KubeZero/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml

329 lines
12 KiB
YAML

# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "standard"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# Default node selector to be applied to all deployments so that all pods can be
# constrained to run a particular nodes. Each component can overwrite these default
# values by adding its node selector block in the relevant section below and setting
# the desired values.
defaultNodeSelector: {}
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.3
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
meshConfig:
enablePrometheusMerge: true
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain