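#
# security configuration (Citadel, the Istio CA)
#
enabled: true
replicaCount: 1
# Rolling-update budget for the Citadel Deployment. The percentages are
# quoted so every YAML parser reads them as the strings Kubernetes expects.
rollingMaxSurge: "100%"
rollingMaxUnavailable: "25%"
image: citadel
# Indicates whether Citadel runs with a self-signed CA. As far as this file
# shows, Citadel signs workload CSRs itself (see citadelHealthCheck and
# workloadCertTtl below), so with selfSigned=true the chart-managed CA is the
# root of trust for the mesh's workload certificates and its key material has
# to be protected accordingly. For production, confirm against the Istio
# documentation whether an externally managed root CA should be plugged in
# instead of relying on this default.
selfSigned: true
# Presumably installs a default mesh-wide authentication policy -- confirm
# against the chart templates before changing it.
createMeshPolicy: true
nodeSelector: {}
tolerations: []
podAnnotations: {}

# Enable health checking on the Citadel CSR signing API.
# https://istio.io/docs/tasks/security/health-check/
citadelHealthCheck: false
# Lifetime of the workload certificates Citadel issues.
# 90*24hour = 2160h
# Security note: the TTL bounds how long a leaked workload key stays usable,
# so prefer a shorter value once certificate rotation is known to work
# reliably in your environment.
workloadCertTtl: 2160h
# Environment variables that configure Citadel. These are presumably rendered
# into the Citadel Deployment manifest; either way, do not place secrets in a
# values file committed to version control -- reference a Secret instead.
env: {}

# Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override
# labels are not found on a given namespace.
#
# For example: consider a namespace called "target", which has neither the "ca.istio.io/env"
# nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets
# for service accounts created in this "target" namespace, Citadel will defer to this option. If the value
# of this option is "true" in this case, secrets will be generated for the "target" namespace.
# If the value of this option is "false" Citadel will not generate secrets upon service account creation.
#
# Security note: "true" is an opt-out model -- every namespace that carries
# neither label is enrolled and receives workload secrets automatically. In
# multi-tenant clusters consider "false" and enrol namespaces explicitly via
# the ca.istio.io/env label.
enableNamespacesByDefault: true

# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled on, based on labels on pods that are
# already running on the node rather than on labels on the nodes themselves.
# There are currently two types of anti-affinity:
#    "requiredDuringSchedulingIgnoredDuringExecution"
#    "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements; you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# respectively.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
#   operator: In
#   values: S1,S2
#   topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod must not be scheduled
# onto a node if that node is already running a pod with a label whose key
# is "security" and whose value is "S1" or "S2".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []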