Available with limitations inCE, BE, SE, SE+, CSE Lite (1.67)

Available without limitations in:  EE

The module has 16 alerts.

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/istio resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable istio

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable istio

Conversions

The module is configured using the ModuleConfig resource, the schema of which contains a version number. When you apply an old version of the ModuleConfig schema in a cluster, automatic transformations are performed. To manually update the ModuleConfig schema version, the following steps must be completed sequentially for each version :

  • Updates from version 1 to 2:

    Delete .settings.auth.password.

  • Updates from version 2 to 3:
    • Move .settings.enableHTTP10 to .settings.dataPlane.enableHTTP10.
    • Move .settings.proxyConfig to .settings.dataPlane.proxyConfig.

Settings

The module is configured using the ModuleConfig custom resource named istio (learn more about setting up Deckhouse…).

Example of the ModuleConfig/istio resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: istio
spec:
  version: 3
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 3

  • settings
    object
    • settings.additionalVersions
      array of strings

      Additional versions of Istio control plane to install. You can use specific namespace labels (istio.io/rev=) to switch between installed revisions.

      Default: []

      • Element of the array
        string

        Pattern: ^[0-9]+\.[0-9]+$

    • settings.alliance
      object

      Available in editions: EE

      Common options both for federation and multicluster.

      • settings.alliance.ingressGateway
        object

        Available in editions: EE

        ingressgateway settings.

        • settings.alliance.ingressGateway.advertise
          array of objects

          Available in editions: EE

          The actual addresses that will be announced to remote clusters for organizing intercluster application requests. If not specified, the addresses will be discovered automatically.

          Default: []

          Example:

          advertise:
- address: 172.16.0.5
  port: 15443
          • settings.alliance.ingressGateway.advertise.address
            string

            Required value

            Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$

            Example:

            address: 172.16.0.5
          • settings.alliance.ingressGateway.advertise.port
            integer

            Required value

            Allowed values: 1024 <= X <= 65535

        • settings.alliance.ingressGateway.inlet
          string

          Available in editions: EE

          The method for exposing ingressgateway.

          • LoadBalancer — is a recommended method if you have a cloud-based cluster and it supports Load Balancing.
          • NodePort — for installations that do not have the LB.

          Default: LoadBalancer

          Allowed values: LoadBalancer, NodePort

          Example:

          inlet: LoadBalancer
        • settings.alliance.ingressGateway.nodePort
          object

          Available in editions: EE

          Special settings for NodePort inlet.

          Examples:

          nodePort: {}

          nodePort:
  port: 30001
          • settings.alliance.ingressGateway.nodePort.port
            integer

            Static port number for NodePort-type Service. Must be in range, set by kube-apiserver –service-node-port-range argument (default is 30000-32767).

            Allowed values: 1024 <= X <= 65535

        • settings.alliance.ingressGateway.nodeSelector
          object

          Available in editions: EE

          ingressgateway DaemonSet nodeSelector.

          The same as the spec.nodeSelector pod parameter in Kubernetes.

          Example:

          nodeSelector:
  type: ingress
        • settings.alliance.ingressGateway.serviceAnnotations
          object

          Available in editions: EE

          Additional service annotations. They can be used, e.g., for configuring a local LB in the Yandex Cloud (using the yandex.cpi.flant.com/listener-subnet-id annotation).

          Example:

          serviceAnnotations:
  yandex.cpi.flant.com/listener-subnet-id: xyz-123
        • settings.alliance.ingressGateway.tolerations
          array of objects

          Available in editions: EE

          ingressgateway DaemonSet tolerations.

          The same as spec.tolerations for the Kubernetes pod.

          Example:

          tolerations:
- operator: Exists
          • settings.alliance.ingressGateway.tolerations.effect
            string
          • settings.alliance.ingressGateway.tolerations.key
            string
          • settings.alliance.ingressGateway.tolerations.operator
            string
          • settings.alliance.ingressGateway.tolerations.tolerationSeconds
            integer
          • settings.alliance.ingressGateway.tolerations.value
            string
    • settings.auth
      object

      Options related to authentication or authorization in the application.

