---
# Keep these values in sync with kuberzero-istio !!!
global:
  # hub: docker.io/istio
  tag: 1.11.5-distroless
  logAsJson: true
  priorityClassName: 'system-cluster-critical'
  defaultPodDisruptionBudget:
    enabled: false
  arch:
    amd64: 2

# Public ingress gateway (nodes labelled node.kubernetes.io/ingress.public)
istio-ingress:
  enabled: false
  telemetry:
    enabled: false
  gateways:
    istio-ingressgateway:
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # cpu: 100m
          memory: 512Mi
      # Local keeps the client source address and only routes to pods on the receiving node
      externalTrafficPolicy: Local
      podAntiAffinityLabelSelector:
        - key: app
          operator: In
          topologyKey: kubernetes.io/hostname
          values: istio-ingressgateway
      type: NodePort
      podAnnotations:
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
      # Custom hardened bootstrap config, served from the ConfigMap mounted below
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
        - name: custom-bootstrap-volume
          mountPath: /etc/istio/custom-bootstrap
          configMapName: istio-gateway-bootstrap-config
      # Unfortunately the upstream chart makes this complicated because it abuses the nodeSelector, see zdt.patch
      nodeSelector:
        node.kubernetes.io/ingress.public: 'Exists'
      # Only nodes that are fronted by the matching NLB
      # affinity:
      #   nodeAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #       nodeSelectorTerms:
      #         - matchExpressions:
      #             - key: node.kubernetes.io/ingress.public
      #               operator: Exists
      # Ports 80/443 are mapped to 8080/8443 so the proxy does not need to run as root.
      # Each port entry is extended with:
      #   noGateway: true   -> this port is NOT mapped to a Gateway port
      #   tls:              -> optional gateway port TLS setting
      #   gatewayProtocol:  -> load balancer protocol, which is NOT the same as the container protocol!
      ports:
        - name: status-port
          port: 15021
          nodePort: 30021
          noGateway: true
        - name: http2
          port: 80
          targetPort: 8080
          nodePort: 30080
          gatewayProtocol: HTTP2
          tls:
            httpsRedirect: true
        - name: https
          port: 443
          targetPort: 8443
          nodePort: 30443
          gatewayProtocol: HTTPS
          tls:
            mode: SIMPLE
  certificates:
    - name: ingress-cert
      dnsNames: []
      # - '*.example.com'
  # NOTE(review): PROXY protocol trusts the peer-supplied header; keep the NodePorts above
  # reachable only from the NLB (security groups) so no other client can present its own header.
  proxyProtocol: true
  meshConfig:
    defaultConfig:
      # NOTE(review): with every entry commented out this key is null, not {} — confirm the chart tolerates that
      proxyMetadata:
        # ISTIO_META_HTTP10: 1

# Private ingress gateway (nodes labelled node.kubernetes.io/ingress.private)
istio-private-ingress:
  enabled: false
  telemetry:
    enabled: false
  gateways:
    istio-ingressgateway:
      # name and labels make this ingress private
      name: istio-private-ingressgateway
      labels:
        app: istio-private-ingressgateway
        istio: private-ingressgateway
      autoscaleEnabled: false
      replicaCount: 1
      rollingMaxSurge: 1
      rollingMaxUnavailable: 0
      resources:
        requests:
          cpu: 50m
          memory: 64Mi
        limits:
          # cpu: 100m
          memory: 512Mi
      # Local keeps the client source address and only routes to pods on the receiving node
      externalTrafficPolicy: Local
      podAntiAffinityLabelSelector:
        - key: app
          operator: In
          topologyKey: kubernetes.io/hostname
          values: istio-private-ingressgateway
      type: NodePort
      podAnnotations:
        proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
      # Custom hardened bootstrap config, served from the ConfigMap mounted below
      env:
        ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
      configVolumes:
        - name: custom-bootstrap-volume
          mountPath: /etc/istio/custom-bootstrap
          configMapName: istio-gateway-bootstrap-config
      # Unfortunately the upstream chart makes this complicated because it abuses the nodeSelector, see zdt.patch
      nodeSelector:
        node.kubernetes.io/ingress.private: 'Exists'
      # Only nodes that are fronted by the matching NLB
      # affinity:
      #   nodeAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #       nodeSelectorTerms:
      #         - matchExpressions:
      #             - key: node.kubernetes.io/ingress.private
      #               operator: Exists
      # Same port conventions as the public gateway (noGateway / tls / gatewayProtocol), different NodePort range
      ports:
        - name: status-port
          port: 15021
          nodePort: 31021
          noGateway: true
        - name: http2
          port: 80
          targetPort: 8080
          nodePort: 31080
          gatewayProtocol: HTTP2
          tls:
            httpsRedirect: true
        - name: https
          port: 443
          targetPort: 8443
          nodePort: 31443
          gatewayProtocol: HTTPS
          tls:
            mode: SIMPLE
        # - name: fluentd-forward
        #   port: 24224
        #   nodePort: 31224
        #   gatewayProtocol: TLS
        #   tls:
        #     mode: SIMPLE
        # - name: amqps
        #   port: 5671
        #   nodePort: 31671
        # - name: amqp
        #   port: 5672
        #   nodePort: 31672
        # - name: redis
        #   port: 6379
        #   nodePort: 31379
  certificates:
    - name: private-ingress-cert
      dnsNames: []
      # - '*.example.com'
  # NOTE(review): PROXY protocol trusts the peer-supplied header; keep the NodePorts above
  # reachable only from the NLB (security groups) so no other client can present its own header.
  proxyProtocol: true
  meshConfig:
    defaultConfig:
      # NOTE(review): with every entry commented out this key is null, not {} — confirm the chart tolerates that
      proxyMetadata:
        # ISTIO_META_HTTP10: 1