.1/app-readme.md | 28 ++ .../create-certs-for-cpx-istio-chart.sh | 127 ++++++++ .../1.11.1/questions.yml | 291 ++++++++++++++++++ .../1.11.1/templates/_helpers.tpl | 20 ++ .../cpx-sidecar-injector-configmap.yaml | 221 +++++++++++++ ...x-sidecar-injector-deployment-service.yaml | 108 +++++++ .../cpx-sidecar-injector-istioConfigMap.yaml | 16 + .../cpx-sidecar-injector-serviceaccount.yaml | 48 +++ .../templates/cpx-sidecar-networkpolicy.yaml | 15 + .../1.11.1/templates/mutatingwebhook.yaml | 37 +++ .../1.11.1/values.yaml | 60 ++++ index.yaml | 26 ++ 16 files changed, 1321 insertions(+) create mode 100644 assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/README.md create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml create mode 100644 
charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml create mode 100644 charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml 
diff --git a/assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz b/assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..e8fc32d0170d7b57e1caea6d88243290c130f23f GIT binary patch literal 13738 zcmV;bHC4(ViwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%cH20zC_H~RpQ1+2+Oa(*B{>&oH0^v_ZL8DX?c1{KzI@(U zHbg=aVv1k`plwa;v(9Ur*E>&g7H%X+QL-E->A8eI5{ty8ssI$K3RQ)W2u5!GFunB& z7litpL^wpuC&>pK3d)*0W5h%-MU(hXpZK&|t=8+8FV+98R;&7d`{j$xKeb=BUv9NF zH`^~?|Ebm9di~<%pP==r9X{sCxIpYrttaw7dxOkdaiVcU|}q#}f$Ud&5-w02TO7K(JFs*7E09E^;sNwAyCxxq1I)*OI2gcW5tODe2^BpdrI9zL z5|yzKDep9!H#awdMk@&E#3P{u%YJ0&CKwSh&ITFBEToCRiIC-*x{CSFzm2$$B9zLt zIYC@t){JP#n-d%n)YMR4?9&mwIAtip6U459G#PnU*#PJCdH#0$x*fD%2Q9z#+?ybh z2t*Rhc*pYrPY{Va5RC~#AA%8%(B!`yumSV{MPrN^`jCu@Dm)t?J`N(3jA&d}M;C~S z8t4PY0tI}Gt}qsLRdfmNEjugBXi7vZX*F3F)6%;x&7HRQN3YDU^E}M|uTh*~{*(>i z0sg6maJ91#50J=ph$lueKj zID#RGu`IBQ!x%9P*N71`h%uMUb$}s7oZ|>cA}CC0#z5dn8Y6*u;CZ*Z{jOeka@zqQ z6Ewmd_&q~Ywd>4Vrkz&s*Wj;3mE$aqk7-Q8X$SU(hg2Lh%yA-AiImaX>FG3;j7Lvv z^_t@_V|a%q2@XXE1k12`AJfr3zQ%C}c6;BSy;JW#aGLDXQ3r-7=GgN>iZ#F?#b+n` z`QN7ug(S(#fv4zqOkyf@8O^@b+bDm*Qxw{_KA&=dCk}+~SQ;KvCOXi5)oO2Qq?5XD zE%mM6J?y|rgQsLT#GPg{j5E1C1ThU!+)Q}W?Wf6+{vG*T?`J*=Lz*R`;dye?KW6lr zMA(c^h`Le4ECPYsQoyf6Q>F^7U>O&?RPHYwD1oCZU?xsa_et_2%^2^%)}}_pl-!Ft z@KZLxEWrYEJsdZ}j`j*qaY%+!5M#n3UkWEv|HF*{GIVO$wt#18N}1qpaS-$hC*1SG z^!8ZJ6*E*=@DRnAow2wB4Y`YSn$7m+R?rGsLA&wrguQyhHA_uK40GOTzX)3Xn-{_6 z){--~cedZ{z~PZ5M|x}Irvn<{4*b^ZtM`-9MEod3YN+07y=j%+bNk`t%NMqxUBcxW zJ!W)(JJ9&8*VpK*#3aNC$5OVzZ11=u>BKctkgH#yE1bZP(Ft^S5BgXLl8kuJ-96Yl z_B^w?e!+tuDZSEEyupJprB{3Pbeg;0blQQG+#V*A?Q{n-!QbHoGxQKQNpEMm^W_{I z;bi%49rSf)iU#`6DiLR2>LJ1EiJt~y#ME1yLmCjaf%raMEWRE;356*^;UKN-`srh;@kfJHJ*U_OMaVBAvasOUqpeNqU-PjWk3@@Wq9JU z?+5XE05TUqAnRN%yi#diNVO%(Gb%Tdg;12B4CTpX18VzIFb8L6o9whyubIn zj~{(Gxk!Sc@!>}NEaz7P{QG53|BcGzZPa&ZOIHZwlun|Be}As^{}}#XzkkwXNJbNs&esqZ 
z^Z)i%>(y3;|G$3qy8Vs+e~riJcljs+7nEVW_N`q@sZl_ZAqA8~fY>P0%R9k1!co}{ z*Y>VR5_MolwRnJ1Z-NDikU*W>q_eC_Ah{FKMt(qp9 zCL5+PF~$kVL6V5^EF2q>Nk08N!BRR^ZT4}jKz$B45o{Wm>UyuWn!noUfF|)2Ze+U( z-RFD;UoAPy8Z1i^l8geQPR(?uM-IS;2@>JBcbiHz$r_>Uw~tqNYAt?hzfNdi`rH7T z8i5~rw}cCRZ$SSMGrS>LdP*Z0BMwNTKCc}`DNETKC0)o3SAmNoWe$=1oor5{WBFk| zoN9b?^Qi^i(f4x`qeacACvrNO?W!<`1e%CuX4UE=3+ffc;Qk)+CUA1?5>~@@e6)LU z*gfdwA3#fYKQKD!I4=Q)1jo?{9+uyl_s2+#J75=iAlshXRsXoV^9A}-jA5qJy~F-# z_i(3ov3LAgy5s_hj0Y)=oCa-Yhex};&qqz3;xI^Pgb(Ye**!kq-`nY)?j0R|fdSNv z;`}*E)93GJ`tJ8me%{;ZU37PLj?NBGKfUY9rm>h5#zNKA1}a6AMbe=*R=I1)g1^(f z=GRKYH-srsfm^Gisb{{9|T=GewMg+0s#<@DsNe|oWdbkN;9Tpk|Bq9#}P%B)eX zgzo-X|Fm~Hfvu;l+c5{y~ZM3_K)7}_kQl}FC0B* zr?GZ&xXaA~4P`NJI0I0FjnjlNtIx&gzxzjr`$vz$2C-2|dhk)im1!HZ#juo)18N|0 zh)@{y)xL9oAAI~c=bPG-;Qn55fchrNmV7;F7xR!@kNi3SRu3B<2C-E?&&*iJwxq%+ z3B6rEw@QOi*M=NVzu!H45dVJnumXgJSZOo9n5MYC2?v<`{K%c@Mpi7%b*B@fP@^bx z-Zmsv@!*nG8_FWL|K>Gf%?Qg)RO)d} zhLVU*E=bgd9AI-pM1u?8<%+hMGp_Lu2^u*~xyjb2?|X zlxx&X{%aa%6MP`$mJ)lK$TwQVsSJ+8^a^!3y@^!o&pzA;tv^C%yM7Za@m{C=tg)$t zV-+BlB~6Y)h6Qh${jds{UQp^|{knJC#3F1aJfRP zg9}i#r}FobIu`jMQpY|Es>}UY7HQ^X6k{S{xacx5qicb7Q}Mv3IMC$y#ljQ+e*y0zP&Zh0pGnp3-_|d!m=}E79aItf=zu((AJvw>R4AA7Mj=LEl zlti$))WlhXRY#w3OICdf6vJJs#pV0%;qEVcyQe=kU`1BDk=2w17yq6SW(=U}Xjj?D zi!$2otbtOxDXn_UT4#}3!sP8Y4vdw$Xj*nTx1+{ll;;d$!7^6o4#`^mw+h{B>1bC< zok?KUB&MaRpYXKCEM|OOqe)dBl8>^7%Z~W^DU2P~u4{rn`i7;NyLr^yR?wKvB2% zg@vnfvmRBK>Qs5Zqj*Lf)kP0$nyHtuOHh0PRRo~Yy{lbVAW}y4!HkPy?(yx8cG+Zn zDqEQ`L1z)cN#TGQqDldLn-Zp+`TIDeNyIzw^2Mg{+$x?_&8daT&;trcXb($W5Y7Ie zeg0ZoTU&GVuMqiCU9l}{Ki>Rw>Z7UE7{zpe;zlQb18S_aK;P)hj>(28r*XLVeBb{! 
zaf<&pdYZ~lK@=c)DGFab_;JU1Tl*??K6 z4VdxTnCCJ93q3k`ibGjno!H1feD!Asw1+bDR1VKa0-1v zVkm@7OEyC87wz!-1Y()5!Bu|f6%g7~E{aJVaCWzvtusLh8sW$vOv|-wAl&_ZJ~9le z05~qS=IVebUypqU?}wmYgn90Up__IFM?P_>m&FuZ298RYq>(#xS$*iBY5PG%lr)qN zccBsTaEzlY#ww7GQU{{|_Z%v2IF|Fl{^;c0!P zD?F{Oqe-e=1KnEseN&6UGqom|k7w)X!cF;crp6efSd4eZIK0|R1ZLML-fp+}OgS@5 zx^cO%wiob#rRJY%$=Ai^&ciAarGj$~K9-&1m7#cC(;8#H2CDilbou4_h{-ihFy}h- zs8k2v7R=5*A)QQ65>;PISVJUg-Zu51m%a=Ui8F>z#|-l^jiU~{Dt(u%k)U`N$7oup zc%>pKW`suh$F{5dNnFXl7*0zxkVnjSDkJ}UhPmJ~Sf`onqs$E+Fs;-sqgpN5(S(;b zUz7{h&-w+uE%aZ`$tduo!Xval>+Isv285Xprh-=JYbuxzPtwbutpBN6xwCg|5WoZa zU+eXYR~7&Ntyi1h^uMq2Jlc2PuC!0oa{jR$^`$V8Th3PCP{lW>^N2jO66mmc&J84i zV;c2S972>S?;Mngd?^)mwPYXhvxw`hG)u^B$JtNS0e!Q-+xNbfwe894-{>4h<@l8K zzxld7v;JRizWTQQzs9p-jXhRpTx1Y38t9UykQ#OLb21HM#@W$+yeBlqCD_>jg#pUM zm@@KrrMU-JZQcMFkGq7o%&@lm!s|7#PaDWlgYUI=2yFcP=~Y=mR1UuCI^+Wj=R zB{-Pz(g!tt<;SvJC&nWbPW>#oO6W}@doF*MzhZ36=E>;E2yH+^6G!1zT^!$&BqGV^ z32Vf*u;fya(=qWGjj=z_H9v9n&={LDYCBvDAol=f7x(f@nr8#~+SrzBnO|8ASjq;s z4BPvIPS-wl|4*>Eq3lYZ=RS}e>LL06<&6CQYOD1v|I=4_Ty|i_lq91WHgKpvX+va* z11u}yKl#YSTEuNm9koK0E}zn<|CECUJ&8}JDK@R{=`Q{qPP-qo{wpHG(kbB{lK)#T z+LiVHV(VM}x3BZ8z=0W6xWVHArB`nHmlU%hWfPduWCQS4U{64Z;&?U?+-`z8TwIK? z3Be{@FHIZ;l54?(ETF%*MtdW%e(}@UKhADpR-0i>^+#0s5u^s#lJf*#6MSR3 zH`w?#+BS>{PRvxl7<()%2FIB#6Hoo^+nKBW zy|H$9dyMx3B5_&Rt0p@r?MfAgY|Bz-Gkdw@bB+oZRwz{Qqk6^-TWPm*4jPukx(GF%kl^L}hK&!>qUMK}KS!wL^-+ zD>TA9PX?QZ%=0mhV;IGBpqU#3n8? 
zUJKwTiKjplRa1f_#Se%{f&(wu?O*f-W!PJR9XgrN1b*J>Lqr(&f)No-^{)os3kH8@ zP4%yRF&;JLKlUfTPMSqS0~B6msY(^cz4d_Kq~3ZkKv&*+ASS7|{=d8x_!%)mGY)&Z zJ?;g@3)u@ugi%wMWAuX;T=S4dxcN`SJRe^FC%x|OK`)p@pWMgd_5Z59+1{$=|8IYj z|G&;-{UEEsJ1TLKlh|IT@pqE@L8iifij?}?^D1qGD1iYsdG>KsZqp_e12mI0U%r(} zgYMJn5);hFf#*pkBn1|rL)g(t^10Uz;QVy|Z?JpvxA&_nB97Raw;90sULqKcG9~G} zUtJ;2&o%Ew0Otnz>h%Qb$ghG;72o%(D;l#|8{m*KHy~dwE>+u?TdA*VuX!&6I6oRl z>~w;`sp-LVTmIC$l^hqd_p2+^{b1S+DPHql1#n)0*#>|e+W;<-jNY%VRA93q^{G>8 z&3hfdxpnY-$51+k(iwql#{I33He)rC#n-&80M6gpbeubdbzM=nTa5Yp)fJny(|3&U zszqmNta)z&INv7|VmvY5udc+!uQl(lk^nJA37n-8Jo%@erE6ZhCBL}P!ZBiKf(2%L z29Y%Xv?iz93Ver@P`}-f6RYvoOtkNs=&h%O>Z@#kLlJ{E(iaMVy{y1V?5+M$sX`e} zDWE7ah4S>ICQX^iQko|(cBT$*dPOrf<7l0V2IZvG^Lae@{v4pe_c<0&inZSUt=F#* z#$8yAx9+ObRH|VNC=_)JLC`8g$XzvaHWa{bG*gY3#CVcfRJxd;B-1%hnL3Q0Amw8l z+f^p3oErvHGHy`ze$|de?%1m?*x*=XX|p)PX`(11I=IT$-^z3)G-<8{(6znKT2X8i zBzG<$(Q#DDhrmr&bUrD}G)nU;wEP0z^7)bin&Ba4I0fgUN@vXp# zN^$Gwt@)DPjK(o$ytxL&uMM62(emQ}&I}<5cevsPOwHJs)lgto3Mnm*iDsk@_p9B8 z)C>tcZ!alt4RU8tiTs?UH_5n4hf=haGiz!mKoPrQvISEH=V<_D z$G>hYBH3lhQm}0d1(&9FPxiaGzUDSHEqE6fI>qGP5KujeS}hn*F`jAXQq9CNbe9_% zAZKw2bcN;gNg1Jxi0Pm6Yl)73t;zH#YtYo@NJcTkD4G_Zb?esUUs0g6U&|R=+y%4& zIN=$?I(OtO0=Yeu;R(H#Yl6{9dAx&*3(u3?L|7matD7`*=4R!Elt4s=YHbU59_w&V zl}Z|0@kV{pt-rwX zRo}Q(-$=akUw?f>Gq2ocUc;Rp&trxaALm41?s=ywop>D68^v7QkAN61^ZZ&aU*hny zyT3}i>iN)fmecxrc@QL)G`T@6;_E7LyAg_TRH>-8DaBW8)fd5Sse)YCv6^mjTRZ0h zr%NmrS2lB(itO)VPq(emxiI}+ypT&or}owIo65J0COD{otS-*6xe9CYyB9g)+d=!a zC4*W#FJZx|$iNk_ikXpnzUNkGD>S2& z_;&Td9gG-GA3P7LOgoy1G!sCQNIUOn%2|jCpq<_y>S4)piZ*h3?o>tp%aRyvVs&>9@)Qzkn%GnhvN}fLxU~F= z-Dq~?4CJN@rNNOf&l&-~FZVP*CIT}QZ`(e%zeCZ)x4+(2i&NFvAJwC0AvlH_aG{=DI=HNkA;XR_r5COK6Adx>UT z_!dpl7;o5pr+>y*YzP_v>Wlc`NpRVYpB!1Mlf^jU4$7C5yaNb1ij zU9Jk053Jg^%9|FqMyvu5CG$CypOuRP&s%RO!MFjE#my<^o~9=e5|m9{A9Xn!jCK&L zdtNuO)4{p)(uEeqRAMN%#mWrKCm+vmcY*UUUP^#;$5$|n?Vf00;Z0{d_16tMY5)D!|c5}Um@259*U=b#}Y)9)L3>evGNsGc4>*i@GE79EHSfHE)lsx z);rb)kQ4Ykm*VE>=>qX9-Ym_kW+Zo1GROpud;?PR?+WzhinbZ}Q=0h$$=28O;2F#i 
z&vC#>lv0w2!1FFIFTKye5dTPKxKX6j+x{-3IQMB)J9hA0-rQS-t@nL?J=BJpWQtvo z31UQ<+l=(@%o9g%46J*tvKiaCtB6WCj8PIP`@#@v<7Y$f(yOdv4>#nM?#MxQn?fUu>2XX7`N+v0B&*NXEoM5KRW(y7mDR*)q zhH870E9zVpHTUKe+g%;x!o48+?tm)-%9D$~{KY zkepU)iutLIJ62)F1)X4~ZiC|Xw#&$9q&nFQcaJ6y9t&@=Lj4HGkBebuB(gpDn0BSD=p9-K*(OCMz~RFs+uBneccS7wvwuy zj%9k-Bg~Zv&z*)T3Z;ll5`duA(I^J ze+_18-Y*#C?e9u2F7}S!ZY&zf?Nd2!v(4t^wl`a?mf5;XjBVj*zT{~Oya5a^190Uu zTV9KHM5-20623uD8f#9E;+WoOEg@GDWaX`Sa4z9&NiE<)K%GtiPiBW3fCBtInlHWRqx1RSF)|HCiSzq_w!rsvF08wO;3w(ej#%iGDQY-KA2OD7T zhQBFfB<-XDD@^rrsZtGWg3MnF5 zF3U9yW#dyf<<#pOdibdrOKgiicmO@bVj_90QgGamXSk7sR2Lzu)uYWTJ4B!e$7<0I zGOdl1#65}9iz6sudxJQ{6h(!Ntm@)7m_kG)8al_1&M#$hYpCW9=?z>uN3fTQ!{)a; z6TyMrBrXOD#t~NBScPe;UJ6G-i^{6{8Lb%>hGQ}zi8(jIY8VPQw858i8WOdgoHN3& z_(G4HkR~Bc1#gx%NOP4+b44|<7J%ou=gae%vSr9FdAmCBSxjMdr@N-62G5jx&oGO@ zM9ixb1*cNqygt#9^su_qKUoW)q<(be+Pa)`!PBK-vnW*f!A}1~>2Au1sP3lkG zbi2{8a+$+*wB6gy&RmHx*GZ>&)AM%s)J=o{PvxxTDitA1(J zztVdC*JcfKxN@Ve&I0lp%}x z=)jzkI){Ek5+#cfJ2Zvu`+Ryt4V^F3ydN=|rLv&I#GGV4rj$8El;y75_T?2xWMd6? zWSj~E-sr%2KG|(z8TI15cVA-{a9r#gZyoRZTF-78hFMA^^TA9?+d5OXIh__#6^bF_ zXoQXMHPJqr&IXg8t()UgS7?63dE8Xru~vrlF@oZye2nxYMc0VL>adC= zFw8`z9ORUP2G{PAD{xYvcT81K%^ma^98$PbcN86FlL2Oh+u>csyHL*VH!bDnw+VOf zqSe+vUceo^diCm+`tec~QpL(9AQLgscx%Hb^dKu{5o4h}k_&ehJ$b5|L9q$sqfv50 znd5h|(6hzy5HXO{=LDN?&?=%j3OUKBBl#DDZK-?hcUsst@>Z2QYF^cz8WEP?>!j0j zS_P41}FN@!9!wdK@x{g3ZTHyb(>Ej3=crS{U|I@I!{ zR&9#&V#U`>o#cAFR-Yvw7@ZvNl(ly))2h2{Rr9AOXTAElG6SBypjjimPe%}|`s)?tI>Wy~7`lHsF`;$>9d{ zPEL+aU{$X6qNJRxvS>c6N9InVD%|E)XbpB>Qcuz|KgBn+l;VmDZ`sk9BErtPu8Wh*OLx|(EDCg(A6d-{#e2{Ps_egnO~tibBQvZ)F+Dnj3$yo0_ElWbe4#+v z+b^$-Iy}tTd+AH?aUJBTxfEW&yudX zY!+RySE8hWVCK9n?`qL7JDJ&bB z$6LWymoj&i8}9$4k*K@({n7zO>!&wLL305jJQu>D1eMWYKO0o#OXe^0-uilLd?&X? 
zHSKF*l%g3{P_9~$$Q+-qJ%MsL5bam3cKhk=R8X$otbb{{+cO`Q$NIBB8s{ghf7?z4 z=lnMP99ea>e%bNev9;&ggCnTS$R=|0&+}pFqeYqt%z~%Wp@d6u-A@&*e)q6$nfG-j zQ9!X$dsRjhrT$2c<_@N|_YtjKm??i;c-ri#Q%*63AEdq@)lwaODR(}p7_at^_kQ@H zw+8yUaHr*ENT6A$79y-MD#3z>D8}rJ83_^q&QA7$mbSaHP%p=>dvxJ8V%M3dlBxrV=a5o~VN zAy`&zini-j9ESp50G~RQ=~EjkVcI*}?_O4WgI*Fzxt8U!Sa-y*lK)m^g*6bEO|(WH z(nLE#aV61Cv9)w7M-wFLDe+g`AzxqZ(@1i7R6(VDsr+TRbkE7Fa*Y^K#)TTcHQ1X8 zbF0qnV$*i!_Jl@QF5hH1uJDxS4u0$PKTAVZ^11ire=+)LZ)4q)WC;UF$!MCOi3+t) zA{tli6h3bzE=P4Z$znlrJ31Cw`p-r11^1Zgz2IObB&ue|u6n2#!e3Jzk#9xaIRR)Y zELLrvHU8Q)&IDhG!n1sO?nzIl9khd1Ed`gfLw!D|U1sb8RCmpu(K(%i*bz?Dce6=W z2X}U0l^I_bwgIUq zoO94cRmwVg1$M{wG9Pwhb$J5dxni}s7$CtiE_Uezk;K?Rm3$AU@;&Ge3wp4zh%pUi z^9xbOOq`zXljKL5F|IrN8O0=$Skqw%&5}c{V}94CT)DHA_N+1yvZ^%1#X^*1cfR!g0=>8SJ@0*_}!I6^Utz1Gh;#7=<&# zth0@py|ZpS+Gt&NNce{X@r>*IW@$EvNoZ!EHd#7djFEBTC}EPwovMV8m%H5Nxz#eR zE$^4w(4w;aU#cvrHY02i0IiNSwJ4wpm}5O|vTW%!RXUHg<{RrsVopZ?=yaI>cF)84 zUs0O+45Mg*KQ#yJ1Nom{ym+-$&Hudl>RbNTukx(S6 zEXWhe>9Qh1;flaBHVH`Qe_qKOmZA@7@*$nEs+S9OX}iqlu~-PKBpDJ5MH+TKhokQ-GX#l#{$33)S{zOp`Dz2UIa zodZw_8m~CXQQ+ixxKqqb!bf#1XxJgrj&qD&W7z4R1klIWTMz=M^Gu1DHGIW0Vw8KDp4T3@A*y0&wlc&b8y&6`nRF87$W7Zz)xBL5&|IQr}EK zr5@A{Jp0(Xhx4Q3)4ij^{`-oII*ie%ESm;4RKWLL2PO4bGe=@Pn(R=o;$RfiI%uys z%@y`(^HhD2Dl62Pjk3$S{TyI~lzxhEBdy3Xrn9)dd`FU=j- z0#B|IE$$HkZSUUmbpGx0b9lA_{zyOz-oO7FMAR%Tj^WwI_C1g!kIBd>z2>d)_(t ze}`uu4OQ;pJ^bf?<}|7e4#;ar-17>G5c9{>*2-}-6$_jzX-UZt&f(AC-$LWrs*T3? 
zuYsmG;XGbz!27=`7X*!3IHu4r-;^+`5=b=MNi-y$7jk8J-7XLgT$sESF-arBwx6v| zt^}T>;74noX0q~iHxfwp zyA9VbE*SpZi*)o&M)(*<%BT(7l0RL{eo!sdynpYVo7UjHH$a?(J5(}OM5M;I4LjY= z58eHK&%46YGdT@m8xoqF;53Vf5>z)JA|oPDEO#d)GKM!K3+^Q$NynH;)zMSHM>zVa zXhgG(rYr+=dOIn4^S9QO2GW|%R`IFO-QU8z1u4Llni zXrqZZlb!2Tb`P6xn-RWlYCHKI=wx>*Rvd6Q3AH=O{^c^)F7|?|eYbnO=gj=OYT9If z2!81j)SBz(^9J5rn*K{bE}RUBOR$5?Nxgnc(y7*uOF;C zWkGrU5+q^3kKpAU{;Hg&eU?z7pmhaV0XzVSTr>yEP9r%*rei;u4BYu zfU&(#Br+SS9Flw+bwfSNBdIKr&RQ{kLiSf2!z1ub1xW0k~ce@6KQk95JeU>G18mTLB?n(>HPs*Z@x=ly3vOijp z{q}s)^RWF#?FdT!oGy3W`^>Z0{34VvzbZb_`<$b|Kw4>MaJ*M5-^f;L30oHOsJ`nf%X>33A^c zLp>mmjcQ*G*Gk;&V|b<${ae`wOh~Y4&;sFpS_&8?zds(L{8FkpAlYW?=h2*q=f%P;4! zV5bMjdnl9Yv&4V6h?hED3iC%VgUz`p*3SN?hlxA|KPNuqQNvpb44F5m<;E+EU^Wir zN#j(CK3RIawl-VyMyuLj8T>CC+43Y(*vOSf4QSzlId_RV?Usr04;U-s{qqIOcwaJF z<|z{@4@X(vR?(=$yUd$YZqwyC^?3qYW;Meazyngu)h3RLvy5+quGPspt|D49QWs&cl?ROu< zxC*VxVPVpW&4Bt_uWx}m`V@%D=_?*J15MZEf%u9UFBZ+p&r77qXd-?TB7K|$+G@RN z)qq%O>{DUkj|ArB%NGlP;hzXiC4I+Z=Fe}v{ui7*Um)K{-F%zH|Fg`z1=%{Dv`H*V zbkPc04u)k2paMa8)ZC9|8!4aLSgb3JE`|H&+Ar$y`s_QwV^FM1LGh^JeS8XxuQbAC z%pOmLf4cEr3gMZAsE;vg6(~8)fNiE;vU_AwRTnR}lZUaXBv^eqUb79>VmLQx>t{k` zW{)i+Q`uxydetTHskc5oCPD0{qgPFr`na=ETc8HRnuf~=E|ZJ(GvM{~x#u=jM&XH> zZ6Al-{Cq%hyluAy&VRJ0%(v&;^X>We U{A)e`F8~1l|C3^YBmn#X0JQ?`#sB~S literal 0 HcmV?d00001 diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/.helmignore 
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml
new file mode 100644
index 000000000..3168ec9d6
--- /dev/null
+++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector
+ catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector
+apiVersion: v2
+appVersion: 1.11.0
+description: A Helm chart to deploy resources which install Citrix ADC CPX in Istio
+ Service Mesh as sidecar in application pod
+home: https://www.citrix.com
+icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png
+kubeVersion: '>=v1.16.0-0'
+maintainers:
+- email: dhiraj.gedam@citrix.com
+ name: dheerajng
+- email: subash.dangol@citrix.com
+ name: subashd
+- email: ajeeta.shakeet@citrix.com
+ name: ajeetas
+name: citrix-cpx-istio-sidecar-injector
+sources:
+- https://github.com/citrix/citrix-xds-adaptor
+version: 1.11.1
diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/README.md b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/README.md
new file mode 100644
index 000000000..83434ceca
--- /dev/null
+++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/README.md
@@ -0,0 +1,280 @@ +# Deploy Citrix ADC CPX as a sidecar in Istio environment using Helm charts + +Citrix ADC CPX can be deployed as a sidecar proxy in an application pod in the Istio service mesh. + + +# Table of Contents +1. [TL; DR;](#tldr) +2. [Introduction](#introduction) +3. [Deploy Sidecar Injector for Citrix ADC CPX using Helm chart](#deploy-sidecar-injector-for-citrix-adc-cpx-using-helm-chart) +4. [Observability using Citrix Observability Exporter](#observability-using-coe) +5. [Citrix ADC CPX License Provisioning](#citrix-adc-cpx-license-provisioning) +6. [Service Graph configuration](#configuration-for-servicegraph) +7. [Generate Certificate for Application](#generate-certificate-for-application) +8. [Limitations](#limitations) +9. [Clean Up](#clean-up) +10. [Configuration Parameters](#configuration-parameters) + + +## TL; DR; + + kubectl create namespace citrix-system + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES + + +## Introduction + +Citrix ADC CPX can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/). Automatic sidecar injection requires resources including a Kubernetes [mutating webhook admission](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) controller, and a service. Using this Helm chart, you can create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy. + +In Istio servicemesh, the namespace must be labelled before applying the deployment yaml for [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#automatic-sidecar-injection). 
Once the namespace is labelled, sidecars (envoy or CPX) will be injected while creating pods. +- For CPX, namespace must be labelled `cpx-injection=enabled` +- For Envoy, namespace must be labelled `istio-injection=enabled` + +__Note: If a namespace is labelled with both `istio-injection` and `cpx-injection`, Envoy injection takes a priority! Citrix CPX won't be injected on top of the already injected Envoy sidecar. For using Citrix ADC as sidecar, ensure that `istio-injection` label is removed from the namespace.__ + +For detailed information on different deployment options, see [Deployment Architecture](https://github.com/citrix/citrix-istio-adaptor/blob/master/docs/istio-integration/architecture.md). + +### Compatibility Matrix between Citrix xDS-adaptor and Istio version + +Below table provides info about recommended Citrix xDS-Adaptor version to be used for various Istio versions. + +| Citrix xDS-Adaptor version | Istio version | +|----------------------------|---------------| +| quay.io/citrix/citrix-xds-adaptor:0.9.9 | Istio v1.10+ | +| quay.io/citrix/citrix-xds-adaptor:0.9.8 | Istio v1.8 to Istio v1.9 | +| quay.io/citrix/citrix-xds-adaptor:0.9.5 | Istio v1.6 | + +### Prerequisites + +The following prerequisites are required for deploying Citrix ADC as a sidecar to an application pod. + +- Ensure that **Istio version 1.8 onwards** is installed +- Ensure that Helm with version 3.x is installed. Follow this [step](https://github.com/citrix/citrix-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. 
+- Ensure that your cluster Kubernetes version should be 1.16 onwards and the `admissionregistration.k8s.io/v1`, `admissionregistration.k8s.io/v1beta1` API is enabled + +You can verify the API by using the following command: + + kubectl api-versions | grep admissionregistration.k8s.io/v1 + +The following output indicates that the API is enabled: + + admissionregistration.k8s.io/v1 + admissionregistration.k8s.io/v1beta1 + +- Create namespace `citrix-system` + + kubectl create namespace citrix-system + +- **Registration of Citrix ADC CPX in ADM** + +Create a secret containing ADM username and password in each application namespace. + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= -n citrix-system + +## Deploy Sidecar Injector for Citrix ADC CPX using Helm chart + +**Before you Begin** + +To deploy resources for automatic installation of Citrix ADC CPX as a sidecar in Istio, perform the following step. In this example, release name is specified as `cpx-sidecar-injector` and namespace is used as `citrix-system`. + + + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES + +This step installs a mutating webhook and a service resource to application pods in the namespace labeled as `cpx-injection=enabled`. + +*"Note:" The `cpx-injection=enabled` label is mandatory for injecting sidecars.* + +An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/tree/master/examples/citrix-adc-in-istio). + + +# Observability using Citrix Observability Exporter + +### Pre-requisites + +1. Citrix Observability Exporter (COE) should be deployed in the cluster. + +2. Citrix ADC CPX should be running with versions 13.0-48+ or 12.1-56+. 
+ +Citrix ADC CPXes serving East West traffic send its metrics and transaction data to COE which has a support for Prometheus and Zipkin. + +Metrics data can be visualized in Prometheus dashboard. + +Zipkin enables users to analyze tracing for East-West service to service communication. + +*Note*: Istio should be [installed](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/#before-you-begin) with Zipkin as tracing endpoint. + +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=. +``` + +By default, COE is primarily used for Prometheus integration. Servicegraph and tracing is handled by Citrix ADM appliance. To enable Zipkin tracing, set argument `coe.coeTracing=true` in helm command. Default value of coeTracing is set to false. + +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=.,coe.coeTracing=true + +``` + +For example, if COE is deployed as `coe` in `citrix-system` namespace, then below helm command will deploy sidecar injector webhook which will be deploying Citrix ADC CPX sidecar proxies in application pods, and these sidecar proxies will be configured to establish communication channels with COE. + +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES,coe.coeURL=coe.citrix-system +``` + +*Important*: Apply below mentioned annotations on COE deployment so that Prometheus can scrape data from COE. 
+``` + prometheus.io/scrape: "true" + prometheus.io/port: "5563" # Prometheus port +``` +## **Citrix ADC CPX License Provisioning** +By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.citrix.com/en-in/products/citrix-adc/cpx-express.html) however for better performance and production deployment customer needs licensed CPX instances. [Citrix ADM](https://www.citrix.com/en-in/products/citrix-application-delivery-management/) is used to check out licenses for Citrix ADC CPX. + +**Bandwidth based licensing** +For provisioning licensing on Citrix ADC CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. +For example, to set 2Gbps as bandwidth capacity, below command can be used. + +``` +helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + +helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000 + +``` + +## **Service Graph configuration** + Citrix ADM Service graph is an observability tool that allows user to analyse service to service communication. The service graph is generated by ADM post collection of transactional data from registered Citrix ADC instances. More details about it can be found [here](https://docs.citrix.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). + Citrix ADC needs to be provided with ADM details for registration and data export. This section lists the steps needed to deploy Citrix ADC and register it with ADM. + + 1. 
Create secret using Citrix ADM Agent credentials, which will be used by Citrix ADC as CPX to communicate with Citrix ADM Agent: + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + + 2. Deploy Citrix ADC CPX sidecar injector using helm command with `ADM` details: + + helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set ADMSettings.ADMIP= + +> **Note:** +> If container agent is being used here for Citrix ADM, specify `PodIP` of container agent in the `ADMSettings.ADMIP` parameter. + +## Generate Certificate for Application + +Application needs TLS certificate-key pair for establishing secure communication channel with other applications. Earlier these certificates were issued by Istio Citadel and bundled in Kubernetes secret. Certificate was loaded in the application pod by doing volume mount of secret. Now `xDS-Adaptor` can generate its own certificate and get it signed by the Istio Citadel (Istiod). This eliminates the need of secret and associated [risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks). + +xDS-Adaptor needs to be provided with details Certificate Authority (CA) for successful signing of Certificate Signing Request (CSR). By default, CA is `istiod.istio-system.svc` which accepts CSRs on port 15012. +To skip this process, don't provide any value (empty string) to `certProvider.caAddr`. +``` + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="" +``` + +### Configure Third Party Service Account Tokens + +In order to generate certificate for application workload, xDS-Adaptor needs to send valid service account token along with Certificate Signing Request (CSR) to the Istio control plane (Citadel CA). 
Istio control plane authenticates the xDS-Adaptor using this JWT. +Kubernetes supports two forms of these tokens: + +* Third party tokens, which have a scoped audience and expiration. +* First party tokens, which have no expiration and are mounted into all pods. + + If Kubernetes cluster is installed with third party tokens, then the same information needs to be provided for automatic sidecar injection by passing `--set certProvider.jwtPolicy="third-party-jwt"`. By default, it is `first-party-jwt`. + +``` + helm repo add citrix https://citrix.github.io/citrix-helm-charts/ + + helm install cpx-sidecar-injector citrix/citrix-cpx-istio-sidecar-injector --namespace citrix-system --set cpxProxy.EULA=YES --set certProvider.caAddr="istiod.istio-system.svc" --set certProvider.jwtPolicy="third-party-jwt" + +``` + +To determine if your cluster supports third party tokens, look for the TokenRequest API using below command. If there is no output, then it is `first-party-jwt`. In case of `third-party-jwt`, output will be like below. + +``` +# kubectl get --raw /api/v1 | jq '.resources[] | select(.name | index("serviceaccounts/token"))' + +{ + "name": "serviceaccounts/token", + "singularName": "", + "namespaced": true, + "group": "authentication.k8s.io", + "version": "v1", + "kind": "TokenRequest", + "verbs": [ + "create" + ] +} + +``` + +## Limitations + +Citrix ADC CPX occupies certain ports for internal usage. This makes application service running on one of these restricted ports incompatible with the Citrix ADC CPX. +The list of ports is mentioned below. Citrix is working on delisting some of the major ports from the given list, and same shall be available in future releases. + +#### Restricted Ports + +| Sr No |Port Number| +|-------|-----------| +| 1 | 80 | +| 2 | 3010 | +| 3 | 5555 | +| 4 | 8080 | + +## Clean Up + +To delete the resources created for automatic injection with the release name `cpx-sidecar-injector`, perform the following step. 
+ + helm delete cpx-sidecar-injector + +## Configuration parameters + +The following table lists the configurable parameters and their default values in the Helm chart. + + +| Parameter | Description | Default | +|--------------------------------|-------------------------------|---------------------------| +| `xDSAdaptor.image` | Image of the Citrix xDS Adaptor container | quay.io/citrix/citrix-xds-adaptor:0.9.9 | +| `xDSAdaptor.imagePullPolicy` | Image pull policy for xDS-adaptor | IfNotPresent | +| `xDSAdaptor.secureConnect` | If this value is set to true, xDS-adaptor establishes secure gRPC channel with Istio Pilot | TRUE | +| `xDSAdaptor.logLevel` | Log level to be set for xDS-adaptor log messages. Possible values: TRACE (most verbose), DEBUG, INFO, WARN, ERROR (least verbose) | DEBUG | Optional| +| `xDSAdaptor.jsonLog` | Set this argument to true if log messages are required in JSON format | false | Optional| +| `coe.coeURL` | Name of [Citrix Observability Exporter](https://github.com/citrix/citrix-observability-exporter) Service in the form of _servicename.namespace_ | NIL | Optional| +| `coe.coeTracing` | Use COE to send appflow transactions to Zipkin endpoint. If it is set to true, ADM servicegraph (if configured) can be impacted. 
| false | Optional| +| `ADMSettings.ADMIP` | Provide the Citrix Application Delivery Management (ADM) IP address | NIL | +| `ADMSettings.licenseServerIP ` | Citrix License Server IP address | NIL | Optional | +| `ADMSettings.licenseServerPort` | Citrix ADM port if a non-default port is used | 27000 | +| `ADMSettings.bandWidth` | Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps | NIL | Optional | +| `ADMSettings.bandWidthLicense` | To specify bandwidth based licensing | false | Optional | +| `istioPilot.name` | Name of the Istio Pilot service | istio-pilot | +| `istioPilot.namespace` | Namespace where Istio Pilot is running | istio-system | +| `istioPilot.secureGrpcPort` | Secure GRPC port where Istio Pilot is listening (Default setting) | 15011 | +| `istioPilot.insecureGrpcPort` | Insecure GRPC port where Istio Pilot is listening | 15010 | +| `istioPilot.proxyType` | Type of Citrix ADC associated with the xDS-adaptor. Possible values are: sidecar and router. | sidecar| +| `istioPilot.SAN` | Subject alternative name for Istio Pilot which is the Secure Production Identity Framework For Everyone (SPIFFE) ID of Istio Pilot. | NIL | +| `cpxProxy.netscalerUrl` | URL or IP address of the Citrix ADC which will be configured by Istio-adaptor. | http://127.0.0.1 | +| `cpxProxy.image` | Citrix ADC CPX image used as sidecar proxy | quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 | +| `cpxProxy.imagePullPolicy` | Image pull policy for Citrix ADC | IfNotPresent | +| `cpxProxy.EULA` | End User License Agreement(EULA) terms and conditions. If yes, then user agrees to EULA terms and conditions. | NO | +| `cpxProxy.cpxSidecarMode` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX is running as sidecar mode or not. | YES | +| `cpxProxy.cpxDisableProbe` | Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup. 
| YES | +| `sidecarWebHook.webhookImage` | Mutating webhook associated with the sidecar injector. It invokes a service `cpx-sidecar-injector` to inject sidecar proxies in the application pod. | quay.io/citrix/cpx-istio-sidecar-injector:1.1.0 | +| `sidecarWebHook.imagePullPolicy` | Image pull policy |IfNotPresent| +| `sidecarCertsGenerator.image` | Certificate genrator image associated with sidecar injector. This image generates certificate and key needed for CPX sidecar injection. | quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 | +| `sidecarCertsGenerator.imagePullPolicy` | Image pull policy |IfNotPresent| +| `webhook.injectionLabelName` | Label of namespace where automatic Citrix ADC CPX sidecar injection is required. | cpx-injection | +| `certProvider.caAddr` | Certificate Authority (CA) address issuing certificate to application | istiod.istio-system.svc | Optional | +| `certProvider.caPort` | Certificate Authority (CA) port issuing certificate to application | 15012 | Optional | +| `certProvider.trustDomain` | SPIFFE Trust Domain | cluster.local | Optional | +| `certProvider.certTTLinHours` | Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours. Default is 30 days validity | 720 | Optional | +| `certProvider.clusterId` | clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in multicluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the value of global.multiCluster.clusterName provided during servicemesh control plane installation | Kubernetes | Optional | +| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. | first-party-jwt | Optional | +| `certProvider.jwtPolicy` | Service Account token type. Kubernetes platform supports First party tokens and Third party tokens. 
Usually public cloud based Kubernetes has third-party-jwt | null | Optional |
+
+**Note:** You can use the `values.yaml` file packaged in the chart. This file contains the default configuration values for the chart.
diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md
new file mode 100644
index 000000000..aa16d2136
--- /dev/null
+++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/app-readme.md
@@ -0,0 +1,28 @@ +# Citrix ADC as a Sidecar for Istio + +Citrix ADC [CPX](https://docs.citrix.com/en-us/citrix-adc-cpx) can act as a sidecar proxy to an application container in Istio. You can inject the Citrix ADC CPX manually or automatically using the [Istio sidecar injector](https://istio.io/docs/setup/additional-setup/sidecar-injection/). + + +### Prerequisites + +The following prerequisites are required for deploying Citrix ADC as a sidecar in an application pod + +- Ensure that **Istio** is enabled. +- Ensure that your cluster has Kubernetes version 1.16.0 or later. +- Ensure the [Kubernetes controller manager](https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-controller-manager)’s default certificate signer is enabled. + +**Note**: For RKE based cluster, extra arguments need to be provided for kube-controller service. +```services: + kube-controller: + extra_args: + cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem" + cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem" +``` +For detailed information follow this [link](https://github.com/citrix/citrix-xds-adaptor/blob/master/docs/istio-integration/rancher-provisioned-cluster.md) + +### Important NOTE: + - We should not **Enable Istio Auto Injection** on Application namespace. + - The cpx-injection=enabled label is mandatory for injecting sidecars. + - An example to deploy application along with Citrix ADC CPX sidecar is provided [here](https://github.com/citrix/citrix-helm-charts/blob/master/examples/citrix-adc-in-istio/README.md). + +This catalog create resources required for automatically deploying Citrix ADC CPX as a sidecar proxy.For detailed information follow this [link](https://github.com/citrix/citrix-helm-charts/tree/master/citrix-cpx-istio-sidecar-injector) 
diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh new file mode 100644 index 000000000..ed5d58a4e --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/create-certs-for-cpx-istio-chart.sh @@ -0,0 +1,127 @@ +#!/bin/bash + +set -e + +usage() { + cat <> ${certdir}/csr.conf +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = ${service} +DNS.2 = ${service}.${namespace} +DNS.3 = ${service}.${namespace}.svc +EOF + +openssl genrsa -out ${certdir}/key.pem 2048 +openssl req -new -key ${certdir}/key.pem -subj "/CN=${service}.${namespace}.svc" -out ${certdir}/server.csr -config ${certdir}/csr.conf + +# clean-up any previously created CSR for our service. Ignore errors if not present. +kubectl delete csr ${csrName} 2>/dev/null || true + +# create server cert/key CSR and send to k8s API +cat <&2 + exit 1 +fi +echo ${serverCert} | openssl base64 -d -A -out ${certdir}/cert.pem + + +# create the secret with CA cert and server cert/key +kubectl create secret generic ${secret} \ + --from-file=key.pem=${certdir}/key.pem \ + --from-file=cert.pem=${certdir}/cert.pem \ + --dry-run -o yaml | + kubectl -n ${namespace} apply -f - diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml new file mode 100644 index 000000000..18483b84a --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/questions.yml 
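Review bot: The closing `kubectl create secret generic ${secret} ... --dry-run -o yaml` uses the bare `--dry-run` flag, which recent kubectl releases deprecate or reject in favour of the explicit form; `--dry-run=client -o yaml` keeps the pipe into `kubectl -n ${namespace} apply -f -` working across versions. The CSR config appears to be written with an appending redirection (`cat <<EOF >> ${certdir}/csr.conf` as rendered here), so a second run against the same directory concatenates two `[req]` sections into one file; a plain `>` would make the script idempotent. `${certdir}`, `${service}` and `${namespace}` are expanded unquoted throughout, so a path containing whitespace trips `set -e` at the first `openssl` call; quoting each expansion is the usual fix.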
@@ -0,0 +1,291 @@ +labels: + io.rancher.certified: partner +questions: +- variable: xDSAdaptor.image + required: true + type: string + default: "quay.io/citrix/citrix-xds-adaptor:0.9.9" + description: "xds-adaptor Image to be used" + label: xDSAdaptor Image + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.imagePullPolicy + required: true + type: enum + default: IfNotPresent + description: "Istio-adaptor Image pull policy" + label: istioAdaptor imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.proxyType + required: true + type: string + default: true + label: xDSAdaptor proxyType + description: "xDSAdaptor proxyType type set to router by default" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.secureConnect + required: false + type: boolean + default: true + label: xDSAdaptor secureConnect + description: "xDSAdaptor establishes secure gRPC channel with Istio Pilot, if value is set to true" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.logLevel + required: false + type: enum + default: DEBUG + label: xDSAdaptor logLevel + description: "xDSAdaptor logLevel" + options: + - "TRACE" + - "DEBUG" + - "INFO" + - "WARN" + - "ERROR" + group: "xDSAdaptor Settings" +- variable: xDSAdaptor.jsonLog + required: false + type: string + default: "true" + label: xDSAdaptor jsonLog + description: "Set this argument to true if log messages are required in JSON format" + group: "xDSAdaptor Settings" +- variable: coe.coeURL + required: false + type: string + label: coe coeURL + description: "Name of Citrix Observability Exporter Service" + group: "COE Settings" +- variable: coe.coeTracing + required: false + type: boolean + label: coe coeTracing + description: "Used to send appflow transactions to Zipkin endpoint,if true ADM servicegraph (if configured) can be impacted" + group: "COE Settings" +- variable: istioPilot.name + required: true + type: string + default: istio-pilot + label: 
istio-pilot name + group: "istio-pilot Settings" +- variable: istioPilot.namespace + required: true + type: string + default: istio-system + label: istio-pilot namespace + description: "Name of the Istio Pilot service" + group: "istio-pilot Settings" +- variable: istioPilot.secureGrpcPort + required: true + type: int + default: 15011 + description: "Secure GRPC port where Istio Pilot is listening" + label: istio-pilot secureGrpcPort + show_if: "xDSAdaptor.secureConnect=true" + group: "istio-pilot Settings" +- variable: istioPilot.insecureGrpcPort + required: true + type: int + default: 15010 + label: istio-pilot insecureGrpcPort + description: "Insecure GRPC port where Istio Pilot is listening" + show_if: "xDSAdaptor.secureConnect=false" + group: "istio-pilot Settings" +- variable: istioPilot.SAN + required: false + type: string + default: + label: istio-pilot SAN + description: "Subject alternative name for Istio Pilot which is (SPIFFE) ID of Istio Pilot" + show_if: "xDSAdaptor.secureConnect=true" + group: "istio-pilot Settings" +- variable: certProvider.caAddr + required: true + type: string + default: "istiod.istio-system.svc" + label: certProvider caAddr + description: "Certificate Authority (CA) address issuing certificate to application" + group: "certProvider Settings" +- variable: certProvider.caPort + required: true + type: int + default: 15012 + label: certProvider caPort + description: "Certificate Authority (CA) port issuing certificate to application" + group: "certProvider Settings" +- variable: certProvider.trustDomain + required: true + type: string + default: "cluster.local" + label: certProvider trustDomain + description: "SPIFFE Trust Domain" + group: "certProvider Settings" +- variable: certProvider.certTTLinHours + required: true + type: int + default: 720 + label: certProvider certTTLinHours + description: "Validity of certificate generated by xds-adaptor and signed by Istiod (Istio Citadel) in hours." 
+ group: "certProvider Settings" +- variable: certProvider.clusterId + required: true + type: string + default: "Kubernetes" + label: certProvider clusterId + description: "clusterId is the ID of the cluster where Istiod CA instance resides (default Kubernetes). It can be different value on some cloud platforms or in m +ulticluster environments. For example, in Anthos servicemesh, it might be of the format of `cn--`. In multiCluster environments, it is the val +ue of global.multiCluster.clusterName provided during servicemesh control plane installation" + group: "certProvider Settings" +- variable: certProvider.jwtPolicy + required: true + type: enum + default: "first-party-jwt" + label: certProvider jwtPolicy + description: "Kubernetes platform supports First party tokens and Third party tokens" + options: + - "first-party-jwt" + - "third-party-jwt" +- variable: cpxProxy.netscalerUrl + required: true + type: string + default: "http://127.0.0.1" + description: "Citrix ADC CPX image used as sidecar proxy" + label: cpxProxy image + group: "cpxProxy Settings" +- variable: cpxProxy.image + required: true + type: string + default: "quay.io/citrix/citrix-k8s-cpx-ingress:13.0-79.64" + description: "Citrix ADC CPX image used as sidecar proxy" + label: cpxProxy image + group: "cpxProxy Settings" +- variable: cpxProxy.imagePullPolicy + required: true + type: enum + default: IfNotPresent + description: "cpxProxy Image pull policy" + label: cpxProxy imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + group: "cpxProxy Settings" +- variable: cpxProxy.EULA + required: true + type: enum + label: cpxProxy EULA license + options: + - "YES" + - "NO" + group: "cpxProxy Settings" +- variable: cpxProxy.cpxSidecarMode + required: true + type: string + default: "YES" + description: "Environment variable for Citrix ADC CPX. 
It indicates that Citrix ADC CPX is running as sidecar mode or not" + label: cpxProxy image + options: + - "YES" + - "NO" + group: "cpxProxy Settings" +- variable: cpxProxy.mgmtHttpPort + required: true + type: int + default: 10080 + label: cpxProxy mgmtHttpPort + group: "cpxProxy Settings" +- variable: cpxProxy.mgmtHttpsPort + required: true + type: int + default: 10443 + label: cpxProxy mgmtHttpsPort + group: "cpxProxy Settings" +- variable: cpxProxy.cpxDisableProbe + required: true + type: string + default: YES + description: "Environment variable for Citrix ADC CPX. It indicates that Citrix ADC CPX will disable probing dynamic services. It should be enabled for multicluster setup." + label: cpxProxy cpxDisableProbe + options: + - "YES" + - "NO" + group: "cpxProxy Settings" +- variable: sidecarWebHook.webhookImage + required: true + type: string + default: "quay.io/citrix/cpx-istio-sidecar-injector:1.0.0" + label: sidecarWebHook webhookImage + description: "webhookImage image to be used" + group: "sidecarWebHook Settings" +- variable: sidecarWebHook.imagePullPolicy + required: true + type: enum + default: IfNotPresent + label: sidecarWebHook imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + group: "sidecarWebHook Settings" +- variable: sidecarCertsGenerator.image + required: true + type: string + default: " quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0" + label: sidecarWebHook webhookImage + description: "webhookImage image to be used" + group: "sidecarCertsGenerator Settings" +- variable: sidecarCertsGenerator.imagePullPolicy + required: true + type: enum + default: IfNotPresent + label: sidecarWebHook imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + group: "sidecarCertsGenerator Settings" +- variable: ADMSettings.ADMIP + required: false + type: string + default: + label: ADMSettings ADMIP + description: "Citrix Application Delivery Management (ADM) IP address" + group: "ADMSettings Settings" +- variable: 
ADMSettings.licenseServerIP + required: false + type: string + default: + label: ADMSettings licenseServerIP + description: "Citrix License Server IP address" + group: "ADMSettings Settings" +- variable: ADMSettings.licenseServerPort + required: false + type: int + default: 27000 + label: ADMSettings licenseServerPort + description: "Citrix ADM port if a non-default port is used" + group: "ADMSettings Settings" +- variable: ADMSettings.bandWidthLicense + required: false + type: boolean + default: false + label: ADMSettings bandWidthLicense + description: "To specify bandwidth based licensing" + group: "ADMSettings Settings" +- variable: ADMSettings.bandWidth + required: false + type: string + default: + label: ADMSettings bandWidth + description: "Desired bandwidth capacity to be set for Citrix ADC CPX in Mbps" + group: "ADMSettings Settings" +- variable: webhook.injectionLabelName + required: true + type: string + default: "cpx-injection" + label: webhook injectionLabelName + description: "Label of namespace, where automatic sidecr injection is required" + group: "webhook Settings" diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl new file mode 100644 index 000000000..964b92cd5 --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/_helpers.tpl 
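Review bot: The default for `sidecarCertsGenerator.image` is `" quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"` with a leading space, which becomes an invalid image reference once it reaches the init container's `image:` field; it should read `default: "quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0"`. Several other defaults disagree with the `values.yaml` in this same commit: `xDSAdaptor.proxyType` is typed `string` but defaults to `true` (the chart default is `sidecar`), `sidecarWebHook.webhookImage` defaults to tag `1.0.0` while the chart ships `1.1.0`, and `xDSAdaptor.jsonLog` is a `string` defaulting to `"true"` although the configmap template tests it with `eq .Values.xDSAdaptor.jsonLog true`, so a string answer can never enable `JSONLOG`. `cpxProxy.netscalerUrl` carries the copy-pasted label `cpxProxy image` and description `Citrix ADC CPX image used as sidecar proxy`, and `certProvider.jwtPolicy` is the only question without a `group`, so it falls outside every settings tab in the Rancher form.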
@@ -0,0 +1,20 @@ +{{/* Below function is used to identify default value of jwtPolicy if not provided. + * For on-prem Kubernetes v1.21+, it is third-party-jwt. Else first-party-jwt. + * Note: Don't just do "helm template" to generate yaml file. Else https://github.com/helm/helm/issues/7991 + * is possible. Use "helm template --validate" or "helm install --dry-run --debug". + * Note2: For cloud environments, semverCompare should be ideally done with "<1.21.x-x" as + * Kubernetes version is generally of the format v1.20.7-eks-xxxxxx. So, it fails the "v1.21.x" check but that's fine + * as in cloud environments third-party-jwt is enabled. +*/}} + +{{- define "jwtValue" -}} +{{- if .Values.certProvider.jwtPolicy -}} +{{- printf .Values.certProvider.jwtPolicy -}} +{{- else -}} +{{- if semverCompare "<1.21.x" .Capabilities.KubeVersion.Version -}} +{{- printf "first-party-jwt" -}} +{{- else -}} +{{- printf "third-party-jwt" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml new file mode 100644 index 000000000..77b9e84e6 --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-configmap.yaml 
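Review bot: `{{- printf .Values.certProvider.jwtPolicy -}}` passes an operator-supplied value as the printf format string, so any `%` in the value is interpreted as a formatting verb instead of literal text; emit it directly with `{{- .Values.certProvider.jwtPolicy -}}` (or `printf "%s" .Values.certProvider.jwtPolicy`). The header comment already records that `semverCompare "<1.21.x"` misclassifies cloud versions such as `v1.20.7-eks-xxxx`; since the configmap in this same commit hardcodes `"jwtPolicy": "third-party-jwt"` in the injector `values` block regardless of this helper, the comment should also state that `jwtValue` governs only the `JWT_POLICY` env var and the `istio-token` projected volume, so a reader does not expect it to drive that block too.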
@@ -0,0 +1,221 @@ +# This configmap stores the sidecar proxy info and arguments needed +apiVersion: v1 +kind: ConfigMap +metadata: + name: cpx-istio-sidecar-injector + namespace: {{.Release.Namespace}} + labels: + app: cpx-sidecar-injector + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + istio: sidecar-injector +data: + config: |- + policy: enabled + # If user does *NOT* want to inject sidecar on some pods based on label, + # then mention such labels in 'neverInjectSelector' entry. + # Note: This is valid only when istio's sidecar-injector image is running. + neverInjectSelector: + - matchExpressions: + - {key: citrix.com/no.sidecar, operator: Exists} + # Here, if pod has a label citrix.com/no.sidecar, then sidecar won't be injected for that pod. + template: |- + containers: + - name: istio-adaptor + image: {{ .Values.xDSAdaptor.image }} + imagePullPolicy: {{ .Values.xDSAdaptor.imagePullPolicy }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: APPLICATION_NAME + valueFrom: + fieldRef: + fieldPath: metadata.labels['app'] + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName +{{- if .Values.certProvider.caAddr }} + - name: CA_ADDR + value: {{ .Values.certProvider.caAddr }}:{{ .Values.certProvider.caPort}} #istiod.istio-system.svc:15012 + - name: TRUST_DOMAIN + value: {{ .Values.certProvider.trustDomain }} #cluster.local + - name: CLUSTER_ID + value: {{ .Values.certProvider.clusterId }} #Kubernetes + - name: CERT_TTL_IN_HOURS + value: {{ .Values.certProvider.certTTLinHours }} + - name: JWT_POLICY + value: {{ include "jwtValue" . 
| quote }} # third-party-jwt if Kubernetes cluster supports third-party tokens +{{- end }} + - name: NS_USER + value: nsroot + - name: NS_PASSWORD + value: nsroot +{{- if eq .Values.coe.coeTracing true }} + - name: COE_TRACING + value: "TRUE" +{{- end }} + - name: LOGLEVEL + value: {{ .Values.xDSAdaptor.logLevel | default "DEBUG" | quote }} +{{- if eq .Values.xDSAdaptor.jsonLog true }} + - name: JSONLOG + value: "TRUE" +{{- end }} + args: + - -ads-server +{{- if eq .Values.xDSAdaptor.secureConnect true }} + - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.secureGrpcPort }} # istiod.istio-system.svc:15012 +{{- else }} + - {{ .Values.istioPilot.name}}.{{.Values.istioPilot.namespace }}.svc:{{ .Values.istioPilot.insecureGrpcPort }} # istiod.istio-system.svc:15010 +{{- end }} + - -ads-secure-connect={{ .Values.xDSAdaptor.secureConnect}} + - -ads-server-SAN + - {{ .Values.istioPilot.SAN }} + - -istio-proxy-type + - {{ .Values.xDSAdaptor.proxyType | default "sidecar" | quote }} + - -citrix-adc + - "{{- .Values.cpxProxy.netscalerUrl }}:{{- .Values.cpxProxy.mgmtHttpPort | toString }}" + - -citrix-adc-password + - "/var/deviceinfo/random_id" +{{- if .Values.ADMSettings.ADMIP }} + - -citrix-adm + - {{ .Values.ADMSettings.ADMIP }} +{{- end }} +{{- if .Values.ADMSettings.licenseServerIP }} + - -citrix-license-server + - {{ .Values.ADMSettings.licenseServerIP }} +{{- end }} +{{- if .Values.coe.coeURL }} + - -coe + - {{ .Values.coe.coeURL }} +{{- end }} + volumeMounts: + - mountPath: /var/deviceinfo + name: cpx-pwd +{{- $jwtpolicy := include "jwtValue" . 
}} +{{- if eq $jwtpolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token +{{- end }} + - mountPath: /etc/nslogin + name: nslogin + readOnly: true + - name: certs + mountPath: /etc/certs + - name: istiod-ca-cert + mountPath: /etc/rootcert/ + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 32024 + runAsUser: 32024 # UID of xds-adaptor container's user + runAsNonRoot: true + - name: cpx-proxy + image: {{ .Values.cpxProxy.image }} + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + env: + - name: "EULA" + value: "{{ .Values.cpxProxy.EULA }}" + - name: "CPX_SIDECAR_MODE" + value: {{ .Values.cpxProxy.cpxSidecarMode | quote }} + - name: "CPX_DISABLE_PROBE" + value: "{{ .Values.cpxProxy.cpxDisableProbe }}" + - name: "MGMT_HTTP_PORT" + value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} + - name: "MGMT_HTTPS_PORT" + value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} + - name: "KUBERNETES_TASK_ID" + value: "" + - name: "NS_CPX_LITE" + value: 1 +{{- if or .Values.coe.coeURL .Values.ADMSettings.ADMIP }} + - name: "NS_ENABLE_NEWNSLOG" + value: 1 +{{- end }} + - name: "LS_IP" + value: {{ .Values.ADMSettings.licenseServerIP | default "" }} + - name: "LS_PORT" + value: {{ .Values.ADMSettings.licenseServerPort}} +{{- if .Values.ADMSettings.ADMIP }} + - name: "NS_MGMT_SERVER" + value: {{ .Values.ADMSettings.ADMIP }} + - name: "NS_HTTP_PORT" + value: {{ .Values.cpxProxy.mgmtHttpPort | quote }} + - name: "NS_HTTPS_PORT" + value: {{ .Values.cpxProxy.mgmtHttpsPort | quote }} +{{- end }} + - name: "LOGSTREAM_COLLECTOR_IP" + value: {{ .Values.ADMSettings.ADMIP | default "" }} +{{- if and ( .Values.ADMSettings.licenseServerIP ) (eq .Values.ADMSettings.bandWidthLicense true) }} + - name: "BANDWIDTH" #bandwidth is required for provision bandwidth based licensing to Citrix ADC CPX from ADM + value: {{ required "Mention bandwidth for bandwidth based licensing" .Values.ADMSettings.bandWidth | quote }} +{{- end }} +{{- if or 
(.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} + - name: NS_MGMT_USER + valueFrom: + secretKeyRef: + name: admlogin + key: username + - name: NS_MGMT_PASS + valueFrom: + secretKeyRef: + name: admlogin + key: password +{{- end }} + volumeMounts: + - mountPath: /cpx/conf/ + name: cpx-conf + - mountPath: /var/deviceinfo + name: cpx-pwd + - mountPath: /cpx/crash/ + name: cpx-crash + volumes: + - name: cpx-conf + emptyDir: {} + - name: cpx-pwd + emptyDir: {} + - name: cpx-crash + emptyDir: {} + - name: nslogin + secret: + optional: true + secretName: nslogin + - name: certs + emptyDir: {} +{{- $jwtpolicy := include "jwtValue" . }} +{{- if eq $jwtpolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token +{{- end }} + - name: istiod-ca-cert + configMap: + defaultMode: 0777 + name: istio-ca-root-cert + values: |- + { + "global": { + "jwtPolicy": "third-party-jwt", + } + } +--- diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml new file mode 100644 index 000000000..baa898a5d --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-deployment-service.yaml 
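Review bot: `NS_CPX_LITE` and (under the ADM/COE condition) `NS_ENABLE_NEWNSLOG` are given `value: 1`, and `CERT_TTL_IN_HOURS` and `LS_PORT` render unquoted numbers, whereas a Kubernetes `EnvVar.value` must be a string; the injector is likely to fail to build the pod spec from this template, so these should follow the neighbouring entries and use `value: "1"` / `| quote`. The `istiod-ca-cert` volume mounts a public root certificate with `defaultMode: 0777`; a CA bundle needs neither write nor execute bits, and `defaultMode: 0444` is sufficient. `NS_USER`/`NS_PASSWORD` are hardcoded to `nsroot` in every injected xds-adaptor container even though an optional `nslogin` secret is mounted at `/etc/nslogin`; a comment stating which source wins (or dropping the literal env vars when the secret is present) would avoid shipping default credentials in each injected pod without saying so. The `values` block ends with a trailing comma after `"jwtPolicy": "third-party-jwt",`, which strict JSON parsers reject — worth confirming how the injector parses that file.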
@@ -0,0 +1,108 @@ +apiVersion: v1 +kind: Service +metadata: + name: cpx-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + istio: sidecar-injector + app: cpx-sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cpx-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + app: sidecarInjectorWebhook + istio: sidecar-injector + app: cpx-sidecar-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: cpx-sidecar-injector + istio: sidecar-injector + template: + metadata: + labels: + istio: sidecar-injector + app: cpx-sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: cpx-sidecar-injector-service-account + initContainers: + - name: sidecar-certs-generator + image: {{ .Values.sidecarCertsGenerator.image }} + imagePullPolicy: {{ .Values.sidecarCertsGenerator.imagePullPolicy }} + volumeMounts: + - name: certs + mountPath: /tmp + containers: + - name: sidecar-injector-webhook + image: {{ .Values.sidecarWebHook.webhookImage }} + imagePullPolicy: {{ .Values.sidecarWebHook.imagePullPolicy }} + args: + - --caCertFile=/etc/istio/certs/cert.pem + - --tlsCertFile=/etc/istio/certs/cert.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=10s + - --webhookConfigName=cpx-sidecar-injector + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - cat + - /health + failureThreshold: 5 + initialDelaySeconds: 4 + periodSeconds: 10 + readinessProbe: 
+ exec: + command: + - cat + - /health + failureThreshold: 5 + initialDelaySeconds: 4 + periodSeconds: 10 + initialDelaySeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + emptyDir: {} + - name: inject-config + configMap: + name: cpx-istio-sidecar-injector + items: + - key: config + path: config + - key: values + path: values +--- diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml new file mode 100644 index 000000000..8d7e8f708 --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-istioConfigMap.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: {{ .Release.Namespace }} + labels: + app: cpx-sidecar-injector + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + istio: sidecar-injector +data: + mesh: |- + # Needed for injection of securityContext in PodSpec during auto-sidecar injection + sdsUdsPath: unix:/etc/istio/proxy/SDS + +--- diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml new file mode 100644 index 000000000..161998c6c --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-injector-serviceaccount.yaml 
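Review bot: The Deployment's `metadata.labels` declares `app:` twice (`app: sidecarInjectorWebhook`, then `app: cpx-sidecar-injector`) and the `readinessProbe` declares `initialDelaySeconds: 4` twice; YAML parsers keep the last value silently, so the first `app` label never exists and the repeated probe key is dead text — drop `app: sidecarInjectorWebhook` and the second `initialDelaySeconds`. The webhook container has no `securityContext`, unlike the xds-adaptor container this same commit injects (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`); since every volume it mounts is already `readOnly: true`, the same settings should apply here unless the image requires otherwise. `--caCertFile` and `--tlsCertFile` both point at `/etc/istio/certs/cert.pem`, which only makes sense if the serving certificate is meant to double as the CA bundle published to the webhook; a comment on that line would make the intent explicit. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is no longer honoured from Kubernetes 1.16, which is this chart's minimum (`kubeVersion: '>=v1.16.0-0'`); `priorityClassName` is its replacement.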
@@ -0,0 +1,48 @@ +# Serviceaccount +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cpx-sidecar-injector-service-account + namespace: {{ .Release.Namespace }} + labels: + app: cpx-sidecar-injector + +--- +# ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cpx-sidecar-injector-istio-system + labels: + app: cpx-sidecar-injector +rules: +- apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] +- apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests", "certificatesigningrequests/approval"] + verbs: ["get", "list", "create", "watch", "delete", "update"] +- apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["kubernetes.io/legacy-unknown", "kubernetes.io/kubelet-serving"] + verbs: ["get", "list", "create", "watch", "delete", "update", "approve"] +--- +# ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cpx-sidecar-injector-admin-role-binding-istio-system + labels: + app: cpx-sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cpx-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: cpx-sidecar-injector-service-account + namespace: {{ .Release.Namespace }} +--- diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml new file mode 100644 index 000000000..83234a10d --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/cpx-sidecar-networkpolicy.yaml 
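Review bot: The ClusterRole grants `approve` on the `kubernetes.io/kubelet-serving` signer (alongside `update` on `certificatesigningrequests/approval`) to the injector's service account; approving kubelet-serving CSRs is a cluster-wide privilege far broader than a webhook that only needs its own serving certificate, and a compromise of this pod would inherit it. If the cert-generator init container obtains its certificate through `kubernetes.io/legacy-unknown`, as the `resourceNames` list suggests, the `kubelet-serving` entry can be dropped, and `create`/`delete`/`update` on `signers` are unnecessary since signers are only ever approved or signed. The first rule uses `apiGroups: ["*"]` for `configmaps`; configmaps exist only in the core group, so `apiGroups: [""]` expresses the same intent without a wildcard. A namespace-scoped `Role`/`RoleBinding` for the configmap read would also keep that access out of cluster scope.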
@@ -0,0 +1,15 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app: cpx-sidecar-injector + name: cpx-sidecar-injector + namespace: {{ .Release.Namespace }} +spec: + ingress: + - {} + podSelector: + matchLabels: + app: cpx-sidecar-injector + policyTypes: + - Ingress diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..879671096 --- /dev/null +++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/templates/mutatingwebhook.yaml @@ -0,0 +1,37 @@ +# Mutating wehbook is used to perform sidecar injection. +# It calls sidecar-injector-service when the label is matched. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: cpx-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + app: cpx-sidecar-injector + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} +webhooks: + - name: sidecar-injector.istio.io + admissionReviewVersions: + - v1 + clientConfig: + service: + name: cpx-sidecar-injector + namespace: {{ .Release.Namespace }} + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + scope: "*" + sideEffects: None + failurePolicy: Fail + namespaceSelector: + matchLabels: +{{- if .Values.webhook.injectionLabelName }} + {{ .Values.webhook.injectionLabelName }}: enabled +{{- else }} + cpx-injection: enabled +{{- end }} +--- diff --git a/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml new file mode 100644 index 000000000..0a982a58e --- /dev/null 
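Review bot: `ingress: - {}` with `policyTypes: [Ingress]` admits traffic from every source on every port, so this policy only re-opens the injector under a default-deny and restricts nothing; the API server is the sole legitimate client and the Service exposes only 443, so at minimum `ingress: - ports: - port: 443` with `protocol: TCP` should be set. Restricting `from:` is harder because the API server is not a pod, so a comment above `ingress:` explaining that limitation would help the next reader.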
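Review bot: `metadata.namespace: {{ .Release.Namespace }}` is set on a `MutatingWebhookConfiguration`, which is cluster-scoped; the API server discards the field, so it is misleading and should be removed. `caBundle: ""` is left empty, which I take to be populated at runtime by the webhook through `--webhookConfigName=cpx-sidecar-injector` and the `patch` verb in the ClusterRole; a comment on that line saying so would stop a reader from treating `failurePolicy: Fail` as a guaranteed block on pod creation until the patch lands. No `timeoutSeconds` is given, so the 10s default applies to every pod create in a labelled namespace; writing it explicitly documents that budget.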
+++ b/charts/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector/1.11.1/values.yaml @@ -0,0 +1,60 @@ +# Default values for cpx-istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +xDSAdaptor: + image: quay.io/citrix/citrix-xds-adaptor:0.9.9 + imagePullPolicy: IfNotPresent + proxyType: sidecar + secureConnect: true + logLevel: DEBUG + jsonLog: false + +coe: + coeURL: + coeTracing: false + +istioPilot: + name: istiod + namespace: istio-system + secureGrpcPort: 15012 + insecureGrpcPort: 15010 + SAN: #"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account" + +certProvider: + caAddr: istiod.istio-system.svc + caPort: 15012 + trustDomain: cluster.local + certTTLinHours: 720 + clusterId: Kubernetes + jwtPolicy: #specify third-party-jwt if Kubernetes cluster supports third-party tokens + +cpxProxy: + netscalerUrl: "http://127.0.0.1" + image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-83.27 + imagePullPolicy: IfNotPresent + EULA: NO + cpxSidecarMode: YES + mgmtHttpPort: 10080 + mgmtHttpsPort: 10443 + cpxDisableProbe: "YES" + #licenseServerIP: this value is taken from ADMSettings.ADMIP + +sidecarWebHook: + webhookImage: quay.io/citrix/cpx-istio-sidecar-injector:1.1.0 + imagePullPolicy: IfNotPresent + +sidecarCertsGenerator: + image: quay.io/citrix/cpx-sidecar-injector-certgen:1.1.0 + imagePullPolicy: IfNotPresent + +ADMSettings: + ADMIP: + licenseServerIP: + licenseServerPort: 27000 + bandWidthLicense: false + bandWidth: + +webhook: + injectionLabelName: cpx-injection + diff --git a/index.yaml b/index.yaml index 4b75fd7e2..381caf75a 100755 --- a/index.yaml +++ b/index.yaml 
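Review bot: `EULA: NO` and `cpxSidecarMode: YES` are unquoted, so Helm's YAML 1.1 loader reads them as the booleans `false` and `true`; the configmap then renders `value: "false"` for `EULA` and `value: "true"` for `CPX_SIDECAR_MODE`, not the `NO`/`YES` strings the rest of this chart treats as the valid values (`questions.yml` offers exactly `"YES"`/`"NO"`). Quote them as `EULA: "NO"` and `cpxSidecarMode: "YES"`, matching the already-quoted `cpxDisableProbe: "YES"` two lines below. `coeURL:`, `SAN:`, `jwtPolicy:`, `ADMIP:`, `licenseServerIP:` and `bandWidth:` are bare keys that load as `null`; the templates' `if` guards rely on that, but `istioPilot.SAN` is passed unconditionally as `- {{ .Values.istioPilot.SAN }}`, which renders an empty list item after `-ads-server-SAN`, so either guard it or write `SAN: ""`. The `cpxProxy.image` tag here (`13.0-83.27`) differs from the one in `questions.yml` (`13.0-79.64`); one of them is stale.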
@@ -366,6 +366,32 @@ entries: - assets/citrix-adc-istio-ingress-gateway/citrix-adc-istio-ingress-gateway-1.2.100.tgz version: 1.2.100 citrix-cpx-istio-sidecar-injector: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector + catalog.cattle.io/release-name: citrix-cpx-istio-sidecar-injector + apiVersion: v2 + appVersion: 1.11.0 + created: "2021-11-22T18:14:45.857822-05:00" + description: A Helm chart to deploy resources which install Citrix ADC CPX in + Istio Service Mesh as sidecar in application pod + digest: bf1aee48044ff55d859db570c7402a2ce64f6cc948623a2aacf413a2df55a26f + home: https://www.citrix.com + icon: https://raw.githubusercontent.com/citrix/citrix-xds-adaptor/master/docs/media/Citrix_Logo_Trademark.png + kubeVersion: '>=v1.16.0-0' + maintainers: + - email: dhiraj.gedam@citrix.com + name: dheerajng + - email: subash.dangol@citrix.com + name: subashd + - email: ajeeta.shakeet@citrix.com + name: ajeetas + name: citrix-cpx-istio-sidecar-injector + sources: + - https://github.com/citrix/citrix-xds-adaptor + urls: + - assets/citrix-cpx-istio-sidecar-injector/citrix-cpx-istio-sidecar-injector-1.11.1.tgz + version: 1.11.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Citrix Cpx Istio Sidecar Injector