Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
namespace: istio-system
name: istiocontrolplane
# https://istio.io/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
spec:
# see profiles on https://istio.io/docs/setup/additional-setup/config-profiles/
profile: demo
tag: 1.5.2
hub: docker.io/istio
namespace: istio-system
# Make sure no sidecar is ever injected for CronJobs for PostgreSQL backups.
# Use it as a placeholder for other workloads requiring this behaviour.
components:
sidecarInjector:
spec:
neverInjectSelector:
matchExpressions:
- {key: application, operator: In, values: [spilo-logical-backup]}
# https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig
# meshConfig:
# disablePolicyChecks: true
# connectTimeout: 10s
# enableTracing: true
# enableEnvoyAccessLogService: true
# outboundTrafficPolicy:
# mode: ALLOW_ANY
# enableAutoMtls: false
# Used for customized values not belonging to the official Istio.
unvalidatedValues:
k8s:
host: {{ .Values.k8s.host }}
vault:
host: {{ .Values.vault.address }}
values:
# https://istio.io/docs/reference/config/installation-options/#global-options
global:
sds:
enabled: true
# https://istio.io/docs/reference/config/installation-options/#kiali-options
kiali:
enabled: true
tag: v1.18.1
createDemoSecret: true
contextPath: /kiali
dashboard:
auth:
strategy: login # Can be anonymous, login, or openshift
secretName: kiali # You must create a secret with this name - one is not provided out-of-box.
grafanaURL: 'https://{{ .Values.k8s.host }}/istio/grafana'
jaegerURL: 'https://tracing.{{ .Values.k8s.host }}'
viewOnlyMode: false # Bind the service account to a role with only read access
# prometheusAddr: http://prometheus-server.monitoring:80
# https://istio.io/docs/reference/config/installation-options/#grafana-options
grafana:
enabled: true
env:
GF_SERVER_ROOT_URL: 'https://{{ .Values.k8s.host }}/istio/grafana'
# This requires a Secret in place.
security:
enabled: true
secretName: grafana
usernameKey: username
passphraseKey: passphrase
# https://istio.io/docs/reference/config/installation-options/#prometheus-options
prometheus:
enabled: true
retention: 6h
scrapeInterval: 15s
security:
enabled: true
# https://istio.io/docs/reference/config/installation-options/#tracing-options
tracing:
enabled: true
jaeger:
resources:
requests:
cpu: 256m
memory: 512m
ephemeral-storage: 1Mi
# https://istio.io/docs/reference/config/installation-options/#gateways-options
gateways:
enabled: true
istio-ingressgateway:
enabled: true
autoscaleEnabled: true
autoscaleMin: 3
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 4096Mi
type: NodePort
ports:
## You can add custom gateway ports
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15020
targetPort: 15020
name: status-port
- port: 80
targetPort: 80
name: http2
nodePort: 30500
- port: 443
targetPort: 443
name: https2
nodePort: 31381
- port: 444
targetPort: 444
name: https
nodePort: 31380
- name: tls
port: 15443
targetPort: 15443
sds:
enabled: true
istio-egressgateway:
enabled: true
# https://istio.io/docs/reference/config/installation-options/#pilot-options
pilot:
autoscaleEnabled: true
autoscaleMin: 3
traceSampling: 100.0
# This makes liveness check work even when mTLS is enabled.
sidecarInjectorWebhook:
rewriteAppHTTPProbe: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment