istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tools/packaging/common/sidecar.env

# Environment variables used to configure istio startup

# Comma separated list of CIDRs used for services. If set, iptables will be run to allow the istio
# sidecar to intercept outbound calls to the configured addresses. If not set, outbound traffic
# will not be redirected to the istio sidecar via iptables.
# ISTIO_SERVICE_CIDR=

# Name of the service exposed by the machine.
# ISTIO_SERVICE=myservice

# The mode used to redirect inbound connections to Envoy. This setting
# has no effect on outbound traffic: iptables REDIRECT is always used for
# outbound connections.
# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
# The "REDIRECT" mode loses source addresses during redirection.
# If "TPROXY", use iptables TPROXY to redirect to Envoy.
# The "TPROXY" mode preserves both the source and destination IP
# addresses and ports, so that they can be used for advanced filtering
# and manipulation.
# The "TPROXY" mode also configures the sidecar to run with the
# CAP_NET_ADMIN capability, which is required to use TPROXY.
# If not set, defaults to "REDIRECT".
# ISTIO_INBOUND_INTERCEPTION_MODE=REDIRECT

# When the interception mode is "TPROXY", the iptables skb mark that is set on
# every inbound packet to be redirected to Envoy.
# If not set, defaults to "1337".
# ISTIO_INBOUND_TPROXY_MARK=1337

# When the interception mode is "TPROXY", the number of the routing table that
# is configured and used to route inbound connections to the loopback interface
# in order to be redirected to Envoy.
# If not set, defaults to "133".
# ISTIO_INBOUND_TPROXY_ROUTE_TABLE=133

# Comma separated list of local ports that will use the Istio sidecar for inbound services.
# If set, iptables rules will be configured to intercept inbound traffic and redirect it to the sidecar.
# If not set, no rules will be enabled.
# ISTIO_INBOUND_PORTS=

# List of ports to exclude from inbound interception, if ISTIO_INBOUND_PORTS is set to *.
# Port 22 is automatically excluded.
# ISTIO_INBOUND_EXCLUDE_PORTS=

# Namespace of the cluster.
# ISTIO_NAMESPACE=default

# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
# Needed if the host has multiple IPs.
# ISTIO_SVC_IP=

# If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS) you must
# also configure the mesh expansion machines:
# ISTIO_PILOT_PORT=15005
# ISTIO_CP_AUTH=MUTUAL_TLS

# Fine tuning - useful if installing/building binaries instead of using the .deb file, or running
# multiple instances.

# Port used by Envoy. Defaults to 15001, used in the autogenerated config.
# ENVOY_PORT=15001

# User running Envoy. For testing you can use a regular user ID - however running iptables requires
# root or the netadmin capability. The debian file creates user istio.
# ENVOY_USER=istio-proxy

# Uncomment to enable debugging
# ISTIO_AGENT_FLAGS="--proxyLogLevel debug"

# Directory for stdout redirection. The redirection is required because envoy attempts to open
# /dev/stdout - it must be a real file. Will be used for access logs. Additional config for logsaver
# needs to be made; envoy reopens the file on SIGUSR1.
# ISTIO_LOG_DIR=/var/log/istio

# Installation directory for istio binaries, customize in case you're using a binary.
# This is likely to change - the current path matches the docker layout in 0.1
# ISTIO_BIN_BASE=/usr/local/bin

# Location of istio configs.
# ISTIO_CFG=/var/lib/istio

# Ignore Istio iptables custom rules.
# Enable this flag if you would like to manage iptables yourself. Defaults to false (true/false).
# ISTIO_CUSTOM_IP_TABLES=false

# Location of provisioning certificates. VM provisioning tools must generate a certificate with
# the expected SAN. Istio-agent will use it to connect to istiod and get fresh certificates.
# PROV_CERT=/var/run/secrets/istio

# Location to save the certificates from the CA. Setting this to the same location as PROV_CERT
# allows rotation of the secrets. Users may also use a longer-lived PROV_CERT, rotated under the control
# of the provisioning tool.
# Istiod may return a certificate with additional information and a shorter lifetime, to be used for
# workload communication. In order to use the certificate with applications not supporting SDS, set this
# environment variable. If the value is different from PROV_CERT the workload certs will be saved there, but
# the provisioning cert will remain under the control of the VM provisioning tools.
# OUTPUT_CERTS=/var/run/secrets/istio
# OUTPUT_CERTS=/etc/certs

# Address of the CA. The CA must implement the Istio protocol, accepting the provisioning certificate
# and returning workload certificates. Istiod implements the protocol, and is the default value
# if CA_ADDR is not set.
# CA_ADDR
# Set CA_ADDR if your istiod.istio-system.svc is on a port other than 15012.
# CA_ADDR=istiod.istio-system.svc:32018
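Added example, not part of Istio or of the file above: a POSIX shell lint that sources a sidecar.env in a subshell and checks the constraints the comments state before the start script runs iptables as root. The function name sidecar_env_lint, the two sample writers, and the sample values they write are hypothetical and constructed here; the checks are that the interception mode is REDIRECT or TPROXY, that the TPROXY mark and route table are decimal numbers as in the defaults, that ISTIO_INBOUND_PORTS is empty, * or a list of valid port numbers, that ISTIO_INBOUND_EXCLUDE_PORTS is only set alongside *, that ISTIO_CUSTOM_IP_TABLES is true or false, and that ISTIO_CP_AUTH=MUTUAL_TLS is paired with ISTIO_PILOT_PORT.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Istio): lint a sidecar.env
# against the constraints its own comments state, before it is sourced and
# iptables rules are installed as root.

# sidecar_env_lint FILE
# Sources FILE in a subshell so nothing leaks into the caller's environment,
# prints one "error: ..." line per problem on stderr, returns 1 if any found.
sidecar_env_lint() {
  (
    . "$1" || exit 2
    errors=0
    fail() { echo "error: $*" >&2; errors=$((errors + 1)); }

    # Inbound interception mode: REDIRECT (default) or TPROXY.
    mode=${ISTIO_INBOUND_INTERCEPTION_MODE:-REDIRECT}
    case "$mode" in
      REDIRECT) ;;
      TPROXY)
        # TPROXY needs a decimal skb mark and routing table id (defaults 1337 / 133).
        case "${ISTIO_INBOUND_TPROXY_MARK:-1337}" in
          ''|*[!0-9]*) fail "ISTIO_INBOUND_TPROXY_MARK must be a decimal number" ;;
        esac
        case "${ISTIO_INBOUND_TPROXY_ROUTE_TABLE:-133}" in
          ''|*[!0-9]*) fail "ISTIO_INBOUND_TPROXY_ROUTE_TABLE must be a decimal number" ;;
        esac ;;
      *) fail "ISTIO_INBOUND_INTERCEPTION_MODE must be REDIRECT or TPROXY, got '$mode'" ;;
    esac

    # Inbound ports: unset (no rules), '*' (everything, 22 auto-excluded),
    # or a comma-separated list of port numbers.
    ports=${ISTIO_INBOUND_PORTS:-}
    if [ -n "$ports" ] && [ "$ports" != "*" ]; then
      old_ifs=$IFS; IFS=,
      for p in $ports; do
        case "$p" in
          ''|*[!0-9]*) fail "ISTIO_INBOUND_PORTS entry '$p' is not a port number" ;;
          *) [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || fail "ISTIO_INBOUND_PORTS entry '$p' out of range" ;;
        esac
      done
      IFS=$old_ifs
    fi
    # Exclusions are only consulted when intercepting all ports.
    if [ -n "${ISTIO_INBOUND_EXCLUDE_PORTS:-}" ] && [ "$ports" != "*" ]; then
      fail "ISTIO_INBOUND_EXCLUDE_PORTS is ignored unless ISTIO_INBOUND_PORTS=*"
    fi

    case "${ISTIO_CUSTOM_IP_TABLES:-false}" in
      true|false) ;;
      *) fail "ISTIO_CUSTOM_IP_TABLES must be true or false" ;;
    esac

    # Control-plane mTLS: the file asks for both settings together.
    if [ "${ISTIO_CP_AUTH:-}" = "MUTUAL_TLS" ] && [ -z "${ISTIO_PILOT_PORT:-}" ]; then
      fail "ISTIO_CP_AUTH=MUTUAL_TLS also needs ISTIO_PILOT_PORT (15005 in the defaults)"
    fi

    [ "$errors" -eq 0 ]
  )
}

# Constructed sample (not a real deployment): a VM in the mesh using TPROXY,
# intercepting all inbound ports except 9090, with mTLS to the control plane.
write_sample_env() {
  cat >"$1" <<'EOF'
ISTIO_SERVICE=myservice
ISTIO_NAMESPACE=default
ISTIO_INBOUND_INTERCEPTION_MODE=TPROXY
ISTIO_INBOUND_TPROXY_MARK=1337
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=133
ISTIO_INBOUND_PORTS='*'
ISTIO_INBOUND_EXCLUDE_PORTS=9090
ISTIO_PILOT_PORT=15005
ISTIO_CP_AUTH=MUTUAL_TLS
PROV_CERT=/var/run/secrets/istio
OUTPUT_CERTS=/var/run/secrets/istio
ISTIO_CUSTOM_IP_TABLES=false
EOF
}

# Constructed broken sample: several mistakes the lint should report
# (non-numeric mark, a service name in the port list, exclusions without '*',
# MUTUAL_TLS without a pilot port, a non-boolean flag).
write_broken_env() {
  cat >"$1" <<'EOF'
ISTIO_INBOUND_INTERCEPTION_MODE=TPROXY
ISTIO_INBOUND_TPROXY_MARK=mark1
ISTIO_INBOUND_PORTS=8080,http
ISTIO_INBOUND_EXCLUDE_PORTS=9090
ISTIO_CP_AUTH=MUTUAL_TLS
ISTIO_CUSTOM_IP_TABLES=no
EOF
}

# Usage: sh sidecar_env_lint.sh /var/lib/istio/envoy/sidecar.env
# (path assumed; adjust to wherever your package puts the file)
if [ -n "${1:-}" ]; then
  sidecar_env_lint "$1" && echo "ok: $1"
fi
```

Sourcing the file is deliberate: the real start script does the same, so the lint sees exactly the values that will reach iptables, including anything a quoted value or a shell expansion in the file resolves to. Running it in a subshell keeps those values from leaking into the caller.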