hongmengwang/default.yaml

## default.yaml
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  hub: docker.io/istio
  tag: 1.4.3
  defaultNamespace: istio-system

  # Traffic management feature
  trafficManagement:
    enabled: true
    components:
      pilot:
        enabled: true
        k8s:
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          hpaSpec:
            maxReplicas: 5
            minReplicas: 1
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-pilot
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 80
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 5
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

  # Policy feature
  policy:
    enabled: true
    components:
      policy:
        enabled: true
        k8s:
          hpaSpec:
            maxReplicas: 5
            minReplicas: 1
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-policy
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 80
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

  # Telemetry feature
  telemetry:
    enabled: true
    components:
      telemetry:
        enabled: true
        k8s:
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          hpaSpec:
            maxReplicas: 5
            minReplicas: 1
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-telemetry
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 80
          replicaCount: 1
          resources:
            requests:
              cpu: 1000m
              memory: 1G
            limits:
              cpu: 4800m
              memory: 4G
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

  # Security feature
  security:
    enabled: true
    components:
      citadel:
        enabled: true
        k8s:
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"
      certManager:
        enabled: false
      nodeAgent:
        enabled: false

  # Config management feature
  configManagement:
    enabled: true
    components:
      galley:
        enabled: true
        k8s:
          replicaCount: 1
          resources:
            requests:
              cpu: 100m
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

  # Auto injection feature
  autoInjection:
    enabled: true
    components:
      injector:
        enabled: true
        k8s:
          replicaCount: 1
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

  # Istio Gateway feature
  gateways:
    enabled: true
    components:
      ingressGateway:
        enabled: true
        k8s:
          hpaSpec:
            maxReplicas: 5
            minReplicas: 1
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-ingressgateway
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 80
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 2000m
              memory: 1024Mi
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"

      egressGateway:
        enabled: true
        k8s:
          hpaSpec:
            maxReplicas: 5
            minReplicas: 1
            scaleTargetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: istio-egressgateway
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  targetAverageUtilization: 80
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 2000m
              memory: 1024Mi
          strategy:
            rollingUpdate:
              maxSurge: "100%"
              maxUnavailable: "25%"
  # Istio CNI feature
  cni:
    enabled: false

