The module is not enabled by default in any bundles.
The module is configured using the ModuleConfig custom resource named istio
(learn more about setting up Deckhouse…).
Example of the ModuleConfig/istio
resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: istio
spec:
version: 2
enabled: true
settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 2
- additionalVersionsarray of strings
Additional versions of Istio control plane to install. You can use specific namespace labels (
istio.io/rev=
) to switch between installed revisions.Default:
[]
- allianceobject
Common options both for federation and multicluster.
This feature is available in enterprise edition only.
- alliance.ingressGatewayobject
ingressgateway settings.
This feature is available in enterprise edition only.
- alliance.ingressGateway.inletstring
The method for exposing ingressgateway.
LoadBalancer
— is a recommended method if you have a cloud-based cluster and it supports Load Balancing.NodePort
— for installations that do not have the LB.
Default:
"LoadBalancer"
This feature is available in enterprise edition only.
Allowed values:
LoadBalancer
,NodePort
Example:
inlet: LoadBalancer
- alliance.ingressGateway.nodePortobject
Special settings for NodePort inlet.
This feature is available in enterprise edition only.
Examples:
nodePort: {}
nodePort: port: 30001
- alliance.ingressGateway.nodePort.portinteger
Static port number for NodePort-type Service. Must be in range, set by kube-apiserver –service-node-port-range argument (default is 30000-32767).
Allowed values:
1024 <= X <= 65535
- alliance.ingressGateway.nodePort.portinteger
- alliance.ingressGateway.nodeSelectorobject
ingressgateway DaemonSet nodeSelector.
The same as the
spec.nodeSelector
pod parameter in Kubernetes.This feature is available in enterprise edition only.
Example:
nodeSelector: type: ingress
- alliance.ingressGateway.serviceAnnotationsobject
Additional service annotations. They can be used, e.g., for configuring a local LB in the Yandex Cloud (using the
yandex.cpi.flant.com/listener-subnet-id
annotation).This feature is available in enterprise edition only.
Example:
serviceAnnotations: yandex.cpi.flant.com/listener-subnet-id: xyz-123
- alliance.ingressGateway.tolerationsarray of objects
ingressgateway DaemonSet tolerations.
The same as
spec.tolerations
for the Kubernetes pod.This feature is available in enterprise edition only.
Example:
tolerations: - operator: Exists
- alliance.ingressGateway.tolerations.effectstring
- alliance.ingressGateway.tolerations.keystring
- alliance.ingressGateway.tolerations.operatorstring
- alliance.ingressGateway.tolerations.tolerationSecondsinteger
- alliance.ingressGateway.tolerations.valuestring
- alliance.ingressGateway.inletstring
- alliance.ingressGatewayobject
- authobject
Options related to authentication or authorization in the application.
Example:
auth: externalAuthentication: authURL: https://dex.d8.svc.cluster.local/dex/auth authSignInURL: https://example.com/dex/sign_in allowedUserGroups: - admins
- auth.allowedUserGroupsarray of strings
An array of user groups that can access module’s public web interfaces.
This parameter is used if the
user-authn
module is enabled or theexternalAuthentication
parameter is set.Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- auth.externalAuthenticationobject
Parameters to enable external authentication based on the Nginx Ingress external-auth mechanism that uses the Nginx auth_request module.
External authentication is enabled automatically if the user-authn module is enabled.
- auth.externalAuthentication.authSignInURLstring
The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
Example:
authSignInURL: https://example.com/dex/sign_in
- auth.externalAuthentication.authURLstring
The URL of the authentication service.
If the user is authenticated, the service should return an HTTP 200 response code.
Example:
authURL: https://example.com/dex/auth
- auth.externalAuthentication.authSignInURLstring
- auth.satisfyAnyboolean
Enables single authentication.
If used together with the whitelistSourceRanges parameter, it authorizes all the users from above networks (no need to enter a username and password).
Default:
false
Example:
satisfyAny: true
- auth.whitelistSourceRangesarray of strings
An array if CIDRs that are allowed to authenticate in module’s public web interfaces.
Example:
whitelistSourceRanges: - 1.1.1.1/32
- auth.allowedUserGroupsarray of strings
- caobject
Explicitly specified root certificate. It signs individual service certificates to use in mutual TLS connections.
