{{- /*
Source: github.com/replicatedcom/ship@v0.50.0/integration/init/istio/expected/.ship/upstream/templates/configmap.yaml

Renders the "istio" ConfigMap, whose single "mesh" key carries the mesh
configuration as an embedded YAML string. Nothing is rendered unless
.Values.pilot.enabled is set.

Security-relevant inputs read from values:
  - global.controlPlaneSecurityEnabled selects MUTUAL_TLS vs NONE for the
    sidecar-to-Pilot channel and switches the Mixer and Pilot ports.
  - global.tracer.lightstep.accessToken is written into this ConfigMap as
    plain text when the lightstep tracer is selected.
*/ -}}
{{- if .Values.pilot.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "istio.name" . }}
    chart: {{ template "istio.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
data:
  mesh: |-
    {{- /* Everything below is the literal block-scalar value: the "#" lines are
           emitted into the ConfigMap data, so notes that must not appear in the
           rendered output are written as template comments like this one. */}}
    # Set the following variable to true to disable policy checks by the Mixer.
    # Note that metrics will still be reported to the Mixer.
    disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}

    # Set enableTracing to false to disable request tracing.
    enableTracing: {{ .Values.global.enableTracing }}

    # Set accessLogFile to empty string to disable access log.
    accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
    #
    # Deprecated: mixer is using EDS
  {{- if .Values.mixer.enabled }}
    {{- if .Values.global.controlPlaneSecurityEnabled }}
    {{- /* The Mixer endpoints follow the same switch as controlPlaneAuthPolicy
           further down: 15004 when control-plane security is on, 9091 otherwise.
           Presumably 15004 is the mTLS listener and 9091 the plaintext one --
           confirm against the istio-policy / istio-telemetry Services. */}}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004
    {{- else }}
    mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
    mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
    {{- end }}
  {{- end }}

  {{- if .Values.ingress.enabled }}
    # This is the k8s ingress service name, update if you used a different name
    ingressService: istio-{{ .Values.global.k8sIngressSelector }}
  {{- end }}

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: ""

    #
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      #interceptionMode: REDIRECT
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      {{- /* NOTE(review): as the rendered note above says, the admin port is
             reached by exec-ing into the istio-proxy container. Envoy's admin
             interface has no authentication of its own, so pods/exec permission
             is the effective access control for it. */}}
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      concurrency: {{ .Values.global.proxy.concurrency }}
      #
      tracing:
      {{- if eq .Values.global.proxy.tracer "lightstep" }}
        {{- /* NOTE(review): accessToken is a credential, and it lands in ConfigMap
               data rather than a Secret, so it is readable by any subject allowed
               to get/list ConfigMaps in this namespace. Scope RBAC on this object
               accordingly and treat the values file that supplies it as sensitive.
               If "secure" renders false, the token presumably travels to the
               Satellite pool without TLS -- confirm.
               address, accessToken and cacertPath are rendered unquoted, whereas
               accessLogFile above is quoted: a value containing ": " or " #", or
               one that looks like a number or boolean, would presumably be
               mis-parsed when the mesh config is read -- confirm before relying
               on arbitrary token formats. */}}
        lightstep:
          # Address of the LightStep Satellite pool
          address: {{ .Values.global.tracer.lightstep.address }}
          # Access Token used to communicate with the Satellite pool
          accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
          # Whether communication with the Satellite pool should be secure
          secure: {{ .Values.global.tracer.lightstep.secure }}
          # Path to the file containing the cacert to use when verifying TLS
          cacertPath: {{ .Values.global.tracer.lightstep.cacertPath }}
      {{- else if eq .Values.global.proxy.tracer "zipkin" }}
        zipkin:
          # Address of the Zipkin collector
        {{- if .Values.global.tracer.zipkin.address }}
          address: {{ .Values.global.tracer.zipkin.address }}
        {{- else }}
          address: zipkin.{{ .Release.Namespace }}:9411
        {{- end }}
      {{- end }}

    {{- if .Values.global.proxy.envoyStatsd.enabled }}
      #
      # Statsd metrics collector converts statsd metrics into Prometheus metrics.
      statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }}
    {{- end }}

    {{- if .Values.global.controlPlaneSecurityEnabled }}
      {{- /* Control-plane security on: sidecars are told to use MUTUAL_TLS towards
             Pilot and to connect on port 15011. */}}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15011
    {{- else }}
      {{- /* Control-plane security off: the policy rendered below is NONE, i.e. the
             sidecar-to-Pilot channel is not mutually authenticated, even though
             the emitted "#" comment still reads "Mutual TLS authentication".
             Port 15010 is presumably Pilot's plaintext discovery port -- confirm
             against the Pilot Service. */}}
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: NONE
      #
      # Address where istio Pilot service is running
      discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15010
    {{- end }}
{{- end }}