# # security configuration # enabled: true replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% image: citadel selfSigned: true # indicate if self-signed CA is used. createMeshPolicy: true nodeSelector: {} tolerations: [] podAnnotations: {} # Enable health checking on the Citadel CSR signing API. # https://istio.io/docs/tasks/security/health-check/ citadelHealthCheck: false # 90*24hour = 2160h workloadCertTtl: 2160h # Environment variables that configure Citadel. env: {} # Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override # labels are not found on a given namespace. # # For example: consider a namespace called "target", which has neither the "ca.istio.io/env" # nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets # for service accounts created in this "target" namespace, Citadel will defer to this option. If the value # of this option is "true" in this case, secrets will be generated for the "target" namespace. # If the value of this option is "false" Citadel will not generate secrets upon service account creation. enableNamespacesByDefault: true # Specify the pod anti-affinity that allows you to constrain which nodes # your pod is eligible to be scheduled based on labels on pods that are # already running on the node rather than based on labels on nodes. # There are currently two types of anti-affinity: # "requiredDuringSchedulingIgnoredDuringExecution" # "preferredDuringSchedulingIgnoredDuringExecution" # which denote "hard" vs. "soft" requirements, you can define your values # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" # correspondingly. # For example: # podAntiAffinityLabelSelector: # - key: security # operator: In # values: S1,S2 # topologyKey: "kubernetes.io/hostname" # This pod anti-affinity rule says that the pod requires not to be scheduled # onto a node if that node is already running a pod with label having key # "security" and value "S1". podAntiAffinityLabelSelector: [] podAntiAffinityTermLabelSelector: []