istio
302 строки · 12.4 Кб
1defaults:2# Standalone istio egress gateway.3# Should be installed in a separate namespace, to minimize access to config4gateways:5istio-egressgateway:6name: istio-egressgateway7ports:8- port: 809targetPort: 808010name: http211protocol: TCP12- port: 44313name: https14targetPort: 844315protocol: TCP16labels:18app: istio-egressgateway19istio: egressgateway20# Scalability tuning22# replicaCount: 123rollingMaxSurge: 100%24rollingMaxUnavailable: 25%25autoscaleEnabled: true26autoscaleMin: 127autoscaleMax: 528resources:29requests:30cpu: 100m31memory: 128Mi32limits:33cpu: 2000m34memory: 1024Mi35cpu:36targetAverageUtilization: 8037memory: {}38# targetAverageUtilization: 8039serviceAnnotations: {}41podAnnotations: {}42type: ClusterIP # change to NodePort or LoadBalancer if need be43# Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services45ipFamilyPolicy: ""46ipFamilies: []47secretVolumes:49- name: egressgateway-certs50secretName: istio-egressgateway-certs51mountPath: /etc/istio/egressgateway-certs52- name: egressgateway-ca-certs53secretName: istio-egressgateway-ca-certs54mountPath: /etc/istio/egressgateway-ca-certs55configVolumes: []57additionalContainers: []58serviceAccount:60# Annotations to add to the service account61annotations: {}62### Advanced options ############64# TODO: convert to real options, env should not be exposed65env: {}66# Set this to "external" if and only if you want the egress gateway to67# act as a transparent SNI gateway that routes mTLS/TLS traffic to68# external services defined using service entries, where the service69# entry has resolution set to DNS, has one or more endpoints with70# network field set to "external". By default its set to "" so that71# the egress gateway sees the same set of endpoints as the sidecars72# preserving backward compatibility73# ISTIO_META_REQUESTED_NETWORK_VIEW: ""74nodeSelector: {}76tolerations: []77# Specify the pod anti-affinity that allows you to constrain which nodes79# your pod is eligible to be scheduled based on labels on pods that are80# already running on the node rather than based on labels on nodes.81# There are currently two types of anti-affinity:82# "requiredDuringSchedulingIgnoredDuringExecution"83# "preferredDuringSchedulingIgnoredDuringExecution"84# which denote "hard" vs. "soft" requirements, you can define your values85# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"86# correspondingly.87# For example:88# podAntiAffinityLabelSelector:89# - key: security90# operator: In91# values: S1,S292# topologyKey: "kubernetes.io/hostname"93# This pod anti-affinity rule says that the pod requires not to be scheduled94# onto a node if that node is already running a pod with label having key95# "security" and value "S1".96podAntiAffinityLabelSelector: []97podAntiAffinityTermLabelSelector: []98# whether to run the gateway in a privileged container100runAsRoot: false101# The injection template to use for the gateway. If not set, no injection will be performed.103injectionTemplate: ""104# Revision is set as 'version' label and part of the resource names when installing multiple control planes.106revision: ""107# For Helm compatibility.109ownerName: ""110global:112# set the default set of namespaces to which services, service entries, virtual services, destination113# rules should be exported to. Currently only one value can be provided in this list. This value114# should be one of the following two options:115# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.116# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host117defaultConfigVisibilitySettings: []118# Default node selector to be applied to all deployments so that all pods can be120# constrained to run a particular nodes. Each component can overwrite these default121# values by adding its node selector block in the relevant section below and setting122# the desired values.123defaultNodeSelector: {}124# enable pod disruption budget for the control plane, which is used to126# ensure Istio control plane components are gradually upgraded or recovered.127defaultPodDisruptionBudget:128enabled: true129# A minimal set of requested resources to applied to all deployments so that131# Horizontal Pod Autoscaler will be able to function (if set).132# Each component can overwrite these default values by adding its own resources133# block in the relevant section below and setting the desired resources values.134defaultResources:135requests:136cpu: 10m137# memory: 128Mi138# limits:139# cpu: 100m140# memory: 128Mi141# Default node tolerations to be applied to all deployments so that all pods can be143# scheduled to a particular nodes with matching taints. Each component can overwrite144# these default values by adding its tolerations block in the relevant section below145# and setting the desired values.146# Configure this field in case that all pods of Istio control plane are expected to147# be scheduled to particular nodes with specified taints.148defaultTolerations: []149# Default hub for Istio images.151# Releases are published to docker hub under 'istio' project.152# Dev builds from prow are on gcr.io153hub: gcr.io/istio-testing154# Default tag for Istio images.156tag: latest157# Specify image pull policy if default behavior isn't desired.159# Default behavior: latest images will be Always else IfNotPresent.160imagePullPolicy: ""161# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace163# to use for pulling any images in pods that