istio-controlplane values.yaml
profile
Type: string
"default"
Description: The istio profile to use
hub
Type: string
"registry1.dso.mil/ironbank/opensource/istio"
Description: The hub to use for all images, images are built as .Values.hub/<component>:.Values.tag
tag
Type: string
"1.22.3"
Description: The tag to use for all images
enterprise
Type: bool
false
Description: Tetrate Istio Distribution - Tetrate provides FIPS-verified Istio and Envoy software and support, validated through the FIPS Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
tidHub
Type: string
"registry1.dso.mil/ironbank/tetrate/istio"
tidTag
Type: string
"1.22.3-tetratefips-v0"
domain
Type: string
"dev.bigbang.mil"
Description: The domain to use for the default gateway
mtls.mode
Type: string
"STRICT"
Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic
revision
Type: string
""
Description: Revision of the Istio control plane
openshift
Type: bool
false
Description: OpenShift feature toggle
imagePullSecrets
Type: list
[]
Description: Pull secrets for images
monitoring
Type: object
enabled: false
Description: Big Bang Monitoring interaction controls
monitoring.enabled
Type: bool
false
Description: Toggle monitoring on/off (controls networkPolicies)
kiali
Type: object
enabled: false
Description: Big Bang Kiali interaction controls
kiali.enabled
Type: bool
false
Description: Toggle kiali on/off (controls networkPolicies)
authservice
Type: object
enabled: false
Description: If authservice is enabled, it will be added to extension providers as an external authorization system. https://istio.io/latest/docs/tasks/security/authorization/authz-custom/
ingressGateways
Type: object
istio-ingressgateway:
  enabled: true
  extraLabels: {}
  k8s:
    affinity: {}
    nodeSelector: {}
    podAnnotations: {}
    resources: {}
    service:
      type: LoadBalancer
    serviceAnnotations: {}
    tolerations: []
Description: Ingress gateways. The following items are automatically set for every ingress gateway: label "app: {name of ingress gateway}"
ingressGateways.istio-ingressgateway
Type: object
enabled: true
extraLabels: {}
k8s:
  affinity: {}
  nodeSelector: {}
  podAnnotations: {}
  resources: {}
  service:
    type: LoadBalancer
  serviceAnnotations: {}
  tolerations: []
Description: This key becomes the name of the ingressGateway
ingressGateways.istio-ingressgateway.extraLabels
Type: object
{}
Description: Labels to use for selecting the ingress gateway from the service. Automatic labels: "app: {ingress gateway name}" and "istio: ingressgateway"
ingressGateways.istio-ingressgateway.k8s
Type: object
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
  type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
ingressGateways.istio-ingressgateway.k8s.service.type
Type: string
"LoadBalancer"
Description: "LoadBalancer" or "NodePort"
ingressGateways.istio-ingressgateway.k8s.podAnnotations
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
ingressGateways.istio-ingressgateway.k8s.serviceAnnotations
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
ingressGateways.istio-ingressgateway.k8s.nodeSelector
Type: object
{}
Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
ingressGateways.istio-ingressgateway.k8s.affinity
Type: object
{}
Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
ingressGateways.istio-ingressgateway.k8s.tolerations
Type: list
[]
Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
egressGateways
Type: object
istio-egressgateway:
  enabled: false
  extraLabels: {}
  k8s:
    affinity: {}
    nodeSelector: {}
    podAnnotations: {}
    resources: {}
    service:
      type: LoadBalancer
    serviceAnnotations: {}
    tolerations: []
Description: Egress gateways. The following items are automatically set for every egress gateway: label "app: {name of egress gateway}"
egressGateways.istio-egressgateway
Type: object
enabled: false
extraLabels: {}
k8s:
  affinity: {}
  nodeSelector: {}
  podAnnotations: {}
  resources: {}
  service:
    type: LoadBalancer
  serviceAnnotations: {}
  tolerations: []
Description: This key becomes the name of the egressGateway
egressGateways.istio-egressgateway.extraLabels
Type: object
{}
Description: Labels to use for selecting the egress gateway from the service. Automatic labels: "app: {egress gateway name}" and "istio: egressgateway"
egressGateways.istio-egressgateway.k8s
Type: object
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
  type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
egressGateways.istio-egressgateway.k8s.service.type
Type: string
"LoadBalancer"
Description: "LoadBalancer" or "NodePort"
egressGateways.istio-egressgateway.k8s.podAnnotations
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
egressGateways.istio-egressgateway.k8s.serviceAnnotations
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
egressGateways.istio-egressgateway.k8s.nodeSelector
Type: object
{}
Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
egressGateways.istio-egressgateway.k8s.affinity
Type: object
{}
Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
egressGateways.istio-egressgateway.k8s.tolerations
Type: list
[]
Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
gateways
Type: object
main:
  autoHttpRedirect:
    enabled: true
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - '*.{{ .Values.domain }}'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: wildcard-cert
      mode: SIMPLE
Description: See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
gateways.main
Type: object
autoHttpRedirect:
  enabled: true
selector:
  app: istio-ingressgateway
servers:
- hosts:
  - '*.{{ .Values.domain }}'
  port:
    name: https
    number: 8443
    protocol: HTTPS
  tls:
    credentialName: wildcard-cert
    mode: SIMPLE
Description: This key becomes the name of the gateway
gateways.main.autoHttpRedirect
Type: object
enabled: true
Description: Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect. Must add in HTTP server config if disabling.
istiod
Type: object
affinity: {}
env: []
hpaSpec:
  maxReplicas: 3
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 60
        type: Utilization
    type: Resource
  minReplicas: 1
nodeSelector: {}
podAnnotations: {}
replicaCount: 1
resources:
  limits:
    cpu: 500m
    memory: 2Gi
  requests:
    cpu: 500m
    memory: 2Gi
serviceAnnotations: {}
strategy: {}
tolerations: []
Description: istiod / pilot configuration
istiod.podAnnotations
Type: object
{}
Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
istiod.serviceAnnotations
Type: object
{}
Description: k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
istiod.nodeSelector
Type: object
{}
Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
istiod.affinity
Type: object
{}
Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
istiod.tolerations
Type: list
[]
Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tracing.enabled
Type: bool
false
tracing.address
Type: string
"jaeger-collector.jaeger.svc"
tracing.port
Type: int
9411
tracing.sampling
Type: int
10
Description: Percent of traces to send to Jaeger
cni.image.hub
Type: string
"registry1.dso.mil/ironbank/opensource/istio"
cni.image.name
Type: string
"install-cni"
cni.image.tag
Type: string
"1.22.3"
cni.podAnnotations
Type: object
{}
Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
cni.nodeSelector
Type: object
{}
Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
cni.affinity
Type: object
{}
Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
cni.tolerations
Type: list
[]
Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
meshConfig
Type: object
meshMTLS:
  minProtocolVersion: TLSV1_2
Description: Global mesh-wide settings. https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig
defaultConfig
Type: object
{}
Description: Default Proxy Config for the entire mesh (inserts under meshConfig in IstioOperator resource)
values.global
Type: object
proxy:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi
proxy_init:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi
Description: Global IstioOperator values
values.defaultRevision
Type: string
"default"
Description: Set defaultRevision name, must be non-empty to deploy validating webhook
values.pilot
Type: object
env:
  ENABLE_NATIVE_SIDECARS: true
Description: Istio pilot values. https://github.com/istio/istio/blob/master/manifests/charts/istio-control/istio-discovery/values.yaml
envoyFilters
Type: list
[]
Description: Custom EnvoyFilters. https://istio.io/latest/docs/reference/config/networking/envoy-filter/
networkPolicies
Type: object
additionalPolicies: []
controlPlaneCidr: 0.0.0.0/0
enabled: false
Description: Big Bang NetworkPolicy controls
networkPolicies.enabled
Type: bool
false
Description: Toggle ALL NetworkPolicies on/off
networkPolicies.controlPlaneCidr
Type: string
"0.0.0.0/0"
Description: See kubectl cluster-info and then resolve to IP
postInstallHook.image
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
Description: Image used to run readiness check, requires kubectl
postInstallHook.tag
Type: string
"2.1.0"
postInstallHook.securityContext
Type: object
fsGroup: 1001
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Pod security context for readiness check
postInstallHook.containerSecurityContext
Type: object
capabilities:
  drop:
  - ALL
Description: Container security context for readiness check
postInstallHook.containerResources.resources.requests.cpu
Type: string
"100m"
postInstallHook.containerResources.resources.requests.memory
Type: string
"256Mi"
postInstallHook.containerResources.resources.limits.cpu
Type: string
"100m"
postInstallHook.containerResources.resources.limits.memory
Type: string
"256Mi"
hardened.enabled
Type: bool
false
hardened.customAuthorizationPolicies
Type: list
[]
hardened.ingressGateway.authzRules[0]
Type: object
{}