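# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
# NOTE(review): nesting below was rebuilt from a listing whose indentation was lost and whose
# viewer line numbers were fused into the keys; confirm against the upstream profile before use.
meshConfig:
  defaultConfig:
    proxyMetadata:
      # Quoted on purpose: proxy metadata values are strings, not YAML booleans.
      ISTIO_META_ENABLE_HBONE: "true"
# Distroless images ship without a shell or package manager, which reduces what is
# available inside the container after a compromise (and also removes in-container debug tools).
variant: distroless
pilot:
  variant: distroless
  env:
    # Setup more secure default that is off in 'default' only for backwards compatibility
    VERIFY_CERTIFICATE_AT_CLIENT: "true"
    ENABLE_AUTO_SNI: "true"

    PILOT_ENABLE_HBONE: "true"
    # Service accounts (namespace/name) trusted to request workload certificates on behalf of
    # other identities running on the same node. Keep this list minimal, and restrict who can
    # create pods or tokens for these service accounts in the listed namespaces: anything that
    # runs as one of them can obtain certificates for its node's workloads.
    # NOTE(review): keep the kube-system entry only if ztunnel is actually deployed there.
    CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
    PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
    PILOT_ENABLE_AMBIENT_WAYPOINTS: "true"
cni:
  logLevel: info
  ambient:
    enabled: true

  # Default excludes istio-system; it's actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
  # NOTE(review): pods in an excluded namespace are not redirected, so presumably their traffic
  # is not covered by mesh mTLS or authorization policy; keep the exclusion list short.
  excludeNamespaces:
    - kube-system
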
26