- ca.certstring
The root or intermediate certificate in PEM format.
- ca.chainstring
A certificate chain in PEM format if
cert
is an intermediate certificate. - ca.keystring
The key to the root certificate in PEM format.
- ca.rootstring
The root certificate in PEM format if
cert
is an intermediate certificate.
- ca.certstring
- controlPlaneobject
istiod specific settings.
- controlPlane.nodeSelectorobject
Optional
nodeSelector
for istiod. The same as thespec.nodeSelector
pod parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically. - controlPlane.resourcesManagement
istiod resources management options.
Examples:
resourcesManagement: mode: VPA vpa: mode: Auto cpu: min: 50m max: 2 limitRatio: 1.5 memory: min: 256Mi max: 2Gi limitRatio: 1.5
resourcesManagement: mode: Static static: requests: cpu: 55m memory: 256Mi limits: cpu: 2 memory: 2Gi
- controlPlane.resourcesManagement.modestring
The mode for managing resource requests. Classical
Static
requests/limit orVPA
.Default:
"VPA"
Allowed values:
VPA
,Static
- controlPlane.resourcesManagement.staticobject
Static resource management settings.
- controlPlane.resourcesManagement.static.limitsobject
Limits configuration.
- controlPlane.resourcesManagement.static.limits.cpu
CPU limits.
- controlPlane.resourcesManagement.static.limits.memory
Memory limits.
- controlPlane.resourcesManagement.static.limits.cpu
- controlPlane.resourcesManagement.static.requestsobject
Requests configuration.
- controlPlane.resourcesManagement.static.requests.cpu
CPU requests.
- controlPlane.resourcesManagement.static.requests.memory
Memory requests.
- controlPlane.resourcesManagement.static.requests.cpu
- controlPlane.resourcesManagement.static.limitsobject
- controlPlane.resourcesManagement.vpaobject
Parameters of the VPA mode.
- controlPlane.resourcesManagement.vpa.cpuobject
CPU-related parameters.
- controlPlane.resourcesManagement.vpa.cpu.limitRationumber
The coefficient to calculate cpu limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.
- controlPlane.resourcesManagement.vpa.cpu.max
Maximum allowed CPU requests.
Default:
2
- controlPlane.resourcesManagement.vpa.cpu.min
Minimum allowed CPU requests.
Default:
50m
- controlPlane.resourcesManagement.vpa.cpu.limitRationumber
- controlPlane.resourcesManagement.vpa.memoryobject
The amount of memory requested.
- controlPlane.resourcesManagement.vpa.memory.limitRationumber
The coefficient to calculate memory limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.
- controlPlane.resourcesManagement.vpa.memory.max
Maximum allowed memory requests.
Default:
2Gi
- controlPlane.resourcesManagement.vpa.memory.min
Minimum allowed memory requests.
Default:
256Mi
- controlPlane.resourcesManagement.vpa.memory.limitRationumber
- controlPlane.resourcesManagement.vpa.modestring
The VPA usage mode.
Default:
"Auto"
Allowed values:
Initial
,Auto
- controlPlane.resourcesManagement.vpa.cpuobject
- controlPlane.resourcesManagement.modestring
- controlPlane.tolerationsarray of objects
Optional
tolerations
for istiod. The same asspec.tolerations
for the Kubernetes pod.If the parameter is omitted or
false
, it will be determined automatically.- controlPlane.tolerations.effectstring
- controlPlane.tolerations.keystring
- controlPlane.tolerations.operatorstring
- controlPlane.tolerations.tolerationSecondsinteger
- controlPlane.tolerations.valuestring
- controlPlane.nodeSelectorobject
- enableHTTP10boolean
Whether to handle HTTP/1.0 requests in istio-sidecars or deny them with
426 Upgrade Required
response.Default:
false
Example:
enableHTTP10: true
- federationobject
Parameters for federating with other clusters.
This feature is available in enterprise edition only.
- federation.enabledboolean
Designate this cluster as a federation member (see Enabling federation).
