invalid trailing UTF-8 octet #396

Closed
infa-ddeore opened this issue Mar 24, 2020 · 5 comments

Describe the bug
Error after appending result to another yaml

$ yq r data1.yaml global -ppv | yq v -
16:45:15 main [ERRO] yaml: invalid trailing UTF-8 octet

Input Yaml
Giving full file as the issue is reproducible with it
data1.yml:

#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specifc gateway by setting the `enabled` to false.
#
enabled: true

istio-ingressgateway:
  enabled: true
  #
  # Secret Discovery Service (SDS) configuration for ingress gateway.
  #
  sds:
    # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
    enabled: false
    # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
    # This server runs in the same pod as ingress gateway.
    image: node-agent-k8s
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi

  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  # specify replicaCount when autoscaleEnabled: false
  # replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 2000m
      memory: 1024Mi
  cpu:
    targetAverageUtilization: 80
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalIPs: []
  serviceAnnotations: {}
  podAnnotations: {}
  type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
  #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
  ports:
    ## You can add custom gateway ports
    # Note that AWS ELB will by default perform health checks on the first port
    # on this list. Setting this to the health check port will ensure that health
    # checks always work. https://github.com/istio/istio/issues/12503
  - port: 15020
    targetPort: 15020
    name: status-port
  - port: 80
    targetPort: 80
    name: http2
    nodePort: 31380
  - port: 443
    name: https
    nodePort: 31390
  # Example of a port to add. Remove if not needed
  - port: 31400
    name: tcp
    nodePort: 31400
  ### PORTS FOR UI/metrics #####
  ## Disable if not needed
  - port: 15029
    targetPort: 15029
    name: https-kiali
  - port: 15030
    targetPort: 15030
    name: https-prometheus
  - port: 15031
    targetPort: 15031
    name: https-grafana
  - port: 15032
    targetPort: 15032
    name: https-tracing
    # This is the port where sni routing happens
  - port: 15443
    targetPort: 15443
    name: tls
  #### MESH EXPANSION PORTS  ########
  # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
  # to pilot/citadel if global.meshExpansion settings are enabled.
  # Delete these ports if mesh expansion is not enabled, to avoid
  # exposing unnecessary ports on the web.
  # You can remove these ports if you are not using mesh expansion
  meshExpansionPorts:
  - port: 15011
    targetPort: 15011
    name: tcp-pilot-grpc-tls
  - port: 15004
    targetPort: 15004
    name: tcp-mixer-grpc-tls
  - port: 8060
    targetPort: 8060
    name: tcp-citadel-grpc-tls
  - port: 853
    targetPort: 853
    name: tcp-dns-tls
  ####### end MESH EXPANSION PORTS ######
  ##############
  secretVolumes:
  - name: ingressgateway-certs
    secretName: istio-ingressgateway-certs
    mountPath: /etc/istio/ingressgateway-certs
  - name: ingressgateway-ca-certs
    secretName: istio-ingressgateway-ca-certs
    mountPath: /etc/istio/ingressgateway-ca-certs
  ### Advanced options ############

  # Ports to explicitly check for readiness. If configured, the readiness check will expect a
  # listener on these ports. A comma separated list is expected, such as "80,443".
  #
  # Warning: If you do not have a gateway configured for the ports provided, this check will always
  # fail. This is intended for use cases where you always expect to have a listener on the port,
  # such as 80 or 443 in typical setups.
  applicationPorts: ""

  env:
    # A gateway with this mode ensures that pilot generates an additional
    # set of clusters for internal services but without Istio mTLS, to
    # enable cross cluster routing.
    ISTIO_META_ROUTER_MODE: "sni-dnat"
  nodeSelector: {}
  tolerations: []

  # Specify the pod anti-affinity that allows you to constrain which nodes
  # your pod is eligible to be scheduled based on labels on pods that are
  # already running on the node rather than based on labels on nodes.
  # There are currently two types of anti-affinity:
  #    "requiredDuringSchedulingIgnoredDuringExecution"
  #    "preferredDuringSchedulingIgnoredDuringExecution"
  # which denote "hard" vs. "soft" requirements, you can define your values
  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
  # correspondingly.
  # For example:
  # podAntiAffinityLabelSelector:
  # - key: security
  #   operator: In
  #   values: S1,S2
  #   topologyKey: "kubernetes.io/hostname"
  # This pod anti-affinity rule says that the pod requires not to be scheduled
  # onto a node if that node is already running a pod with label having key
  # "security" and value "S1".
  podAntiAffinityLabelSelector: []
  podAntiAffinityTermLabelSelector: []

istio-egressgateway:
  enabled: false
  labels:
    app: istio-egressgateway
    istio: egressgateway
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  # specify replicaCount when autoscaleEnabled: false
  # replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 2000m
      memory: 1024Mi
  cpu:
    targetAverageUtilization: 80
  serviceAnnotations: {}
  podAnnotations: {}
  type: ClusterIP #change to NodePort or LoadBalancer if need be
  ports:
  - port: 80
    name: http2
  - port: 443
    name: https
    # This is the port where sni routing happens
  - port: 15443
    targetPort: 15443
    name: tls
  secretVolumes:
  - name: egressgateway-certs
    secretName: istio-egressgateway-certs
    mountPath: /etc/istio/egressgateway-certs
  - name: egressgateway-ca-certs
    secretName: istio-egressgateway-ca-certs
    mountPath: /etc/istio/egressgateway-ca-certs
  #### Advanced options ########
  env:
    # Set this to "external" if and only if you want the egress gateway to
    # act as a transparent SNI gateway that routes mTLS/TLS traffic to
    # external services defined using service entries, where the service
    # entry has resolution set to DNS, has one or more endpoints with
    # network field set to "external". By default its set to "" so that
    # the egress gateway sees the same set of endpoints as the sidecars
    # preserving backward compatibility
    # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
    # A gateway with this mode ensures that pilot generates an additional
    # set of clusters for internal services but without Istio mTLS, to
    # enable cross cluster routing.
    ISTIO_META_ROUTER_MODE: "sni-dnat"
  nodeSelector: {}
  tolerations: []
  
  # Specify the pod anti-affinity that allows you to constrain which nodes
  # your pod is eligible to be scheduled based on labels on pods that are
  # already running on the node rather than based on labels on nodes.
  # There are currently two types of anti-affinity:
  #    "requiredDuringSchedulingIgnoredDuringExecution"
  #    "preferredDuringSchedulingIgnoredDuringExecution"
  # which denote "hard" vs. "soft" requirements, you can define your values
  # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
  # correspondingly.
  # For example:
  # podAntiAffinityLabelSelector:
  # - key: security
  #   operator: In
  #   values: S1,S2
  #   topologyKey: "kubernetes.io/hostname"
  # This pod anti-affinity rule says that the pod requires not to be scheduled
  # onto a node if that node is already running a pod with label having key
  # "security" and value "S1".
  podAntiAffinityLabelSelector: []
  podAntiAffinityTermLabelSelector: []

# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
# as non-mtls ports to support upgrades and gradual transition.
istio-ilbgateway:
  enabled: false
  labels:
    app: istio-ilbgateway
    istio: ilbgateway
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  # specify replicaCount when autoscaleEnabled: false
  # replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  cpu:
    targetAverageUtilization: 80
  resources:
    requests:
      cpu: 800m
      memory: 512Mi
    #limits:
    #  cpu: 1800m
    #  memory: 256Mi
  loadBalancerIP: ""
  serviceAnnotations:
    cloud.google.com/load-balancer-type: "internal"
  podAnnotations: {}
  type: LoadBalancer
  ports:
  ## You can add custom gateway ports - google ILB default quota is 5 ports,
  - port: 15011
    name: grpc-pilot-mtls
  # Insecure port - only for migration from 0.8. Will be removed in 1.1
  - port: 15010
    name: grpc-pilot
  - port: 8060
    targetPort: 8060
    name: tcp-citadel-grpc-tls
  # Port 5353 is forwarded to kube-dns
  - port: 5353
    name: tcp-dns
  secretVolumes:
  - name: ilbgateway-certs
    secretName: istio-ilbgateway-certs
    mountPath: /etc/istio/ilbgateway-certs
  - name: ilbgateway-ca-certs
    secretName: istio-ilbgateway-ca-certs
    mountPath: /etc/istio/ilbgateway-ca-certs
  nodeSelector: {}
  tolerations: []

# Common settings used among istio subcharts.
global:
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  hub: docker.io/istio

  # Default tag for Istio images.
  tag: 1.4.5

  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"

  # monitoring port used by mixer, pilot, galley and sidecar injector
  monitoringPort: 15014

  k8sIngress:
    enabled: false
    # Gateway used for k8s Ingress resources. By default it is
    # using 'istio:ingressgateway' that will be installed by setting
    # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
    # flags to true.
    gatewayName: ingressgateway
    # enableHttps will add port 443 on the ingress.
    # It REQUIRES that the certificates are installed  in the
    # expected secrets - enabling this option without certificates
    # will result in LDS rejection and the ingress will not work.
    enableHttps: false

  proxy:
    # Configuration for the proxy init container
    init:
      resources:
        limits:
          cpu: 100m
          memory: 50Mi
        requests:
          cpu: 10m
          memory: 10Mi
    # use fully qualified image names for alternate path to proxy.
    image: proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi

    # Controls number of Proxy worker threads.
    # If set to 0, then start worker thread for each CPU thread/core.
    concurrency: 2

    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # Configure envoy gRPC access log service.
    envoyAccessLogService:
      enabled: false
      host: # example: accesslog-service.istio-system
      port: # example: 15000
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/als/cert-chain.pem
        privateKey:        # example: /etc/istio/als/key.pem
        caCertificates:    # example: /etc/istio/als/root-cert.pem
        sni:               # example: als.somedomain
        subjectAltNames: []
        # - als.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Log level for proxy, applies to gateways and sidecars.  If left empty, "warning" is used.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: ""

    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
    componentLogLevel: ""

    # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
    # This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.
    dnsRefreshRate: 300s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    #If set to true, istio-proxy container will have privileged securityContext
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false

    # Image used to enable core dumps. This is only used, when "enableCoreDump" is set to true.
    enableCoreDumpImage: ubuntu:xenial

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    includeIPRanges: "*"
    excludeIPRanges: ""
    excludeOutboundPorts: ""

    # pod internal interfaces
    kubevirtInterfaces: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect no inbound traffic to Envoy:    --includeInboundPorts=""
    #     Redirect all inbound traffic to Envoy:   --includeInboundPorts="*"
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    envoyMetricsService:
      enabled: false
      host: # example: metrics-service.istio-system
      port: # example: 15000
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/ms/cert-chain.pem
        privateKey:        # example: /etc/istio/ms/key.pem
        caCertificates:    # example: /etc/istio/ms/root-cert.pem
        sni:               # example: ms.somedomain
        subjectAltNames: []
        # - ms.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"

  proxy_init:
    # Base name for the istio-init container, used to configure iptables.
    image: proxyv2

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  imagePullPolicy: IfNotPresent

  # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: false

  # disablePolicyChecks disables mixer policy checks.
  # if mixer.policy.enabled==true then disablePolicyChecks has affect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    # secure: specifies whether data should be sent with TLS
    # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
    #   required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
    #   namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
      secure: true               # example: true|false
      cacertPath: ""             # example: /etc/lightstep/cacert.pem
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    stackdriver:
      # enables trace output to stdout.
      debug: false
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
      # The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
      # The global default max number of message events per span.
      maxNumberOfMessageEvents: 200

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: false
    # If set to true, and a given service does not have a corresponding DestinationRule configured,
    # or its DestinationRule does not have TLSSettings specified, Istio configures client side
    # TLS configuration automatically, based on the server side mTLS authentication policy and the
    # availibity of sidecars.
    auto: false

  # Lists the secrets you need to use to pull Istio images from a private registry.
  imagePullSecrets: []
    # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run a particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to a particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []

  # Whether to perform server-side validation of configuration.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  # - global
  # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plaintext pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false

    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

  # A minimal set of requested resources to applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  # enable pod distruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and
  # Pilot. Requires galley (`--set galley.enabled=true`).
  useMCP: true

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #   kubernetes: cluster.local
  #   else:  default dns domain
  trustDomain: ""

  #  The trust domain aliases represent the aliases of trust_domain.
  #  For example, if we have
  #  trustDomain: td1
  #  trustDomainAliases: [“td2”, "td3"]
  #  Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
  #  or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
  trustDomainAliases: []

  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1.  This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0.  If this behavior is desired, set the value below to REGISTRY_ONLY.
  outboundTrafficPolicy:
    mode: ALLOW_ANY

  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config

  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  # defaultConfigVisibilitySettings:
  #- '*'

  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: false
    udsPath: ""
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still need to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}

  # Network defines the network this cluster belong to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Either failover or distribute configuration can be set, but not both. If neither are provided
  # failover mode will be used.
  #
  # localityLbSetting:
  #   enabled: true
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   enabled: true
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east
  localityLbSetting:
    enabled: true

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false

  # Configures DNS certificates provisioned through Chiron linked into Pilot.
  # The DNS names in this file are all hard-coded; please ensure the namespaces
  # in dnsNames are consistent with those of your services.
  # Example:
  # certificates:
  #   - secretName: dns.istio-galley-service-account
  #     dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
  #   - secretName: dns.istio-sidecar-injector-service-account
  #     dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
  certificates: []

  # Configure whether Operator manages webhook configurations. The current behavior
  # of Galley and Sidecar Injector is that they manage their own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false

Command
The command you ran:

 yq r data1.yaml global -ppv | yq v -

Actual behavior
Should not get the error, manually copying the output to other file instead of redirection doesn't have any issue

yq v /tmp/out.yaml -v
...
...
16:49:01 Visit [DEBU] yep, visiting
16:49:01 DebugVisitedNodes [DEBU] Visited Nodes:
16:49:01 mergePathStackToString [DEBU] got a path string: 
16:49:01 DebugVisitedNodes [DEBU]  - 
16:49:01 func1 [DEBU] all done

Expected behavior
There shouldn't be UTF error with io redirection to a file

@infa-ddeore
Author

infa-ddeore commented Mar 24, 2020

I narrowed down the problem: trustDomainAliases has a non-UTF character. yq still parses the file but gives an error in validate.

  #  trustDomainAliases: [“td2”, "td3"]

I worked around it by removing the non-UTF character with sed

yq r data1.yaml -ppv | sed -e 's/[\d128-\d255]//g' | yq v -

EDIT:
I noticed sed is removing most of the other stuff as well, so I got rid of it and used the iconv command to fix this in a better way:

yq r data1.yaml  -ppv | iconv -f utf-8 -t utf-8 -c | yq -
-f is the source format
-t the target format
-c skips any invalid sequence
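
An added example, not part of the comment above and not yq's code: `iconv -c` drops bytes without saying which ones, so this Go scanner reports the line and byte column of every invalid UTF-8 byte and every valid non-ASCII character for review before a file goes through such a pipeline. The names `Finding` and `ScanUTF8` and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// Finding describes one position worth reviewing (hypothetical type).
type Finding struct {
	Line, Col int    // 1-based line and byte column
	Kind      string // "invalid" (not UTF-8) or "non-ascii" (valid multi-byte rune)
	Bytes     []byte // raw bytes found at that position
}

// ScanUTF8 walks data and reports every invalid UTF-8 byte and every valid
// non-ASCII rune, so they can be inspected instead of silently dropped.
func ScanUTF8(data []byte) []Finding {
	var out []Finding
	line, col := 1, 1
	for i := 0; i < len(data); {
		r, size := utf8.DecodeRune(data[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			// DecodeRune returns width 1 only for a byte that is not valid UTF-8.
			out = append(out, Finding{line, col, "invalid", data[i : i+1]})
		case r >= utf8.RuneSelf:
			out = append(out, Finding{line, col, "non-ascii", data[i : i+size]})
		}
		if r == '\n' {
			line, col = line+1, 1
		} else {
			col += size
		}
		i += size
	}
	return out
}

func main() {
	// Constructed sample: curly quotes (valid UTF-8) on line 1 and a lone
	// 0xE0 byte (Latin-1 "à", invalid as UTF-8) on line 2.
	sample := []byte("# trustDomainAliases: [\u201ctd2\u201d, \"td3\"]\n# accent: \xe0\nfoo: bar\n")
	for _, f := range ScanUTF8(sample) {
		fmt.Printf("line %d col %d: %s % x\n", f.Line, f.Col, f.Kind, f.Bytes)
	}
}
```
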

@jpmorin

jpmorin commented Mar 27, 2020

I have the same problem with accented characters anywhere in the yaml document, even if only in comments.

exemple.yml

# french char w/ accent: à
foo: bar

This simple write command crashes because of the accented character. It runs fine without it.

yq w -i exemple.yml "a.b" "c"

Here is the full stacktrace

$ yq w -i exemple.yml "a.b" "c"
panic: runtime error: index out of range [26] with length 26 [recovered]
        panic: runtime error: index out of range [26] with length 26

goroutine 1 [running]:
gopkg.in/yaml%2ev3.handleErr(0xc0000f9920)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/yaml.go:276 +0x9c
panic(0x559908143bc0, 0xc000018a80)
        /usr/lib/go-1.13/src/runtime/panic.go:679 +0x1b6
gopkg.in/yaml%2ev3.write(0xc0000ba700, 0xc000018a60, 0x1a, 0x20, 0xc0000f7d48, 0x1)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:93 +0x20b
gopkg.in/yaml%2ev3.yaml_emitter_write_comment(0xc0000ba700, 0xc000018a60, 0x1a, 0x20, 0xc00001ed20)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:1978 +0xcd
gopkg.in/yaml%2ev3.yaml_emitter_process_head_comment(0xc0000ba700, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:1111 +0x86
gopkg.in/yaml%2ev3.yaml_emitter_emit_block_mapping_key(0xc0000ba700, 0xc0000e2330, 0x1, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:775 +0x92
gopkg.in/yaml%2ev3.yaml_emitter_state_machine(0xc0000ba700, 0xc0000e2330, 0x1)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:297 +0x344
gopkg.in/yaml%2ev3.yaml_emitter_emit(0xc0000ba700, 0xc0000ba940, 0xc00001ed18)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/emitterc.go:153 +0x149
gopkg.in/yaml%2ev3.(*encoder).emit(0xc0000ba700)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:81 +0x3b
gopkg.in/yaml%2ev3.(*encoder).emitScalar(0xc0000ba700, 0x5599082bd3c1, 0x1, 0x0, 0x0, 0x0, 0x0, 0xc000032f02, 0x5599082e7128, 0x0, ...)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:402 +0x30e
gopkg.in/yaml%2ev3.(*encoder).node(0xc0000ba700, 0xc00009fe00, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:544 +0x1321
gopkg.in/yaml%2ev3.(*encoder).node(0xc0000ba700, 0xc00009fc20, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:493 +0xae7
gopkg.in/yaml%2ev3.(*encoder).node(0xc0000ba700, 0xc00009fae0, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:448 +0x21f
gopkg.in/yaml%2ev3.(*encoder).nodev(0xc0000ba700, 0x559908132fe0, 0xc00009fae0, 0x16)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:406 +0x7b
gopkg.in/yaml%2ev3.(*encoder).marshalDoc(0xc0000ba700, 0x0, 0x0, 0x559908132fe0, 0xc00009fae0, 0x16)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/encode.go:101 +0x22a
gopkg.in/yaml%2ev3.(*Encoder).Encode(0xc0000100c8, 0x559908132fe0, 0xc00009fae0, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/vendor/gopkg.in/yaml.v3/yaml.go:251 +0x100
github.com/mikefarah/yq/v3/pkg/yqlib.(*yamlEncoder).Encode(0xc0000100d0, 0xc00009fae0, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/pkg/yqlib/encoder.go:28 +0x46
github.com/mikefarah/yq/v3/cmd.mapYamlDecoder.func1(0xc000032a40, 0xc000032a40, 0x600)
        /build/yq-1drM7d/yq-3.1/cmd/utils.go:249 +0x27b
github.com/mikefarah/yq/v3/cmd.readStream(0x7ffe54cdb8a7, 0xb, 0xc00000e5c0, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/cmd/utils.go:457 +0x255
github.com/mikefarah/yq/v3/cmd.readAndUpdate(0x5599081634e0, 0xc000010018, 0x7ffe54cdb8a7, 0xb, 0xc00008f3b0, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/cmd/utils.go:337 +0x25e
github.com/mikefarah/yq/v3/cmd.updateDoc(0x7ffe54cdb8a7, 0xb, 0xc00008f380, 0x1, 0x1, 0x5599081634e0, 0xc000010018, 0x1, 0x1)
        /build/yq-1drM7d/yq-3.1/cmd/utils.go:296 +0xd8
github.com/mikefarah/yq/v3/cmd.writeProperty(0xc0000af400, 0xc00006e500, 0x3, 0x4, 0x0, 0x0)
        /build/yq-1drM7d/yq-3.1/cmd/write.go:57 +0x126
github.com/spf13/cobra.(*Command).execute(0xc0000af400, 0xc00006e400, 0x4, 0x4, 0xc0000af400, 0xc00006e400)
        /build/yq-1drM7d/yq-3.1/vendor/github.com/spf13/cobra/command.go:826 +0x462
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000aea00, 0x2, 0xc00008f170, 0xc0000221d8)
        /build/yq-1drM7d/yq-3.1/vendor/github.com/spf13/cobra/command.go:914 +0x2fd
github.com/spf13/cobra.(*Command).Execute(...)
        /build/yq-1drM7d/yq-3.1/vendor/github.com/spf13/cobra/command.go:864
main.main()
        /build/yq-1drM7d/yq-3.1/_build/src/github.com/mikefarah/yq/yq.go:13 +0x62

@jpmorin

jpmorin commented Mar 27, 2020

@infa-ddeore: I used the unaccent tool to fix dozens of files at a time.

http://www.nongnu.org/unac/unaccent-man1.en.html

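#!/bin/bash
# List every file under the current directory that contains an accented character.
# The pattern is quoted so the shell cannot glob-expand the bracket expression.
file_paths=$(grep -lr -i '[àâéèêëîôùûç]' .)

# Rewrite each file through unaccent, one path per line (paths with spaces stay intact).
while IFS= read -r path; do
  [ -n "${path}" ] || continue
  buffer=$(mktemp -t "${path##*/}.XXXXXX")
  unaccent UTF-8 < "${path}" > "${buffer}"
  mv -f "${buffer}" "${path}"
done <<< "${file_paths}"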

However, one of our config files holds a PGP public key with an accented character in the key's comment. I can't alter the key's comment without altering its hash...

@mikefarah
Owner

Yeah this is a problem in the underlying yaml parser, there is an issue raised there: go-yaml/yaml#578 :(

@camilosantana

camilosantana commented Jun 9, 2020

@mikefarah on macOS ...

$ file -I draft.yaml
draft.yaml: text/plain; charset=utf-8

$ yq w draft.yaml     'a.b.c.' blah | file -I -
/dev/stdin: text/plain; charset=iso-8859-1

Is the iso-8859-1 encoding expected/desired over UTF-8?

@mikefarah added this to the 3.3.1 milestone Jun 10, 2020