The module is not enabled by default in any bundles.

How to explicitly enable the module…

Note that the configOverrides parameter of the InitConfiguration resource is used when installing Deckhouse, not ModuleConfig.

Set istioEnabled: true or istioEnabled: false in the configOverrides parameter to explicitly enable or disable the module when installing Deckhouse.

Use the istio section of the configOverrides parameter to configure the module when installing Deckhouse.

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the istio module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  enabled: true

Example of disabling the istio module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  enabled: false

The module is configured using the ModuleConfig custom resource named istio (learn more about setting up Deckhouse…).

Example of the ModuleConfig/istio resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  version: 2
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 2

  • additionalVersions (array of strings)

    Additional versions of Istio control plane to install. You can use specific namespace labels (istio.io/rev=) to switch between installed revisions.

    Default: []

  • alliance (object)

    Common options both for federation and multicluster.

    This feature is available in enterprise edition only.

    • alliance.ingressGateway (object)

      ingressgateway settings.

      This feature is available in enterprise edition only.

      • alliance.ingressGateway.inlet (string)

        The method for exposing ingressgateway.

        • LoadBalancer — the recommended method for a cloud-based cluster whose provider supports load balancing.
        • NodePort — for installations that do not have a load balancer.

        Default: "LoadBalancer"

        This feature is available in enterprise edition only.

        Allowed values: LoadBalancer, NodePort

        Example:

        inlet: LoadBalancer
        
      • alliance.ingressGateway.nodePort (object)

        Special settings for NodePort inlet.

        This feature is available in enterprise edition only.

        Examples:

        nodePort: {}
        
        nodePort:
          port: 30001
        
        • alliance.ingressGateway.nodePort.port (integer)

          Static port number for the NodePort-type Service. Must be within the range set by the kube-apiserver --service-node-port-range argument (default is 30000-32767).

          Allowed values: 1024 <= X <= 65535

      • alliance.ingressGateway.nodeSelector (object)

        ingressgateway DaemonSet nodeSelector.

        The same as the spec.nodeSelector pod parameter in Kubernetes.

        This feature is available in enterprise edition only.

        Example:

        nodeSelector:
          type: ingress
        
      • alliance.ingressGateway.serviceAnnotations (object)

        Additional service annotations. They can be used, e.g., for configuring a local LB in the Yandex Cloud (using the yandex.cpi.flant.com/listener-subnet-id annotation).

        This feature is available in enterprise edition only.

        Example:

        serviceAnnotations:
          yandex.cpi.flant.com/listener-subnet-id: xyz-123
        
      • alliance.ingressGateway.tolerations (array of objects)

        ingressgateway DaemonSet tolerations.

        The same as spec.tolerations for the Kubernetes pod.

        This feature is available in enterprise edition only.

        Example:

        tolerations:
        - operator: Exists
        
        • alliance.ingressGateway.tolerations.effect (string)
        • alliance.ingressGateway.tolerations.key (string)
        • alliance.ingressGateway.tolerations.operator (string)
        • alliance.ingressGateway.tolerations.tolerationSeconds (integer)
        • alliance.ingressGateway.tolerations.value (string)
  • auth (object)

    Options related to authentication or authorization in the application.

    Example:

    auth:
      externalAuthentication:
        authURL: https://dex.d8.svc.cluster.local/dex/auth
        authSignInURL: https://example.com/dex/sign_in
      allowedUserGroups:
      - admins
    
    • auth.allowedUserGroups (array of strings)

      An array of user groups that can access module’s public web interfaces.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • auth.externalAuthentication (object)

      Parameters to enable external authentication based on the Nginx Ingress external-auth mechanism that uses the Nginx auth_request module.

      External authentication is enabled automatically if the user-authn module is enabled.

      • auth.externalAuthentication.authSignInURL (string)

        The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

        Example:

        authSignInURL: https://example.com/dex/sign_in
        
      • auth.externalAuthentication.authURL (string)

        The URL of the authentication service.

        If the user is authenticated, the service should return an HTTP 200 response code.

        Example:

        authURL: https://example.com/dex/auth
        
    • auth.satisfyAny (boolean)

      Enables single authentication.

      If used together with the whitelistSourceRanges parameter, it authorizes all users from the listed networks without asking for a username and password.

      Default: false

      Example:

      satisfyAny: true
      
    • auth.whitelistSourceRanges (array of strings)

      An array of CIDRs that are allowed to authenticate to the module’s public web interfaces.

      Example:

      whitelistSourceRanges:
      - 1.1.1.1/32
      
  • ca (object)

    Explicitly specified root certificate. It signs individual service certificates to use in mutual TLS connections.

    • ca.cert (string)

      The root or intermediate certificate in PEM format.

    • ca.chain (string)

      A certificate chain in PEM format if cert is an intermediate certificate.

    • ca.key (string)

      The key to the root certificate in PEM format.

    • ca.root (string)

      The root certificate in PEM format if cert is an intermediate certificate.

  • controlPlane (object)

    istiod specific settings.

    • controlPlane.nodeSelector (object)

      Optional nodeSelector for istiod. The same as the spec.nodeSelector pod parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

    • controlPlane.resourcesManagement

      istiod resources management options.

      Examples:

      resourcesManagement:
        mode: VPA
        vpa:
          mode: Auto
          cpu:
            min: 50m
            max: 2
            limitRatio: 1.5
          memory:
            min: 256Mi
            max: 2Gi
            limitRatio: 1.5
      
      resourcesManagement:
        mode: Static
        static:
          requests:
            cpu: 55m
            memory: 256Mi
          limits:
            cpu: 2
            memory: 2Gi
      
      • controlPlane.resourcesManagement.mode (string)

        The mode for managing resource requests. Classical Static requests/limit or VPA.

        Default: "VPA"

        Allowed values: VPA, Static

      • controlPlane.resourcesManagement.static (object)

        Static resource management settings.

        • controlPlane.resourcesManagement.static.limits (object)

          Limits configuration.

          • controlPlane.resourcesManagement.static.limits.cpu

            CPU limits.

          • controlPlane.resourcesManagement.static.limits.memory

            Memory limits.

        • controlPlane.resourcesManagement.static.requests (object)

          Requests configuration.

          • controlPlane.resourcesManagement.static.requests.cpu

            CPU requests.

          • controlPlane.resourcesManagement.static.requests.memory

            Memory requests.

      • controlPlane.resourcesManagement.vpa (object)

        Parameters of the VPA mode.

        • controlPlane.resourcesManagement.vpa.cpu (object)

          CPU-related parameters.

          • controlPlane.resourcesManagement.vpa.cpu.limitRatio (number)

            The coefficient used to calculate CPU limits. It is optionally used to derive the initial limits for the Pod; VPA then keeps the initial limits/requests ratio during further resource tuning.

          • controlPlane.resourcesManagement.vpa.cpu.max

            Maximum allowed CPU requests.

            Default: 2

          • controlPlane.resourcesManagement.vpa.cpu.min

            Minimum allowed CPU requests.

            Default: 50m

        • controlPlane.resourcesManagement.vpa.memory (object)

          The amount of memory requested.

          • controlPlane.resourcesManagement.vpa.memory.limitRatio (number)

            The coefficient used to calculate memory limits. It is optionally used to derive the initial limits for the Pod; VPA then keeps the initial limits/requests ratio during further resource tuning.

          • controlPlane.resourcesManagement.vpa.memory.max

            Maximum allowed memory requests.

            Default: 2Gi

          • controlPlane.resourcesManagement.vpa.memory.min

            Minimum allowed memory requests.

            Default: 256Mi

        • controlPlane.resourcesManagement.vpa.mode (string)

          The VPA usage mode.

          Default: "Auto"

          Allowed values: Initial, Auto

    • controlPlane.tolerations (array of objects)

      Optional tolerations for istiod. The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      • controlPlane.tolerations.effect (string)
      • controlPlane.tolerations.key (string)
      • controlPlane.tolerations.operator (string)
      • controlPlane.tolerations.tolerationSeconds (integer)
      • controlPlane.tolerations.value (string)
  • enableHTTP10 (boolean)

    Whether istio sidecars handle HTTP/1.0 requests or reject them with a 426 Upgrade Required response.

    Default: false

    Example:

    enableHTTP10: true
    
  • federation (object)

    Parameters for federating with other clusters.

    This feature is available in enterprise edition only.

    • federation.enabled (boolean)

      Designate this cluster as a federation member (see Enabling federation).

      Default: false

      Example:

      enabled: true
      
  • globalVersion (string)

    The specific version of the Istio control plane that handles data-plane namespaces without a pinned revision (namespaces labelled istio-injection=enabled rather than istio.io/rev=). It must be in the supported versions list (kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.supportedVersions'). By default — the latest version in the supported versions list.

    Default: "1.16"

  • highAvailability (boolean)

    Manually enable the high availability mode.

    By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

    Example:

    highAvailability: true
    
  • https (object)

    What certificate type to use with module’s public web interfaces.

    This parameter completely overrides the global.modules.https settings.

    Examples:

    https:
      mode: CustomCertificate
      customCertificate:
        secretName: foobar
    
    https:
      mode: CertManager
      certManager:
        clusterIssuerName: letsencrypt
    
    • https.certManager (object)
      • https.certManager.clusterIssuerName (string)

        What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

        Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

        Default: "letsencrypt"

    • https.customCertificate (object)
      • https.customCertificate.secretName (string)

        The name of the secret in the d8-system namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

        This secret must have the kubernetes.io/tls format.

        Default: "false"

    • https.mode (string)

      The HTTPS usage mode:

      • CertManager — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and obtain a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
      • CustomCertificate — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS with the certificate from the secret in the d8-system namespace.
      • OnlyInURI — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP, assuming that an external HTTPS load balancer in front terminates TLS. All the links generated by user-authn will use the HTTPS scheme.

      Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (mode: Disabled).

      Default: "CertManager"

      Allowed values: CertManager, CustomCertificate, OnlyInURI

  • multicluster (object)

    Multicluster parameters.

    This feature is available in enterprise edition only.

    • multicluster.enabled (boolean)

      Designate this cluster as a multicluster member (see Enabling multicluster).

      Default: false

      Example:

      enabled: true
      
  • nodeSelector (object)

    Optional nodeSelector for istio-operator, metadata-exporter and kiali. The same as the spec.nodeSelector pod parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

  • outboundTrafficPolicyMode (string)

    How to handle requests directed to external services which aren’t registered in service mesh.

    • AllowAny — allow such requests.
    • RegistryOnly — deny them. In this case, to reach external services you must register them with a ServiceEntry CR or set up an egressgateway.

    Default: "AllowAny"

    Allowed values: AllowAny, RegistryOnly

    Example:

    outboundTrafficPolicyMode: AllowAny
    
  • proxyConfig (object)

    Mesh-wide defaults for ProxyConfig configurations.

    • proxyConfig.holdApplicationUntilProxyStarts (boolean)

      With this feature, the sidecar-injector places the sidecar first in the Pod’s container list and adds a postStart hook to ensure that the Envoy proxy is initialized before the application starts, so Envoy can handle requests without the application seeing network errors.

      This global flag can be overridden per Pod by an annotation — proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'.

      Default: false

      Example:

      holdApplicationUntilProxyStarts: true
      
  • sidecar (object)

    Network settings for traffic capture by istio sidecar.

    • sidecar.excludeInboundPorts (array of strings)

      The range of inbound ports whose traffic is guaranteed not to flow through Istio.

      You can override this parameter for a single Pod using the traffic.sidecar.istio.io/excludeInboundPorts annotation.

      Default: []

      Example:

      excludeInboundPorts:
      - '8080'
      - '8443'
      
      • Element of the array (string)

        Pattern: ^[0-9]{1,5}$

    • sidecar.excludeOutboundIPRanges (array of strings)

      Traffic to these IP ranges is guaranteed not to flow through Istio.

      You can override this parameter for a single Pod using the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation.

      Default: []

      Example:

      excludeOutboundIPRanges:
      - 10.1.1.0/24
      
      • Element of the array (string)

        Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

    • sidecar.excludeOutboundPorts (array of strings)

      The range of outbound ports whose traffic is guaranteed not to flow through Istio.

      You can override this parameter for a single Pod using the traffic.sidecar.istio.io/excludeOutboundPorts annotation.

      Default: []

      Example:

      excludeOutboundPorts:
      - '8080'
      - '8443'
      
      • Element of the array (string)

        Pattern: ^[0-9]{1,5}$

    • sidecar.includeOutboundIPRanges (array of strings)

      Traffic to these IP ranges is forcibly routed through Istio.

      You can override this parameter for a single Pod using the traffic.sidecar.istio.io/includeOutboundIPRanges annotation.

      Default: ["0.0.0.0/0"]

      Example:

      includeOutboundIPRanges:
      - 10.1.1.0/24
      
      • Element of the array (string)

        Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

    • sidecar.resourcesManagement

      Manages Istio sidecar container resources.

      Caution! The setting only applies to new Pods with istio-proxy.

      Example:

      resourcesManagement:
        static:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            memory: 1Gi
      
      • sidecar.resourcesManagement.mode (string)

        The mode for managing resource requests. Classical Static requests/limit.

        Default: "Static"

        Allowed values: Static

      • sidecar.resourcesManagement.static (object)

        Static resource management settings.

        • sidecar.resourcesManagement.static.limits (object)

          Limits configuration.

          • sidecar.resourcesManagement.static.limits.cpu

            CPU limits.

          • sidecar.resourcesManagement.static.limits.memory

            Memory limits.

            Default: 1Gi

        • sidecar.resourcesManagement.static.requests (object)

          Requests configuration.

          • sidecar.resourcesManagement.static.requests.cpu

            CPU requests.

            Default: 100m

          • sidecar.resourcesManagement.static.requests.memory

            Memory requests.

            Default: 128Mi

  • tolerations (array of objects)

    Optional tolerations for istio-operator, metadata-exporter and kiali. The same as spec.tolerations for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    • tolerations.effect (string)
    • tolerations.key (string)
    • tolerations.operator (string)
    • tolerations.tolerationSeconds (integer)
    • tolerations.value (string)
  • tracing (object)

    Tracing parameters.

    • tracing.collector (object)

      Tracing collection settings.

      • tracing.collector.zipkin (object)

        Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.

        If tracing is enabled, this settings section is mandatory.

        • tracing.collector.zipkin.address (string)

          Network address of the Zipkin collector in <IP or FQDN>:<port> format.

          Pattern: [0-9a-zA-Z\.-]+

          Example:

          address: zipkin.myjaeger.svc:9411
          
    • tracing.enabled (boolean)

      Enable or disable trace collection and its display in Kiali.

      Default: false

      Example:

      enabled: true
      
    • tracing.kiali (object)

      Span display settings for Kiali.

      When not configured, kiali won’t show any tracing dashboards.

      Examples:

      kiali: {}
      
      kiali:
        jaegerURLForUsers: https://tracing-service:4443/jaeger
        jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
      
      • tracing.kiali.jaegerGRPCEndpoint (string)

        Cluster-reachable address of the Jaeger gRPC interface that Kiali uses for its own queries.

        When not configured, Kiali will only show external links built from the jaegerURLForUsers setting, without interpreting the traces itself.

        Example:

        jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
        
      • tracing.kiali.jaegerURLForUsers (string)

        Jaeger UI address for users. Mandatory parameter if kiali is enabled.

        Example:

        jaegerURLForUsers: https://tracing-service:4443/jaeger
        
    • tracing.sampling (number)

      The sampling rate option can be used to control what percentage of requests get reported to your tracing system.

      This should be configured depending upon your traffic in the mesh and the amount of tracing data you want to collect.

      It is possible to override this option with the following Pod annotation:

      proxy.istio.io/config: |
        tracing:
          sampling: 100.0
      

      Default: 1.0

      Allowed values: 0.01 <= X <= 100.0

      Example:

      sampling: 50.05
      

Authentication

The user-authn module provides authentication by default. Alternatively, externalAuthentication can be configured (see above). If both options are disabled, the module falls back to basic auth with an auto-generated password.

Use kubectl to view the password:

kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.auth.password'

Delete the secret to regenerate the password:

kubectl -n d8-istio delete secret/kiali-basic-auth

Note! The auth.password parameter is deprecated.
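An added example, not Deckhouse's or the module's own code: a small Python checker that applies the constraints stated in the Parameters section (allowed values, numeric ranges, the element patterns for port and CIDR lists, the mandatory tracing.collector.zipkin.address when tracing is enabled, the absence of a Disabled HTTPS mode) plus the deprecation of auth.password from the Authentication section, to a settings mapping of the shape yaml.safe_load would produce from spec.settings. The sample settings are constructed for illustration; the rule that CustomCertificate mode needs customCertificate.secretName is inferred from the parameter descriptions rather than stated as a schema rule.

```python
import re

# Patterns and allowed values copied from the Parameters section of the reference.
PORT_RE = re.compile(r"^[0-9]{1,5}$")
CIDR_RE = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$")
ALLOWED = {
    "https.mode": {"CertManager", "CustomCertificate", "OnlyInURI"},  # Istio has no "Disabled" mode
    "outboundTrafficPolicyMode": {"AllowAny", "RegistryOnly"},
    "controlPlane.resourcesManagement.mode": {"VPA", "Static"},
    "controlPlane.resourcesManagement.vpa.mode": {"Initial", "Auto"},
    "sidecar.resourcesManagement.mode": {"Static"},
    "alliance.ingressGateway.inlet": {"LoadBalancer", "NodePort"},
}
PORT_LISTS = ("sidecar.excludeInboundPorts", "sidecar.excludeOutboundPorts")
CIDR_LISTS = ("sidecar.excludeOutboundIPRanges", "sidecar.includeOutboundIPRanges")


def _get(mapping, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    node = mapping
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def validate_istio_settings(settings):
    """Return a list of human-readable problems (empty when the settings pass)."""
    problems = []
    for path, allowed in ALLOWED.items():
        value = _get(settings, path)
        if value is not None and value not in allowed:
            problems.append(f"{path}: {value!r} is not one of {sorted(allowed)}")

    port = _get(settings, "alliance.ingressGateway.nodePort.port")
    if port is not None and not (isinstance(port, int) and 1024 <= port <= 65535):
        problems.append(f"alliance.ingressGateway.nodePort.port: {port!r} must be an integer in 1024..65535")

    sampling = _get(settings, "tracing.sampling")
    if sampling is not None and not (0.01 <= sampling <= 100.0):
        problems.append(f"tracing.sampling: {sampling!r} must be within 0.01..100.0")

    if _get(settings, "tracing.enabled") and not _get(settings, "tracing.collector.zipkin.address"):
        problems.append("tracing.collector.zipkin.address is mandatory when tracing.enabled is true")

    # Inferred from the descriptions: CustomCertificate mode reads the certificate
    # from the named kubernetes.io/tls secret, so the secret name must be present.
    if _get(settings, "https.mode") == "CustomCertificate" and not _get(settings, "https.customCertificate.secretName"):
        problems.append("https.customCertificate.secretName is required for https.mode: CustomCertificate")

    # Port lists are arrays of *strings*; an unquoted YAML number fails the schema pattern.
    for path in PORT_LISTS:
        for item in _get(settings, path) or []:
            if not (isinstance(item, str) and PORT_RE.match(item)):
                problems.append(f"{path}: {item!r} does not match ^[0-9]{{1,5}}$ (quote port numbers)")
    for path in CIDR_LISTS:
        for item in _get(settings, path) or []:
            if not (isinstance(item, str) and CIDR_RE.match(item)):
                problems.append(f"{path}: {item!r} is not an IPv4 CIDR such as 10.1.1.0/24")

    if isinstance(settings.get("auth"), dict) and "password" in settings["auth"]:
        problems.append("auth.password is deprecated; remove it and read the generated password from module values")
    return problems


# Constructed sample settings (not from a real cluster): one that fails, one that passes.
BAD_SETTINGS = {
    "https": {"mode": "Disabled"},
    "alliance": {"ingressGateway": {"inlet": "NodePort", "nodePort": {"port": 80}}},
    "tracing": {"enabled": True, "sampling": 0.001},
    "sidecar": {"excludeInboundPorts": [8080]},
    "auth": {"password": "placeholder-do-not-use"},
}
GOOD_SETTINGS = {
    "https": {"mode": "CertManager", "certManager": {"clusterIssuerName": "letsencrypt"}},
    "outboundTrafficPolicyMode": "RegistryOnly",
    "sidecar": {"excludeInboundPorts": ["8080"], "excludeOutboundIPRanges": ["10.1.1.0/24"]},
    "tracing": {"enabled": True, "sampling": 50.05,
                "collector": {"zipkin": {"address": "zipkin.myjaeger.svc:9411"}}},
}

if __name__ == "__main__":
    for problem in validate_istio_settings(BAD_SETTINGS):
        print("-", problem)
```

Running the checker before applying a ModuleConfig catches the mistakes that otherwise surface only as an admission error or a silently ignored setting, such as an unquoted port in excludeInboundPorts or tracing enabled without a collector address.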