# Make sure these values match kuberzero-istio !!! global: #hub: docker.io/istio #tag: 1.9.3 logAsJson: true jwtPolicy: first-party-jwt priorityClassName: "system-cluster-critical" defaultPodDisruptionBudget: enabled: false arch: amd64: 2 istio-ingress: enabled: false gateways: istio-ingressgateway: autoscaleEnabled: false replicaCount: 1 rollingMaxSurge: 1 rollingMaxUnavailable: 0 resources: requests: cpu: 50m memory: 64Mi limits: # cpu: 100m memory: 512Mi externalTrafficPolicy: Local podAntiAffinityLabelSelector: - key: app operator: In topologyKey: kubernetes.io/hostname values: istio-ingressgateway type: NodePort podAnnotations: proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' # custom hardened bootstrap config env: ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json configVolumes: - name: custom-bootstrap-volume mountPath: /etc/istio/custom-bootstrap configMapName: istio-gateway-bootstrap-config # The node selector is normally the list of nodeports, see CloudBender nodeSelector: node.kubernetes.io/ingress.public: "30080_30443" ports: - name: status-port port: 15021 nodePort: 30021 protocol: TCP - name: http2 port: 80 targetPort: 8080 nodePort: 30080 protocol: TCP - name: https port: 443 targetPort: 8443 nodePort: 30443 protocol: TCP ## multi-cluster - disabled on public LBs #- name: tcp-istiod # port: 15012 # targetPort: 15012 # nodePort: 30012 # protocol: TCP ## multi-cluster sni east-west #- name: tls # port: 15443 # targetPort: 15443 # nodePort: 30044 # protocol: TCP dnsNames: [] # - '*.example.com' meshConfig: defaultConfig: proxyMetadata: # ISTIO_META_HTTP10: 1 istio-private-ingress: enabled: false gateways: istio-ingressgateway: # name and labels make the ingress private name: istio-private-ingressgateway labels: app: istio-private-ingressgateway istio: private-ingressgateway autoscaleEnabled: false replicaCount: 1 rollingMaxSurge: 1 rollingMaxUnavailable: 0 resources: requests: cpu: 50m memory: 64Mi limits: # cpu: 100m memory: 512Mi externalTrafficPolicy: Local podAntiAffinityLabelSelector: - key: app operator: In topologyKey: kubernetes.io/hostname values: istio-private-ingressgateway type: NodePort podAnnotations: # sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' nodeSelector: node.kubernetes.io/ingress.private: "31080_31443" #nodeSelector: "31080_31443_31671_31672_31224" ports: - name: status-port port: 15021 nodePort: 31021 protocol: TCP - name: http2 port: 80 targetPort: 8080 nodePort: 31080 protocol: TCP - name: https port: 443 targetPort: 8443 nodePort: 31443 protocol: TCP # multi-cluster - name: tcp-istiod port: 15012 targetPort: 15012 nodePort: 31012 protocol: TCP # multi-cluster sni east-west - name: tls port: 15443 targetPort: 15443 nodePort: 31044 protocol: TCP #- name: fluentd-forward # port: 24224 # nodePort: 31224 #- name: amqps # port: 5671 # nodePort: 31671 #- name: amqp # port: 5672 # nodePort: 31672 #- name: redis # port: 6379 # nodePort: 31379 dnsNames: [] # - '*.example.com' meshConfig: defaultConfig: proxyMetadata: # ISTIO_META_HTTP10: 1