reference this ServiceAccount.164# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)165# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.166# Must be set for any cluster configured with private docker registry.167imagePullSecrets: []168# - private-registry-key169# To output all istio components logs in json format by adding --log_as_json argument to each container argument171logAsJson: false172# Specify pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:174# 0 - Never scheduled175# 1 - Least preferred176# 2 - No preference177# 3 - Most preferred178arch: {}179# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>181# The control plane has different scopes depending on component, but can configure default log level across all components182# If empty, default scope and level will be used as configured in code183logging:184level: "default:info"185# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and187# system-node-critical, it is better to configure this in order to make sure your Istio pods188# will not be killed because of low priority class.189# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass190# for more detail.191priorityClassName: ""192proxy:194image: proxyv2195# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value197# cluster domain. Default value is "cluster.local".198clusterDomain: "cluster.local"199# Per Component log level for proxy, applies to gateways and sidecars. If a component level is201# not set, then the global "logLevel" will be used.202componentLogLevel: "misc:error"203# If set, newly injected sidecars will have core dumps enabled.205enableCoreDump: false206# Log level for proxy, applies to gateways and sidecars.208# Expected values are: trace|debug|info|warning|error|critical|off209logLevel: warning210##############################################################################################212# The following values are found in other charts. To effectively modify these values, make #213# make sure they are consistent across your Istio helm charts #214##############################################################################################215# The customized CA address to retrieve certificates for the pods in the cluster.217# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.218caAddress: ""219# Used to locate istiod.221istioNamespace: istio-system222# Mesh ID means Mesh Identifier. It should be unique within the scope where224# meshes will interact with each other, but it is not required to be225# globally/universally unique. For example, if any of the following are true,226# then two meshes must have different Mesh IDs:227# - Meshes will have their telemetry aggregated in one place228# - Meshes will be federated together229# - Policy will be written referencing one mesh from the other230#231# If an administrator expects that any of these conditions may become true in232# the future, they should ensure their meshes have different Mesh IDs233# assigned.234#235# Within a multicluster mesh, each cluster must be (manually or auto)236# configured to have the same Mesh ID value. If an existing cluster 'joins' a237# multicluster mesh, it will need to be migrated to the new mesh ID. Details238# of migration TBD, and it may be a disruptive operation to change the Mesh239# ID post-install.240#241# If the mesh admin does not specify a value, Istio will use the value of the242# mesh's Trust Domain. The best practice is to select a proper Trust Domain243# value.244meshID: ""245# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.247mountMtlsCerts: false248multiCluster:250# Set to true to connect two kubernetes clusters via their respective251# ingressgateway services when pods in each cluster cannot directly252# talk to one another. All clusters should be using Istio mTLS and must253# have a shared root CA for this model to work.254enabled: false255# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection256# to properly label proxies257clusterName: ""258# Network defines the network this cluster belong to. This name260# corresponds to the networks in the map of mesh networks.261network: ""262# Configure the certificate provider for control plane communication.264# Currently, two providers are supported: "kubernetes" and "istiod".265# As some platforms may not have kubernetes signing APIs,266# Istiod is the default267pilotCertProvider: istiod268sds:270# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.271# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the272# JWT is intended for the CA.273token:274aud: istio-ca275sts:277# The service port used by Security Token Service (STS) server to handle token exchange requests.278# Setting this port to a non-zero value enables STS server.279servicePort: 0280# whether to use autoscaling/v2 template for HPA settings282# for internal usage only, not to be configured by users.283autoscalingv2API: true284meshConfig:286enablePrometheusMerge: true287# The trust domain corresponds to the trust root of a system289# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain290trustDomain: "cluster.local"291defaultConfig:293proxyMetadata: {}294tracing:295# tlsSettings:296# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL297# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem298# privateKey: # example: /etc/istio/tracer/key.pem299# caCertificates: # example: /etc/istio/tracer/root-cert.pem300# sni: # example: tracer.somedomain301# subjectAltNames: []302# - tracer.somedomain303