      Example:

      auth:
  externalAuthentication:
    authURL: https://dex.d8.svc.cluster.local/dex/auth
    authSignInURL: https://example.com/dex/sign_in
  allowedUserGroups:
  - admins
      • settings.auth.allowedUserEmails
        array of strings

        An array of emails of users that can access module’s public web interfaces.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      • settings.auth.allowedUserGroups
        array of strings

        An array of user groups that can access module’s public web interfaces.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

        Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

      • settings.auth.externalAuthentication
        object

        Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.

        External authentication is enabled automatically if the user-authn module is enabled.

        • settings.auth.externalAuthentication.authSignInURL
          string

          The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

          Example:

          authSignInURL: https://example.com/dex/sign_in
        • settings.auth.externalAuthentication.authURL
          string

          The URL of the authentication service.

          If the user is authenticated, the service should return an HTTP 200 response code.

          Example:

          authURL: https://example.com/dex/auth
      • settings.auth.satisfyAny
        boolean

        Enables single authentication.

        If used together with the whitelistSourceRanges parameter, it authorizes all the users from above networks (no need to enter a username and password).

        Default: false

        Example:

        satisfyAny: true
      • settings.auth.whitelistSourceRanges
        array of strings

        An array if CIDRs that are allowed to authenticate in module’s public web interfaces.

        Example:

        whitelistSourceRanges:
- 1.1.1.1/32
    • settings.ca
      object

      Explicitly specified root certificate. It signs individual service certificates to use in mutual TLS connections. To create a certificate, you can use the example, in which basicConstraints = CA:FALSE needs to be replaced with basicConstraints = CA:TRUE.

      • settings.ca.cert
        string

        The root or intermediate certificate in PEM format.

      • settings.ca.chain
        string

        A certificate chain in PEM format if cert is an intermediate certificate.

      • settings.ca.key
        string

        The key to the root certificate in PEM format.

      • settings.ca.root
        string

        The root certificate in PEM format if cert is an intermediate certificate.

    • settings.controlPlane
      object

      istiod specific settings.

      • settings.controlPlane.nodeSelector
        object

        Optional nodeSelector for istiod. The same as the spec.nodeSelector pod parameter in Kubernetes.

        If the parameter is omitted or false, it will be determined automatically.

      • settings.controlPlane.replicasManagement
        object

        Replication management settings and scaling of istiod.

        Examples:

        replicasManagement:
  mode: Standard

        replicasManagement:
  mode: Static
  static:
    replicas: 3

        replicasManagement:
  mode: HPA
  hpa:
    minReplicas: 2
    maxReplicas: 5
    metrics:
    - type: CPU
      targetAverageUtilization: 80
        • settings.controlPlane.replicasManagement.hpa
          object

          Options for replicas management for the HPA mode.

          • settings.controlPlane.replicasManagement.hpa.maxReplicas
            number

            Required value

            The upper limit for the number of replicas to which the HPA can scale up. It cannot be less that minReplicas.

            Allowed values: 1 <= X

          • settings.controlPlane.replicasManagement.hpa.metrics
            array of objects

            Required value

            The HPA will use these metrics to decide whether to increase or decrease the number of replicates.

            • settings.controlPlane.replicasManagement.hpa.metrics.targetAverageUtilization
              number

              Required value

              The target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.

              Allowed values: 1 <= X <= 100

            • settings.controlPlane.replicasManagement.hpa.metrics.type
              string

              Required value

              Metric type.

              Allowed values: CPU

          • settings.controlPlane.replicasManagement.hpa.minReplicas
            number

            Required value

            The lower limit for the number of replicas to which the HPA can scale down.

            Allowed values: 1 <= X

        • settings.controlPlane.replicasManagement.mode
          string

          Replicas management mode:

          • Standard — replicas management and scaling mode according to the global fault tolerance mode (the highAvailability parameter);
          • Static — the mode, where the number of replicas is specified explicitly (the static.replicas parameter);
          • HPA — the mode, where the number of replicas is calculated automatically using HPA based on CPU usage. You can configure this mode by modifying parameters in the hpa parameter section.

          Default: Standard

          Allowed values: Standard, Static, HPA

        • settings.controlPlane.replicasManagement.static
          object

          Options for replicas management for the Static mode.

