The istio module: configuration

Schema version: 2

• additionalVersionsarray of strings

  Additional versions of Istio control plane to install. You can use specific namespace labels (istio.io/rev=) to switch between installed revisions.

  Default: []

• allianceobject

  Common options both for federation and multicluster.

  • alliance.ingressGatewayobject

    ingressgateway settings.

    • alliance.ingressGateway.inletstring

      The method for exposing ingressgateway.

      • LoadBalancer — is a recommended method if you have a cloud-based cluster and it supports Load Balancing.
      • NodePort — for installations that do not have the LB.

      Default: "LoadBalancer"

      Allowed values: LoadBalancer, NodePort

      Example:

      inlet: LoadBalancer
      

    • alliance.ingressGateway.nodePortobject

      Special settings for NodePort inlet.

      Examples:

      nodePort: {}
      

      nodePort:
        port: 30001
      

      • alliance.ingressGateway.nodePort.portinteger

        Static port number for NodePort-type Service. Must be in range, set by kube-apiserver –service-node-port-range argument (default is 30000-32767).

        Allowed values: 1024 <= X <= 65535

    • alliance.ingressGateway.nodeSelectorobject

      ingressgateway DaemonSet nodeSelector.

      The same as the spec.nodeSelector pod parameter in Kubernetes.

      Example:

      nodeSelector:
        type: ingress
      

    • alliance.ingressGateway.serviceAnnotationsobject

      Additional service annotations. They can be used, e.g., for configuring a local LB in the Yandex Cloud (using the yandex.cpi.flant.com/listener-subnet-id annotation).

      Example:

      serviceAnnotations:
        yandex.cpi.flant.com/listener-subnet-id: xyz-123
      

    • alliance.ingressGateway.tolerationsarray of objects

      ingressgateway DaemonSet tolerations.

      The same as spec.tolerations for the Kubernetes pod.

      Example:

      tolerations:
      - operator: Exists
      

      • alliance.ingressGateway.tolerations.effectstring
      • alliance.ingressGateway.tolerations.keystring
      • alliance.ingressGateway.tolerations.operatorstring
      • alliance.ingressGateway.tolerations.tolerationSecondsinteger
      • alliance.ingressGateway.tolerations.valuestring
• authobject

  Options related to authentication or authorization in the application.

  Example:

  auth:
    externalAuthentication:
      authURL: https://dex.d8.svc.cluster.local/dex/auth
      authSignInURL: https://example.com/dex/sign_in
    allowedUserGroups:
    - admins
  

  • auth.allowedUserGroupsarray of strings

    An array of user groups that can access module’s public web interfaces.

    This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

    Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

  • auth.externalAuthenticationobject

    Parameters to enable external authentication based on the Nginx Ingress external-auth mechanism that uses the Nginx auth_request module.

    External authentication is enabled automatically if the user-authn module is enabled.

    • auth.externalAuthentication.authSignInURLstring

      The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      Example:

      authSignInURL: https://example.com/dex/sign_in
      

    • auth.externalAuthentication.authURLstring

      The URL of the authentication service.

      If the user is authenticated, the service should return an HTTP 200 response code.

      Example:

      authURL: https://example.com/dex/auth
      

  • auth.satisfyAnyboolean

    Enables single authentication.

    If used together with the whitelistSourceRanges parameter, it authorizes all the users from above networks (no need to enter a username and password).

    Default: false

    Example:

    satisfyAny: true
    

  • auth.whitelistSourceRangesarray of strings

    An array if CIDRs that are allowed to authenticate in module’s public web interfaces.

    Example:

    whitelistSourceRanges:
    - 1.1.1.1/32
    

• caobject

  Explicitly specified root certificate. It signs individual service certificates to use in mutual TLS connections.

  • ca.certstring

    The root or intermediate certificate in PEM format.

  • ca.chainstring

    A certificate chain in PEM format if cert is an intermediate certificate.

  • ca.keystring

    The key to the root certificate in PEM format.

  • ca.rootstring

    The root certificate in PEM format if cert is an intermediate certificate.

• controlPlaneobject

  istiod specific settings.

  • controlPlane.nodeSelectorobject

    Optional nodeSelector for istiod. The same as the spec.nodeSelector pod parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

  • controlPlane.resourcesManagement

    istiod resources management options.

    Examples:

    resourcesManagement:
      mode: VPA
      vpa:
        mode: Auto
        cpu:
          min: 50m
          max: 2
          limitRatio: 1.5
        memory:
          min: 256Mi
          max: 2Gi
          limitRatio: 1.5
    

    resourcesManagement:
      mode: Static
      static:
        requests:
          cpu: 55m
          memory: 256Mi
        limits:
          cpu: 2
          memory: 2Gi
    

    • controlPlane.resourcesManagement.modestring

      The mode for managing resource requests. Classical Static requests/limit or VPA.

      Default: "VPA"

      Allowed values: VPA, Static

    • controlPlane.resourcesManagement.staticobject

      Static resource management settings.

      • controlPlane.resourcesManagement.static.limitsobject

        Limits configuration.

        • controlPlane.resourcesManagement.static.limits.cpu

          CPU limits.

        • controlPlane.resourcesManagement.static.limits.memory

          Memory limits.

      • controlPlane.resourcesManagement.static.requestsobject

        Requests configuration.

        • controlPlane.resourcesManagement.static.requests.cpu

          CPU requests.

        • controlPlane.resourcesManagement.static.requests.memory

          Memory requests.

    • controlPlane.resourcesManagement.vpaobject

      Parameters of the VPA mode.

      • controlPlane.resourcesManagement.vpa.cpuobject

        CPU-related parameters.

        • controlPlane.resourcesManagement.vpa.cpu.limitRationumber

          The coefficient to calculate cpu limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.

        • controlPlane.resourcesManagement.vpa.cpu.max

          Maximum allowed CPU requests.

          Default: 2

        • controlPlane.resourcesManagement.vpa.cpu.min

          Minimum allowed CPU requests.

          Default: 50m

      • controlPlane.resourcesManagement.vpa.memoryobject

        The amount of memory requested.

        • controlPlane.resourcesManagement.vpa.memory.limitRationumber

          The coefficient to calculate memory limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.

        • controlPlane.resourcesManagement.vpa.memory.max

          Maximum allowed memory requests.

          Default: 2Gi

        • controlPlane.resourcesManagement.vpa.memory.min

          Minimum allowed memory requests.

          Default: 256Mi

      • controlPlane.resourcesManagement.vpa.modestring

        The VPA usage mode.

        Default: "Auto"

        Allowed values: Initial, Auto

  • controlPlane.tolerationsarray of objects

    Optional tolerations for istiod. The same as spec.tolerations for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    • controlPlane.tolerations.effectstring
    • controlPlane.tolerations.keystring
    • controlPlane.tolerations.operatorstring
    • controlPlane.tolerations.tolerationSecondsinteger
    • controlPlane.tolerations.valuestring
• enableHTTP10boolean

  Whether to handle HTTP/1.0 requests in istio-sidecars or deny them with 426 Upgrade Required response.

  Default: false

  Example:

  enableHTTP10: true
  

• federationobject

  Parameters for federating with other clusters.

  • federation.enabledboolean

    Designate this cluster as a federation member (see Enabling federation).

    Default: false

    Example:

    enabled: true
    

• globalVersionstring

  Specific version of Istio control-plane which handles unspecific versions of data-plane (namespaces with istio-injection=enabled label, not istio.io/rev=). Must be in supported versions list (kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.supportedVersions'). By default — the latest version in supported versions list.

  Default: "1.13"

• highAvailabilityboolean

  Manually enable the high availability mode.

  By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

  Example:

  highAvailability: true
  

• httpsobject

  What certificate type to use with module’s public web interfaces.

  This parameter completely overrides the global.modules.https settings.

  Examples:

  https:
    mode: CustomCertificate
    customCertificate:
      secretName: foobar
  

  https:
    mode: CertManager
    certManager:
      clusterIssuerName: letsencrypt
  

  • https.certManagerobject
    • https.certManager.clusterIssuerNamestring

      What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

      Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

      Default: "letsencrypt"

  • https.customCertificateobject
    • https.customCertificate.secretNamestring

      The name of the secret in the d8-system namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

      This secret must have the kubernetes.io/tls format.

      Default: "false"

  • https.modestring

    The HTTPS usage mode:

    • CertManager — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
    • CustomCertificate — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS using the certificate from the d8-system namespace.
    • OnlyInURI — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

    Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (mode: Disabled).

    Default: "CertManager"

    Allowed values: CertManager, CustomCertificate, OnlyInURI

• multiclusterobject

  Multicluster parameters.

  • multicluster.enabledboolean

    Designate this cluster as a multicluster member (see Enabling multicluster).

    Default: false

    Example:

    enabled: true
    

• nodeSelectorobject

  Optional nodeSelector for istio-operator, metadata-exporter and kiali. The same as the spec.nodeSelector pod parameter in Kubernetes.

