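# Top level istio values file has the following sections.
#
# global: This file is the authoritative and exhaustive source for the global section.
#
# chart sections: Every subdirectory inside the charts/ directory has a top level
# configuration key in this file. This file overrides the values specified
# by the charts/${chartname}/values.yaml.
# Check the chart level values file for an exhaustive list of configuration options.
#
# Gateways Configuration, refer to the charts/gateways/values.yaml
# for detailed configuration
#
gateways:
  enabled: true
#
# sidecar-injector webhook configuration, refer to the
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
  enabled: true
#
# galley configuration, refer to charts/galley/values.yaml
# for detailed configuration
#
galley:
  enabled: true
#
# mixer configuration
#
# @see charts/mixer/values.yaml for all values
mixer:
  policy:
    # if policy is enabled the global.disablePolicyChecks has effect.
    enabled: true
  telemetry:
    enabled: true
#
# pilot configuration
#
# @see charts/pilot/values.yaml
pilot:
  enabled: true
#
# security configuration
#
security:
  enabled: true
#
# nodeagent configuration
#
nodeagent:
  enabled: false
#
# addon grafana configuration
#
grafana:
  enabled: false
#
# addon prometheus configuration
#
prometheus:
  enabled: true
#
# addon jaeger tracing configuration
#
tracing:
  enabled: false
#
# addon kiali configuration
#
kiali:
  enabled: false
#
# addon certmanager configuration
#
certmanager:
  enabled: false
#
# Istio CNI plugin enabled
# This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
# If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
# settings for the istio-proxy.
#
istio_cni:
  enabled: false
#
# addon Istio CoreDNS configuration
#
istiocoredns:
  enabled: false
# Common settings used among istio subcharts.
global:
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  # NOTE: hub/tag below are development defaults. For a production install,
  # override them with a released version (ideally an immutable digest) so
  # the deployed control plane is reproducible and verifiable.
  hub: gcr.io/istio-testing
  # Default tag for Istio images.
  tag: latest
  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"
  # monitoring port used by mixer, pilot, galley and sidecar injector
  monitoringPort: 15014
  k8sIngress:
    enabled: false
    # Gateway used for k8s Ingress resources. By default it is
    # using 'istio:ingressgateway' that will be installed by setting
    # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
    # flags to true.
    gatewayName: ingressgateway
    # enableHttps will add port 443 on the ingress.
    # It REQUIRES that the certificates are installed in the
    # expected secrets - enabling this option without certificates
    # will result in LDS rejection and the ingress will not work.
    enableHttps: false
  proxy:
    # Configuration for the proxy init container
    init:
      resources:
        limits:
          cpu: 100m
          memory: 50Mi
        requests:
          cpu: 10m
          memory: 10Mi
    # use fully qualified image names for alternate path to proxy.
    image: proxyv2
    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"
    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
    # Controls number of Proxy worker threads.
    # If set to 0, then start worker thread for each CPU thread/core.
    concurrency: 2
    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    accessLogFile: ""
    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""
    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT
    # Configure envoy gRPC access log service.
    envoyAccessLogService:
      enabled: false
      host: # example: accesslog-service.istio-system
      port: # example: 15000
      # With mode DISABLE the access log stream leaves the pod unencrypted;
      # use SIMPLE/MUTUAL/ISTIO_MUTUAL when the collector is outside the mesh.
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/als/cert-chain.pem
        privateKey: # example: /etc/istio/als/key.pem
        caCertificates: # example: /etc/istio/als/root-cert.pem
        sni: # example: als.somedomain
        subjectAltNames: []
        # - als.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s
    # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: ""
    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
    componentLogLevel: ""
    # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
    # This must be given in terms of seconds. For example, 300s is valid but 5m is invalid.
    dnsRefreshRate: 300s
    # Specifies the path to the outlier event log.
    outlierLogPath: # example: /dev/stdout
    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms
    # If set to true, istio-proxy container will have privileged securityContext
    # Keep this false unless a feature explicitly requires it: a privileged
    # sidecar widens the blast radius of a proxy compromise to the whole node.
    privileged: false
    # If set, newly injected sidecars will have core dumps enabled.
    # Core dumps capture process memory, which for the proxy may include TLS
    # key material; enable only while debugging.
    enableCoreDump: false
    # Image used to enable core dumps. This is only used, when "enableCoreDump" is set to true.
    enableCoreDumpImage: ubuntu:xenial
    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020
    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1
    # The period between readiness probes.
    readinessPeriodSeconds: 2
    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30
    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    includeIPRanges: "*"
    excludeIPRanges: ""
    excludeOutboundPorts: ""
    # pod internal interfaces
    kubevirtInterfaces: ""
    # istio ingress capture whitelist
    # examples:
    #     Redirect no inbound traffic to Envoy:    --includeInboundPorts=""
    #     Redirect all inbound traffic to Envoy:   --includeInboundPorts="*"
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""
    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled
    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125
    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    envoyMetricsService:
      enabled: false
      host: # example: metrics-service.istio-system
      port: # example: 15000
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/ms/cert-chain.pem
        privateKey: # example: /etc/istio/ms/key.pem
        caCertificates: # example: /etc/istio/ms/root-cert.pem
        sni: # example: ms.somedomain
        subjectAltNames: []
        # - ms.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s
    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"
  proxy_init:
    # Base name for the istio-init container, used to configure iptables.
    image: proxyv2
  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  # With a mutable tag such as "latest", IfNotPresent keeps whatever image a
  # node already has cached, so nodes may silently run different builds.
  imagePullPolicy: IfNotPresent
  # controlPlaneSecurityEnabled turns on mTLS for connections to the control plane
  # components. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: false
  # disablePolicyChecks disables mixer policy checks.
  # if mixer.policy.enabled==true then disablePolicyChecks has effect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true
  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  policyCheckFailOpen: false
  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true
  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool. Do not commit a real
    #   token to this file; supply it through a values override or secret.
    # secure: specifies whether data should be sent with TLS
    # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
    #   required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
    #   namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
      secure: true               # example: true|false
      cacertPath: ""             # example: /etc/lightstep/cacert.pem
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    stackdriver:
      # enables trace output to stdout.
      debug: false
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
      # The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
      # The global default max number of message events per span.
      maxNumberOfMessageEvents: 200
  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations. When false, service-to-service
    # traffic is plaintext unless enabled explicitly by one of those means.
    enabled: false
    # If set to true, and a given service does not have a corresponding DestinationRule configured,
    # or its DestinationRule does not have TLSSettings specified, Istio configures client side
    # TLS configuration automatically, based on the server side mTLS authentication policy and the
    # availability of sidecars.
    auto: true
  # Lists the secrets you need to use to pull Istio images from a private registry.
  imagePullSecrets: []
  #  - private-registry-key
  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2
  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false
  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run on particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}
  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []
  # Whether to perform server-side validation of configuration.
  configValidation: true
  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  # - global
  # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plaintext pilot ports
    # will be exposed on an internal gateway
    useILB: false
  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""
  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1
  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""
  # Use the Mesh Control Protocol (MCP) for configuring Mixer and
  # Pilot. Requires galley (`--set galley.enabled=true`).
  useMCP: true
  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #   kubernetes: cluster.local
  #   else:  default dns domain
  trustDomain: ""
  # The trust domain aliases represent the aliases of trust_domain.
  # For example, if we have
  # trustDomain: td1
  # trustDomainAliases: ["td2", "td3"]
  # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
  # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
  trustDomainAliases: []
  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""
  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
  outboundTrafficPolicy:
    mode: ALLOW_ANY
  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config
  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  # defaultConfigVisibilitySettings:
  # - '*'
  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: false
    udsPath: ""
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca
  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still needs to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}
  # Network defines the network this cluster belongs to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""
  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Either failover or distribute configuration can be set, but not both. If neither are provided
  # failover mode will be used.
  #
  # localityLbSetting:
  #   enabled: true
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   enabled: true
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east
  localityLbSetting:
    enabled: true
  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false
  # Configures DNS certificates provisioned through Chiron linked into Pilot.
  # The DNS names in this file are all hard-coded; please ensure the namespaces
  # in dnsNames are consistent with those of your services.
  # Example:
  # certificates:
  #   - secretName: dns.istio-galley-service-account
  #     dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
  #   - secretName: dns.istio-sidecar-injector-service-account
  #     dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
  certificates: []
  # Configure whether Operator manages webhook configurations. The current behavior
  # of Galley and Sidecar Injector is that they manage their own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false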