  # Global values passed through to helm global.yaml.
  values:
    global:
      logging:
        level: "default:info"
      logAsJson: false
      k8sIngress:
        enabled: false
        gatewayName: ingressgateway
        enableHttps: false
      proxy:
        image: proxyv2
        clusterDomain: "cluster.local"
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        concurrency: 2
        accessLogFile: ""
        accessLogFormat: ""
        accessLogEncoding: TEXT
        envoyAccessLogService:
          enabled: false
          host: # example: accesslog-service.istio-system
          port: # example: 15000
        logLevel: warning
        componentLogLevel: "misc:error"
        dnsRefreshRate: 300s
        protocolDetectionTimeout: 100ms
        privileged: false
        enableCoreDump: false
        statusPort: 15020
        readinessInitialDelaySeconds: 1
        readinessPeriodSeconds: 2
        readinessFailureThreshold: 30
        includeIPRanges: "*"
        excludeIPRanges: ""
        excludeOutboundPorts: ""
        kubevirtInterfaces: ""
        includeInboundPorts: "*"
        excludeInboundPorts: ""
        autoInject: enabled
        envoyStatsd:
          enabled: false
          host: # example: statsd-svc.istio-system
          port: # example: 9125
        envoyMetricsService:
          enabled: false
          host: # example: metrics-service.istio-system
          port: # example: 15000
          tlsSettings:
            mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
            clientCertificate: # example: /etc/istio/ms/cert-chain.pem
            privateKey:        # example: /etc/istio/ms/key.pem
            caCertificates:    # example: /etc/istio/ms/root-cert.pem
            sni:               # example: ms.somedomain
            subjectAltNames: []
          tcpKeepalive:
            probes: 3
            time: 10s
            interval: 10s
        tracer: "zipkin"
      proxy_init:
        image: proxyv2
        resources:
          limits:
            cpu: 100m
            memory: 50Mi
          requests:
            cpu: 10m
            memory: 10Mi
      imagePullPolicy: IfNotPresent
      certificates: []
      operatorManageWebhooks: false
      controlPlaneSecurityEnabled: true
      disablePolicyChecks: true
      policyCheckFailOpen: false
      enableTracing: true
      tracer:
        lightstep:
          address: ""                # example: lightstep-satellite:443
          accessToken: ""            # example: abcdefg1234567
          secure: true               # example: true|false
          cacertPath: ""             # example: /etc/lightstep/cacert.pem
        zipkin:
          address: ""
        datadog:
          address: "$(HOST_IP):8126"
      mtls:
        enabled: false
        auto: false
      imagePullSecrets: []
      arch:
        amd64: 2
        s390x: 2
        ppc64le: 2
      oneNamespace: false
      defaultNodeSelector: {}
      configValidation: true
      meshExpansion:
        enabled: false
        useILB: false
      multiCluster:
        enabled: false
        clusterName: ""
      omitSidecarInjectorConfigMap: false
      network: ""
      defaultResources:
        requests:
          cpu: 10m
      defaultPodDisruptionBudget:
        enabled: true
      priorityClassName: ""
      useMCP: true
      trustDomain: "cluster.local"
      outboundTrafficPolicy:
        mode: ALLOW_ANY
      sds:
        enabled: false
        udsPath: ""
        token:
          aud: istio-ca
      meshNetworks: {}
      localityLbSetting:
        enabled: true
      enableHelmTest: false
    pilot:
      autoscaleEnabled: true
      autoscaleMin: 1
      autoscaleMax: 5
      replicaCount: 1
      image: pilot
      traceSampling: 1.0
      configNamespace: istio-config
      appNamespaces: []
      env: {}
      cpu:
        targetAverageUtilization: 80
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      keepaliveMaxServerConnectionAge: 30m
      enableProtocolSniffingForOutbound: true
      enableProtocolSniffingForInbound: false
      deploymentLabels:
      meshNetworks:
        networks: {}
      configMap: true
      ingress:
        ingressService: istio-ingressgateway
        ingressControllerMode: "OFF"
        ingressClass: istio
      policy:
        enabled: false
      useMCP: true
    telemetry:
      enabled: true
      v1:
        enabled: true
      v2:
        # For Null VM case now. If enabled, will set disableMixerHttpReports to true and not define mixerReportServer
        # also enable metadata exchange and stats filter.
        enabled: false
        # prometheus stats filter settings.
        prometheus:
          # stats filter would be enabled when telemetry and v2 is enabled.
          enabled: true
        # stackdriver filter settings.
        stackdriver:
          enabled: false
          logging: false
          monitoring: false
          topology: false
          #  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
          configOverride: {}
    mixer:
      adapters:
        stdio:
          enabled: false
          outputAsJson: false
        prometheus:
          enabled: true
          metricsExpiryDuration: 10m
        kubernetesenv:
          enabled: true
        stackdriver:
          enabled: false
          auth:
            appCredentials: false
            apiKey: ""
            serviceAccountPath: ""
          tracer:
            enabled: false
            sampleProbability: 1
        useAdapterCRDs: false

      telemetry:
        image: mixer
        replicaCount: 1
        autoscaleEnabled: true
        sessionAffinityEnabled: false
        loadshedding:
          mode: enforce
          latencyThreshold: 100ms
        reportBatchMaxEntries: 100
        reportBatchMaxTime: 1s
        useMCP: true
        env:
          GOMAXPROCS: "6"
        nodeSelector: {}
        tolerations: []
        podAntiAffinityLabelSelector: []
        podAntiAffinityTermLabelSelector: []

      policy:
        autoscaleEnabled: true
        image: mixer
        sessionAffinityEnabled: false
        adapters:
          kubernetesenv:
            enabled: true
          useAdapterCRDs: false

