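# Global and common settings for installing Istio.
#
# This file is configured for a small scale production cluster.
# Use user-values-medium or custom settings to tune up the CPU and scaling.
# Additional values overrides can be used.
#
# Each individual component will use values from this file, with defaults and 'advanced' settings included in
# its own chart's values.yaml.
#
# TODO: trim this file to commonly used settings, leave 'advanced' in the individual values.yaml (they can
# still be overridden by users, but won't show in basic documentation).
#
# This doesn't match istio defaults, which are more geared towards tests and bookinfo.
#
# Security-relevant defaults of this profile (details on each key below): service-to-service mTLS on,
# control plane mTLS on, outbound traffic restricted to the registry, sidecars not privileged, core
# dumps off. Mesh expansion is ON, which exposes pilot and citadel on the ingress gateway; sidecar
# access logging is OFF. Both are worth a deliberate decision before a production rollout.

global:
  # Used to locate istio-pilot.
  # Default is to install pilot in a dedicated namespace, istio-pilot11. You can use multiple namespaces, but
  # for each 'profile' you need to match the control plane namespace and the value of istioNamespace.
  # It is assumed that istio-system is running either 1.0 or an upgraded version of 1.1, but only security components are
  # used (citadel generating the secrets).
  istioNamespace: istio-control

  # Telemetry namespace, including tracing.
  telemetryNamespace: istio-telemetry

  # Policy (mixer policy) namespace.
  policyNamespace: istio-policy

  ## End new settings
  ## After this line we have the old Istio settings.

  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
  hub: gcr.io/istio-release

  # Default tag for Istio images.
  # NOTE: this is a floating daily-build tag. Together with imagePullPolicy: Always (below) a pod
  # restart may pull a different image than the one reviewed. For a production cluster pin a fixed
  # release tag in an override so rollouts are reproducible and the running image is known.
  tag: release-1.1-latest-daily

  # monitoring port used by mixer, pilot, galley
  # TODO: mark as 'hidden' or move to individual templates, not important for most users (internal).
  monitoringPort: 15014

  # TODO: specific to control, move there
  k8sIngress:
    enabled: false
    # Gateway used for legacy k8s Ingress resources. By default it is
    # using 'istio:ingress', to match 0.8 config. It requires that
    # ingress.enabled is set to true. You can also set it
    # to ingressgateway, or any other gateway you define in the 'gateway'
    # section.
    gatewayName: ingress
    # enableHttps will add port 443 on the ingress.
    # It REQUIRES that the certificates are installed in the
    # expected secrets - enabling this option without certificates
    # will result in LDS rejection and the ingress will not work.
    enableHttps: false

  proxy:
    image: proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 200m
        memory: 256Mi
        # memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi

    # Controls number of Proxy worker threads.
    # If set to 0 (default), then start worker thread for each CPU thread/core.
    concurrency: 0

    # Configures the access log for each sidecar. An empty string disables the sidecar
    # access log; /dev/stdout writes it to the container output.
    # NOTE: with the log disabled there is no per-request record from the sidecar to fall
    # back on during an incident investigation. Production clusters usually want /dev/stdout
    # and ship the container output to the central log pipeline.
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # If set to true, istio-proxy container will have privileged securityContext.
    # Keep false: a privileged sidecar is injected into every application pod.
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    # Keep false in production: a proxy core dump is process memory and may contain the
    # sidecar's private key material and in-flight request data.
    enableCoreDump: false

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1
    # The period between readiness probes.
    readinessPeriodSeconds: 2
    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    # NOTE: traffic outside includeIPRanges (or inside excludeIPRanges) bypasses the sidecar
    # entirely, so outboundTrafficPolicy (below) does not apply to it.
    includeIPRanges: "*"
    excludeIPRanges: ""

    # istio ingress capture whitelist
    # examples:
    #   Redirect no inbound traffic to Envoy: --includeInboundPorts=""
    #   Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
    #   Redirect only selected ports: --includeInboundPorts="80,8080"
    # NOTE: an inbound port that is not redirected to Envoy is reached directly, i.e. without
    # the mTLS and policy checks the sidecar would apply.
    includeInboundPorts: "*"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: null  # example: statsd-svc.istio-system
      port: null  # example: 9125

    # Specify which tracer to use. One of: lightstep, zipkin
    tracer: "zipkin"

  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxy_init

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  imagePullPolicy: Always

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: true

  # disablePolicyChecks disables mixer policy checks.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: false

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is true which means the traffic is not denied when the client is unable to connect to Mixer.
  # NOTE: fail-open trades enforcement for availability - while Mixer is unreachable no policy
  # decision is applied. Set to false where mixer policy is relied on as a security control.
  policyCheckFailOpen: true

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    #   address: the <host>:<port> of the satellite pool
    #   accessToken: required for sending data to the pool
    #   secure: specifies whether data should be sent with TLS
    #   cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
    #     required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
    #     namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
    # NOTE: accessToken is a credential. Provide it through an uncommitted override or a secret
    # store rather than writing it into a values file that is checked into version control.
    lightstep:
      address: ""  # example: lightstep-satellite:443
      accessToken: ""  # example: abcdefg1234567
      secure: true  # example: true|false
      cacertPath: ""  # example: /etc/lightstep/cacert.pem
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: true

  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  # Written as an explicit empty list: a bare `imagePullSecrets:` is null in YAML, which templates
  # that range over or take the length of this value do not handle uniformly.
  # example:
  #   imagePullSecrets:
  #     - private-registry-key
  imagePullSecrets: []

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run on particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Whether to perform server-side validation of configuration.
  # Keep true in production so malformed Istio configuration is rejected server-side instead of
  # being applied.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  #   - global
  #   - "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  # NOTE: this publishes control plane endpoints (pilot, citadel) through the ingress gateway,
  # widening what is reachable from outside the cluster. Only needed when workloads outside
  # the cluster (mesh expansion) join the mesh; otherwise set false. The exposed ports are the
  # mTLS ones, so keep controlPlaneSecurityEnabled (above) true whenever this is on.
  meshExpansion:
    enabled: true
    # If set to true, the pilot and citadel mtls and the plain text pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 100m
      # memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  defaultPodDisruptionBudget:
    minAvailable: 1
    # maxUnavailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and
  # Pilot. Requires galley (`--set galley.enabled=true`).
  useMCP: true

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #   kubernetes: cluster.local
  #   else: default dns domain
  trustDomain: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  #   REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #     as those defined through ServiceEntries
  #   ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #     services or ServiceEntries for the destination port
  # REGISTRY_ONLY is the restrictive choice: every external destination has to be declared with a
  # ServiceEntry, which keeps egress reviewable. It only governs traffic captured by the sidecar
  # (see includeIPRanges / excludeIPRanges under proxy).
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    # With SDS off (this profile) the workload certificates live in K8S secrets mounted into the pods.
    enabled: false
    udsPath: ""
    useTrustworthyJwt: false
    useNormalJwt: false

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints whose IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (not
  # supported yet).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #       - fromCidr: "192.168.0.1/24"
  #     gateways:
  #       - address: 1.1.1.1
  #         port: 80
  #   network2:
  #     endpoints:
  #       - fromRegistry: reg1
  #     gateways:
  #       - registryServiceName: istio-ingressgateway
  #         port: 443
  #
  # Written as an explicit empty map rather than a bare `meshNetworks:` (which YAML reads as null).
  meshNetworks: {}

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false

##### End global
##### Each component has its own values.yaml with component-specific settings.
##### Overrides can be done by adding user-specific values.yaml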