# Values for the Istio Helm chart: a `global` block of common settings,
# followed by one section per component or addon.
#
# NOTE(review): several defaults below favour quick test installs over
# hardening (a moving image tag, mtls switched off, admin/admin credentials
# for the grafana and kiali addons). Each one is flagged where it is set.

# Common settings.
global:
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
  hub: gcr.io/istio-release

  # Default tag for Istio images.
  # NOTE(review): this is a moving tag (latest daily build), so the image
  # behind it can change between pulls. Pin a fixed release tag or an image
  # digest wherever the deployed bits must be reproducible and auditable.
  tag: release-1.0-latest-daily

  # Gateway used for legacy k8s Ingress resources. By default it is
  # using 'istio:ingress', to match 0.8 config. It requires that
  # ingress.enabled is set to true. You can also set it
  # to ingressgateway, or any other gateway you define in the 'gateway'
  # section.
  k8sIngressSelector: ingress

  # k8sIngressHttps will add port 443 on the ingress and ingressgateway.
  # It REQUIRES that the certificates are installed in the
  # expected secrets - enabling this option without certificates
  # will result in LDS rejection and the ingress will not work.
  k8sIngressHttps: false

  proxy:
    image: proxyv2

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 10m
      #   memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi

    # Controls number of Proxy worker threads.
    # If set to 0 (default), then start worker thread for each CPU thread/core.
    concurrency: 0

    # Configures the access log for each sidecar. Setting it to an empty string will
    # disable access log for sidecar.
    accessLogFile: "/dev/stdout"

    # If set to true, istio-proxy container will have privileged securityContext.
    # NOTE(review): keep this false outside of debugging; a privileged
    # sidecar in every injected pod widens the impact of a proxy compromise.
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled. Core dumps will always be written to the same
    # file to prevent storage filling up indefinitely. Add a timestamp option to core_pattern to keep all cores:
    # e.g. sysctl -w kernel.core_pattern=/var/lib/istio/core.%e.%p.%t
    # NOTE(review): a core dump is a copy of process memory and can hold
    # whatever the proxy had loaded (presumably including key material);
    # treat dump files as sensitive and enable this only while debugging.
    enableCoreDump: false

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    # statusPort: 15020
    statusPort: 0

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    # NOTE(review): as described above, traffic outside the captured ranges
    # is not redirected to the sidecar; narrowing includeIPRanges or filling
    # excludeIPRanges therefore presumably takes that traffic out of mesh
    # policy and telemetry - confirm before changing these.
    includeIPRanges: "*"
    excludeIPRanges: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect no inbound traffic to Envoy:    --includeInboundPorts=""
    #     Redirect all inbound traffic to Envoy:   --includeInboundPorts="*"
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc
      port: # example: 9125

    # This controls the stats collection for proxies. To disable stats
    # collection, set the prometheusPort to 0.
    stats:
      prometheusPort: 15090

  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxy_init

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  # NOTE(review): together with the moving `tag` above, IfNotPresent lets
  # a node keep whichever build it pulled first, so nodes can end up on
  # different images under the same tag.
  imagePullPolicy: IfNotPresent

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  # NOTE(review): false leaves control plane mtls off; the startup delay
  # above is the stated reason, which applies to tests, not production.
  controlPlaneSecurityEnabled: false

  # disablePolicyChecks disables mixer policy checks.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: false

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  # NOTE(review): false is the fail-closed choice; setting it to true
  # trades policy enforcement for availability whenever Mixer is unreachable.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    # NOTE(review): with false, mtls between services is not on by default
    # and depends on the per-service settings mentioned above.
    enabled: false

  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # Must be set for any cluster configured with private docker registry.
  # Left without a value here, so the key parses as null rather than as an
  # empty list.
  imagePullSecrets:
    # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Whether to perform server-side validation of configuration.
  configValidation: true

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion: false

  # If set to true, the pilot and citadel mtls and the plain text pilot ports
  # will be exposed on an internal gateway
  # NOTE(review): this variant also exposes the plain text pilot ports, so
  # the network that can reach the internal gateway has to be trusted.
  meshExpansionILB: false

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  # Not recommended for user to configure this. Hyperkube image to use when creating custom resources
  hyperkube:
    hub: quay.io/coreos
    tag: v1.7.6_coreos.0

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Include the crd definition when generating the template.
  # For 'helm template' and helm install > 2.10 it should be true.
  # For helm < 2.9, crds must be installed ahead of time with
  # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml'
  # and this option must be set to false.
  crds: true

