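{{- if or .Values.pilot.enabled .Values.global.istioRemote }}
# Mesh-wide configuration consumed by Pilot and handed to every sidecar.
# Rendered only when Pilot is installed here or this is a remote cluster.
# NOTE(review): this is a ConfigMap, not a Secret. Anything templated into
# it (e.g. the LightStep access token under defaultConfig.tracing) is
# readable by every principal with ConfigMap read access in this namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "istio.name" . }}
    chart: {{ template "istio.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
data:
  mesh: |-
    # Set the following variable to true to disable policy checks by Mixer.
    # Note that metrics will still be reported to Mixer.
    # When the Mixer policy component is not installed, checks are forced off
    # regardless of global.disablePolicyChecks.
    {{- if .Values.mixer.policy.enabled }}
    disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
    {{- else }}
    disablePolicyChecks: true
    {{- end }}
    disableMixerHttpReports: false
    {{- if .Values.mixer.telemetry.reportBatchMaxEntries }}
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: {{ .Values.mixer.telemetry.reportBatchMaxEntries }}
    {{- end }}
    {{- if .Values.mixer.telemetry.reportBatchMaxTime }}
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: {{ .Values.mixer.telemetry.reportBatchMaxTime }}
    {{- end }}
    {{- if .Values.mixer.telemetry.sessionAffinityEnabled }}
    # sidecarToTelemetrySessionAffinity will create a STRICT_DNS type cluster for istio-telemetry.
    sidecarToTelemetrySessionAffinity: {{ .Values.mixer.telemetry.sessionAffinityEnabled }}
    {{- end }}
    # Set enableTracing to false to disable request tracing.
    enableTracing: {{ .Values.global.enableTracing }}
    # Set accessLogFile to empty string to disable access log.
    accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: {{ .Values.global.proxy.accessLogFormat | quote }}
    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: '{{ .Values.global.proxy.accessLogEncoding }}'
    enableEnvoyAccessLogService: {{ .Values.global.proxy.envoyAccessLogService.enabled }}
    # Mixer check/report endpoints. In a remote cluster they point at the
    # configured remote addresses (or at local endpoint stubs when
    # createRemoteSvcEndpoints is set); locally, port 15004 is used when
    # controlPlaneSecurityEnabled is true and 9091 otherwise.
    {{- if .Values.global.istioRemote }}
    {{- if .Values.global.remotePolicyAddress }}
    {{- if .Values.global.createRemoteSvcEndpoints }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}:15004
    {{- else }}
    mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004
    {{- end }}
    {{- end }}
    {{- if .Values.global.remoteTelemetryAddress }}
    {{- if .Values.global.createRemoteSvcEndpoints }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}:15004
    {{- else }}
    mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004
    {{- end }}
    {{- end }}
    {{- else }}
    {{- if .Values.mixer.policy.enabled }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
    {{- else }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
    {{- end }}
    {{- end }}
    {{- if .Values.mixer.telemetry.enabled }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:15004
    {{- else }}
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}:9091
    {{- end }}
    {{- end }}
    {{- end }}
    {{- if or .Values.mixer.policy.enabled (and .Values.global.istioRemote .Values.global.remotePolicyAddress) }}
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    # NOTE(review): setting this to true turns a Mixer outage into an
    # authorization bypass; keep it false wherever policy checks are relied
    # on for enforcement rather than for observability.
    policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
    {{- end }}
    {{- if .Values.gateways.enabled }}
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway
    {{- end }}
    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s
    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    # NOTE(review): because the fallback is plain TCP, a server-first
    # service that hits this timeout is served without mTLS. Presumably
    # such ports should have their protocol declared explicitly instead of
    # relying on detection -- confirm against the service definitions.
    protocolDetectionTimeout: {{ .Values.global.proxy.protocolDetectionTimeout }}
    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: {{ .Values.global.proxy.dnsRefreshRate }}
    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: {{ .Values.global.sds.udsPath | quote }}
    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: {{ .Values.global.trustDomain | quote }}
    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: ["td2", "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    # NOTE(review): every alias listed here is trusted as fully as the primary
    # trust domain, so only list domains whose CA you actually trust.
    trustDomainAliases:
    {{- range .Values.global.trustDomainAliases }}
      - {{ . | quote }}
    {{- end }}
    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    enableAutoMtls: {{ .Values.global.mtls.auto }}
    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    # services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    # as those defined through ServiceEntries
    # NOTE(review): ALLOW_ANY lets a workload reach any destination the mesh
    # does not know about; REGISTRY_ONLY is the restrictive choice when egress
    # must be explicitly enumerated.
    outboundTrafficPolicy:
      mode: {{ .Values.global.outboundTrafficPolicy.mode }}
    {{- if .Values.global.localityLbSetting.enabled }}
    localityLbSetting:
{{ toYaml .Values.global.localityLbSetting | trim | indent 6 }}
    {{- end }}
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    {{- if .Values.global.configRootNamespace }}
    rootNamespace: {{ .Values.global.configRootNamespace }}
    {{- else }}
    rootNamespace: {{ .Release.Namespace }}
    {{- end }}
    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    certificates:
{{ toYaml .Values.global.certificates | trim | indent 6 }}
    {{- if .Values.global.defaultConfigVisibilitySettings }}
    # Default export scope for services, VirtualServices and DestinationRules
    # that do not set exportTo themselves; all three share one value.
    defaultServiceExportTo:
    {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
    {{- end }}
    defaultVirtualServiceExportTo:
    {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
    {{- end }}
    defaultDestinationRuleExportTo:
    {{- range .Values.global.defaultConfigVisibilitySettings }}
      - {{ . | quote }}
    {{- end }}
    {{- end }}
    {{- if $.Values.global.useMCP }}
    # MCP config source (Galley). The connection is only wrapped in Istio
    # mutual TLS when controlPlaneSecurityEnabled is true.
    configSources:
    - address: istio-galley.{{ $.Release.Namespace }}.svc:9901
      {{- if .Values.pilot.configSource.subscribedResources }}
      # NOTE(review): the value is rendered as a single list item; if
      # pilot.configSource.subscribedResources is itself a list this yields a
      # nested list -- confirm against values.yaml.
      subscribedResources:
      - {{ .Values.pilot.configSource.subscribedResources }}
      {{- end}}
      {{- if $.Values.global.controlPlaneSecurityEnabled}}
      tlsSettings:
        mode: ISTIO_MUTUAL
      {{- end }}
    {{- end }}
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.  Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      # NOTE(review): the admin API has no authentication; it must stay bound
      # to localhost and never be exposed through a Service or port-forward
      # to untrusted users.
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: {{ .Values.global.proxy.concurrency }}
      #
      {{- if eq .Values.global.proxy.tracer "lightstep" }}
      tracing:
        lightstep:
          # Address of the LightStep Satellite pool
          address: {{ .Values.global.tracer.lightstep.address | quote }}
          # Access Token used to communicate with the Satellite pool.
          # Quoted so an empty or numeric-looking token is still emitted as a
          # string rather than null/int. NOTE(review): this credential is
          # stored in a ConfigMap; treat ConfigMap read access in this
          # namespace as equivalent to holding the token.
          accessToken: {{ .Values.global.tracer.lightstep.accessToken | quote }}
          # Whether communication with the Satellite pool should be secure
          secure: {{ .Values.global.tracer.lightstep.secure }}
          # Path to the file containing the cacert to use when verifying TLS
          cacertPath: {{ .Values.global.tracer.lightstep.cacertPath | quote }}
      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
      tracing:
        zipkin:
          # Address of the Zipkin collector: an explicit tracer address wins,
          # then a remote cluster address, else the in-namespace service.
          {{- if .Values.global.tracer.zipkin.address }}
          address: {{ .Values.global.tracer.zipkin.address }}
          {{- else if .Values.global.remoteZipkinAddress }}
          address: {{ .Values.global.remoteZipkinAddress }}:9411
          {{- else }}
          address: zipkin.{{ .Release.Namespace }}:9411
          {{- end }}
      {{- else if eq .Values.global.proxy.tracer "datadog" }}
      tracing:
        datadog:
          # Address of the Datadog Agent
          address: {{ .Values.global.tracer.datadog.address }}
      {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
      tracing:
        stackdriver: {}
      {{- end }}
      {{- if .Values.global.proxy.envoyStatsd.enabled }}
      #
      # Statsd metrics collector converts statsd metrics into Prometheus metrics.
      statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
      {{- end }}
      {{- if .Values.global.proxy.envoyMetricsService.enabled }}
      #
      # Envoy's Metrics Service stats sink pushes Envoy metrics to a remote collector via the Metrics Service gRPC API.
      # tlsSettings is only emitted when configured; without it the stream to
      # the collector presumably carries no TLS -- confirm the collector sits
      # on a trusted network or set tlsSettings.
      envoyMetricsService:
        address: {{ .Values.global.proxy.envoyMetricsService.host }}:{{ .Values.global.proxy.envoyMetricsService.port }}
        {{- if .Values.global.proxy.envoyMetricsService.tlsSettings }}
        tlsSettings:
{{ toYaml .Values.global.proxy.envoyMetricsService.tlsSettings | trim | indent 10 }}
        {{- end}}
        {{- if .Values.global.proxy.envoyMetricsService.tcpKeepalive }}
        tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyMetricsService.tcpKeepalive | trim | indent 10 }}
        {{- end}}
      {{- end}}
      {{- if .Values.global.proxy.envoyAccessLogService.enabled }}
      #
      # Envoy's AccessLog Service pushes access logs to a remote collector via the Access Log Service gRPC API.
      # Access logs can contain request paths and headers; as with the metrics
      # sink, tlsSettings is only emitted when configured.
      envoyAccessLogService:
        address: {{ .Values.global.proxy.envoyAccessLogService.host }}:{{ .Values.global.proxy.envoyAccessLogService.port }}
        {{- if .Values.global.proxy.envoyAccessLogService.tlsSettings }}
        tlsSettings:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tlsSettings | trim | indent 10 }}
        {{- end}}
        {{- if .Values.global.proxy.envoyAccessLogService.tcpKeepalive }}
        tcpKeepalive:
{{ toYaml .Values.global.proxy.envoyAccessLogService.tcpKeepalive | trim | indent 10 }}
        {{- end}}
      {{- end}}
      {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }}
      {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }}
      {{- if .Values.global.controlPlaneSecurityEnabled }}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running (mTLS discovery port)
      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
      discoveryAddress: {{ $defPilotHostname }}:15011
      {{- else }}
      discoveryAddress: {{ $pilotAddress }}:15011
      {{- end }}
      {{- else }}
      #
      # controlPlaneSecurityEnabled is false: no mutual TLS between sidecars
      # and the control plane. Discovery is served on 15010 instead of the
      # mTLS port 15011 used above, so the xDS channel is not protected by
      # Istio mTLS in this mode.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      {{- if or .Values.global.remotePilotCreateSvcEndpoint .Values.global.createRemoteSvcEndpoints }}
      discoveryAddress: {{ $defPilotHostname }}:15010
      {{- else }}
      discoveryAddress: {{ $pilotAddress }}:15010
      {{- end }}
      {{- end }}

  # Configuration file for the mesh networks to be used by the Split Horizon EDS.
  meshNetworks: |-
    {{- if .Values.global.meshNetworks }}
    networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
    {{- else }}
    networks: {}
    {{- end }}
{{- end }}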