# Global and common settings for installing Istio.

# This file is configured for a small-scale production cluster.
# Use user-values-medium or custom settings to tune up the CPU and scaling.
# Additional values overrides can be used.

# Each individual component will use values from this file, with defaults and 'advanced' settings included in
# its own chart's values.yaml.

# TODO: trim this file to commonly used settings, leave 'advanced' in the individual values.yaml (they can
# still be overridden by users, but won't show in basic documentation).

# This doesn't match istio defaults, which are more geared towards tests and bookinfo.

global:
  # Used to locate istio-pilot.
  # Default is to install pilot in a dedicated namespace, istio-pilot11. You can use multiple namespaces, but
  # for each 'profile' you need to match the control plane namespace and the value of istioNamespace.
  # It is assumed that istio-system is running either 1.0 or an upgraded version of 1.1, but only security components are
  # used (citadel generating the secrets).
  istioNamespace: istio-system

  # Telemetry namespace, including tracing.
  telemetryNamespace: istio-system

  # Namespace for Prometheus.
  prometheusNamespace: istio-system

  # Namespace for the policy component.
  policyNamespace: istio-system

  # Namespace holding mesh-wide configuration (see the configRootNamespace note further down).
  configRootNamespace: istio-system

  ## End new settings
  ## After this line we have the old Istio settings.

  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Dev builds from prow are on gcr.io
  # NOTE(review): this default points at the dev/testing registry and, together with tag 'latest' below,
  # yields an unpinned, mutable image set. For the production use this file claims (see the header),
  # set hub to a release registry and tag to a specific release version so deployments are
  # reproducible and the images actually running can be reviewed.
  hub: gcr.io/istio-testing

  # Default tag for Istio images.
  # 'latest' is mutable and, per the imagePullPolicy note below, is pulled with Always.
  tag: latest

  # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  # The control plane has different scopes depending on component, but can configure default log level across all components.
  # If empty, default scope and level will be used as configured in code.
  logging:
    level: "default:info"

  # If true, all Istio components log in JSON format (adds the --log_as_json argument to each container).
  logAsJson: false

  # Enabled by default in master for maximising testing.
  istiod:
    enabled: true
    enableAnalysis: false

  # One central istiod controls all remote clusters: disabled by default.
  centralIstiod: false

  proxy:
    # Image name for the sidecar proxy; presumably combined with global.hub/global.tag by the templates.
    image: proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi

    # Controls number of Proxy worker threads.
    # If set to 0, then start worker thread for each CPU thread/core.
    concurrency: 2

    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    # Access logs are a primary audit and detection source for mesh traffic; consider enabling them
    # in production and shipping them to a log pipeline.
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format.
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # Configure envoy gRPC access log service.
    envoyAccessLogService:
      enabled: false
      # host and port are bare keys, which YAML parses as null; set both when enabled is true.
      host: # example: accesslog-service.istio-system
      port: # example: 15000
      tlsSettings:
        # DISABLE sends the log stream without TLS; use SIMPLE/MUTUAL/ISTIO_MUTUAL for a remote collector.
        mode: DISABLE  # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/als/cert-chain.pem
        privateKey:        # example: /etc/istio/als/key.pem
        caCertificates:    # example: /etc/istio/als/root-cert.pem
        sni:               # example: als.somedomain
        subjectAltNames: []
        # - als.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Log level for proxy, applies to gateways and sidecars.
    # Expected values are: trace|debug|info|warning|error|critical|off
    logLevel: warning

    # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
    # not set, then the global "logLevel" will be used.
    componentLogLevel: "misc:error"

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    # If set to true, istio-proxy container will have privileged securityContext.
    # A privileged container bypasses most container isolation; keep this false unless a
    # specific feature requires it.
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    # Core dumps of the proxy may contain in-memory secrets (e.g. TLS key material); keep this
    # disabled outside of debugging sessions.
    enableCoreDump: false

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    # Traffic that is not captured is not redirected through the sidecar, so it falls outside mesh
    # mTLS, policy and telemetry; widen excludeIPRanges/excludeOutboundPorts deliberately.
    includeIPRanges: "*"
    excludeIPRanges: ""
    excludeOutboundPorts: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    # The same caveat applies on the inbound side: excluded ports are not handled by the sidecar.
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    envoyMetricsService:
      enabled: false
      # host and port are bare keys, which YAML parses as null; set both when enabled is true.
      host: # example: metrics-service.istio-system
      port: # example: 15000
      tlsSettings:
        # DISABLE sends the metrics stream without TLS; use SIMPLE/MUTUAL/ISTIO_MUTUAL for a remote collector.
        mode: DISABLE  # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        clientCertificate: # example: /etc/istio/ms/cert-chain.pem
        privateKey:        # example: /etc/istio/ms/key.pem
        caCertificates:    # example: /etc/istio/ms/root-cert.pem
        sni:               # example: ms.somedomain
        subjectAltNames: []
        # - ms.somedomain
      tcpKeepalive:
        probes: 3
        time: 10s
        interval: 10s

    # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
    # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
    tracer: "zipkin"

  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxyv2
    # Resources for the init container.
    resources:
      limits:
        cpu: 100m
        memory: 50Mi
      requests:
        cpu: 10m
        memory: 10Mi

  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
  # With the default tag 'latest' above this resolves to Always.
  imagePullPolicy: ""

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: true

  # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
  mountMtlsCerts: false

  # disablePolicyChecks disables mixer policy checks.
  # If mixer.policy.enabled==true then disablePolicyChecks has effect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  # false is the fail-closed (safer) setting: a policy-service outage denies traffic instead of
  # silently allowing it.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    # Do not commit a real accessToken here; supply it through an override or a secret store.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"
    stackdriver:
      # enables trace output to stdout.
      debug: false
      # The global default max number of attributes per span.
      maxNumberOfAttributes: 200
      # The global default max number of annotation events per span.
      maxNumberOfAnnotations: 200
      # The global default max number of message events per span.
      maxNumberOfMessageEvents: 200

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    # false means mtls is not on by default; services only use it where a DestinationRule,
    # annotation or auto mtls turns it on. Review this setting for a production mesh.
    enabled: false
    # If set to true, and a given service does not have a corresponding DestinationRule configured,
    # or its DestinationRule does not have TLSSettings specified, Istio configures client side
    # TLS configuration automatically, based on the server side mTLS authentication policy and the
    # availability of sidecars.
    auto: true

  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets: []
  # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run on particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Default node tolerations to be applied to all deployments so that all pods can be
  # scheduled to particular nodes with matching taints. Each component can overwrite
  # these default values by adding its tolerations block in the relevant section below
  # and setting the desired values.
  # Configure this field in case that all pods of Istio control plane are expected to
  # be scheduled to particular nodes with specified taints.
  defaultTolerations: []

  # Whether to perform server-side validation of configuration.
  # Keep this true so invalid configuration is rejected at apply time rather than silently accepted.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  # podDNSSearchNamespaces:
  # - global
  # - "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plain text pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false
    # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
    # to properly label proxies
    clusterName: ""

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires an MCP source.
  useMCP: false

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #   kubernetes: cluster.local
  #   else:  default dns domain
  trustDomain: "cluster.local"

  # The trust domain aliases represent the aliases of trust_domain.
  # For example, if we have
  #   trustDomain: td1
  #   trustDomainAliases: ["td2", "td3"]
  # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
  # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
  # Every alias listed here is accepted as equivalent to the local trust domain, so add entries deliberately.
  trustDomainAliases: []

  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be
  # globally/universally unique. For example, if any of the following are true,
  # then two meshes must have different Mesh IDs:
  # - Meshes will have their telemetry aggregated in one place
  # - Meshes will be federated together
  # - Policy will be written referencing one mesh from the other
  #
  # If an administrator expects that any of these conditions may become true in
  # the future, they should ensure their meshes have different Mesh IDs
  # assigned.
  #
  # Within a multicluster mesh, each cluster must be (manually or auto)
  # configured to have the same Mesh ID value. If an existing cluster 'joins' a
  # multicluster mesh, it will need to be migrated to the new mesh ID. Details
  # of migration TBD, and it may be a disruptive operation to change the Mesh
  # ID post-install.
  #
  # If the mesh admin does not specify a value, Istio will use the value of the
  # mesh's Trust Domain. The best practice is to select a proper Trust Domain
  # value.
  meshID: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1.  This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0.  If this behavior is desired, set the value below to REGISTRY_ONLY.
  # REGISTRY_ONLY is the more restrictive egress posture: unregistered destinations are blocked,
  # at the cost of declaring a ServiceEntry for each external service the mesh needs.
  outboundTrafficPolicy:
    mode: ALLOW_ANY