  If the parameter is omitted or false, it will be determined automatically.

• outboundTrafficPolicyModestring

  How to handle requests directed to external services which aren’t registered in service mesh.

  • AllowAny — allow.
  • RegistryOnly — deny. In this case to work with external services you need to register them with ServiceEntry CR or to organize egressgateway.

  Default: "AllowAny"

  Allowed values: AllowAny, RegistryOnly

  Example:

  outboundTrafficPolicyMode: AllowAny
  

• proxyConfigobject

  Mesh-wide defaults for ProxyConfig configurations.

  • proxyConfig.holdApplicationUntilProxyStartsboolean

    With this feature, the sidecar-injector injects the sidecar at the first place of Pod’s container list and adds a postStart hook to be sure if the Envoy proxy is initialized before the application. So the Envoy is able to handle requests without application network errors.

    This global flag can be overriden per Pod by an annotation — proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'.

    Default: false

    Example:

    holdApplicationUntilProxyStarts: true
    

• sidecarobject

  Network settings for traffic capture by istio sidecar.

  • sidecar.excludeInboundPortsarray of strings

    The range of inbound ports whose traffic is guaranteed not to flow through Istio.

    You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeInboundPorts annotation.

    Default: []

    Example:

    excludeInboundPorts:
    - '8080'
    - '8443'
    

    • Element of the arraystring

      Pattern: ^[0-9]{1,5}$

  • sidecar.excludeOutboundIPRangesarray of strings

    Traffic to these IP ranges is guaranteed not to flow through Istio.

    You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation.

    Default: []

    Example:

    excludeOutboundIPRanges:
    - 10.1.1.0/24
    

    • Element of the arraystring

      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

  • sidecar.excludeOutboundPortsarray of strings

    The range of outbound ports whose traffic is guaranteed not to flow through Istio.

    You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundPorts annotation.

    Default: []

    Example:

    excludeOutboundPorts:
    - '8080'
    - '8443'
    

    • Element of the arraystring

      Pattern: ^[0-9]{1,5}$

  • sidecar.includeOutboundIPRangesarray of strings

    Traffic to these IP ranges is forcibly routed through Istio.

    You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/includeOutboundIPRanges annotation.

    Default: ["0.0.0.0/0"]

    Example:

    includeOutboundIPRanges:
    - 10.1.1.0/24
    

    • Element of the arraystring

      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

• tolerationsarray of objects

  Optional tolerations for istio-operator, metadata-exporter and kiali. The same as spec.tolerations for the Kubernetes pod.

  If the parameter is omitted or false, it will be determined automatically.

  • tolerations.effectstring
  • tolerations.keystring
  • tolerations.operatorstring
  • tolerations.tolerationSecondsinteger
  • tolerations.valuestring
• tracingobject

  Tracing parameters.

  • tracing.collectorobject

    Tracing collection settings.

    • tracing.collector.zipkinobject

      Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.

      If tracing is enabled, this settings section is mandatory.

      • tracing.collector.zipkin.addressstring

        Network address of zipkin collector in <IP of FQDN>:<port> format.

        Pattern: [0-9a-zA-Z\.-]+

        Example:

        address: zipkin.myjaeger.svc:9411
        

  • tracing.enabledboolean

    Turn on or off tracing collection and displaying in kiali.

    Default: false

    Example:

    enabled: true
    

  • tracing.kialiobject

    Span displaying settings for kiali.

    When not configured, kiali won’t show any tracing dashboards.

    Examples:

    kiali: {}
    

    kiali:
      jaegerURLForUsers: https://tracing-service:4443/jaeger
      jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
    

    • tracing.kiali.jaegerGRPCEndpointstring

      Accessible from cluster address of jaeger GRPC interface for system queries by kiali.

      When not configured, kiali will only show external links using the jaegerURLForUsers config without interpretationing.

      Example:

      jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
      

    • tracing.kiali.jaegerURLForUsersstring

      Jaeger UI address for users. Mandatory parameter if kiali is enabled.

      Example:

      jaegerURLForUsers: https://tracing-service:4443/jaeger
      

  • tracing.samplingnumber

    The sampling rate option can be used to control what percentage of requests get reported to your tracing system.

    This should be configured depending upon your traffic in the mesh and the amount of tracing data you want to collect.

    It is possible to override this option with the following Pod annotation:

    proxy.istio.io/config: |
      tracing:
        sampling: 100.0
    

    Default: 1.0

    Allowed values: 0.01 <= X <= 100.0

    Example:

    sampling: 50.05