Created
December 4, 2018 01:30
Istio helm install custom values
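# Common settings.
# Nesting below was restored from a flattened listing to the Istio Helm chart
# layout (global.proxy, global.mtls, global.defaultResources); verify it
# against the chart version in use.
global:
  proxy:
    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other
    # outbound traffic would be allowed by the sidecar
    #
    # NOTE(review): traffic to any destination outside these ranges bypasses
    # the sidecar, so mesh policy and telemetry are not applied to it. Egress
    # restrictions for such traffic have to come from elsewhere (for example
    # Kubernetes NetworkPolicy or cloud network controls) until the TODO below
    # is done.
    # TODO configure native Istio ServiceEntry and get rid of this - https://istio.io/docs/tasks/traffic-management/egress/#configuring-istio-external-services
    includeIPRanges: "10.2.0.0/16,10.3.0.0/16"  # pod and service CIDR for our kube-aws clusters
    excludeIPRanges: ""

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # TODO enable once services are migrated to use mTLS
    # ref https://preliminary.istio.io/docs/concepts/security/#permissive-mode
    # NOTE(review): while this is false, mutual TLS is not the mesh default, so
    # service-to-service traffic is neither encrypted nor peer-authenticated
    # unless a narrower policy turns it on. Track the migration to completion.
    enabled: false

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 100m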
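#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specific gateway by setting the `enabled` to false.
#
# Nesting restored from a flattened listing; verify the key placement against
# the chart version in use.
gateways:
  istio-ingressgateway:
    autoscaleMin: 2
    serviceAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Local keeps the client source address on traffic reaching the gateway
    # pods, which source-IP based rules and access logs depend on.
    externalTrafficPolicy: Local
  istio-egressgateway:
    # NOTE(review): with the egress gateway off there is no dedicated mesh exit
    # point where outbound traffic can be restricted or logged; confirm that
    # outbound control is handled at another layer.
    enabled: false  # use cases on https://istio.io/docs/examples/advanced-egress/egress-gateway/#use-case but not valid for us
    autoscaleMin: 2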
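#
# mixer configuration
#
# Nesting restored from a flattened listing: `resources`, `istio-policy` and
# `istio-telemetry` are placed under `mixer` — verify against the chart version
# in use.
mixer:
  resources:
    requests:
      cpu: 300m
  # Two replicas minimum for each Mixer deployment.
  istio-policy:
    autoscaleMin: 2
  istio-telemetry:
    autoscaleMin: 2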
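#
# pilot configuration
#
pilot:
  autoscaleMin: 2
  # 100.0 samples every request.
  # NOTE(review): confirm this is intended beyond initial rollout; full
  # sampling increases load on the tracing backend, and span data may include
  # request details that need the same access control as application logs.
  traceSampling: 100.0  # 0.0 to 100.0 with a precision of 0.01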
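# Bundled Prometheus is switched off here; the original note records that
# Kiali depends on it.
prometheus:
  enabled: false  # required by kiali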
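# Tracing with a Jaeger UI exposed through a Traefik ingress.
# Nesting restored from a flattened listing; verify against the chart version
# in use. The ${...} values are presumably substituted before this file is
# handed to helm — confirm, since helm itself does not expand them.
tracing:
  enabled: true
  jaeger:
    ingress:
      enabled: true
      # Used to create an Ingress record.
      hosts:
        - "jaeger.${APP_DOMAIN_NAME}"
      annotations:
        kubernetes.io/ingress.class: traefik
        # The source-range list is the only access control for the Jaeger UI
        # visible in this file; an empty or unset variable changes the
        # effective list, so check the rendered value before applying.
        traefik.ingress.kubernetes.io/whitelist-source-range: "${IP_HK_OFFICE_CIDR}, ${IP_PL_OFFICE_CIDR}, ${IP_PL_OFFICE_2_CIDR}, ${IP_BASTION_1_CIDR}, ${IP_BASTION_2_CIDR}, ${IP_BASTION_3_CIDR}"
        # Makes Traefik match the list against the X-Forwarded-For header
        # instead of the connection's remote address.
        # NOTE(review): that header is client-supplied unless a trusted proxy
        # in front of Traefik overwrites it. Keep this only if such a proxy
        # exists and Traefik accepts forwarded headers from it alone (entry
        # point forwardedHeaders trustedIPs); otherwise match on the remote
        # address.
        ingress.kubernetes.io/whitelist-x-forwarded-for: 'true'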
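# Kiali dashboard is not deployed.
kiali:
  enabled: false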
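# Certmanager uses ACME to sign certificates. Since Istio gateways are
# mounting the TLS secrets the Certificate CRDs must be created in the
# istio-system namespace. Once the certificate has been created, the
# gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates.
certmanager:
  enabled: true
  # Pinned image tag. NOTE(review): re-check this pin whenever the chart is
  # upgraded so the certificate issuer does not lag behind on fixes.
  tag: v0.5.2
  # Contact address for the ACME account (domain obfuscated by the author).
  email: ops+lets-encrypt@obfuscated.com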