# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. # For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. defaults: #.Values.pilot for discovery and mesh wide config ## Discovery Settings pilot: autoscaleEnabled: true autoscaleMin: 1 autoscaleMax: 5 autoscaleBehavior: {} replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% hub: "" tag: "" variant: "" # Can be a full hub/image:tag image: pilot traceSampling: 1.0 # Resources for a small pilot install resources: requests: cpu: 500m memory: 2048Mi # Set to `type: RuntimeDefault` to use the default profile if available. seccompProfile: {} # Whether to use an existing CNI installation cni: enabled: false provider: default # Additional container arguments extraContainerArgs: [] env: {} # Settings related to the untaint controller # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes taint: # Controls whether or not the untaint controller is active enabled: false # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod namespace: "" affinity: {} tolerations: [] cpu: targetAverageUtilization: 80 memory: {} # targetAverageUtilization: 80 # Additional volumeMounts to the istiod container volumeMounts: [] # Additional volumes to the istiod pod volumes: [] nodeSelector: {} podAnnotations: {} serviceAnnotations: {} serviceAccountAnnotations: {} topologySpreadConstraints: [] # You can use jwksResolverExtraRootCA to provide a root certificate # in PEM format. This will then be trusted by pilot when resolving # JWKS URIs. jwksResolverExtraRootCA: "" # The following is used to limit how long a sidecar can be connected # to a pilot. It balances out load across pilot instances at the cost of # increasing system churn. keepaliveMaxServerConnectionAge: 30m # Additional labels to apply to the deployment. deploymentLabels: {} ## Mesh config settings # Install the mesh config map, generated from values.yaml. # If false, pilot wil use default values (by default) or user-supplied values. configMap: true # Additional labels to apply on the pod level for monitoring and logging configuration. podLabels: {} # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ipFamilyPolicy: "" ipFamilies: [] # Ambient mode only. # Set this if you install ztunnel to a different namespace from `istiod`. # If set, `istiod` will allow connections from trusted node proxy ztunnels # in the provided namespace. # If unset, `istiod` will assume the trusted node proxy ztunnel resides # in the same namespace as itself. trustedZtunnelNamespace: "" sidecarInjectorWebhook: # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # always skip the injection on pods that match that label selector, regardless of the global policy. # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions neverInjectSelector: [] alwaysInjectSelector: [] # injectedAnnotations are additional annotations that will be added to the pod spec after injection # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: # # annotations: # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default # # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: # injectedAnnotations: # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default injectedAnnotations: {} # This enables injection of sidecar in all namespaces, # with the exception of namespaces with "istio-injection:disabled" annotation # Only one environment should have this enabled. enableNamespacesByDefault: false # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. reinvocationPolicy: Never rewriteAppHTTPProbe: true # Templates defines a set of custom injection templates that can be used. For example, defining: # # templates: # hello: | # metadata: # labels: # hello: world # # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod # being injected with the hello=world labels. # This is intended for advanced configuration only; most users should use the built in template templates: {} # Default templates specifies a set of default templates that are used in sidecar injection. # By default, a template `sidecar` is always provided, which contains the template of default sidecar. # To inject other additional templates, define it using the `templates` option, and add it to # the default templates list. # For example: # # templates: # hello: | # metadata: # labels: # hello: world # # defaultTemplates: ["sidecar", "hello"] defaultTemplates: [] istiodRemote: # Sidecar injector mutating webhook configuration clientConfig.url value. # For example: https://$remotePilotAddress:15017/inject # The host should not refer to a service running in the cluster; use a service reference by specifying # the clientConfig.service field instead. injectionURL: "" # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. # Override to pass env variables, for example: /inject/cluster/remote/net/network2 injectionPath: "/inject" injectionCABundle: "" telemetry: enabled: true v2: # For Null VM case now. # This also enables metadata exchange. enabled: true # Indicate if prometheus stats filter is enabled or not prometheus: enabled: true # stackdriver filter settings. stackdriver: enabled: false # Revision is set as 'version' label and part of the resource names when installing multiple control planes. revision: "" # Revision tags are aliases to Istio control plane revisions revisionTags: [] # For Helm compatibility. ownerName: "" # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options meshConfig: enablePrometheusMerge: true experimental: stableValidationPolicy: false global: # Used to locate istiod. istioNamespace: istio-system # List of cert-signers to allow "approve" action in the istio cluster role # # certSigners: # - clusterissuers.cert-manager.io/istio-ca certSigners: [] # enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. defaultPodDisruptionBudget: enabled: true # The values aren't mutable due to a current PodDisruptionBudget limitation # minAvailable: 1 # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). # Each component can overwrite these default values by adding its own resources # block in the relevant section below and setting the desired resources values. defaultResources: requests: cpu: 10m # memory: 128Mi # limits: # cpu: 100m # memory: 128Mi # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. tag: 1.23.0 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. imagePullPolicy: "" # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. # Must be set for any cluster configured with private docker registry. imagePullSecrets: [] # - private-registry-key # Enabled by default in master for maximising testing. istiod: enableAnalysis: false # To output all istio components logs in json format by adding --log_as_json argument to each container argument logAsJson: false # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: # The control plane has different scopes depending on component, but can configure default log level across all components # If empty, default scope and level will be used as configured in code logging: level: "default:info" omitSidecarInjectorConfigMap: false # Configure whether Operator manages webhook configurations. The current behavior # of Istiod is to manage its own webhook configurations. # When this option is set as true, Istio Operator, instead of webhooks, manages the # webhook configurations. When this option is set as false, webhooks manage their # own webhook configurations. operatorManageWebhooks: false # Custom DNS config for the pod to resolve names of services in other # clusters. Use this to add additional search domains, and other settings. # see # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config # This does not apply to gateway pods as they typically need a different # set of DNS settings than the normal application pods (e.g., in # multicluster scenarios). # NOTE: If using templates, follow the pattern in the commented example below. #podDNSSearchNamespaces: #- global #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods # will not be killed because of low priority class. # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass # for more detail. priorityClassName: "" proxy: image: proxyv2 # This controls the 'policy' in the sidecar injector. autoInject: enabled # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value # cluster domain. Default value is "cluster.local". clusterDomain: "cluster.local" # Per Component log level for proxy, applies to gateways and sidecars. If a component level is # not set, then the global "logLevel" will be used. componentLogLevel: "misc:error" # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false # istio ingress capture allowlist # examples: # Redirect only selected ports: --includeInboundPorts="80,8080" excludeInboundPorts: "" includeInboundPorts: "*" # istio egress capture allowlist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" # would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar includeIPRanges: "*" excludeIPRanges: "" includeOutboundPorts: "" excludeOutboundPorts: "" # Log level for proxy, applies to gateways and sidecars. # Expected values are: trace|debug|info|warning|error|critical|off logLevel: warning # Specify the path to the outlier event log. # Example: /dev/stdout outlierLogPath: "" #If set to true, istio-proxy container will have privileged securityContext privileged: false # The number of successive failed probes before indicating readiness failure. readinessFailureThreshold: 4 # The initial delay for readiness probes in seconds. readinessInitialDelaySeconds: 0 # The period between readiness probes. readinessPeriodSeconds: 15 # Enables or disables a startup probe. # For optimal startup times, changing this should be tied to the readiness probe values. # # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), # and doesn't spam the readiness endpoint too much # # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. startupProbe: enabled: true failureThreshold: 600 # 10 minutes # Resources for the sidecar. resources: requests: cpu: 100m memory: 128Mi limits: cpu: 2000m memory: 1024Mi # Default port for Pilot agent health checks. A value of 0 will disable health checking. statusPort: 15020 # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. tracer: "none" proxy_init: # Base name for the proxy_init container, used to configure iptables. image: proxyv2 # configure remote pilot and istiod service and endpoint remotePilotAddress: "" ############################################################################################## # The following values are found in other charts. To effectively modify these values, make # # make sure they are consistent across your Istio helm charts # ############################################################################################## # The customized CA address to retrieve certificates for the pods in the cluster. # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. # If not set explicitly, default to the Istio discovery address. caAddress: "" # Configure a remote cluster data plane controlled by an external istiod. # When set to true, istiod is not deployed locally and only a subset of the other # discovery charts are enabled. externalIstiod: false # Configure a remote cluster as the config cluster for an external istiod. configCluster: false # configValidation enables the validation webhook for Istio configuration. configValidation: true # Mesh ID means Mesh Identifier. It should be unique within the scope where # meshes will interact with each other, but it is not required to be # globally/universally unique. For example, if any of the following are true, # then two meshes must have different Mesh IDs: # - Meshes will have their telemetry aggregated in one place # - Meshes will be federated together # - Policy will be written referencing one mesh from the other # # If an administrator expects that any of these conditions may become true in # the future, they should ensure their meshes have different Mesh IDs # assigned. # # Within a multicluster mesh, each cluster must be (manually or auto) # configured to have the same Mesh ID value. If an existing cluster 'joins' a # multicluster mesh, it will need to be migrated to the new mesh ID. Details # of migration TBD, and it may be a disruptive operation to change the Mesh # ID post-install. # # If the mesh admin does not specify a value, Istio will use the value of the # mesh's Trust Domain. The best practice is to select a proper Trust Domain # value. meshID: "" # Configure the mesh networks to be used by the Split Horizon EDS. # # The following example defines two networks with different endpoints association methods. # For `network1` all endpoints that their IP belongs to the provided CIDR range will be # mapped to network1. The gateway for this network example is specified by its public IP # address and port. # The second network, `network2`, in this example is defined differently with all endpoints # retrieved through the specified Multi-Cluster registry being mapped to network2. The # gateway is also defined differently with the name of the gateway service on the remote # cluster. The public IP for the gateway will be determined from that remote service (only # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, # it still need to be configured manually). # # meshNetworks: # network1: # endpoints: # - fromCidr: "192.168.0.1/24" # gateways: # - address: 1.1.1.1 # port: 80 # network2: # endpoints: # - fromRegistry: reg1 # gateways: # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local # port: 443 # meshNetworks: {} # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. mountMtlsCerts: false multiCluster: # Set to true to connect two kubernetes clusters via their respective # ingressgateway services when pods in each cluster cannot directly # talk to one another. All clusters should be using Istio mTLS and must # have a shared root CA for this model to work. enabled: false # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection # to properly label proxies clusterName: "" # Network defines the network this cluster belong to. This name # corresponds to the networks in the map of mesh networks. network: "" # Configure the certificate provider for control plane communication. # Currently, two providers are supported: "kubernetes" and "istiod". # As some platforms may not have kubernetes signing APIs, # Istiod is the default pilotCertProvider: istiod sds: # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the # JWT is intended for the CA. token: aud: istio-ca sts: # The service port used by Security Token Service (STS) server to handle token exchange requests. # Setting this port to a non-zero value enables STS server. servicePort: 0 # The name of the CA for workload certificates. # For example, when caName=GkeWorkloadCertificate, GKE workload certificates # will be used as the certificates for workloads. # The default value is "" and when caName="", the CA will be configured by other # mechanisms (e.g., environmental variable CA_PROVIDER). caName: "" # whether to use autoscaling/v2 template for HPA settings # for internal usage only, not to be configured by users. autoscalingv2API: true base: # For istioctl usage to disable istio config crds in base enableIstioConfigCRDs: true # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead istio_cni: # `chained` has been deprecated and will be removed in a future release. use `provider` instead chained: true provider: default # Gateway Settings gateways: # Define the security context for the pod. # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. securityContext: {} # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it seccompProfile: {}