#
# ingress configuration
#
ingress:
  enabled: false
  replicaCount: 1
  autoscaleMin: 1
  autoscaleMax: 5
  service:
    annotations: {}
    loadBalancerIP: ""
    type: LoadBalancer # change to NodePort, ClusterIP or LoadBalancer if need be
    # Uncomment the following line to preserve client source ip.
    # externalTrafficPolicy: Local
    ports:
      - port: 80
        name: http
        nodePort: 32000
      - port: 443
        name: https
    selector:
      istio: ingress

#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specific gateway by setting the `enabled` to false.
#
gateways:
  enabled: true

  istio-ingressgateway:
    enabled: true
    labels:
      app: istio-ingressgateway
      istio: ingressgateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 5
    resources: {}
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 1800m
      #   memory: 256Mi
    cpu:
      targetAverageUtilization: 80
    loadBalancerIP: ""
    serviceAnnotations: {}
    type: LoadBalancer # change to NodePort, ClusterIP or LoadBalancer if need be
    # Uncomment the following line to preserve client source ip.
    # externalTrafficPolicy: Local

    # NOTE(review): every port listed here is published on a Service of
    # type LoadBalancer. Remove the entries a deployment does not need
    # instead of relying on nothing being routed to them.
    ports:
      ## You can add custom gateway ports
      - port: 80
        targetPort: 80
        name: http2
        nodePort: 31380
      - port: 443
        name: https
        nodePort: 31390
      - port: 31400
        name: tcp
        nodePort: 31400
      # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
      # to pilot/citadel if global.meshExpansion settings are enabled.
      - port: 15011
        targetPort: 15011
        name: tcp-pilot-grpc-tls
      - port: 8060
        targetPort: 8060
        name: tcp-citadel-grpc-tls
      - port: 853
        targetPort: 853
        name: tcp-dns-tls
      # NOTE(review): presumably these two only carry traffic once
      # telemetry-gateway.prometheusEnabled / grafanaEnabled are set -
      # confirm, and require authentication before exposing either.
      - port: 15030
        targetPort: 15030
        name: http2-prometheus
      - port: 15031
        targetPort: 15031
        name: http2-grafana
    # Secrets mounted into the gateway pod; the k8sIngressHttps comment
    # above states the certificates must already be present in the
    # expected secrets.
    secretVolumes:
      - name: ingressgateway-certs
        secretName: istio-ingressgateway-certs
        mountPath: /etc/istio/ingressgateway-certs
      - name: ingressgateway-ca-certs
        secretName: istio-ingressgateway-ca-certs
        mountPath: /etc/istio/ingressgateway-ca-certs

  istio-egressgateway:
    enabled: true
    labels:
      app: istio-egressgateway
      istio: egressgateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 5
    cpu:
      targetAverageUtilization: 80
    serviceAnnotations: {}
    type: ClusterIP # change to NodePort or LoadBalancer if need be
    ports:
      - port: 80
        name: http2
      - port: 443
        name: https
    secretVolumes:
      - name: egressgateway-certs
        secretName: istio-egressgateway-certs
        mountPath: /etc/istio/egressgateway-certs
      - name: egressgateway-ca-certs
        secretName: istio-egressgateway-ca-certs
        mountPath: /etc/istio/egressgateway-ca-certs

  # Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
  # for mesh expansion. It exposes the mtls ports for Pilot,CA as well
  # as non-mtls ports to support upgrades and gradual transition.
  istio-ilbgateway:
    enabled: false
    labels:
      app: istio-ilbgateway
      istio: ilbgateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 5
    resources:
      requests:
        cpu: 800m
        memory: 512Mi
      # limits:
      #   cpu: 1800m
      #   memory: 256Mi
    cpu:
      targetAverageUtilization: 80
    loadBalancerIP: ""
    serviceAnnotations:
      cloud.google.com/load-balancer-type: "internal"
    type: LoadBalancer
    ports:
      ## You can add custom gateway ports - google ILB default quota is 5 ports,
      - port: 15011
        name: grpc-pilot-mtls
      # Insecure port - only for migration from 0.8. Will be removed in 1.1
      # NOTE(review): drop this entry once no 0.8 clients remain; it is the
      # non-mtls pilot port.
      - port: 15010
        name: grpc-pilot
      - port: 8060
        targetPort: 8060
        name: tcp-citadel-grpc-tls
      # Port 853 is reserved for the kube-dns gateway
      - port: 853
        name: tcp-dns
    secretVolumes:
      - name: ilbgateway-certs
        secretName: istio-ilbgateway-certs
        mountPath: /etc/istio/ilbgateway-certs
      - name: ilbgateway-ca-certs
        secretName: istio-ilbgateway-ca-certs
        mountPath: /etc/istio/ilbgateway-ca-certs

#
# sidecar-injector webhook configuration
#
sidecarInjectorWebhook:
  enabled: true
  replicaCount: 1
  image: sidecar_injector
  enableNamespacesByDefault: false

