This module is disabled by default. To enable it, add the following lines to the deckhouse ConfigMap:

data:
  istioEnabled: "true"

Parameters

  • alliance (object)

    Common options for both federation and multicluster.

    • ingressGateway (object)

      ingressgateway settings.

      • inlet (string)

        The method for exposing ingressgateway.

        • LoadBalancer — the recommended method if you have a cloud-based cluster that supports load balancing.
        • NodePort — for installations that do not have an LB.

        Default: "LoadBalancer"

        Allowed values: LoadBalancer, NodePort

        Example:

        inlet: LoadBalancer

      • nodeSelector (object)

        ingressgateway DaemonSet nodeSelector.

        The same as the spec.nodeSelector pod parameter in Kubernetes.

        Example:

        nodeSelector:
          type: ingress

      • serviceAnnotations (object)

        Additional service annotations. They can be used, e.g., for configuring a local LB in Yandex.Cloud (using the yandex.cpi.flant.com/listener-subnet-id annotation).

        Example:

        serviceAnnotations:
          yandex.cpi.flant.com/listener-subnet-id: xyz-123

      • tolerations (array of objects)

        ingressgateway DaemonSet tolerations.

        The same as spec.tolerations for the Kubernetes pod.

        Example:

        tolerations:
        - operator: Exists

        • effect (string)
        • key (string)
        • operator (string)
        • tolerationSeconds (integer)
        • value (string)
  • auth (object)

    Options related to authentication or authorization in the application.

    • allowedUserGroups (array of strings)

      An array of user groups that can access Grafana & Prometheus.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • externalAuthentication (object)

      A set of parameters to enable external authentication (based on the Nginx Ingress external-auth mechanism, which uses the Nginx auth_request module).

      The externalAuthentication parameters are set automatically if the user-authn module is enabled.

      • authSignInURL (string)

        The URL to redirect the user to for authentication (if the authentication service returned a non-200 HTTP response code).

        Example:

        authSignInURL: https://myhost.ru/dex/sign_in

      • authURL (string)

        The URL of the authentication service.

        If the user is authenticated, the service should return an HTTP 200 response code.

        Examples:

        authURL: https://dex.d8.svc.cluster.local/dex/auth

        authURL: https://myhost.ru/dex/auth

    • password (string)

      The password for HTTP authorization of the admin user (it is generated automatically, but you can change it).

      This parameter is used if externalAuthentication is not enabled.

    • satisfyAny (boolean)

      Enables single authentication.

      If used together with the whitelistSourceRanges parameter, it authorizes all users from the networks listed there (no need to enter a username and password).

      Default: false

    • whitelistSourceRanges (array of strings)

      An array of CIDRs that are allowed to authenticate in Grafana & Prometheus.

      Example:

      whitelistSourceRanges:
      - 1.1.1.1/32

  • ca (object)

    Explicitly specified root certificate. It signs individual service certificates to use in mutual TLS connections.

    • cert (string)

      The root or intermediate certificate in PEM format.

    • chain (string)

      A certificate chain in PEM format if cert is an intermediate certificate.

    • key (string)

      The key to the root certificate in PEM format.

    • root (string)

      The root certificate in PEM format if cert is an intermediate certificate.

  • federation (object)

    Parameters for federating with other clusters.

    • enabled (boolean)

      Designate this cluster as a federation member (see Enabling federation).

      Default: false

      Example:

      enabled: true

  • globalVersion (string)

    Example:

    globalVersion: 1.8.5
    
  • https (object)

    What certificate type to use with Grafana/Prometheus.

    This parameter completely overrides the global.modules.https settings.

    Examples:

    https:
      mode: CustomCertificate
      customCertificate:
        secretName: foobar

    https:
      mode: CertManager
      certManager:
        clusterIssuerName: letsencrypt

    • certManager (object)
      • clusterIssuerName (string)

        What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

        Currently, letsencrypt, letsencrypt-staging, and selfsigned are available. You can also define your own.

        Default: "letsencrypt"

    • customCertificate (object)
      • secretName (string)

        The name of the secret in the d8-system namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

        This secret must have the kubernetes.io/tls format.

        Default: "false"

    • mode (string)

      The HTTPS usage mode:

      • CertManager — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
      • CustomCertificate — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS with the certificate from the d8-system namespace.
      • OnlyInURI — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP (assuming that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in user-authn will be generated using the HTTPS scheme.

      Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (mode: Disabled).

      Default: "CertManager"

      Allowed values: CertManager, CustomCertificate, OnlyInURI

  • multicluster (object)

    Multicluster parameters.

    • enabled (boolean)

      Designate this cluster as a multicluster member (see Enabling multicluster).

      Default: false

      Example:

      enabled: true

  • nodeSelector (object)

    Optional nodeSelector for istio-operator, metadata-exporter and kiali. The same as the spec.nodeSelector pod parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

  • outboundTrafficPolicyMode (string)

    How to handle requests directed to external services that aren’t registered in the service mesh.

    • AllowAny — allow.
    • RegistryOnly — deny. In this case, to work with external services you need to register them with a ServiceEntry CR or set up an egressgateway.

    Default: "AllowAny"

    Allowed values: AllowAny, RegistryOnly

    Example:

    outboundTrafficPolicyMode: AllowAny

  • sidecar (object)

    Network settings for traffic capture by the istio sidecar.

    • excludeInboundPorts (array of strings)

      The range of inbound ports whose traffic is guaranteed not to flow through Istio.

      You can redefine this parameter for a single Pod using the traffic.sidecar.istio.io/excludeInboundPorts annotation.

      Default: []

      Example:

      excludeInboundPorts:
      - '8080'
      - '8443'

      Pattern: ^[0-9]{1,5}$

    • excludeOutboundIPRanges (array of strings)

      Traffic to these IP ranges is guaranteed not to flow through Istio.

      You can redefine this parameter for a single Pod using the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation.

      Default: []

      Example:

      excludeOutboundIPRanges:
      - 10.1.1.0/24

      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

    • excludeOutboundPorts (array of strings)

      The range of outbound ports whose traffic is guaranteed not to flow through Istio.

      You can redefine this parameter for a single Pod using the traffic.sidecar.istio.io/excludeOutboundPorts annotation.

      Default: []

      Example:

      excludeOutboundPorts:
      - '8080'
      - '8443'

      Pattern: ^[0-9]{1,5}$

    • includeOutboundIPRanges (array of strings)

      Traffic to these IP ranges is forcibly routed through Istio.

      You can redefine this parameter for a single Pod using the traffic.sidecar.istio.io/includeOutboundIPRanges annotation.

      Default: ["0.0.0.0/0"]

      Example:

      includeOutboundIPRanges:
      - 10.1.1.0/24

      Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
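The documented patterns for the sidecar section only check the shape of each value, so a port such as 99999 or an address such as 999.1.1.1/99 passes the pattern yet is unusable, and an exclusion range quietly takes traffic out of sidecar interception (and therefore out of mTLS and policy enforcement). The following checker is an added example, not part of the Deckhouse module; the check_sidecar function and its sample input are constructed here for illustration.

```python
import ipaddress
import re

# Patterns exactly as documented for the sidecar section above.
PORT_PATTERN = re.compile(r"^[0-9]{1,5}$")
CIDR_PATTERN = re.compile(
    r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$"
)


def check_sidecar(sidecar: dict) -> list:
    """Return a list of problems found in a `sidecar` section (hypothetical helper).

    The checks go beyond the documented regex patterns: a value can match the
    pattern and still be an unusable port or CIDR, and an overly broad exclusion
    silently removes traffic from the mesh.
    """
    problems = []
    for key in ("excludeInboundPorts", "excludeOutboundPorts"):
        for port in sidecar.get(key, []):
            if not isinstance(port, str) or not PORT_PATTERN.match(port):
                problems.append(f"{key}: {port!r} must be a quoted numeric string")
            elif not 1 <= int(port) <= 65535:
                problems.append(f"{key}: {port} matches the pattern but is not a valid port")
    for key in ("excludeOutboundIPRanges", "includeOutboundIPRanges"):
        for cidr in sidecar.get(key, []):
            if not isinstance(cidr, str) or not CIDR_PATTERN.match(cidr):
                problems.append(f"{key}: {cidr!r} does not match the documented pattern")
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{key}: {cidr} matches the pattern but is not a valid CIDR")
                continue
            # Excluded traffic bypasses the sidecar, so excluding everything
            # disables outbound interception (and thus mTLS) for the pod.
            if key == "excludeOutboundIPRanges" and net.prefixlen == 0:
                problems.append(f"{key}: {cidr} excludes all outbound traffic from the mesh")
    return problems


if __name__ == "__main__":
    # Constructed sample: two values that satisfy the patterns but are invalid.
    sample = {
        "excludeInboundPorts": ["8080", "8443"],
        "excludeOutboundPorts": ["99999"],
        "excludeOutboundIPRanges": ["10.1.1.0/24", "999.1.1.1/99"],
    }
    for problem in check_sidecar(sample):
        print(problem)
```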

  • tlsMode (string)

    The mode for transparent encryption of inter-pod traffic (Mutual TLS).

    • Off — outgoing requests are not encrypted; incoming unencrypted requests are accepted.
    • MutualPermissive — outgoing requests are encrypted; incoming unencrypted requests are accepted. This mode is useful when migrating to mTLS.
    • Mutual — outgoing requests are encrypted; incoming unencrypted requests are rejected (pods accept only encrypted requests). You can manage the mTLS mode separately for each application and for its client connections using the AuthorizationPolicy and DestinationRule resources.

    Default: "Off"

    Allowed values: Off, MutualPermissive, Mutual

  • tolerations (array of objects)

    Optional tolerations for istio-operator, metadata-exporter and kiali. The same as spec.tolerations for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    • effect (string)
    • key (string)
    • operator (string)
    • tolerationSeconds (integer)
    • value (string)
  • tracing (object)

    Tracing parameters.

    • collector (object)

      Tracing collection settings.

      • zipkin (object)

        Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.

        If tracing is enabled, this settings section is mandatory.

        • address (string)

          Network address of the zipkin collector in <IP or FQDN>:<port> format.

          Pattern: [0-9a-zA-Z\.-]+

          Example:

          address: zipkin.myjaeger.svc:9411

    • enabled (boolean)

      Turn tracing collection and its display in kiali on or off.

      Default: false

    • kiali (object)

      Span display settings for kiali.

      When not configured, kiali won’t show any tracing dashboards.

      Examples:

      kiali: {}

      kiali:
        jaegerURLForUsers: https://tracing-service:4443/jaeger

      kiali:
        jaegerURLForUsers: https://tracing-service:4443/jaeger
        jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/

      • jaegerGRPCEndpoint (string)

        The in-cluster address of the jaeger gRPC interface used by kiali for its own queries.

        When not configured, kiali will only show external links built from the jaegerURLForUsers setting, without interpreting the traces itself.

        Example:

        jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/

      • jaegerURLForUsers (string)

        Jaeger UI address for users. Mandatory parameter if kiali is enabled.

        Example:

        jaegerURLForUsers: https://tracing-service:4443/jaeger