{{- if or .Values.pilot.enabled .Values.global.istioRemote }}
# ConfigMap "istio": carries the mesh-wide configuration under the "mesh" key
# and the Split Horizon EDS network map under the "meshNetworks" key.
# Rendered only when Pilot is enabled or this release is a remote-cluster install.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "istio.name" . }}
    chart: {{ template "istio.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
data:
  # Everything under "mesh" is a single block scalar: the "#" lines inside it
  # are carried into the ConfigMap data as comments for whoever reads the
  # rendered configuration.
  mesh: |-
    # Set the following variable to true to disable policy checks by Mixer.
    # Note that metrics will still be reported to Mixer.
    # Forced to true when the Mixer policy component is not enabled.
    {{- if .Values.mixer.policy.enabled }}
    disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
    {{- else }}
    disablePolicyChecks: true
    {{- end }}

    # Hard-coded here; not exposed through values.
    disableMixerHttpReports: false

    {{- if .Values.mixer.telemetry.reportBatchMaxEntries }}
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    # (omitted when unset or 0, since the template guard treats 0 as false)
    reportBatchMaxEntries: {{ .Values.mixer.telemetry.reportBatchMaxEntries }}
    {{- end }}

    {{- if .Values.mixer.telemetry.reportBatchMaxTime }}
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    # (omitted when unset or empty)
    reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }}
    {{- end }}

    {{- if .Values.mixer.telemetry.sessionAffinityEnabled }}
    # sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry.
    sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }}
    {{- end }}

    # Set enableTracing to false to disable request tracing.
    enableTracing: {{ .Values.global.enableTracing }}

    # Set accessLogFile to empty string to disable access log.
    # NOTE(review): wrapped in literal double quotes rather than `| quote`, so a
    # value containing `"` or `\` would break the rendered YAML; accessLogFormat
    # below uses `| quote`, which escapes. accessLogEncoding below has the same
    # issue with single quotes.
    accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"

    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }}

    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'

    # Switches Envoy's gRPC Access Log Service on; its target and TLS settings
    # are configured under defaultConfig.envoyAccessLogService further below.
    enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }}

    # Mixer policy/telemetry endpoints. Remote-cluster installs point at the
    # local stub services (createRemoteSvcEndpoints) or at the remote addresses
    # directly, always on 15004; in-cluster installs use 15004 when control-plane
    # security is enabled and 9091 otherwise (presumably the mTLS vs plaintext
    # Mixer ports -- confirm against the mixer chart).
    {{- if .Values.global.istioRemote }}

    {{- if .Values.global.remotePolicyAddress }}
    {{- if .Values.global.createRemoteSvcEndpoints }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004
    {{- else }}
    mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004
    {{- end }}
    {{- end }}
    {{- if .Values.global.remoteTelemetryAddress }}
    {{- if .Values.global.createRemoteSvcEndpoints }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004
    {{- else }}
    mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004
    {{- end }}
    {{- end }}

    {{- else }}

    {{- if .Values.mixer.policy.enabled }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
    {{- else }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
    {{- end }}
    {{- end }}
    {{- if .Values.mixer.telemetry.enabled }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
    {{- else }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
    {{- end }}
    {{- end }}

    {{- end }}

    {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }}
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    # Only emitted when a policy server is actually configured above.
    policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
    {{- end }}

    {{- if .Values.gateways.enabled }}
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway
    {{- end }}

    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}

    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}

    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: {{ .Values.global.trustDomain | quote }}

    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: ["td2", "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    # NOTE(review): with an empty list this renders `trustDomainAliases:` with no
    # value (YAML null rather than `[]`) -- confirm the consumer accepts that.
    trustDomainAliases:
      {{- range .Values.global.trustDomainAliases }}
      - {{ . | quote }}
      {{- end }}

    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    enableAutoMtls: {{ .Values.global.mtls.auto }}

    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    #   services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    #   as those defined through ServiceEntries
    outboundTrafficPolicy:
      mode: {{ .Values.global.outboundTrafficPolicy.mode }}

    # NOTE(review): toYaml dumps the whole localityLbSetting map, including the
    # `enabled` gate checked here -- presumably tolerated by the consumer; confirm.
    {{- if  .Values.global.localityLbSetting.enabled }}
    localityLbSetting:
{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }}
    {{- end }}
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    # Falls back to the release namespace when configRootNamespace is unset.
{{- if .Values.global.configRootNamespace }}
    rootNamespace: {{ .Values.global.configRootNamespace }}
{{- else }}
    rootNamespace: {{ .Release.Namespace }}
{{- end }}

    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    certificates:
{{ toYaml .Values.global.certificates | trim | indent 6 }}

    # All three *ExportTo lists are driven by the same
    # defaultConfigVisibilitySettings value; none is emitted when it is unset.
    {{- if .Values.global.defaultConfigVisibilitySettings }}
    defaultServiceExportTo:
      {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
      {{- end }}
    defaultVirtualServiceExportTo:
      {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
      {{- end }}
    defaultDestinationRuleExportTo:
      {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
      {{- end }}
    {{- end }}

