# Global and common settings for installing Istio.

# This file is configured for a small scale production cluster.
# Use user-values-medium or custom settings to tune up the CPU and scaling.
# Additional values overrides can be used.

# Each individual component will use values from this file, with defaults and 'advanced' settings included in
# its own chart's values.yaml.

# TODO: trim this file to commonly used settings, leave 'advanced' in the individual values.yaml (they can
# still be overridden by users, but won't show in basic documentation).

# This doesn't match istio defaults, which are more geared towards tests and bookinfo.

# Review note: several defaults below are chosen for ease of testing rather than
# hardening. The ones a production operator should deliberately confirm are the
# image hub/tag (mutable 'latest' on a dev registry), proxy.accessLogFile (off),
# outboundTrafficPolicy.mode (ALLOW_ANY), mtls.enabled (false) and the plaintext
# tlsSettings.mode: DISABLE on every external collector endpoint.

global:
  # Used to locate istio-pilot.
  # Default is to install pilot in a dedicated namespace, istio-pilot11. You can use multiple namespaces, but
  # for each 'profile' you need to match the control plane namespace and the value of istioNamespace.
  # It is assumed that istio-system is running either 1.0 or an upgraded version of 1.1, but only security components are
  # used (citadel generating the secrets).
  istioNamespace: istio-system

  # Telemetry namespace, including tracing.
  telemetryNamespace: istio-system

  prometheusNamespace: istio-system

  policyNamespace: istio-system

  configRootNamespace: istio-system

  ## End new settings
  ## After this line we have the old Istio settings.

  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io.
  # NOTE(review): gcr.io/istio-testing holds unreleased dev builds; a production
  # install should point hub at the release registry and pin tag to a specific
  # release (and pull by digest where the tooling supports it) so that what runs
  # in the mesh is reproducible and reviewable.
  hub: gcr.io/istio-testing

  # Default tag for Istio images.
  # 'latest' is a mutable tag: the image behind it can change between installs
  # and rollouts without any change to this file.
  tag: latest

  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components
  # If empty, default scope and level will be used as configured in code
  logging:
    level: "default:info"

  # To output all istio components logs in json format by adding --log_as_json argument to each container argument
  # (structured output is easier to ship to a SIEM / log pipeline).
  logAsJson: false

  # Enabled by default in master for maximising testing.
  istiod:
    enabled: true
    enableAnalysis: false

  # One central istiod controls all remote clusters: disabled by default
  centralIstiod: false

  proxy:
    image: proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi

    # Controls number of Proxy worker threads.
    # If set to 0, then start worker thread for each CPU thread/core.
    concurrency: 2

    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    # Access logs are the per-request audit trail of the mesh; with "" there is
    # no record of individual requests for incident investigation.
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # Configure envoy gRPC access log service.
    # When enabled, access log entries (request metadata) leave the pod over
    # this connection; tlsSettings.mode: DISABLE sends them in plaintext, so set
    # SIMPLE/MUTUAL/ISTIO_MUTUAL if the collector is reachable off-node.
    envoyAccessLogService:
      enabled: false
      host: # example: accesslog-service.istio-system
      port: # example: 15000
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/als/cert-chain.pem
        privateKey: # example: /etc/istio/als/key.pem
        caCertificates: # example: /etc/istio/als/root-cert.pem
        sni: # example: als.somedomain
        subjectAltNames: []
        # - als.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning

    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    # Note the fallback on timeout is plain TCP, i.e. not mTLS.
    protocolDetectionTimeout: 100ms

    # If set to true, istio-proxy container will have privileged securityContext.
    # Keep false: a privileged sidecar runs in every injected pod and would
    # widen the blast radius of any proxy compromise to the node.
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    # Core dumps of the proxy may contain key material and in-flight request
    # data; leave disabled outside of debugging.
    enableCoreDump: false

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    # Traffic outside the captured ranges bypasses the sidecar entirely, so it is
    # neither mTLS-protected nor subject to mesh policy or access logging.
    includeIPRanges: "*"
    excludeIPRanges: ""
    excludeOutboundPorts: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect only selected ports: --includeInboundPorts="80,8080"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    # As with envoyAccessLogService, tlsSettings.mode: DISABLE means plaintext to
    # the collector once enabled.
    envoyMetricsService:
      enabled: false
      host: # example: metrics-service.istio-system
      port: # example: 15000
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/ms/cert-chain.pem
        privateKey: # example: /etc/istio/ms/key.pem
        caCertificates: # example: /etc/istio/ms/root-cert.pem
        sni: # example: ms.somedomain
        subjectAltNames: []
        # - ms.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"

  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxyv2
    resources:
      limits:
        cpu: 100m
        memory: 50Mi
      requests:
        cpu: 10m
        memory: 10Mi

