# Top level istio values file has the following sections.
#
# global: This file is the authoritative and exhaustive source for the global section.
#
# chart sections: Every subdirectory inside the charts/ directory has a top level
# configuration key in this file. This file overrides the values specified
# by the charts/${chartname}/values.yaml.
# Check the chart level values file for exhaustive list of configuration options.
#
# NOTE(review): the values below are rendered into Kubernetes manifests by Helm
# templates that live outside this file; what a given key ultimately controls is
# described by the per-chart values.yaml referenced in each section header.

#
# Gateways Configuration, refer to the charts/gateways/values.yaml
# for detailed configuration
#
gateways:
  enabled: true
  istio-ingressgateway:
    # Extra labels applied to the ingress gateway workload.
    labels:
      release: cluster-istio

#
# sidecar-injector webhook configuration, refer to the
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
  # Image name only; the registry prefix comes from global.hub and the tag from global.tag.
  image: istio-sidecar_injector
  enabled: true

#
# galley configuration, refer to charts/galley/values.yaml
# for detailed configuration
#
galley:
  image: istio-galley
  enabled: true

#
# mixer configuration
#
# @see charts/mixer/values.yaml for all values
mixer:
  image: istio-mixer
  policy:
    # If policy is enabled, global.disablePolicyChecks has effect
    # (see the global section: it is set to true below, so policy checks are skipped
    # even though the policy component itself is deployed).
    enabled: true
  telemetry:
    enabled: true

#
# pilot configuration
#
# @see charts/pilot/values.yaml
pilot:
  image: istio-pilot
  enabled: true

#
# security configuration (Citadel, the mesh certificate authority)
#
security:
  image: istio-citadel
  enabled: true

#
# nodeagent configuration
#
nodeagent:
  image: istio-node-agent-k8s
  enabled: false

#
# addon grafana configuration
#
grafana:
  image: grafana-grafana
  enabled: false

#
# addon prometheus configuration
#
prometheus:
  image: prom-prometheus
  enabled: false

#
# addon jaeger tracing configuration
#
tracing:
  jaeger:
    hub: docker.io/rancher
    image: jaegertracing-all-in-one
  zipkin:
    hub: docker.io/rancher
    image: openzipkin-zipkin
  enabled: false

#
# addon kiali tracing configuration
#
kiali:
  hub: docker.io/rancher
  image: kiali-kiali
  contextPath: /
  dashboard:
    jaegerURL: http://tracing.istio-system:80
    grafanaURL: http://access-grafana.cattle-prometheus:80
    auth:
      # NOTE(review): "anonymous" means the Kiali dashboard asks for no credentials;
      # if kiali.enabled is ever switched to true, confirm that the dashboard is not
      # reachable beyond the intended operator audience.
      strategy: anonymous
  enabled: false
  prometheusAddr: http://access-prometheus.cattle-prometheus:80

#
# addon certmanager configuration
#
certmanager:
  enabled: false

#
# Istio CNI plugin enabled
#   This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
#   If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
#   settings for the istio-proxy.
#
istio_cni:
  enabled: false

# addon Istio CoreDNS configuration
#
istiocoredns:
  coreDNSImage: coredns-coredns
  coreDNSPluginImage: istio-coredns-plugin
  enabled: false

# Common settings used among istio subcharts.
global:
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  # This file points every component at the rancher mirror instead.
  hub: docker.io/rancher

  # Default tag for Istio images.
  # Kept as a plain scalar: "1.4.3" has two dots, so YAML reads it as a string, not a float.
  tag: 1.4.3

  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"

  # monitoring port used by mixer, pilot, galley and sidecar injector
  monitoringPort: 15014

  k8sIngress:
    enabled: false
    # Gateway used for k8s Ingress resources. By default it is
    # using 'istio:ingressgateway' that will be installed by setting
    # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
    # flags to true.
    gatewayName: ingressgateway
    # enableHttps will add port 443 on the ingress.
    # It REQUIRES that the certificates are installed in the
    # expected secrets - enabling this option without certificates
    # will result in LDS rejection and the ingress will not work.
    enableHttps: false

  proxy:
    # Configuration for the proxy init container
    init:
      resources:
        limits:
          cpu: 100m
          memory: 50Mi
        requests:
          cpu: 10m
          memory: 10Mi

    # use fully qualified image names for alternate path to proxy.
    image: istio-proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi

    # Controls number of Proxy worker threads.
    # If set to 0, then start worker thread for each CPU thread/core.
    concurrency: 2

    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    # NOTE(review): with the empty default, sidecars emit no per-request access log, so
    # request-level visibility has to come from another source (e.g. telemetry).
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # Configure envoy gRPC access log service.
    # host and port are intentionally left empty (YAML null) and only matter when enabled is true.
    envoyAccessLogService:
      enabled: false
      host: # example: accesslog-service.istio-system
      port: # example: 15000
      tlsSettings:
        # DISABLE sends the log stream without TLS; choose one of the MUTUAL modes when
        # the collector is outside the trust boundary of the cluster.
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/als/cert-chain.pem
        privateKey: # example: /etc/istio/als/key.pem
        caCertificates: # example: /etc/istio/als/root-cert.pem
        sni: # example: als.somedomain
        subjectAltNames: []
        # - als.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: ""