#
# galley configuration
#
galley:
  enabled: true
  replicaCount: 1
  image: galley

#
# mixer configuration
#
mixer:
  enabled: true
  replicaCount: 1
  autoscaleMin: 1
  autoscaleMax: 5
  image: mixer

  env:
    GODEBUG: gctrace=2

  istio-policy:
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    cpu:
      targetAverageUtilization: 80

  istio-telemetry:
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    cpu:
      targetAverageUtilization: 80

  prometheusStatsdExporter:
    hub: docker.io/prom
    tag: v0.6.0

#
# pilot configuration
#
pilot:
  enabled: true
  replicaCount: 1
  autoscaleMin: 1
  autoscaleMax: 5
  image: pilot
  sidecar: true
  traceSampling: 1.0
  # Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi
  env:
    PILOT_PUSH_THROTTLE_COUNT: 100
    GODEBUG: gctrace=2
  cpu:
    targetAverageUtilization: 80

#
# security configuration
#
security:
  replicaCount: 1
  image: citadel
  # NOTE(review): presumably false means CA material has to be supplied by
  # the operator - confirm against the chart before changing it.
  selfSigned: true # indicate if self-signed CA is used.

#
# addons configuration
#
telemetry-gateway:
  gatewayName: ingressgateway
  grafanaEnabled: false
  prometheusEnabled: false

grafana:
  enabled: false
  replicaCount: 1
  image:
    repository: grafana/grafana
    tag: 5.2.3
  persist: false
  storageClassName: ""
  # NOTE(review): adminUser/adminPassword are the well-known admin/admin
  # pair, and security.enabled is false (presumably the dashboard is then
  # reachable without a login - confirm in the chart templates). Override
  # both before enabling grafana or exposing its service, and supply the
  # password from a secret store, not from a values file kept in version
  # control.
  security:
    enabled: false
    adminUser: admin
    adminPassword: admin
  service:
    annotations: {}
    name: http
    type: ClusterIP
    externalPort: 3000
    internalPort: 3000

prometheus:
  enabled: true
  replicaCount: 1
  hub: docker.io/prom
  tag: v2.3.1

  service:
    annotations: {}
    nodePort:
      enabled: false
      port: 32090

servicegraph:
  enabled: false
  replicaCount: 1
  image: servicegraph
  service:
    annotations: {}
    name: http
    type: ClusterIP
    externalPort: 8088
    internalPort: 8088
  ingress:
    enabled: false
    # Used to create an Ingress record.
    hosts:
      - servicegraph.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: servicegraph-tls
      #   hosts:
      #     - servicegraph.local
  # prometheus address
  prometheusAddr: http://prometheus:9090

tracing:
  enabled: false
  provider: jaeger
  jaeger:
    hub: docker.io/jaegertracing
    # NOTE(review): unquoted, this value parses as the float 1.5 rather
    # than a string; a tag such as 1.10 would need quotes to survive.
    tag: 1.5
    memory:
      max_traces: 50000
    ui:
      port: 16686
    ingress:
      enabled: false
      # Used to create an Ingress record.
      hosts:
        - jaeger.local
      annotations:
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      tls:
        # Secrets must be manually created in the namespace.
        # - secretName: jaeger-tls
        #   hosts:
        #     - jaeger.local
  replicaCount: 1
  service:
    annotations: {}
    name: http
    type: ClusterIP
    externalPort: 9411
    internalPort: 9411
  ingress:
    enabled: false
    # Used to create an Ingress record.
    hosts:
      - tracing.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: tracing-tls
      #   hosts:
      #     - tracing.local

kiali:
  enabled: false
  replicaCount: 1
  hub: docker.io/kiali
  tag: v0.9
  ingress:
    enabled: false
    ## Used to create an Ingress record.
    # hosts:
    #   - kiali.local
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    tls:
      # Secrets must be manually created in the namespace.
      # - secretName: kiali-tls
      #   hosts:
      #     - kiali.local
  dashboard:
    username: admin
    # Default admin passphrase for kiali. Must be set during setup, and
    # changed by overriding the secret
    # NOTE(review): admin/admin is a well-known default pair; replace it
    # before enabling kiali, and keep the real passphrase out of values
    # files that are committed to version control.
    passphrase: admin

    # Override the automatically detected Grafana URL, useful when Grafana service has no ExternalIPs
    # grafanaURL:

    # Override the automatically detected Jaeger URL, useful when Jaeger service has no ExternalIPs
    # jaegerURL:

# Certmanager uses ACME to sign certificates. Since Istio gateways are
# mounting the TLS secrets the Certificate CRDs must be created in the
# istio-system namespace. Once the certificate has been created, the
# gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates.
certmanager:
  enabled: false
  hub: quay.io/jetstack
  tag: v0.3.1
  resources: {}