          • settings.controlPlane.replicasManagement.static.replicas
            number

            Required value

            Desired number of replicas.

            Allowed values: 1 <= X

      • settings.controlPlane.resourcesManagement
        object

        Settings for CPU and memory requests and limits by istiod pods.

        Examples:

        resourcesManagement:
  mode: VPA
  vpa:
    mode: Auto
    cpu:
      min: 50m
      max: 2
      limitRatio: 1.5
    memory:
      min: 256Mi
      max: 2Gi
      limitRatio: 1.5

        resourcesManagement:
  mode: Static
  static:
    requests:
      cpu: 55m
      memory: 256Mi
    limits:
      cpu: '2'
      memory: 2Gi
        • settings.controlPlane.resourcesManagement.mode
          string

          Resource management mode:

          • Static — allows you to specify requests/limits. The parameters of this mode are defined in the static parameter section;
          • VPA — uses VPA. You can configure this mode by modifying parameters in the vpa parameter section.

          Default: VPA

          Allowed values: VPA, Static

        • settings.controlPlane.resourcesManagement.static
          object

          Resource management options for the Static mode.

          • settings.controlPlane.resourcesManagement.static.limits
            object

            Configuring CPU and memory limits.

            • settings.controlPlane.resourcesManagement.static.limits.cpu
              string

              Configuring CPU limits.

            • settings.controlPlane.resourcesManagement.static.limits.memory

              Configuring memory limits.

          • settings.controlPlane.resourcesManagement.static.requests
            object

            Resource requests settings for pods.

            • settings.controlPlane.resourcesManagement.static.requests.cpu
              string

              Configuring CPU requests.

              Pattern: ^[0-9]+m?$

            • settings.controlPlane.resourcesManagement.static.requests.memory

              Configuring memory requests.

        • settings.controlPlane.resourcesManagement.vpa
          object

          Resource management options for the VPA mode.

          • settings.controlPlane.resourcesManagement.vpa.cpu
            object

            CPU-related VPA settings.

            • settings.controlPlane.resourcesManagement.vpa.cpu.limitRatio
              number

              The CPU limits/requests ratio.

              This ratio is used for calculating the initial CPU limits for a pod.

              If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.

            • settings.controlPlane.resourcesManagement.vpa.cpu.max

              The maximum value that the VPA can set for the CPU requests.

              Default: 2

            • settings.controlPlane.resourcesManagement.vpa.cpu.min

              The minimum value that the VPA can set for the CPU requests.

              Default: 50m

          • settings.controlPlane.resourcesManagement.vpa.memory
            object

            Memory-related VPA settings.

            • settings.controlPlane.resourcesManagement.vpa.memory.limitRatio
              number

              The memory limits/requests ratio.

              This ratio is used for calculating the initial memory limits for a pod.

              If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.

            • settings.controlPlane.resourcesManagement.vpa.memory.max

              The maximum memory requests the VPA can set.

              Default: 2Gi

            • settings.controlPlane.resourcesManagement.vpa.memory.min

              The minimum memory requests the VPA can set.

              Default: 256Mi

          • settings.controlPlane.resourcesManagement.vpa.mode
            string

            VPA operating mode.

            Default: Auto

            Allowed values: Initial, Auto

      • settings.controlPlane.tolerations
        array of objects

        Optional tolerations for istiod. The same as spec.tolerations for the Kubernetes pod.

        If the parameter is omitted or false, it will be determined automatically.

        • settings.controlPlane.tolerations.effect
          string
        • settings.controlPlane.tolerations.key
          string
        • settings.controlPlane.tolerations.operator
          string
        • settings.controlPlane.tolerations.tolerationSeconds
          integer
        • settings.controlPlane.tolerations.value
          string
    • settings.dataPlane
      object
      • settings.dataPlane.enableHTTP10
        boolean

        Whether to handle HTTP/1.0 requests in istio-sidecars or deny them with 426 Upgrade Required response.

        Default: false

        Example:

        enableHTTP10: true
      • settings.dataPlane.proxyConfig
        object

        Mesh-wide defaults for ProxyConfig configurations.

        • settings.dataPlane.proxyConfig.holdApplicationUntilProxyStarts
          boolean

          With this feature, the sidecar-injector injects the sidecar at the first place of Pod’s container list and adds a postStart hook to be sure if the Envoy proxy is initialized before the application. So the Envoy is able to handle requests without application network errors.

          This global flag can be overriden per Pod by an annotation — proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'.

          Default: false

          Example:

          holdApplicationUntilProxyStarts: true
        • settings.dataPlane.proxyConfig.idleTimeout
          string

          Timeout for connections without application activity established between the client’s istio-sidecar and the service. When the timeout expires, the connection between the sidecar and the service is closed, but the connection between the application and the sidecar is not closed. If set to 0s, the timeout is disabled.

          This global flag can be overriden per Pod by an annotation:

              proxy.istio.io/config: |-
      proxyMetadata:
        ISTIO_META_IDLE_TIMEOUT: "12h"

          Warning! Disabling this timeout (setting the value to 0s) is very likely to result in leaky connections due to TCP FIN packet loss, etc. Warning! After changing this setting, a restart of the client pods is required.

          Default: 1h

          Pattern: ^[0-9]+(s|m|h)$

          Example:

          idleTimeout: 24h
      • settings.dataPlane.trafficRedirectionSetupMode
        string

        Managing the redirection mode of application traffic to be forwarded under Istio control in the Pod’s network namespace.

        • CNIPlugin — in this mode, the configuration is performed by a CNI plugin when creating a Pod on a node. This mode does not require additional permissions for Pods and is recommended. This mode has limitations when using application init-containers that perform network communication with other services.
        • InitContainer — classic mode, each application Pod is automatically injected with a special init-container that configures the network environment of the Pod. In order to perform this configuration, the init-container is given additional permissions, which may not meet the security requirements of individual installations.

        Default: InitContainer

        Allowed values: CNIPlugin, InitContainer

        Examples:

        trafficRedirectionSetupMode: CNIPlugin

        trafficRedirectionSetupMode: InitContainer
      • settings.dataPlane.ztunnel
        object

        ztunnel specific settings.

        • settings.dataPlane.ztunnel.resourcesManagement
          object

          Settings for CPU and memory requests and limits by istiod pods.

          Examples:

          resourcesManagement:
  mode: VPA
  vpa:
    mode: Auto
    cpu:
      min: 50m
      max: 2
      limitRatio: 1.5
    memory:
      min: 256Mi
      max: 2Gi
      limitRatio: 1.5

          resourcesManagement:
  mode: Static
  static:
    requests:
      cpu: 55m
      memory: 256Mi
    limits:
      cpu: '2'
      memory: 2Gi
          • settings.dataPlane.ztunnel.resourcesManagement.mode
            string

            Resource management mode:

            • Static — allows you to specify requests/limits. The parameters of this mode are defined in the static parameter section;
            • VPA — uses VPA. You can configure this mode by modifying parameters in the vpa parameter section.

            Default: VPA

            Allowed values: VPA, Static

          • settings.dataPlane.ztunnel.resourcesManagement.static
            object

            Resource management options for the Static mode.

            • settings.dataPlane.ztunnel.resourcesManagement.static.limits
              object

              Configuring CPU and memory limits.

              • settings.dataPlane.ztunnel.resourcesManagement.static.limits.cpu
                string

                Configuring CPU limits.

              • settings.dataPlane.ztunnel.resourcesManagement.static.limits.memory

                Configuring memory limits.

            • settings.dataPlane.ztunnel.resourcesManagement.static.requests
              object

              Resource requests settings for pods.

              • settings.dataPlane.ztunnel.resourcesManagement.static.requests.cpu
                string

                Configuring CPU requests.

                Pattern: ^[0-9]+m?$

              • settings.dataPlane.ztunnel.resourcesManagement.static.requests.memory

                Configuring memory requests.

          • settings.dataPlane.ztunnel.resourcesManagement.vpa
            object

            Resource management options for the VPA mode.

            • settings.dataPlane.ztunnel.resourcesManagement.vpa.cpu
              object

              CPU-related VPA settings.

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.cpu.limitRatio
                number

                The CPU limits/requests ratio.