Default:
false
Example:
enabled: true
- federation.enabledboolean
- globalVersionstring
Specific version of Istio control-plane which handles unspecific versions of data-plane (namespaces with
istio-injection=enabled
label, notistio.io/rev=
). Must be in supported versions list (kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.supportedVersions'
). By default — the latest version in supported versions list.Default:
"1.16"
- highAvailabilityboolean
Manually enable the high availability mode.
By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.
Example:
highAvailability: true
- httpsobject
What certificate type to use with module’s public web interfaces.
This parameter completely overrides the
global.modules.https
settings.Examples:
https: mode: CustomCertificate customCertificate: secretName: foobar
https: mode: CertManager certManager: clusterIssuerName: letsencrypt
- https.certManagerobject
- https.certManager.clusterIssuerNamestring
What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.
Currently,
letsencrypt
,letsencrypt-staging
,selfsigned
are available. Also, you can define your own.Default:
"letsencrypt"
- https.certManager.clusterIssuerNamestring
- https.customCertificateobject
- https.customCertificate.secretNamestring
The name of the secret in the
d8-system
namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.This secret must have the kubernetes.io/tls format.
Default:
"false"
- https.customCertificate.secretNamestring
- https.modestring
The HTTPS usage mode:
CertManager
— Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and get a certificate from the clusterissuer defined in thecertManager.clusterIssuerName
parameter.CustomCertificate
— Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS using the certificate from thed8-system
namespace.OnlyInURI
— Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in theuser-authn
will be generated using the HTTPS scheme.
Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (
mode: Disabled
).Default:
"CertManager"
Allowed values:
CertManager
,CustomCertificate
,OnlyInURI
- https.certManagerobject
- multiclusterobject
Multicluster parameters.
This feature is available in enterprise edition only.
- multicluster.enabledboolean
Designate this cluster as a multicluster member (see Enabling multicluster).
Default:
false
Example:
enabled: true
- multicluster.enabledboolean
- nodeSelectorobject
Optional
nodeSelector
for istio-operator, metadata-exporter and kiali. The same as thespec.nodeSelector
pod parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically. - outboundTrafficPolicyModestring
How to handle requests directed to external services which aren’t registered in service mesh.
AllowAny
— allow.RegistryOnly
— deny. In this case to work with external services you need to register them with ServiceEntry CR or to organize egressgateway.
Default:
"AllowAny"
Allowed values:
AllowAny
,RegistryOnly
Example:
outboundTrafficPolicyMode: AllowAny
- proxyConfigobject
Mesh-wide defaults for ProxyConfig configurations.
- proxyConfig.holdApplicationUntilProxyStartsboolean
With this feature, the sidecar-injector injects the sidecar at the first place of Pod’s container list and adds a postStart hook to be sure if the Envoy proxy is initialized before the application. So the Envoy is able to handle requests without application network errors.
This global flag can be overriden per Pod by an annotation —
proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
.Default:
false
Example:
holdApplicationUntilProxyStarts: true
- proxyConfig.holdApplicationUntilProxyStartsboolean
- sidecarobject
Network settings for traffic capture by istio sidecar.
- sidecar.excludeInboundPortsarray of strings
The range of inbound ports whose traffic is guaranteed not to flow through Istio.
You can redefine this parameter for single Pod using the
traffic.sidecar.istio.io/excludeInboundPorts
annotation.Default:
[]
Example:
excludeInboundPorts: - '8080' - '8443'
- Element of the arraystring
Pattern:
^[0-9]{1,5}$
- Element of the arraystring
- sidecar.excludeOutboundIPRangesarray of strings
Traffic to these IP ranges is guaranteed not to flow through Istio.
You can redefine this parameter for single Pod using the
traffic.sidecar.istio.io/excludeOutboundIPRanges
annotation.Default:
[]
Example:
excludeOutboundIPRanges: - 10.1.1.0/24
- Element of the arraystring
Pattern:
^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
- Element of the arraystring
- sidecar.excludeOutboundPortsarray of strings
The range of outbound ports whose traffic is guaranteed not to flow through Istio.