  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config

  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  defaultConfigVisibilitySettings: []
  # - '*'
  # presumably skips generating the sidecar injector ConfigMap when true — verify in the chart templates.
  omitSidecarInjectorConfigMap: false
  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: false
    udsPath: ""
    # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
    # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
    # JWT is intended for the CA.
    token:
      aud: istio-ca

  sts:
    # The service port used by Security Token Service (STS) server to handle token exchange requests.
    # Setting this port to a non-zero value enables STS server.
    servicePort: 0

  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (only
  # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  # it still needs to be configured manually).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
  #       port: 443
  #
  meshNetworks: {}

  # Network defines the network this cluster belongs to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""

  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Please set either failover or distribute configuration but not both.
  #
  # localityLbSetting:
  #   enabled: true
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   enabled: true
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east
  localityLbSetting:
    enabled: true

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false

  # Configures DNS certificates provisioned through Chiron linked into Pilot.
  # The DNS names in this file are all hard-coded; please ensure the namespaces
  # in dnsNames are consistent with those of your services.
  # Example:
  # certificates:
  #   - secretName: dns.istiod-service-account
  #     dnsNames: [istiod.istio-system.svc, istiod.istio-system]
  certificates: []

  # Configure whether Operator manages webhook configurations. The current behavior
  # of Istiod is to manage its own webhook configurations.
  # When this option is set as true, Istio Operator, instead of webhooks, manages the
  # webhook configurations. When this option is set as false, webhooks manage their
  # own webhook configurations.
  operatorManageWebhooks: false

  # Settings for remote cluster.
  createRemoteSvcEndpoints: false

  # configure remote pilot and istiod service and endpoint
  remotePolicyAddress: ""
  remotePilotAddress: ""
  remoteTelemetryAddress: ""

  # Configure the certificate provider for control plane communication.
  # Currently, two providers are supported: "kubernetes" and "istiod".
  # As some platforms may not have kubernetes signing APIs,
  # Istiod is the default
  pilotCertProvider: istiod

  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  # NOTE(review): "third-party-jwt" relies on projected, audience-bound service account tokens and is
  # the stronger option; only fall back to "first-party-jwt" on clusters that cannot issue such tokens.
  # Confirm the exact requirements against the Istio docs for this version.
  jwtPolicy: "third-party-jwt"

# Internal setting - used when generating helm templates for kustomize.
# clusterResources controls the inclusion of cluster-wide resources when generating the charts/installing.
# For backward compat, it is set to 'true', resulting in the old-style installation.
# When set to 'false', all cluster-wide resources will be omitted, and are expected to be installed
# at the same time with the CRDs.
clusterResources: true

# Version is set as 'version' label and part of the resource names when installing.
# It is used to support multiple versions in the same namespace, similar to normal app traffic shifting.
# Kept as a quoted string so a value like "1.10" is not parsed as a float.
version: ""

# Mesh-wide configuration; presumably rendered into the mesh config map by the templates — verify.
meshConfig:
  enablePrometheusMerge: false
  defaultConfig:
    proxyMetadata: {}
    tracing:
      # TLS settings for the proxy's connection to the tracing backend.
      tlsSettings:
        # DISABLE sends spans without TLS; use SIMPLE/MUTUAL/ISTIO_MUTUAL for a remote collector.
        mode: DISABLE  # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
        # Bare keys below parse as null; set them when a TLS mode other than DISABLE is chosen.
        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
        privateKey:        # example: /etc/istio/tracer/key.pem
        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
        sni:               # example: tracer.somedomain
        subjectAltNames: []
        # - tracer.somedomain