                This ratio is used for calculating the initial CPU limits for a pod.

                If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.cpu.max

                The maximum value that the VPA can set for the CPU requests.

                Default: 2

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.cpu.min

                The minimum value that the VPA can set for the CPU requests.

                Default: 50m

            • settings.dataPlane.ztunnel.resourcesManagement.vpa.memory
              object

              Memory-related VPA settings.

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.memory.limitRatio
                number

                The memory limits/requests ratio.

                This ratio is used for calculating the initial memory limits for a pod.

                If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.memory.max

                The maximum memory requests the VPA can set.

                Default: 2Gi

              • settings.dataPlane.ztunnel.resourcesManagement.vpa.memory.min

                The minimum memory requests the VPA can set.

                Default: 256Mi

            • settings.dataPlane.ztunnel.resourcesManagement.vpa.mode
              string

              VPA operating mode.

              Default: Auto

              Allowed values: Initial, Auto

    • settings.federation
      object

      Available in editions: EE

      Parameters for federating with other clusters.

      • settings.federation.enabled
        boolean

        Designate this cluster as a federation member (see Enabling federation).

        Default: false

        Example:

        enabled: true
    • settings.globalVersion
      string

      Specific version of Istio control-plane which handles unspecific versions of data plane (namespaces with istio-injection=enabled label, not istio.io/rev=).

      Default: 1.21

      Pattern: ^[0-9]+\.[0-9]+$

    • settings.highAvailability
      boolean

      Manually enable the high availability mode.

      By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

      Example:

      highAvailability: true
    • settings.https
      object

      What certificate type to use with module’s public web interfaces.

      This parameter completely overrides the global.modules.https settings.

      Examples:

      https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

      https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

          Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

          Default: letsencrypt

      • settings.https.customCertificate
        object
        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy.

          This secret must have the kubernetes.io/tls format.

          Default: false

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will use HTTPS using the certificate from the d8-system namespace.
        • OnlyInURI — Kiali/metadata-exporter (including SPIFFE endpoint)/api-proxy will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

        Caution! Unlike other modules, Istio doesn’t support non-secured HTTP (mode: Disabled).

        Default: CertManager

        Allowed values: CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for Kiali, metadata-exporter and proxy-api.

      Optional. By default, the modules.ingressClass global value is used.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    • settings.multicluster
      object

      Available in editions: EE

      Multicluster parameters.

      • settings.multicluster.enabled
        boolean

        Designate this cluster as a multicluster member (see Enabling multicluster).

        Default: false

        Example:

        enabled: true
    • settings.nodeSelector
      object

      Optional nodeSelector for istio-operator, metadata-exporter and Kiali. The same as the spec.nodeSelector pod parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

    • settings.outboundTrafficPolicyMode
      string

      How to handle requests directed to external services which aren’t registered in service mesh.

      • AllowAny — allow.
      • RegistryOnly — deny. In this case to work with external services you need to register them with ServiceEntry custom resource or to organize egressgateway.

      Default: AllowAny

      Allowed values: AllowAny, RegistryOnly

      Example:

      outboundTrafficPolicyMode: AllowAny
    • settings.sidecar
      object

      Network settings for traffic capture by istio sidecar.

      • settings.sidecar.excludeInboundPorts
        array of strings

        The range of inbound ports whose traffic is guaranteed not to flow through Istio.

        You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeInboundPorts annotation.

        Default: []

        Example:

        excludeInboundPorts:
- '8080'
- '8443'
        • Element of the array
          string

          Pattern: ^[0-9]{1,5}$

      • settings.sidecar.excludeOutboundIPRanges
        array of strings

        Traffic to these IP ranges is guaranteed not to flow through Istio.

        You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundIPRanges annotation.

        Default: []

        Example:

        excludeOutboundIPRanges:
- 10.1.1.0/24
        • Element of the array
          string

          Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

      • settings.sidecar.excludeOutboundPorts
        array of strings

        The range of outbound ports whose traffic is guaranteed not to flow through Istio.

        You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/excludeOutboundPorts annotation.