You can redefine this parameter for single Pod using the
traffic.sidecar.istio.io/excludeOutboundPorts
annotation.Default:
[]
Example:
excludeOutboundPorts: - '8080' - '8443'
- Element of the arraystring
Pattern:
^[0-9]{1,5}$
- Element of the arraystring
- sidecar.includeOutboundIPRangesarray of strings
Traffic to these IP ranges is forcibly routed through Istio.
You can redefine this parameter for single Pod using the
traffic.sidecar.istio.io/includeOutboundIPRanges
annotation.Default:
["0.0.0.0/0"]
Example:
includeOutboundIPRanges: - 10.1.1.0/24
- Element of the arraystring
Pattern:
^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
- Element of the arraystring
- sidecar.resourcesManagement
Manages Istio sidecar container resources.
Caution! The setting only applies to new Pods with
istio-proxy
.Example:
resourcesManagement: static: requests: cpu: 100m memory: 128Mi limits: memory: 1Gi
- sidecar.resourcesManagement.modestring
The mode for managing resource requests. Classical
Static
requests/limit.Default:
"Static"
Allowed values:
Static
- sidecar.resourcesManagement.staticobject
Static resource management settings.
- sidecar.resourcesManagement.static.limitsobject
Limits configuration.
- sidecar.resourcesManagement.static.limits.cpu
CPU limits.
- sidecar.resourcesManagement.static.limits.memory
Memory limits.
Default:
1Gi
- sidecar.resourcesManagement.static.limits.cpu
- sidecar.resourcesManagement.static.requestsobject
Requests configuration.
- sidecar.resourcesManagement.static.requests.cpu
CPU requests.
Default:
100m
- sidecar.resourcesManagement.static.requests.memory
Memory requests.
Default:
128Mi
- sidecar.resourcesManagement.static.requests.cpu
- sidecar.resourcesManagement.static.limitsobject
- sidecar.resourcesManagement.modestring
- sidecar.excludeInboundPortsarray of strings
- tolerationsarray of objects
Optional
tolerations
for istio-operator, metadata-exporter and kiali. The same asspec.tolerations
for the Kubernetes pod.If the parameter is omitted or
false
, it will be determined automatically.- tolerations.effectstring
- tolerations.keystring
- tolerations.operatorstring
- tolerations.tolerationSecondsinteger
- tolerations.valuestring
- tracingobject
Tracing parameters.
- tracing.collectorobject
Tracing collection settings.
- tracing.collector.zipkinobject
Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.
If tracing is enabled, this settings section is mandatory.
- tracing.collector.zipkin.addressstring
Network address of zipkin collector in
<IP of FQDN>:<port>
format.Pattern:
[0-9a-zA-Z\.-]+
Example:
address: zipkin.myjaeger.svc:9411
- tracing.collector.zipkin.addressstring
- tracing.collector.zipkinobject
- tracing.enabledboolean
Turn on or off tracing collection and displaying in kiali.
Default:
false
Example:
enabled: true
- tracing.kialiobject
Span displaying settings for kiali.
When not configured, kiali won’t show any tracing dashboards.
Examples:
kiali: {}
kiali: jaegerURLForUsers: https://tracing-service:4443/jaeger jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
- tracing.kiali.jaegerGRPCEndpointstring
Accessible from cluster address of jaeger GRPC interface for system queries by kiali.
When not configured, kiali will only show external links using the
jaegerURLForUsers
config without interpretationing.Example:
jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
- tracing.kiali.jaegerURLForUsersstring
Jaeger UI address for users. Mandatory parameter if kiali is enabled.
Example:
jaegerURLForUsers: https://tracing-service:4443/jaeger
- tracing.kiali.jaegerGRPCEndpointstring
- tracing.samplingnumber
The sampling rate option can be used to control what percentage of requests get reported to your tracing system.
This should be configured depending upon your traffic in the mesh and the amount of tracing data you want to collect.
It is possible to override this option with the following Pod annotation:
proxy.istio.io/config: | tracing: sampling: 100.0
Default:
1.0
Allowed values:
0.01 <= X <= 100.0
Example:
sampling: 50.05
- tracing.collectorobject
Authentication
user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.
Use kubectl to see password:
kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.auth.password'
Delete secret to re-generate password:
kubectl -n d8-istio delete secret/kiali-basic-auth
Note! The
auth.password
parameter is deprecated.