Skip to content

Instantly share code, notes, and snippets.

@Stocco
Created Oct 16, 2018
Embed
What would you like to do?
# Common settings.
global:
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.0.0
# Gateway used for legacy k8s Ingress resources. By default it is
# using 'istio:ingress', to match 0.8 config. It requires that
# ingress.enabled is set to true. You can also set it
# to ingressgateway, or any other gateway you define in the 'gateway'
# section.
k8sIngressSelector: ingress
# k8sIngressHttps will add port 443 on the ingress and ingressgateway.
# It REQUIRES that the certificates are installed in the
# expected secrets - enabling this option without certificates
# will result in LDS rejection and the ingress will not work.
k8sIngressHttps: false
proxy:
image: proxyv2
# Resources for the sidecar.
resources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Configures the access log for each sidecar. Setting it to an empty string will
# disable access log for sidecar.
accessLogFile: "/dev/stdout"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio egress capture whitelist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
# istio ingress capture whitelist
# examples:
# Redirect no inbound traffic to Envoy: --includeInboundPorts=""
# Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
# Redirect only selected ports: --includeInboundPorts="80,8080"
includeInboundPorts: "*"
excludeInboundPorts: ""
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Can also be disabled (e.g. when Mixer is not installed).
envoyStatsd:
enabled: true
host: istio-statsd-prom-bridge
port: 9125
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxy_init
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
# TODO: Switch to Always as default, and override in the local tests.
imagePullPolicy: IfNotPresent
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
# disablePolicyChecks disables mixer policy checks.
# Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
disablePolicyChecks: false
# EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
enableTracing: true
# Default mtls policy. If true, mtls between services will be enabled by default.
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any clustser configured with privte docker registry.
imagePullSecrets:
# - private-registry-key
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Whether to perform server-side validation of configuration.
configValidation: true
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
meshExpansionILB: false
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Not recommended for user to configure this. Hyperkube image to use when creating custom resources
hyperkube:
hub: quay.io/coreos
tag: v1.7.6_coreos.0
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low prioroty class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
# Include the crd definition when generating the template.
# For 'helm template' and helm install > 2.10 it should be true.
# For helm < 2.9, crds must be installed ahead of time with
# 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
# and this options must be set off.
crds: true
#
# ingress configuration
#
ingress:
enabled: true
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
service:
annotations: {}
loadBalancerIP: ""
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
ports:
- port: 80
name: http
nodePort: 32000
- port: 443
name: https
targetPort: 80
selector:
istio: ingress
#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specifc gateway by setting the `enabled` to false.
#
gateways:
enabled: true
istio-ingressgateway:
enabled: true
labels:
app: istio-ingressgateway
istio: ingressgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
#requests:
# cpu: 1800m
# memory: 256Mi
loadBalancerIP: ""
serviceAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
ports:
## You can add custom gateway ports
- port: 80
targetPort: 80
name: http2
- port: 443
name: https
targetPort: 80
- port: 31400
name: tcp
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
# Telemetry-related ports are enabled in gateway - but will only redirect if
# the gateway configration for the various components are enabled.
- port: 15030
targetPort: 15030
name: http2-prometheus
- port: 15031
targetPort: 15031
name: http2-grafana
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
istio-egressgateway:
enabled: true
labels:
app: istio-egressgateway
istio: egressgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
serviceAnnotations: {}
type: ClusterIP #change to NodePort or LoadBalancer if need be
ports:
- port: 80
name: http2
- port: 443
name: https
secretVolumes:
- name: egressgateway-certs
secretName: istio-egressgateway-certs
mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-ca-certs
secretName: istio-egressgateway-ca-certs
mountPath: /etc/istio/egressgateway-ca-certs
# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
# as non-mtls ports to support upgrades and gradual transition.
istio-ilbgateway:
enabled: false
labels:
app: istio-ilbgateway
istio: ilbgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources:
requests:
cpu: 800m
memory: 512Mi
#limits:
# cpu: 1800m
# memory: 256Mi
loadBalancerIP: ""
serviceAnnotations:
cloud.google.com/load-balancer-type: "internal"
type: LoadBalancer
ports:
## You can add custom gateway ports - google ILB default quota is 5 ports,
- port: 15011
name: grpc-pilot-mtls
# Insecure port - only for migration from 0.8. Will be removed in 1.1
- port: 15010
name: grpc-pilot
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
# Port 5353 is forwarded to kube-dns
- port: 5353
name: tcp-dns
secretVolumes:
- name: ilbgateway-certs
secretName: istio-ilbgateway-certs
mountPath: /etc/istio/ilbgateway-certs
- name: ilbgateway-ca-certs
secretName: istio-ilbgateway-ca-certs
mountPath: /etc/istio/ilbgateway-ca-certs
#
# sidecar-injector webhook configuration
#
sidecarInjectorWebhook:
enabled: true
replicaCount: 1
image: sidecar_injector
enableNamespacesByDefault: false
#
# galley configuration
#
galley:
enabled: true
replicaCount: 1
image: galley
#
# mixer configuration
#
mixer:
enabled: true
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
image: mixer
istio-policy:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
istio-telemetry:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
prometheusStatsdExporter:
hub: docker.io/prom
tag: v0.6.0
#
# pilot configuration
#
pilot:
enabled: true
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 1
image: pilot
sidecar: true
traceSampling: 100.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
#
# security configuration
#
security:
replicaCount: 1
image: citadel
selfSigned: true # indicate if self-signed CA is used.
#
# addons configuration
#
telemetry-gateway:
gatewayName: ingressgateway
grafanaEnabled: true
prometheusEnabled: true
grafana:
enabled: true
replicaCount: 1
image: grafana
security:
enabled: true
adminUser: admin
adminPassword: admin
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 3000
internalPort: 3000
prometheus:
enabled: true
replicaCount: 1
hub: docker.io/prom
tag: v2.3.1
service:
annotations: {}
nodePort:
enabled: false
port: 32090
servicegraph:
enabled: true
replicaCount: 1
image: servicegraph
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 8088
internalPort: 8088
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- servicegraph.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: servicegraph-tls
# hosts:
# - servicegraph.local
# prometheus addres
prometheusAddr: http://prometheus:9090
tracing:
enabled: true
provider: jaeger
jaeger:
hub: docker.io/jaegertracing
tag: 1.5
memory:
max_traces: 50000
ui:
port: 16686
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- jaeger.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: jaeger-tls
# hosts:
# - jaeger.local
replicaCount: 1
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 9411
internalPort: 9411
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- tracing.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: tracing-tls
# hosts:
# - tracing.local
kiali:
enabled: true
replicaCount: 1
hub: docker.io/kiali
tag: latest@sha256:3122cd0a5e11c408f10ff22133b636ecd09c9f116368c5586c36dfe5050a121c
ingress:
enabled: false
## Used to create an Ingress record.
# hosts:
# - kiali.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: kiali-tls
# hosts:
# - kiali.local
dashboard:
username: admin
# Default admin passphrase for kiali. Must be set during setup, and
# changed by overriding the secret
passphrase: admin
# Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs
# grafanaURL:
# Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs
# jaegerURL:
# Certmanager uses ACME to sign certificates. Since Istio gateways are
# mounting the TLS secrets the Certificate CRDs must be created in the
# istio-system namespace. Once the certificate has been created, the
# gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates.
certmanager:
enabled: false
hub: quay.io/jetstack
tag: v0.3.1
resources: {}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment