
istio-controlplane values.yaml📜

profile📜

Type: string

Default value
"default"

Description: The Istio profile to use

hub📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/istio"

Description: The hub to use for all images. Image references are built as “.Values.hub/COMPONENT_NAME:.Values.tag”

tag📜

Type: string

Default value
"1.23.3"

Description: The tag to use for all images

enterprise📜

Type: bool

Default value
false

Description: Tetrate Istio Distribution - Tetrate provides FIPS-verified Istio and Envoy software and support, validated through the FIPS Boring Crypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription

tidHub📜

Type: string

Default value
"registry1.dso.mil/ironbank/tetrate/istio"

tidTag📜

Type: string

Default value
"1.23.3-tetratefips-v0"

domain📜

Type: string

Default value
"dev.bigbang.mil"

Description: The domain to use for the default gateway

mtls.mode📜

Type: string

Default value
"STRICT"

Description: STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic

revision📜

Type: string

Default value
""

Description: Revision of the Istio control plane

openshift📜

Type: bool

Default value
false

Description: OpenShift feature toggle

imagePullSecrets📜

Type: list

Default value
[]

Description: Pull secrets for images

monitoring📜

Type: object

Default value
enabled: false

Description: Big Bang Monitoring interaction controls

monitoring.enabled📜

Type: bool

Default value
false

Description: Toggle monitoring on/off (controls networkPolicies)

kiali📜

Type: object

Default value
enabled: false

Description: Big Bang Kiali interaction controls

kiali.enabled📜

Type: bool

Default value
false

Description: Toggle Kiali on/off (controls networkPolicies)

authservice📜

Type: object

Default value
enabled: false

Description: If authservice is enabled, it will be added to extension providers as an external authorization system. https://istio.io/latest/docs/tasks/security/authorization/authz-custom/

ingressGateways📜

Type: object

Default value
istio-ingressgateway:
  enabled: true
  extraLabels: {}
  k8s:
    affinity: {}
    nodeSelector: {}
    podAnnotations: {}
    resources: {}
    service:
      type: LoadBalancer
    serviceAnnotations: {}
    tolerations: []

Description: Ingress gateways. The following items are automatically set for every ingress gateway:
- label: “app: {name of ingress gateway}”

ingressGateways.istio-ingressgateway📜

Type: object

Default value
enabled: true
extraLabels: {}
k8s:
  affinity: {}
  nodeSelector: {}
  podAnnotations: {}
  resources: {}
  service:
    type: LoadBalancer
  serviceAnnotations: {}
  tolerations: []

Description: This key becomes the name of the ingressGateway

ingressGateways.istio-ingressgateway.extraLabels📜

Type: object

Default value
{}

Description: Labels to use for selecting the ingress gateway from the service. Automatic labels: ‘app: {ingress gateway name}’ and ‘istio: ingressgateway’

ingressGateways.istio-ingressgateway.k8s📜

Type: object

Default value
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
  type: LoadBalancer
serviceAnnotations: {}
tolerations: []

Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec

ingressGateways.istio-ingressgateway.k8s.service.type📜

Type: string

Default value
"LoadBalancer"

Description: “LoadBalancer” or “NodePort”

ingressGateways.istio-ingressgateway.k8s.podAnnotations📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

ingressGateways.istio-ingressgateway.k8s.serviceAnnotations📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

ingressGateways.istio-ingressgateway.k8s.nodeSelector📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

ingressGateways.istio-ingressgateway.k8s.affinity📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity

ingressGateways.istio-ingressgateway.k8s.tolerations📜

Type: list

Default value
[]

Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

egressGateways📜

Type: object

Default value
istio-egressgateway:
  enabled: false
  extraLabels: {}
  k8s:
    affinity: {}
    nodeSelector: {}
    podAnnotations: {}
    resources: {}
    service:
      type: LoadBalancer
    serviceAnnotations: {}
    tolerations: []

Description: Egress gateways. The following items are automatically set for every egress gateway:
- label: “app: {name of egress gateway}”

egressGateways.istio-egressgateway📜

Type: object

Default value
enabled: false
extraLabels: {}
k8s:
  affinity: {}
  nodeSelector: {}
  podAnnotations: {}
  resources: {}
  service:
    type: LoadBalancer
  serviceAnnotations: {}
  tolerations: []

Description: This key becomes the name of the egressGateway

egressGateways.istio-egressgateway.extraLabels📜

Type: object

Default value
{}

Description: Labels to use for selecting the egress gateway from the service. Automatic labels: ‘app: {egress gateway name}’ and ‘istio: egressgateway’

egressGateways.istio-egressgateway.k8s📜

Type: object

Default value
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
  type: LoadBalancer
serviceAnnotations: {}
tolerations: []

Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec

egressGateways.istio-egressgateway.k8s.service.type📜

Type: string

Default value
"LoadBalancer"

Description: “LoadBalancer” or “NodePort”

egressGateways.istio-egressgateway.k8s.podAnnotations📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

egressGateways.istio-egressgateway.k8s.serviceAnnotations📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

egressGateways.istio-egressgateway.k8s.nodeSelector📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

egressGateways.istio-egressgateway.k8s.affinity📜

Type: object

Default value
{}

Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity

egressGateways.istio-egressgateway.k8s.tolerations📜

Type: list

Default value
[]

Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

gateways📜

Type: object

Default value
main:
  autoHttpRedirect:
    enabled: true
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - '*.{{ .Values.domain }}'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: wildcard-cert
      mode: SIMPLE

Description: See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec

gateways.main📜

Type: object

Default value
autoHttpRedirect:
  enabled: true
selector:
  app: istio-ingressgateway
servers:
- hosts:
  - '*.{{ .Values.domain }}'
  port:
    name: https
    number: 8443
    protocol: HTTPS
  tls:
    credentialName: wildcard-cert
    mode: SIMPLE

Description: This key becomes the name of the gateway

gateways.main.autoHttpRedirect📜

Type: object

Default value
enabled: true

Description: Controls the default HTTP/8080 server entry with an HTTP-to-HTTPS redirect. If you disable it, you must add an HTTP server config yourself.

istiod📜

Type: object

Default value
affinity: {}
env: []
hpaSpec:
  maxReplicas: 3
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 60
        type: Utilization
    type: Resource
  minReplicas: 1
nodeSelector: {}
podAnnotations: {}
replicaCount: 1
resources:
  limits:
    cpu: 500m
    memory: 2Gi
  requests:
    cpu: 500m
    memory: 2Gi
serviceAnnotations: {}
strategy: {}
tolerations: []

Description: istiod / pilot configuration

istiod.podAnnotations📜

Type: object

Default value
{}

Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

istiod.serviceAnnotations📜

Type: object

Default value
{}

Description: k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

istiod.nodeSelector📜

Type: object

Default value
{}

Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

istiod.affinity📜

Type: object

Default value
{}

Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity

istiod.tolerations📜

Type: list

Default value
[]

Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

tracing.enabled📜

Type: bool

Default value
false

tracing.address📜

Type: string

Default value
"jaeger-collector.jaeger.svc"

tracing.port📜

Type: int

Default value
9411

tracing.sampling📜

Type: int

Default value
10

Description: Percent of traces to send to Jaeger

cni.image.hub📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/istio"

cni.image.name📜

Type: string

Default value
"install-cni"

cni.image.tag📜

Type: string

Default value
"1.23.3"

cni.podAnnotations📜

Type: object

Default value
{}

Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

cni.nodeSelector📜

Type: object

Default value
{}

Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

cni.affinity📜

Type: object

Default value
{}

Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity

cni.tolerations📜

Type: list

Default value
[]

Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

meshConfig📜

Type: object

Default value
meshMTLS:
  minProtocolVersion: TLSV1_2

Description: Global mesh-wide settings https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig

defaultConfig📜

Type: object

Default value
{}

Description: Default Proxy Config for the entire mesh (inserts under meshConfig in IstioOperator resource)

values.global📜

Type: object

Default value
proxy:
  resources:
    limits:
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi
proxy_init:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi

Description: Global IstioOperator values

values.defaultRevision📜

Type: string

Default value
"default"

Description: Sets the defaultRevision name; must be non-empty to deploy the validating webhook

values.pilot📜

Type: object

Default value
env:
  ENABLE_NATIVE_SIDECARS: true

Description: Istio pilot values. https://github.com/istio/istio/blob/master/manifests/charts/istio-control/istio-discovery/values.yaml

envoyFilters📜

Type: list

Default value
[]

Description: Custom EnvoyFilters. https://istio.io/latest/docs/reference/config/networking/envoy-filter/

networkPolicies📜

Type: object

Default value
additionalPolicies: []
controlPlaneCidr: 0.0.0.0/0
enabled: false

Description: Big Bang NetworkPolicy controls

networkPolicies.enabled📜

Type: bool

Default value
false

Description: Toggle ALL NetworkPolicies on/off

networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

Description: See the output of kubectl cluster-info, then resolve the address to an IP

postInstallHook.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/big-bang/base"

Description: Image used to run the readiness check; requires kubectl

postInstallHook.tag📜

Type: string

Default value
"2.1.0"

postInstallHook.securityContext📜

Type: object

Default value
fsGroup: 1001
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001

Description: Pod security context for readiness check

postInstallHook.containerSecurityContext📜

Type: object

Default value
capabilities:
  drop:
  - ALL

Description: Container security context for readiness check

postInstallHook.containerResources.resources.requests.cpu📜

Type: string

Default value
"100m"

postInstallHook.containerResources.resources.requests.memory📜

Type: string

Default value
"256Mi"

postInstallHook.containerResources.resources.limits.cpu📜

Type: string

Default value
"100m"

postInstallHook.containerResources.resources.limits.memory📜

Type: string

Default value
"256Mi"

hardened.enabled📜

Type: bool

Default value
false

hardened.customAuthorizationPolicies📜

Type: list

Default value
[]

hardened.ingressGateway.authzRules[0]📜

Type: object

Default value
{}

waitJob.enabled📜

Type: bool

Default value
true

waitJob.scripts.image📜

Type: string

Default value
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"

waitJob.permissions.resources[0]📜

Type: string

Default value
"istio-controlplane"

defaultSecurityHeaders.enabled📜

Type: bool

Default value
true