    galley:
      image: galley
      enableAnalysis: false

    security:
      image: citadel
      selfSigned: true # indicate if self-signed CA is used.
      trustDomain: cluster.local # indicate the domain used in SPIFFE identity URL
      enableNamespacesByDefault: true
      dnsCerts:
        istio-pilot-service-account.istio-control: istio-pilot.istio-control

    certmanager:
      hub: quay.io/jetstack
      tag: v0.6.2
      image: cert-manager-controller

    nodeagent:
      image: node-agent-k8s

    gateways:
      istio-egressgateway:
        autoscaleEnabled: true
        zvpn:
          suffix: global
          enabled: true
        type: ClusterIP
        env:
          ISTIO_META_ROUTER_MODE: "sni-dnat"
        ports:
          - port: 80
            name: http2
          - port: 443
            name: https
          - port: 15443
            targetPort: 15443
            name: tls
        secretVolumes:
          - name: egressgateway-certs
            secretName: istio-egressgateway-certs
            mountPath: /etc/istio/egressgateway-certs
          - name: egressgateway-ca-certs
            secretName: istio-egressgateway-ca-certs
            mountPath: /etc/istio/egressgateway-ca-certs

      istio-ingressgateway:
        autoscaleEnabled: true
        applicationPorts: ""
        debug: info
        domain: ""
        type: LoadBalancer
        zvpn:
          enabled: true
          suffix: global
        sds:
          enabled: false
          image: node-agent-k8s
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 2000m
              memory: 1024Mi
        env:
          ISTIO_META_ROUTER_MODE: "sni-dnat"
        ports:
          - port: 15020
            targetPort: 15020
            name: status-port
          - port: 80
            targetPort: 80
            name: http2
          - port: 443
            name: https
          - port: 15029
            targetPort: 15029
            name: kiali
          - port: 15030
            targetPort: 15030
            name: prometheus
          - port: 15031
            targetPort: 15031
            name: grafana
          - port: 15032
            targetPort: 15032
            name: tracing
          - port: 15443
            targetPort: 15443
            name: tls
        meshExpansionPorts:
          - port: 15011
            targetPort: 15011
            name: tcp-pilot-grpc-tls
          - port: 8060
            targetPort: 8060
            name: tcp-citadel-grpc-tls
          - port: 853
            targetPort: 853
            name: tcp-dns-tls
        secretVolumes:
          - name: ingressgateway-certs
            secretName: istio-ingressgateway-certs
            mountPath: /etc/istio/ingressgateway-certs
          - name: ingressgateway-ca-certs
            secretName: istio-ingressgateway-ca-certs
            mountPath: /etc/istio/ingressgateway-ca-certs

    sidecarInjectorWebhook:
      image: sidecar_injector
      enableNamespacesByDefault: false
      rewriteAppHTTPProbe: false
      selfSigned: false
      injectLabel: istio-injection
      objectSelector:
        enabled: false
        autoInject: true

    prometheus:
      enabled: true
      replicaCount: 1
      hub: docker.io/prom
      tag: v2.12.0
      retention: 6h
      scrapeInterval: 15s
      contextPath: /prometheus
      ingress:
        enabled: false
        hosts:
          - prometheus.local
        annotations:
        tls:
      security:
        enabled: true
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []

    grafana:
      enabled: true
      replicaCount: 1
      image:
        repository: grafana/grafana
        tag: 6.4.3
      persist: false
      storageClassName: ""
      accessMode: ReadWriteMany
      security:
        enabled: false
        secretName: grafana
        usernameKey: username
        passphraseKey: passphrase
      contextPath: /grafana
      service:
        annotations: {}
        name: http
        type: ClusterIP
        externalPort: 3000
        loadBalancerIP:
        loadBalancerSourceRanges:
      ingress:
        enabled: false
        hosts:
          - grafana.local
        annotations:
        tls:
      datasources:
        datasources.yaml:
          apiVersion: 1
          datasources:
      dashboardProviders:
        dashboardproviders.yaml:
          apiVersion: 1
          providers:
            - name: 'istio'
              orgId: 1
              folder: 'istio'
              type: file
              disableDeletion: false
              options:
                path: /var/lib/grafana/dashboards/istio
      nodeSelector: {}
      tolerations: []
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      env: {}
      envSecrets: {}

    tracing:
      enabled: true
      provider: jaeger
      nodeSelector: {}
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      jaeger:
        hub: docker.io/jaegertracing
        tag: "1.14"
        memory:
          max_traces: 50000
        spanStorageType: badger
        persist: false
        storageClassName: ""
        accessMode: ReadWriteMany
      zipkin:
        hub: docker.io/openzipkin
        tag: 2.14.2
        probeStartupDelay: 200
        queryPort: 9411
        resources:
          limits:
            cpu: 300m
            memory: 900Mi
          requests:
            cpu: 150m
            memory: 900Mi
        javaOptsHeap: 700
        maxSpans: 500000
        node:
          cpus: 2
      opencensus:
        hub: docker.io/omnition
        tag: 0.1.9
        resources:
          limits:
            cpu: "1"
            memory: 2Gi
          requests:
            cpu: 200m
            memory: 400Mi
        exporters:
          stackdriver:
            enable_tracing: true
      service:
        annotations: {}
        name: http-query
        type: ClusterIP
        externalPort: 9411
      ingress:
        enabled: false
        hosts:
        annotations:
        tls:
    istiocoredns:
      enabled: false
      coreDNSImage: coredns/coredns
      coreDNSTag: 1.6.2
      coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1

    kiali:
      enabled: true
      replicaCount: 1
      hub: quay.io/kiali
      tag: v1.9
      contextPath: /kiali
      nodeSelector: {}
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      ingress:
        enabled: false
        hosts:
          - kiali.local
        annotations:
        tls:
      dashboard:
        secretName: kiali
        usernameKey: username
        passphraseKey: passphrase
        viewOnlyMode: false
        grafanaURL:
        jaegerURL:
      prometheusNamespace:
      createDemoSecret: false
      security:
        enabled: false
        cert_file: /kiali-cert/cert-chain.pem
        private_key_file: /kiali-cert/key.pem

    # TODO: derive from operator API
    version: ""
    clusterResources: true

## install.sh
#!/bin/bash

# istio env
ISTIO_VERSION=1.4.3
INSTALL_ENV=default

# download istio release version
curl -L https://istio.io/downloadIstio | sh -
cd istio-${ISTIO_VERSION}

# verify installation
bin/istioctl verify-install

# customize installation env
# bin/istioctl manifest apply \
# --set values.global.mtls.auto=true \
# --set values.security.citadelHealthCheck=true \
# --set values.pilot.policy.enabled=true \
# --set values.gateways.istio-egressgateway.enabled=true \
# --set values.gateways.istio-ingressgateway.type=LoadBalancer \
# --set values.global.disablePolicyChecks=false \
# --set values.global.k8sIngress.gatewayName=ingressgateway \
# --set cni.enabled=true \
# --set cni.components.cni.enabled=true \
# --set values.cni.logLevel=info \
# --set values.kiali.enabled=true \
# --set values.grafana.enabled=true \
# --set values.tracing.enabled=true \
# --set profile=default

# install istio by specify env file
bin/istioctl manifest apply -f default.yaml

# delete istio
# bin/istioctl manifest generate -f default.yaml | kubectl delete -f -
	apiVersion: install.istio.io/v1alpha2
	kind: IstioControlPlane
	spec:
	hub: docker.io/istio
	tag: 1.4.3
	defaultNamespace: istio-system

	# Traffic management feature
	trafficManagement:
	enabled: true
	components:
	pilot:
	enabled: true
	k8s:
	env:
	- name: POD_NAME
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: metadata.name
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: metadata.namespace
	hpaSpec:
	maxReplicas: 5
	minReplicas: 1
	scaleTargetRef:
	apiVersion: apps/v1
	kind: Deployment
	name: istio-pilot
	metrics:
	- type: Resource
	resource:
	name: cpu
	targetAverageUtilization: 80
	readinessProbe:
	httpGet:
	path: /ready
	port: 8080
	initialDelaySeconds: 5
	periodSeconds: 30
	timeoutSeconds: 5
	resources:
	requests:
	cpu: 500m
	memory: 2048Mi
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	# Policy feature
	policy:
	enabled: true
	components:
	policy:
	enabled: true
	k8s:
	hpaSpec:
	maxReplicas: 5
	minReplicas: 1
	scaleTargetRef:
	apiVersion: apps/v1
	kind: Deployment
	name: istio-policy
	metrics:
	- type: Resource
	resource:
	name: cpu
	targetAverageUtilization: 80
	env:
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: metadata.namespace
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	# Telemetry feature
	telemetry:
	enabled: true
	components:
	telemetry:
	enabled: true
	k8s:
	env:
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	apiVersion: v1
	fieldPath: metadata.namespace
	- name: GOMAXPROCS
	value: "6"
	hpaSpec:
	maxReplicas: 5
	minReplicas: 1
	scaleTargetRef:
	apiVersion: apps/v1
	kind: Deployment
	name: istio-telemetry
	metrics:
	- type: Resource
	resource:
	name: cpu
	targetAverageUtilization: 80
	replicaCount: 1
	resources:
	requests:
	cpu: 1000m
	memory: 1G
	limits:
	cpu: 4800m
	memory: 4G
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	# Security feature
	security:
	enabled: true
	components:
	citadel:
	enabled: true
	k8s:
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"
	certManager:
	enabled: false
	nodeAgent:
	enabled: false

	# Config management feature
	configManagement:
	enabled: true
	components:
	galley:
	enabled: true
	k8s:
	replicaCount: 1
	resources:
	requests:
	cpu: 100m
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	# Auto injection feature
	autoInjection:
	enabled: true
	components:
	injector:
	enabled: true
	k8s:
	replicaCount: 1
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	# Istio Gateway feature
	gateways:
	enabled: true
	components:
	ingressGateway:
	enabled: true
	k8s:
	hpaSpec:
	maxReplicas: 5
	minReplicas: 1
	scaleTargetRef:
	apiVersion: apps/v1
	kind: Deployment
	name: istio-ingressgateway
	metrics:
	- type: Resource
	resource:
	name: cpu
	targetAverageUtilization: 80
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 2000m
	memory: 1024Mi
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"

	egressGateway:
	enabled: true
	k8s:
	hpaSpec:
	maxReplicas: 5
	minReplicas: 1
	scaleTargetRef:
	apiVersion: apps/v1
	kind: Deployment
	name: istio-egressgateway
	metrics:
	- type: Resource
	resource:
	name: cpu
	targetAverageUtilization: 80
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 2000m
	memory: 1024Mi
	strategy:
	rollingUpdate:
	maxSurge: "100%"
	maxUnavailable: "25%"
	# Istio CNI feature
	cni:
	enabled: false

	# Global values passed through to helm global.yaml.
	values:
	global:
	logging:
	level: "default:info"
	logAsJson: false
	k8sIngress:
	enabled: false
	gatewayName: ingressgateway
	enableHttps: false
	proxy:
	image: proxyv2
	clusterDomain: "cluster.local"
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 2000m
	memory: 1024Mi
	concurrency: 2
	accessLogFile: ""
	accessLogFormat: ""
	accessLogEncoding: TEXT
	envoyAccessLogService:
	enabled: false
	host: # example: accesslog-service.istio-system
	port: # example: 15000
	logLevel: warning
	componentLogLevel: "misc:error"
	dnsRefreshRate: 300s
	protocolDetectionTimeout: 100ms
	privileged: false
	enableCoreDump: false
	statusPort: 15020
	readinessInitialDelaySeconds: 1
	readinessPeriodSeconds: 2
	readinessFailureThreshold: 30
	includeIPRanges: "*"
	excludeIPRanges: ""
	excludeOutboundPorts: ""
	kubevirtInterfaces: ""
	includeInboundPorts: "*"
	excludeInboundPorts: ""
	autoInject: enabled
	envoyStatsd:
	enabled: false
	host: # example: statsd-svc.istio-system
	port: # example: 9125
	envoyMetricsService:
	enabled: false
	host: # example: metrics-service.istio-system
	port: # example: 15000
	tlsSettings:
	mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
	clientCertificate: # example: /etc/istio/ms/cert-chain.pem
	privateKey: # example: /etc/istio/ms/key.pem
	caCertificates: # example: /etc/istio/ms/root-cert.pem
	sni: # example: ms.somedomain
	subjectAltNames: []
	tcpKeepalive:
	probes: 3
	time: 10s
	interval: 10s
	tracer: "zipkin"
	proxy_init:
	image: proxyv2
	resources:
	limits:
	cpu: 100m
	memory: 50Mi
	requests:
	cpu: 10m
	memory: 10Mi
	imagePullPolicy: IfNotPresent
	certificates: []
	operatorManageWebhooks: false
	controlPlaneSecurityEnabled: true
	disablePolicyChecks: true
	policyCheckFailOpen: false
	enableTracing: true
	tracer:
	lightstep:
	address: "" # example: lightstep-satellite:443
	accessToken: "" # example: abcdefg1234567
	secure: true # example: true\|false
	cacertPath: "" # example: /etc/lightstep/cacert.pem
	zipkin:
	address: ""
	datadog:
	address: "$(HOST_IP):8126"
	mtls:
	enabled: false
	auto: false
	imagePullSecrets: []
	arch:
	amd64: 2
	s390x: 2
	ppc64le: 2
	oneNamespace: false
	defaultNodeSelector: {}
	configValidation: true
	meshExpansion:
	enabled: false
	useILB: false
	multiCluster:
	enabled: false
	clusterName: ""
	omitSidecarInjectorConfigMap: false
	network: ""
	defaultResources:
	requests:
	cpu: 10m
	defaultPodDisruptionBudget:
	enabled: true
	priorityClassName: ""
	useMCP: true
	trustDomain: "cluster.local"
	outboundTrafficPolicy:
	mode: ALLOW_ANY
	sds:
	enabled: false
	udsPath: ""
	token:
	aud: istio-ca
	meshNetworks: {}
	localityLbSetting:
	enabled: true
	enableHelmTest: false
	pilot:
	autoscaleEnabled: true
	autoscaleMin: 1
	autoscaleMax: 5
	replicaCount: 1
	image: pilot
	traceSampling: 1.0
	configNamespace: istio-config
	appNamespaces: []
	env: {}
	cpu:
	targetAverageUtilization: 80
	nodeSelector: {}
	tolerations: []
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []
	keepaliveMaxServerConnectionAge: 30m
	enableProtocolSniffingForOutbound: true
	enableProtocolSniffingForInbound: false
	deploymentLabels:
	meshNetworks:
	networks: {}
	configMap: true
	ingress:
	ingressService: istio-ingressgateway
	ingressControllerMode: "OFF"
	ingressClass: istio
	policy:
	enabled: false
	useMCP: true
	telemetry:
	enabled: true
	v1:
	enabled: true
	v2:
	# For Null VM case now. If enabled, will set disableMixerHttpReports to true and not define mixerReportServer
	# also enable metadata exchange and stats filter.
	enabled: false
	# prometheus stats filter settings.
	prometheus:
	# stats filter would be enabled when telemetry and v2 is enabled.
	enabled: true
	# stackdriver filter settings.
	stackdriver:
	enabled: false
	logging: false
	monitoring: false
	topology: false
	# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
	configOverride: {}
	mixer:
	adapters:
	stdio:
	enabled: false
	outputAsJson: false
	prometheus:
	enabled: true
	metricsExpiryDuration: 10m
	kubernetesenv:
	enabled: true
	stackdriver:
	enabled: false
	auth:
	appCredentials: false
	apiKey: ""
	serviceAccountPath: ""
	tracer:
	enabled: false
	sampleProbability: 1
	useAdapterCRDs: false

	telemetry:
	image: mixer
	replicaCount: 1
	autoscaleEnabled: true
	sessionAffinityEnabled: false
	loadshedding:
	mode: enforce
	latencyThreshold: 100ms
	reportBatchMaxEntries: 100
	reportBatchMaxTime: 1s
	useMCP: true
	env:
	GOMAXPROCS: "6"
	nodeSelector: {}
	tolerations: []
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []

	policy:
	autoscaleEnabled: true
	image: mixer
	sessionAffinityEnabled: false
	adapters:
	kubernetesenv:
	enabled: true
	useAdapterCRDs: false

	galley:
	image: galley
	enableAnalysis: false

	security:
	image: citadel
	selfSigned: true # indicate if self-signed CA is used.
	trustDomain: cluster.local # indicate the domain used in SPIFFE identity URL
	enableNamespacesByDefault: true
	dnsCerts:
	istio-pilot-service-account.istio-control: istio-pilot.istio-control

	certmanager:
	hub: quay.io/jetstack
	tag: v0.6.2
	image: cert-manager-controller

	nodeagent:
	image: node-agent-k8s

	gateways:
	istio-egressgateway:
	autoscaleEnabled: true
	zvpn:
	suffix: global
	enabled: true
	type: ClusterIP
	env:
	ISTIO_META_ROUTER_MODE: "sni-dnat"
	ports:
	- port: 80
	name: http2
	- port: 443
	name: https
	- port: 15443
	targetPort: 15443
	name: tls
	secretVolumes:
	- name: egressgateway-certs
	secretName: istio-egressgateway-certs
	mountPath: /etc/istio/egressgateway-certs
	- name: egressgateway-ca-certs
	secretName: istio-egressgateway-ca-certs
	mountPath: /etc/istio/egressgateway-ca-certs

	istio-ingressgateway:
	autoscaleEnabled: true
	applicationPorts: ""
	debug: info
	domain: ""
	type: LoadBalancer
	zvpn:
	enabled: true
	suffix: global
	sds:
	enabled: false
	image: node-agent-k8s
	resources:
	requests:
	cpu: 100m
	memory: 128Mi
	limits:
	cpu: 2000m
	memory: 1024Mi
	env:
	ISTIO_META_ROUTER_MODE: "sni-dnat"
	ports:
	- port: 15020
	targetPort: 15020
	name: status-port
	- port: 80
	targetPort: 80
	name: http2
	- port: 443
	name: https
	- port: 15029
	targetPort: 15029
	name: kiali
	- port: 15030
	targetPort: 15030
	name: prometheus
	- port: 15031
	targetPort: 15031
	name: grafana
	- port: 15032
	targetPort: 15032
	name: tracing
	- port: 15443
	targetPort: 15443
	name: tls
	meshExpansionPorts:
	- port: 15011
	targetPort: 15011
	name: tcp-pilot-grpc-tls
	- port: 8060
	targetPort: 8060
	name: tcp-citadel-grpc-tls
	- port: 853
	targetPort: 853
	name: tcp-dns-tls
	secretVolumes:
	- name: ingressgateway-certs
	secretName: istio-ingressgateway-certs
	mountPath: /etc/istio/ingressgateway-certs
	- name: ingressgateway-ca-certs
	secretName: istio-ingressgateway-ca-certs
	mountPath: /etc/istio/ingressgateway-ca-certs

	sidecarInjectorWebhook:
	image: sidecar_injector
	enableNamespacesByDefault: false
	rewriteAppHTTPProbe: false
	selfSigned: false
	injectLabel: istio-injection
	objectSelector:
	enabled: false
	autoInject: true

	prometheus:
	enabled: true
	replicaCount: 1
	hub: docker.io/prom
	tag: v2.12.0
	retention: 6h
	scrapeInterval: 15s
	contextPath: /prometheus
	ingress:
	enabled: false
	hosts:
	- prometheus.local
	annotations:
	tls:
	security:
	enabled: true
	nodeSelector: {}
	tolerations: []
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []

	grafana:
	enabled: true
	replicaCount: 1
	image:
	repository: grafana/grafana
	tag: 6.4.3
	persist: false
	storageClassName: ""
	accessMode: ReadWriteMany
	security:
	enabled: false
	secretName: grafana
	usernameKey: username
	passphraseKey: passphrase
	contextPath: /grafana
	service:
	annotations: {}
	name: http
	type: ClusterIP
	externalPort: 3000
	loadBalancerIP:
	loadBalancerSourceRanges:
	ingress:
	enabled: false
	hosts:
	- grafana.local
	annotations:
	tls:
	datasources:
	datasources.yaml:
	apiVersion: 1
	datasources:
	dashboardProviders:
	dashboardproviders.yaml:
	apiVersion: 1
	providers:
	- name: 'istio'
	orgId: 1
	folder: 'istio'
	type: file
	disableDeletion: false
	options:
	path: /var/lib/grafana/dashboards/istio
	nodeSelector: {}
	tolerations: []
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []
	env: {}
	envSecrets: {}

	tracing:
	enabled: true
	provider: jaeger
	nodeSelector: {}
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []
	jaeger:
	hub: docker.io/jaegertracing
	tag: "1.14"
	memory:
	max_traces: 50000
	spanStorageType: badger
	persist: false
	storageClassName: ""
	accessMode: ReadWriteMany
	zipkin:
	hub: docker.io/openzipkin
	tag: 2.14.2
	probeStartupDelay: 200
	queryPort: 9411
	resources:
	limits:
	cpu: 300m
	memory: 900Mi
	requests:
	cpu: 150m
	memory: 900Mi
	javaOptsHeap: 700
	maxSpans: 500000
	node:
	cpus: 2
	opencensus:
	hub: docker.io/omnition
	tag: 0.1.9
	resources:
	limits:
	cpu: "1"
	memory: 2Gi
	requests:
	cpu: 200m
	memory: 400Mi
	exporters:
	stackdriver:
	enable_tracing: true
	service:
	annotations: {}
	name: http-query
	type: ClusterIP
	externalPort: 9411
	ingress:
	enabled: false
	hosts:
	annotations:
	tls:
	istiocoredns:
	enabled: false
	coreDNSImage: coredns/coredns
	coreDNSTag: 1.6.2
	coreDNSPluginImage: istio/coredns-plugin:0.2-istio-1.1

	kiali:
	enabled: true
	replicaCount: 1
	hub: quay.io/kiali
	tag: v1.9
	contextPath: /kiali
	nodeSelector: {}
	podAntiAffinityLabelSelector: []
	podAntiAffinityTermLabelSelector: []
	ingress:
	enabled: false
	hosts:
	- kiali.local
	annotations:
	tls:
	dashboard:
	secretName: kiali
	usernameKey: username
	passphraseKey: passphrase
	viewOnlyMode: false
	grafanaURL:
	jaegerURL:
	prometheusNamespace:
	createDemoSecret: false
	security:
	enabled: false
	cert_file: /kiali-cert/cert-chain.pem
	private_key_file: /kiali-cert/key.pem

	# TODO: derive from operator API
	version: ""
	clusterResources: true
	#!/bin/bash

	# istio env
	ISTIO_VERSION=1.4.3
	INSTALL_ENV=default

	# download istio release version
	curl -L https://istio.io/downloadIstio \| sh -
	cd istio-${ISTIO_VERSION}

	# verify installation
	bin/istioctl verify-install

	# customize installation env
	# bin/istioctl manifest apply \
	# --set values.global.mtls.auto=true \
	# --set values.security.citadelHealthCheck=true \
	# --set values.pilot.policy.enabled=true \
	# --set values.gateways.istio-egressgateway.enabled=true \
	# --set values.gateways.istio-ingressgateway.type=LoadBalancer \
	# --set values.global.disablePolicyChecks=false \
	# --set values.global.k8sIngress.gatewayName=ingressgateway \
	# --set cni.enabled=true \
	# --set cni.components.cni.enabled=true \
	# --set values.cni.logLevel=info \
	# --set values.kiali.enabled=true \
	# --set values.grafana.enabled=true \
	# --set values.tracing.enabled=true \
	# --set profile=default

	# install istio by specify env file
	bin/istioctl manifest apply -f default.yaml

	# delete istio
	# bin/istioctl manifest generate -f default.yaml \| kubectl delete -f -