istio-controlplane values.yaml
profile📜
Type: string
"default"
Description: The istio profile to use
hub📜
Type: string
"registry1.dso.mil/ironbank/opensource/istio"
Description: The hub to use for all images, images are built as “.Values.hub/COMPONENT_NAME:.Values.tag”
tag📜
Type: string
"1.23.3"
Description: The tag to use for all images
enterprise📜
Type: bool
false
Description: Tetrate Istio Distribution - Tetrate provides FIPS-verified Istio and Envoy software and support, validated through the FIPS BoringCrypto module. Find out more from Tetrate - https://www.tetrate.io/tetrate-istio-subscription
tidHub📜
Type: string
"registry1.dso.mil/ironbank/tetrate/istio"
tidTag📜
Type: string
"1.23.3-tetratefips-v0"
domain📜
Type: string
"dev.bigbang.mil"
Description: The domain to use for the default gateway
mtls.mode📜
Type: string
"STRICT"
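Description: STRICT = allow only mutual TLS traffic; PERMISSIVE = allow both plaintext and mutual TLS traffic. In PERMISSIVE mode workloads also accept unauthenticated, unencrypted connections, so it is normally used only as a temporary setting while migrating workloads to mTLS.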
revision📜
Type: string
""
Description: Revision of the Istio control plane
openshift📜
Type: bool
false
Description: OpenShift feature toggle
imagePullSecrets📜
Type: list
[]
Description: Pull secrets for images
monitoring📜
Type: object
enabled: false
Description: Big Bang Monitoring interaction controls
monitoring.enabled📜
Type: bool
false
Description: Toggle monitoring on/off (controls networkPolicies)
kiali📜
Type: object
enabled: false
Description: Big Bang Kiali interaction controls
kiali.enabled📜
Type: bool
false
Description: Toggle kiali on/off (controls networkPolicies)
authservice📜
Type: object
enabled: false
Description: If authservice is enabled, it will be added to extension providers as an external authorization system. https://istio.io/latest/docs/tasks/security/authorization/authz-custom/
ingressGateways📜
Type: object
istio-ingressgateway:
  enabled: true
  extraLabels: {}
  k8s:
    affinity: {}
    nodeSelector: {}
    podAnnotations: {}
    resources: {}
    service:
      type: LoadBalancer
    serviceAnnotations: {}
    tolerations: []
Description: Ingress gateways. The following items are automatically set for every ingress gateway: - label: “app: {name of ingress gateway}”
ingressGateways.istio-ingressgateway📜
Type: object
enabled: true
extraLabels: {}
k8s:
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: This key becomes the name of the ingressGateway
ingressGateways.istio-ingressgateway.extraLabels📜
Type: object
{}
Description: Labels to use for selecting the ingress gateway from the service. Automatic labels: ‘app: {ingress gateway name}’ and ‘istio: ingressgateway’
ingressGateways.istio-ingressgateway.k8s📜
Type: object
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
ingressGateways.istio-ingressgateway.k8s.service.type📜
Type: string
"LoadBalancer"
Description: “LoadBalancer” or “NodePort”
ingressGateways.istio-ingressgateway.k8s.podAnnotations📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
ingressGateways.istio-ingressgateway.k8s.serviceAnnotations📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
ingressGateways.istio-ingressgateway.k8s.nodeSelector📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
ingressGateways.istio-ingressgateway.k8s.affinity📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
ingressGateways.istio-ingressgateway.k8s.tolerations📜
Type: list
[]
Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
egressGateways📜
Type: object
istio-egressgateway:
enabled: false
extraLabels: {}
k8s:
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: Egress gateways. The following items are automatically set for every egress gateway: - label: “app: {name of egress gateway}”
egressGateways.istio-egressgateway📜
Type: object
enabled: false
extraLabels: {}
k8s:
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: This key becomes the name of the egressGateway
egressGateways.istio-egressgateway.extraLabels📜
Type: object
{}
Description: Labels to use for selecting the egress gateway from the service. Automatic labels: ‘app: {egress gateway name}’ and ‘istio: egressgateway’
egressGateways.istio-egressgateway.k8s📜
Type: object
affinity: {}
nodeSelector: {}
podAnnotations: {}
resources: {}
service:
type: LoadBalancer
serviceAnnotations: {}
tolerations: []
Description: Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
egressGateways.istio-egressgateway.k8s.service.type📜
Type: string
"LoadBalancer"
Description: “LoadBalancer” or “NodePort”
egressGateways.istio-egressgateway.k8s.podAnnotations📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
egressGateways.istio-egressgateway.k8s.serviceAnnotations📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
egressGateways.istio-egressgateway.k8s.nodeSelector📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
egressGateways.istio-egressgateway.k8s.affinity📜
Type: object
{}
Description: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
egressGateways.istio-egressgateway.k8s.tolerations📜
Type: list
[]
Description: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
gateways📜
Type: object
main:
  autoHttpRedirect:
    enabled: true
  selector:
    app: istio-ingressgateway
  servers:
    - hosts:
        - '*.{{ .Values.domain }}'
      port:
        name: https
        number: 8443
        protocol: HTTPS
      tls:
        credentialName: wildcard-cert
        mode: SIMPLE
Description: See https://istio.io/latest/docs/reference/config/networking/gateway/#Gateway for spec
gateways.main📜
Type: object
autoHttpRedirect:
enabled: true
selector:
app: istio-ingressgateway
servers:
- hosts:
- '*.{{ .Values.domain }}'
port:
name: https
number: 8443
protocol: HTTPS
tls:
credentialName: wildcard-cert
mode: SIMPLE
Description: This key becomes the name of the gateway
gateways.main.autoHttpRedirect📜
Type: object
enabled: true
Description: Controls the default HTTP (port 8080) server entry that redirects HTTP to HTTPS. If you disable it, you must add your own HTTP server configuration.
istiod📜
Type: object
affinity: {}
env: []
hpaSpec:
  maxReplicas: 3
  metrics:
    - resource:
        name: cpu
        target:
          averageUtilization: 60
          type: Utilization
      type: Resource
  minReplicas: 1
nodeSelector: {}
podAnnotations: {}
replicaCount: 1
resources:
  limits:
    cpu: 500m
    memory: 2Gi
  requests:
    cpu: 500m
    memory: 2Gi
serviceAnnotations: {}
strategy: {}
tolerations: []
Description: istiod / pilot configuration
istiod.podAnnotations📜
Type: object
{}
Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
istiod.serviceAnnotations📜
Type: object
{}
Description: k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
istiod.nodeSelector📜
Type: object
{}
Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
istiod.affinity📜
Type: object
{}
Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
istiod.tolerations📜
Type: list
[]
Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tracing.enabled📜
Type: bool
false
tracing.address📜
Type: string
"jaeger-collector.jaeger.svc"
tracing.port📜
Type: int
9411
tracing.sampling📜
Type: int
10
Description: Percentage of traces to send to Jaeger
cni.image.hub📜
Type: string
"registry1.dso.mil/ironbank/opensource/istio"
cni.image.name📜
Type: string
"install-cni"
cni.image.tag📜
Type: string
"1.23.3"
cni.podAnnotations📜
Type: object
{}
Description: k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
cni.nodeSelector📜
Type: object
{}
Description: k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
cni.affinity📜
Type: object
{}
Description: k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
cni.tolerations📜
Type: list
[]
Description: k8s tolerations. https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
meshConfig📜
Type: object
meshMTLS:
minProtocolVersion: TLSV1_2
Description: Global mesh-wide settings https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig
defaultConfig📜
Type: object
{}
Description: Default Proxy Config for the entire mesh (inserts under meshConfig in IstioOperator resource)
values.global📜
Type: object
proxy:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi
proxy_init:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi
Description: Global IstioOperator values
values.defaultRevision📜
Type: string
"default"
Description: Sets the defaultRevision name; it must be non-empty for the validating webhook to be deployed
values.pilot📜
Type: object
env:
ENABLE_NATIVE_SIDECARS: true
Description: Istio pilot values. https://github.com/istio/istio/blob/master/manifests/charts/istio-control/istio-discovery/values.yaml
envoyFilters📜
Type: list
[]
Description: Custom EnvoyFilters. https://istio.io/latest/docs/reference/config/networking/envoy-filter/
networkPolicies📜
Type: object
additionalPolicies: []
controlPlaneCidr: 0.0.0.0/0
enabled: false
Description: Big Bang NetworkPolicy controls
networkPolicies.enabled📜
Type: bool
false
Description: Toggle ALL NetworkPolicies on/off
networkPolicies.controlPlaneCidr📜
Type: string
"0.0.0.0/0"
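Description: CIDR of the Kubernetes control plane. Run `kubectl cluster-info` and then resolve the reported endpoint to an IP. The default 0.0.0.0/0 matches every address, so set this to the actual control plane range when NetworkPolicies are enabled.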
postInstallHook.image📜
Type: string
"registry1.dso.mil/ironbank/big-bang/base"
Description: Image used to run readiness check, requires kubectl
postInstallHook.tag📜
Type: string
"2.1.0"
postInstallHook.securityContext📜
Type: object
fsGroup: 1001
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
Description: Pod security context for readiness check
postInstallHook.containerSecurityContext📜
Type: object
capabilities:
  drop:
    - ALL
Description: Container security context for readiness check
postInstallHook.containerResources.resources.requests.cpu📜
Type: string
"100m"
postInstallHook.containerResources.resources.requests.memory📜
Type: string
"256Mi"
postInstallHook.containerResources.resources.limits.cpu📜
Type: string
"100m"
postInstallHook.containerResources.resources.limits.memory📜
Type: string
"256Mi"
hardened.enabled📜
Type: bool
false
hardened.customAuthorizationPolicies📜
Type: list
[]
hardened.ingressGateway.authzRules[0]📜
Type: object
{}
waitJob.enabled📜
Type: bool
true
waitJob.scripts.image📜
Type: string
"registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.30.6"
waitJob.permissions.resources[0]📜
Type: string
"istio-controlplane"
defaultSecurityHeaders.enabled📜
Type: bool
true