    {{- if $.Values.global.useMCP }}
    # Config source fetched over MCP from the istio-galley service in this
    # namespace. tlsSettings (ISTIO_MUTUAL) is only emitted when
    # controlPlaneSecurityEnabled is set; otherwise this source carries no TLS
    # settings at all.
    configSources:
    - address: istio-galley.{{ $.Release.Namespace }}.svc:9901
      {{- if .Values.pilot.configSource.subscribedResources }}
      # NOTE(review): rendered as a single list item; if this value is itself a
      # list it would print in Go's `[a b]` form rather than as YAML items --
      # confirm the expected shape in values.yaml.
      subscribedResources:
        - {{ .Values.pilot.configSource.subscribedResources }}
      {{- end}}
    {{- if $.Values.global.controlPlaneSecurityEnabled}}
      tlsSettings:
        mode: ISTIO_MUTUAL
    {{- end }}
    {{- end }}

    # Settings applied to each Envoy proxy; see the per-key comments below.
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.  Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: {{ .Values.global.proxy.concurrency }}
      #
      # Tracing backend, selected by global.proxy.tracer; exactly one of the
      # branches below is rendered, none if the value matches no branch.
      {{- if eq .Values.global.proxy.tracer "lightstep" }}
      tracing:
        lightstep:
          # Address of the LightStep Satellite pool
          address: {{ .Values.global.tracer.lightstep.address }}
          # Access Token used to communicate with the Satellite pool
          # NOTE(review): this credential lands in a ConfigMap, not a Secret, so
          # it is readable by any principal allowed to read ConfigMaps in this
          # namespace. It is also rendered unquoted, so a token that looks numeric
          # or contains YAML specials would be mis-typed -- `| quote` would be safer.
          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
          # Whether communication with the Satellite pool should be secure
          secure: {{ .Values.global.tracer.lightstep.secure }}
          # Path to the file containing the cacert to use when verifying TLS
          cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }}
      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
      tracing:
        zipkin:
          # Address of the Zipkin collector
          # Precedence: explicit tracer.zipkin.address, then remoteZipkinAddress
          # on 9411, then the in-cluster zipkin service in the release namespace.
        {{- if .Values.global.tracer.zipkin.address }}
          address: {{ .Values.global.tracer.zipkin.address }}
        {{- else if .Values.global.remoteZipkinAddress }}
          address: {{ .Values.global.remoteZipkinAddress }}:9411
        {{- else }}
          address: zipkin.{{ .Release.Namespace }}:9411
        {{- end }}
      {{- else if eq .Values.global.proxy.tracer "datadog" }}
      tracing:
        datadog:
          # Address of the Datadog Agent
          address: {{ .Values.global.tracer.datadog.address }}
      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
      tracing:
        stackdriver: {}
      {{- end }}

    {{- if .Values.global.proxy.envoyStatsd.enabled }}
      #
      # Statsd metrics collector converts statsd metrics into Prometheus metrics.
      statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
    {{- end }}

    {{- if .Values.global.proxy.envoyMetricsService.enabled }}
      #
      # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API.
      # NOTE(review): tlsSettings and tcpKeepalive are optional; when tlsSettings
      # is omitted no TLS configuration is emitted for this sink -- confirm the
      # collector is not reached over an untrusted network in that case.
      envoyMetricsService:
        address: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
    {{- if .Values.global.proxy.envoyMetricsService.tlsSettings }}
        tlsSettings:
{{ toYaml .Values.global.proxy.envoyMetricsService.tlsSettings | trim | indent 10 }}
    {{- end}}
    {{- if .Values.global.proxy.envoyMetricsService.tcpKeepalive }}
        tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyMetricsService.tcpKeepalive | trim | indent 10 }}
    {{- end}}
    {{- end}}
    
    {{- if .Values.global.proxy.envoyAccessLogService.enabled }}
      #
      # Envoy's AccessLog Service pushes access logs to a remote collector via the Access Log Service gRPC API.
      # NOTE(review): same caveat as envoyMetricsService -- access logs may carry
      # request data, and without tlsSettings no TLS configuration is emitted.
      envoyAccessLogService:
        address: {{ .Values.global.proxy.envoyAccessLogService.host }}:{{ .Values.global.proxy.envoyAccessLogService.port }}
    {{- if .Values.global.proxy.envoyAccessLogService.tlsSettings }}
        tlsSettings:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | trim | indent 10 }}
    {{- end}}
    {{- if .Values.global.proxy.envoyAccessLogService.tcpKeepalive }}
        tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | trim | indent 10 }}
    {{- end}}
    {{- end}}

      # Pilot discovery address: remotePilotAddress when set (Sprig `default`
      # also treats an empty string as unset), otherwise istio-pilot.<namespace>.
    {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }}
    {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      # MUTUAL_TLS: sidecars authenticate to Pilot with mTLS; discovery uses 15011.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running
      # When stub endpoints for a remote Pilot are created in this cluster, the
      # local service name is used instead of the remote address (presumably the
      # stub forwards to it -- confirm).
      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
      discoveryAddress: {{ $defPilotHostname }}:15011
      {{- else }}
      discoveryAddress: {{ $pilotAddress }}:15011
      {{- end }}
    {{- else }}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      # NONE: no mutual TLS between sidecars and Pilot; discovery goes to 15010
      # instead of 15011.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
      discoveryAddress: {{ $defPilotHostname }}:15010
      {{- else }}
      discoveryAddress: {{ $pilotAddress }}:15010
      {{- end }}
    {{- end }}

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  # Renders an empty "networks" map when global.meshNetworks is not set.
  meshNetworks: |-
  {{- if .Values.global.meshNetworks }}
    networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
  {{- else }}
    networks: {}
  {{- end }}
{{- end }}