    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
    componentLogLevel: ""

    # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
    # This must be given in terms of seconds. For example, 300s is valid but 5m is invalid.
    dnsRefreshRate: 300s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    # If set to true, istio-proxy container will have privileged securityContext
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    # NOTE(review): a core dump of the proxy process may capture whatever key material
    # it holds in memory; keep this off outside of active debugging.
    enableCoreDump: false

    # Image used to enable core dumps. This is only used, when "enableCoreDump" is set to true.
    enableCoreDumpImage: ubuntu:xenial

    # Default port for Pilot agent health checks.
    # A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    # "*" captures all egress traffic; traffic matching excludeIPRanges / excludeOutboundPorts
    # bypasses the sidecar entirely and is therefore not subject to mesh policy.
    includeIPRanges: "*"
    excludeIPRanges: ""
    excludeOutboundPorts: ""

    # pod internal interfaces
    kubevirtInterfaces: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect no inbound traffic to Envoy:    --includeInboundPorts=""
    #     Redirect all inbound traffic to Envoy:   --includeInboundPorts="*"
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    envoyMetricsService:
      enabled: false
      host: # example: metrics-service.istio-system
      port: # example: 15000
      tlsSettings:
        # Same semantics as envoyAccessLogService.tlsSettings.mode above.
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/ms/cert-chain.pem
        privateKey: # example: /etc/istio/ms/key.pem
        caCertificates: # example: /etc/istio/ms/root-cert.pem
        sni: # example: ms.somedomain
        subjectAltNames: []
        # - ms.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"

  proxy_init:
    # Base name for the istio-init container, used to configure iptables.
    image: istio-proxyv2

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  # NOTE(review): with IfNotPresent a node keeps serving whatever image it already has
  # cached for this tag; pin tags (global.tag) rather than relying on re-pulls.
  imagePullPolicy: IfNotPresent

  # controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  # NOTE(review): false leaves control-plane traffic without the mTLS this flag turns on;
  # confirm that is acceptable for the target environment rather than only for tests.
  controlPlaneSecurityEnabled: false

  # disablePolicyChecks disables mixer policy checks.
  # if mixer.policy.enabled==true then disablePolicyChecks has effect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  # false is the fail-closed choice; it only matters once disablePolicyChecks is set to false.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    # secure: specifies whether data should be sent with TLS
    # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
    #   required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
    #   namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
    # NOTE(review): accessToken is a credential; if it is ever populated, prefer supplying it
    # through a secret at install time rather than committing it to this file.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
      secure: true               # example: true|false
      cacertPath: ""             # example: /etc/lightstep/cacert.pem
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      # $(HOST_IP) is expanded by the container runtime from the pod's downward API, not by YAML.
      address: "$(HOST_IP):8126"
    stackdriver:
      # enables trace output to stdout.
      debug: false
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
      # The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
      # The global default max number of message events per span.
      maxNumberOfMessageEvents: 200

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    # NOTE(review): false means service-to-service traffic is plaintext unless a
    # DestinationRule or annotation opts a service in.
    enabled: false
    # If set to true, and a given service does not have a corresponding DestinationRule configured,
    # or its DestinationRule does not have TLSSettings specified, Istio configures client side
    # TLS configuration automatically, based on the server side mTLS authentication policy and the
    # availability of sidecars.
    auto: false

  # Lists the secrets you need to use to pull Istio images from a private registry.
  imagePullSecrets: []
    # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run on particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []

  # Whether to perform server-side validation of configuration.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  # - global
  # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plaintext pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #  memory: 128Mi
    #limits:
    #  cpu: 100m
    #  memory: 128Mi

  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: false
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and
  # Pilot. Requires galley (`--set galley.enabled=true`).
  useMCP: true

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #  kubernetes: cluster.local
  #  else:  default dns domain
  trustDomain: ""

  # The trust domain aliases represent the aliases of trust_domain.
  # For example, if we have
  # trustDomain: td1
  # trustDomainAliases: ["td2", "td3"]
  # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
  # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
  # NOTE(review): every alias listed here is accepted as equivalent to the primary trust
  # domain for identity purposes, so the list should only name domains this mesh really trusts.
  trustDomainAliases: []

  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
  outboundTrafficPolicy:
    mode: ALLOW_ANY

  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config

  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  # defaultConfigVisibilitySettings:
  #- '*'

  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: false
    udsPath: ""
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still needs to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}

  # Network defines the network this cluster belongs to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Either failover or distribute configuration can be set, but not both. If neither are provided
  # failover mode will be used.
  #
  # localityLbSetting:
  #   enabled: true
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   enabled: true
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east
  localityLbSetting:
    enabled: true

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false

  # Configures DNS certificates provisioned through Chiron linked into Pilot.
  # The DNS names in this file are all hard-coded; please ensure the namespaces
  # in dnsNames are consistent with those of your services.
  # Example:
  # certificates:
  #   - secretName: dns.istio-galley-service-account
  #     dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
  #   - secretName: dns.istio-sidecar-injector-service-account
  #     dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
  certificates: []

  # Configure whether Operator manages webhook configurations. The current behavior
  # of Galley and Sidecar Injector is that they manage their own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false