The istio module: configuration

Default: []

• ingressGatewayobject

  ingressgateway settings.

  • inletstring

    The method for exposing ingressgateway.

    • LoadBalancer — is a recommended method if you have a cloud-based cluster and it supports Load Balancing.
    • NodePort — for installations that do not have the LB.

    Default: "LoadBalancer"

    Allowed values: LoadBalancer, NodePort

    Example:

    inlet: LoadBalancer
    

  • nodePortobject

    Special settings for NodePort inlet.

    Examples:

    nodePort: {}
    

    nodePort:
      port: 30001
    

    • portinteger

      Static port number for NodePort-type Service. Must be in range, set by kube-apiserver –service-node-port-range argument (default is 30000-32767).

      Allowed values: 1024 <= X <= 65535

  • nodeSelectorobject

    ingressgateway DaemonSet nodeSelector.

    The same as the spec.nodeSelector pod parameter in Kubernetes.

    Example:

    nodeSelector:
      type: ingress
    

  • serviceAnnotationsobject

    Additional service annotations. They can be used, e.g., for configuring a local LB in the Yandex.Cloud (using the yandex.cpi.flant.com/listener-subnet-id annotation).

    Example:

    serviceAnnotations:
      yandex.cpi.flant.com/listener-subnet-id: xyz-123
    

  • tolerationsarray of objects

    ingressgateway DaemonSet tolerations.

    The same as spec.tolerations for the Kubernetes pod.

    Example:

    tolerations:
    - operator: Exists
    

    • effectstring
    • keystring
    • operatorstring
    • tolerationSecondsinteger
    • valuestring

Example:

auth:
  externalAuthentication:
    authURL: https://dex.d8.svc.cluster.local/dex/auth
    authSignInURL: https://example.com/dex/sign_in
  allowedUserGroups:
  - admins

• allowedUserGroupsarray of strings

  An array of user groups that can access module’s public web interfaces.

  This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

  Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

• externalAuthenticationobject

  A set of parameters to enable external authentication (it is based on the Nginx Ingress external-auth mechanism that uses the Nginx auth_request module.

  The externalAuthentication parameters are set automatically if the user-authn module is enabled.

  • authSignInURLstring

    The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

    Example:

    authSignInURL: https://example.com/dex/sign_in
    

  • authURLstring

    The URL of the authentication service.

    If the user is authenticated, the service should return an HTTP 200 response code.

    Example:

    authURL: https://example.com/dex/auth
    

• passwordstring

  The password for http authorization of the admin user (it is generated automatically, but you can change it).

  This parameter is used if the externalAuthentication is not enabled.

• satisfyAnyboolean

  Enables single authentication.

  If used together with the whitelistSourceRanges parameter, it authorizes all the users from above networks (no need to enter a username and password).

  Default: false

  Example:

  satisfyAny: true
  

• whitelistSourceRangesarray of strings

  An array if CIDRs that are allowed to authenticate in module’s public web interfaces.

  Example:

  whitelistSourceRanges:
  - 1.1.1.1/32
  

• certstring

  The root or intermediate certificate in PEM format.

• chainstring

  A certificate chain in PEM format if cert is an intermediate certificate.

• keystring

  The key to the root certificate in PEM format.

• rootstring

  The root certificate in PEM format if cert is an intermediate certificate.

• nodeSelectorobject

  Optional nodeSelector for istiod. The same as the spec.nodeSelector pod parameter in Kubernetes.

  If the parameter is omitted or false, it will be determined automatically.

• resourcesManagement

  istiod resources management options.

  Examples:

  resourcesManagement:
    mode: VPA
    vpa:
      mode: Auto
      cpu:
        min: 50m
        max: 2
        limitRatio: 1.5
      memory:
        min: 256Mi
        max: 2Gi
        limitRatio: 1.5
  

  resourcesManagement:
    mode: Static
    static:
      requests:
        cpu: 55m
        memory: 256Mi
      limits:
        cpu: 2
        memory: 2Gi
  

  • modestring

    The mode for managing resource requests. Classical Static requests/limit or VPA.

    Default: "VPA"

    Allowed values: VPA, Static

  • staticobject

    Static resource management settings.

    • limitsobject

      Limits configuration.

      • cpu

        CPU limits.

      • memory

        Memory limits.

    • requestsobject

      Requests configuration.

      • cpu

        CPU requests.

      • memory

        Memory requests.

  • vpaobject

    Parameters of the VPA mode.

    • cpuobject

      CPU-related parameters.

      • limitRationumber

        The coefficient to calculate cpu limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.

      • max

        Maximum allowed CPU requests.

        Default: 2

      • min

        Minimum allowed CPU requests.

        Default: 50m

    • memoryobject

      The amount of memory requested.