        Default: []

        Example:

        excludeOutboundPorts:
- '8080'
- '8443'
        • Element of the array
          string

          Pattern: ^[0-9]{1,5}$

      • settings.sidecar.includeOutboundIPRanges
        array of strings

        Traffic to these IP ranges is forcibly routed through Istio.

        You can redefine this parameter for single Pod using the traffic.sidecar.istio.io/includeOutboundIPRanges annotation.

        Default: ["0.0.0.0/0"]

        Example:

        includeOutboundIPRanges:
- 10.1.1.0/24
        • Element of the array
          string

          Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

      • settings.sidecar.resourcesManagement
        object

        Manages Istio sidecar container resources.

        Caution! The setting only applies to new Pods with istio-proxy.

        Example:

        resourcesManagement:
  static:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 2000m
      memory: 1Gi
        • settings.sidecar.resourcesManagement.mode
          string

          Resource management mode:

          • Static — allows you to specify requests/limits. The parameters of this mode are defined in the static parameter section;

          Default: Static

          Allowed values: Static

        • settings.sidecar.resourcesManagement.static
          object

          Resource management options for the Static mode.

          • settings.sidecar.resourcesManagement.static.limits
            object

            Configuring CPU and memory limits.

            • settings.sidecar.resourcesManagement.static.limits.cpu
              string

              Configuring CPU limits.

              Default: 2000m

              Pattern: ^[0-9]+m?$

            • settings.sidecar.resourcesManagement.static.limits.memory

              Configuring memory limits.

              Default: 1Gi

          • settings.sidecar.resourcesManagement.static.requests
            object

            Resource requests settings for pods.

            • settings.sidecar.resourcesManagement.static.requests.cpu
              string

              Configuring CPU requests.

              Default: 100m

              Pattern: ^[0-9]+m?$

            • settings.sidecar.resourcesManagement.static.requests.memory

              Configuring memory requests.

              Default: 128Mi

    • settings.tolerations
      array of objects

      Optional tolerations for istio-operator, metadata-exporter and Kiali. The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
    • settings.tracing
      object

      Tracing parameters.

      • settings.tracing.collector
        object

        Tracing collection settings.

        • settings.tracing.collector.zipkin
          object

          Zipkin protocol parameters used by Istio for sending traces. Jaeger supports this protocol.

          If tracing is enabled, this settings section is mandatory.

          • settings.tracing.collector.zipkin.address
            string

            Network address of zipkin collector in <IP of FQDN>:<port> format.

            Pattern: [0-9a-zA-Z\.-]+

            Example:

            address: zipkin.myjaeger.svc:9411
      • settings.tracing.enabled
        boolean

        Turn on or off tracing collection and displaying in Kiali.

        Default: false

        Example:

        enabled: true
      • settings.tracing.kiali
        object

        Span displaying settings for Kiali.

        When not configured, Kiali won’t show any tracing dashboards.

        Examples:

        kiali: {}

        kiali:
  jaegerURLForUsers: https://tracing-service:4443/jaeger
  jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
        • settings.tracing.kiali.jaegerGRPCEndpoint
          string

          Accessible from cluster address of jaeger GRPC interface for system queries by Kiali.

          When not configured, Kiali will only show external links using the jaegerURLForUsers config without interpretationing.

          Example:

          jaegerGRPCEndpoint: http://tracing.myjaeger.svc:16685/
        • settings.tracing.kiali.jaegerURLForUsers
          string

          Jaeger UI address for users. Mandatory parameter if Kiali is enabled.

          Example:

          jaegerURLForUsers: https://tracing-service:4443/jaeger
      • settings.tracing.sampling
        number

        The sampling rate option can be used to control what percentage of requests get reported to your tracing system.

        This should be configured depending upon your traffic in the mesh and the amount of tracing data you want to collect.

        It is possible to override this option with the following Pod annotation:

        proxy.istio.io/config: |
  tracing:
    sampling: 100.0

        Default: 1.0

        Allowed values: 0.01 <= X <= 100.0

        Example:

        sampling: 50.05

Authentication

user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.

Use d8 k to see password:

d8 k -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values istio -o json | jq '.istio.internal.auth.password'

Delete the Secret to re-generate password:

d8 k -n d8-istio delete secret/kiali-basic-auth

Note! The auth.password parameter is deprecated.