github.com/replicatedcom/ship@v0.50.0/integration/init/istio-1.0.3/expected/.ship/upstream/templates/configmap.yaml (about)

     1  {{- if .Values.pilot.enabled }}
     2  apiVersion: v1
     3  kind: ConfigMap
     4  metadata:
     5    name: istio
     6    namespace: {{ .Release.Namespace }}
     7    labels:
     8      app: {{ template "istio.name" . }}
     9      chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    10      release: {{ .Release.Name }}
    11      heritage: {{ .Release.Service }}
    12  data:
    13    mesh: |-
    14      # Set the following variable to true to disable policy checks by the Mixer.
    15      # Note that metrics will still be reported to the Mixer.
    16      disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
    17  
    18      # Set enableTracing to false to disable request tracing.
    19      enableTracing: {{ .Values.global.enableTracing }}
    20  
    21      # Set accessLogFile to empty string to disable access log.
    22      accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
    23      #
    24      # Deprecated: mixer is using EDS
    25      {{- if .Values.mixer.enabled }}
    26      {{- if .Values.global.controlPlaneSecurityEnabled }}
    27      mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004
    28      mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004
    29      {{- else }}
    30      mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
    31      mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
    32      {{- end }}
    33  
    34      # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    35      # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    36      policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
    37      {{- end }}
    38  
    39      {{- if .Values.ingress.enabled }}
    40      # This is the k8s ingress service name, update if you used a different name
    41      ingressService: istio-{{ .Values.global.k8sIngressSelector }}
    42      {{- end }}
    43  
    44      # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    45      # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. 
    46      sdsUdsPath: ""
    47      
    48      # How frequently should Envoy fetch key/cert from NodeAgent.
    49      sdsRefreshDelay: 15s
    50  
    51      #
    52      defaultConfig:
    53        #
    54        # TCP connection timeout between Envoy & the application, and between Envoys.
    55        connectTimeout: 10s
    56        #
    57        ### ADVANCED SETTINGS #############
    58        # Where should envoy's configuration be stored in the istio-proxy container
    59        configPath: "/etc/istio/proxy"
    60        binaryPath: "/usr/local/bin/envoy"
    61        # The pseudo service name used for Envoy.
    62        serviceCluster: istio-proxy
    63        # These settings that determine how long an old Envoy
    64        # process should be kept alive after an occasional reload.
    65        drainDuration: 45s
    66        parentShutdownDuration: 1m0s
    67        #
    68        # The mode used to redirect inbound connections to Envoy. This setting
    69        # has no effect on outbound traffic: iptables REDIRECT is always used for
    70        # outbound connections.
    71        # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
    72        # The "REDIRECT" mode loses source addresses during redirection.
    73        # If "TPROXY", use iptables TPROXY to redirect to Envoy.
    74        # The "TPROXY" mode preserves both the source and destination IP
    75        # addresses and ports, so that they can be used for advanced filtering
    76        # and manipulation.
    77        # The "TPROXY" mode also configures the sidecar to run with the
    78        # CAP_NET_ADMIN capability, which is required to use TPROXY.
    79        #interceptionMode: REDIRECT
    80        #
    81        # Port where Envoy listens (on local host) for admin commands
    82        # You can exec into the istio-proxy container in a pod and
    83        # curl the admin port (curl http://localhost:15000/) to obtain
    84        # diagnostic information from Envoy. See
    85        # https://lyft.github.io/envoy/docs/operations/admin.html
    86        # for more details
    87        proxyAdminPort: 15000
    88        #
    89        # Set concurrency to a specific number to control the number of Proxy worker threads.
    90        # If set to 0 (default), then start worker thread for each CPU thread/core.
    91        concurrency: {{ .Values.global.proxy.concurrency }}
    92        #
    93        # Zipkin trace collector
    94        zipkinAddress: zipkin.{{ .Release.Namespace }}:9411
    95  
    96      {{- if .Values.global.proxy.envoyStatsd.enabled }}
    97        #
    98        # Statsd metrics collector converts statsd metrics into Prometheus metrics.
    99        statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }}
   100      {{- end }}
   101  
   102      {{- if .Values.global.controlPlaneSecurityEnabled }}
   103        #
   104        # Mutual TLS authentication between sidecars and istio control plane.
   105        controlPlaneAuthPolicy: MUTUAL_TLS
   106        #
   107        # Address where istio Pilot service is running
   108        discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005
   109      {{- else }}
   110        #
   111        # Mutual TLS authentication between sidecars and istio control plane.
   112        controlPlaneAuthPolicy: NONE
   113        #
   114        # Address where istio Pilot service is running
   115        discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007
   116      {{- end }}
   117  {{- end }}