{{- if .Values.pilot.enabled }}
# Listing: github.com/replicatedcom/ship@v0.50.0/integration/init/istio-1.0.3/expected/.ship/upstream/templates/configmap.yaml
# Helm template for the "istio" ConfigMap; it is rendered only when
# .Values.pilot.enabled is set. The "mesh" key holds the mesh configuration
# as one block of text, filled in from the chart values referenced below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  # NOTE(review): the templated values in this stanza are unquoted, so a
  # namespace or release name made only of digits would render as a YAML
  # integer. Consider piping them through `quote`.
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "istio.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  mesh: |-
    # Set the following variable to true to disable policy checks by the Mixer.
    # Note that metrics will still be reported to the Mixer.
    # Security: true switches off Mixer policy enforcement while telemetry keeps
    # flowing, so dashboards alone will not show that checks are no longer applied.
    disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}

    # Set enableTracing to false to disable request tracing.
    enableTracing: {{ .Values.global.enableTracing }}

    # Set accessLogFile to empty string to disable access log.
    # NOTE(review): an empty value removes the per-request access log; confirm
    # that detection and incident response do not depend on it before disabling.
    accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
    #
    # Deprecated: mixer is using EDS
  {{- if .Values.mixer.enabled }}
  {{- if .Values.global.controlPlaneSecurityEnabled }}
    # Control-plane security on: sidecars are pointed at port 15004 of the
    # policy and telemetry services (presumably the mutual-TLS listener;
    # confirm against the Mixer Service definition).
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004
  {{- else }}
    # Control-plane security off: sidecars are pointed at port 9091 instead.
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
  {{- end }}

    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    # Security: true makes enforcement fail open, so an outage of istio-policy
    # silently lets every request through. Keep it false wherever Mixer policy
    # acts as a security control, and alert on Mixer unavailability.
    policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
  {{- end }}

  {{- if .Values.ingress.enabled }}
    # This is the k8s ingress service name, update if you used a different name
    ingressService: istio-{{ .Values.global.k8sIngressSelector }}
  {{- end }}

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    # Hard-coded to empty here, i.e. key/cert come from secret-mount files.
    sdsUdsPath: ""

    # How frequently should Envoy fetch key/cert from NodeAgent.
    sdsRefreshDelay: 15s

    #
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      # NOTE(review): CAP_NET_ADMIN widens what the sidecar container may do to
      # the pod's network stack; enable TPROXY only where preserved source
      # addresses are actually needed.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      # (the Envoy documentation has since moved to
      # https://www.envoyproxy.io/docs/envoy/latest/operations/admin).
      # NOTE(review): Envoy's admin interface has no authentication of its own;
      # confirm this port stays reachable from localhost only and is never
      # published through a Service, hostPort or long-lived port-forward.
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: {{ .Values.global.proxy.concurrency }}
      #
      # Zipkin trace collector
      zipkinAddress: zipkin.{{ .Release.Namespace }}:9411

    {{- if .Values.global.proxy.envoyStatsd.enabled }}
      #
      # Statsd metrics collector converts statsd metrics into Prometheus metrics.
      statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }}
    {{- end }}

    {{- if .Values.global.controlPlaneSecurityEnabled }}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005
    {{- else }}
      #
      # No mutual TLS between sidecars and the istio control plane: with NONE the
      # sidecar-to-Pilot connection is not protected by this setting.
      # NOTE(review): this branch is taken whenever
      # .Values.global.controlPlaneSecurityEnabled is false; prefer enabling it
      # unless the pod network is otherwise trusted, since sidecars take their
      # routing configuration from this channel.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007
    {{- end }}
{{- end }}