      • limitRationumber

        The coefficient to calculate memory limits. It is optionally used to calculate initial limits for Pod. VPA for its part keeps the initial limits/requests ratio during further resource tunings.

      • max

        Maximum allowed memory requests.

        Default: 2Gi

      • min

        Minimum allowed memory requests.

        Default: 256Mi

    • modestring

      The VPA usage mode.

      Default: "Auto"

      Allowed values: Initial, Auto

• tolerationsarray of objects

  Optional tolerations for istiod. The same as spec.tolerations for the Kubernetes pod.

  If the parameter is omitted or false, it will be determined automatically.

  • effectstring
  • keystring
  • operatorstring
  • tolerationSecondsinteger
  • valuestring

Default: false

Example:

enableHTTP10: true

• enabledboolean

  Designate this cluster as a federation member (see Enabling federation).

  Default: false

  Example:

  enabled: true
  

Default: "1.13"

Example:

highAvailability: true

Examples:

https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt

• certManagerobject
  • clusterIssuerNamestring

    What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

    Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

    Default: "letsencrypt"

• customCertificateobject
  • secretNamestring

    The name of the secret in the d8-system namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

    This secret must have the kubernetes.io/tls format.

    Default: "false"

• modestring

  The HTTPS usage mode:

  • CertManager — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
  • CustomCertificate — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS using the certificate from the d8-system namespace.
  • OnlyInURI — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

  Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (mode: Disabled).

  Default: "CertManager"

  Allowed values: CertManager, CustomCertificate, OnlyInURI

• enabledboolean

  Designate this cluster as a multicluster member (see Enabling multicluster).

  Default: false

  Example:

  enabled: true
  

Default: "AllowAny"

Allowed values: AllowAny, RegistryOnly

Example:

outboundTrafficPolicyMode: AllowAny

• holdApplicationUntilProxyStartsboolean

  With this feature, the sidecar-injector injects the sidecar at the first place of Pod’s container list and adds a postStart hook to be sure if the Envoy proxy is initialized before the application. So the Envoy is able to handle requests without application network errors.

  This global flag can be overriden per Pod by an annotation — proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'.

  Default: false

  Example:

  holdApplicationUntilProxyStarts: true
  

• excludeInboundPortsarray of strings

  The range of inbound ports whose traffic is guaranteed not to flow through Istio.

  You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeInboundPorts annotation.

  Default: []

  Example:

  excludeInboundPorts:
  - '8080'
  - '8443'
  

  • Element of the arraystring

    Pattern: ^[0-9]{1,5}$

• excludeOutboundIPRangesarray of strings

  Traffic to these IP ranges is guaranteed not to flow through Istio.

  You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation.

  Default: []

  Example:

  excludeOutboundIPRanges:
  - 10.1.1.0/24
  

  • Element of the arraystring

    Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

• excludeOutboundPortsarray of strings

  The range of outbound ports whose traffic is guaranteed not to flow through Istio.

  You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundPorts annotation.

  Default: []

  Example:

  excludeOutboundPorts:
  - '8080'
  - '8443'
  

  • Element of the arraystring

    Pattern: ^[0-9]{1,5}$

• includeOutboundIPRangesarray of strings

  Traffic to these IP ranges is forcibly routed through Istio.

  You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/includeOutboundIPRanges annotation.

  Default: ["0.0.0.0/0"]

  Example:

  includeOutboundIPRanges:
  - 10.1.1.0/24
  

  • Element of the arraystring

    Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

Default: "MutualPermissive"

Allowed values: Off, MutualPermissive, Mutual

Example:

tlsMode: Mutual

• effectstring
• keystring
• operatorstring
• tolerationSecondsinteger
• valuestring

• collectorobject

  Tracing collection settings.

  • zipkinobject

    Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.

    If tracing is enabled, this settings section is mandatory.

    • addressstring

      Network address of zipkin collector in <IP of FQDN>:<port> format.

      Pattern: [0-9a-zA-Z\.-]+

      Example:

      address: zipkin.myjaeger.svc:9411
      

• enabledboolean

  Turn on or off tracing collection and displaying in kiali.

  Default: false

  Example:

  enabled: true
  

• kialiobject

  Span displaying settings for kiali.

  When not configured, kiali won’t show any tracing dashboards.

  Examples:

  kiali: {}
  

  kiali:
    jaegerURLForUsers: https://tracing-service:4443/jaeger
    jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
  

  • jaegerGRPCEndpointstring

    Accessible from cluster address of jaeger GRPC interface for system queries by kiali.

    When not configured, kiali will only show external links using the jaegerURLForUsers config without interpretationing.

    Example:

    jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
    

  • jaegerURLForUsersstring

    Jaeger UI address for users. Mandatory parameter if kiali is enabled.

    Example:

    jaegerURLForUsers: https://tracing-service:4443/jaeger