  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  imagePullPolicy: ""

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: true

  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false

  # disablePolicyChecks disables mixer policy checks.
  # if mixer.policy.enabled==true then disablePolicyChecks has effect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  # false is the fail-closed choice; true trades enforcement for availability.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    # accessToken is a credential: supply it through a values override that is
    # not committed to version control (or a Secret), not inline in this file.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    stackdriver:
      # enables trace output to stdout.
      debug: false
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
      # The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
      # The global default max number of message events per span.
      maxNumberOfMessageEvents: 200

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    # With enabled: false, service-to-service traffic is not required to be mTLS
    # unless a policy says otherwise; auto below only configures the client side.
    enabled: false
    # If set to true, and a given service does not have a corresponding DestinationRule configured,
    # or its DestinationRule does not have TLSSettings specified, Istio configures client side
    # TLS configuration automatically, based on the server side mTLS authentication policy and the
    # availability of sidecars.
    auto: true

  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run on particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []

  # Whether to perform server-side validation of configuration.
  # Keep true: turning it off lets malformed or conflicting mesh config be
  # admitted and fail only when pushed to the proxies.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  # - global
  # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  # This publishes control-plane endpoints outside the cluster; leave false
  # unless VM/mesh-expansion workloads actually need them.
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plain text pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires an MCP source.
  useMCP: false

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  # kubernetes: cluster.local
  # else: default dns domain
  trustDomain: "cluster.local"

  # The trust domain aliases represent the aliases of trust_domain.
  # For example, if we have
  # trustDomain: td1
  # trustDomainAliases: ["td2", "td3"]
  # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
  # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
  # Because aliased identities are treated as equivalent, every alias listed here
  # is an authorization decision: only add trust domains whose CA you trust.
  trustDomainAliases: []

  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1. This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0. If this behavior is desired, set the value below to REGISTRY_ONLY.
  # ALLOW_ANY is the least restrictive egress posture: a compromised workload can
  # reach any external destination. For a production mesh REGISTRY_ONLY plus
  # explicit ServiceEntries is the allow-list equivalent.
  outboundTrafficPolicy:
    mode: ALLOW_ANY

  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config

  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  defaultConfigVisibilitySettings: []
# - '*'
  omitSidecarInjectorConfigMap: false
  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: false
    udsPath: ""
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  sts:
    # The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0

  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still needs to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}

  # Network defines the network this cluster belongs to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Please set either failover or distribute configuration but not both.
  #
  # localityLbSetting:
  #   enabled: true
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   enabled: true
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east
  localityLbSetting:
    enabled: true

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false

  # Configures DNS certificates provisioned through Chiron linked into Pilot.
  # The DNS names in this file are all hard-coded; please ensure the namespaces
  # in dnsNames are consistent with those of your services.
  # Example:
  # certificates:
  #   - secretName: dns.istiod-service-account
  #     dnsNames: [istiod.istio-system.svc, istiod.istio-system]
  certificates: []

  # Configure whether Operator manages webhook configurations. The current behavior
  # of Istiod is to manage its own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false

  # Settings for remote cluster.
  createRemoteSvcEndpoints: false

  # configure remote pilot and istiod service and endpoint
  remotePolicyAddress: ""
  remotePilotAddress: ""
  remoteTelemetryAddress: ""

  # Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod

  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  # NOTE(review): "third-party-jwt" relies on the cluster issuing projected,
  # audience-bound service account tokens; confirm platform support before
  # switching, and prefer it where available since "first-party-jwt" falls back
  # to the long-lived default service account token.
  jwtPolicy: "third-party-jwt"

# Internal setting - used when generating helm templates for kustomize.
# clusterResources controls the inclusion of cluster-wide resources when generating the charts/installing.
# For backward compat, it is set to 'true', resulting in the old-style installation.
# When set to 'false', all cluster-wide resources will be omitted, and are expected to be installed
# at the same time with the CRDs.
clusterResources: true

# Version is set as 'version' label and part of the resource names when installing.
# It is used to support multiple versions in the same namespace, similar to normal app traffic shifting.
version: ""

# Mesh-wide configuration rendered into the istio config map.
meshConfig:
  enablePrometheusMerge: false
  # Defaults applied to every proxy's configuration.
  defaultConfig:
    proxyMetadata: {}
    # Connection settings for the trace collector.
    # tlsSettings.mode: DISABLE sends spans (which carry request metadata) in
    # plaintext; use SIMPLE/MUTUAL/ISTIO_MUTUAL for a collector outside the node.
    tracing:
      tlsSettings:
        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
        privateKey: # example: /etc/istio/tracer/key.pem
        caCertificates: # example: /etc/istio/tracer/root-cert.pem
        sni: # example: tracer.somedomain
        subjectAltNames: []
        # - tracer.somedomain