Turil revised this gist
Feb 5, 2019 . 1 changed file with 0 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -241,7 +241,6 @@ gateways: loadBalancerIP: "" serviceAnnotations: service.beta.kubernetes.io/azure-load-balancer-internal: '"true"' type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be # Uncomment the following line to preserve client source ip. # externalTrafficPolicy: Local -
Turil created this gist
Feb 5, 2019 .
@@ -0,0 +1,615 @@ # Common settings. global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly hub: docker.io/istio # Default tag for Istio images. tag: 1.0.5 # Gateway used for legacy k8s Ingress resources. By default it is # using 'istio:ingress', to match 0.8 config. It requires that # ingress.enabled is set to true. You can also set it # to ingressgateway, or any other gateway you define in the 'gateway' # section. k8sIngressSelector: ingress # k8sIngressHttps will add port 443 on the ingress and ingressgateway. # It REQUIRES that the certificates are installed in the # expected secrets - enabling this option without certificates # will result in LDS rejection and the ingress will not work. k8sIngressHttps: false proxy: image: proxyv2 # Resources for the sidecar. resources: requests: cpu: 10m # memory: 128Mi # limits: # cpu: 100m # memory: 128Mi # Controls number of Proxy worker threads. # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: 0 # Configures the access log for each sidecar. Setting it to an empty string will # disable access log for sidecar. accessLogFile: "/dev/stdout" #If set to true, istio-proxy container will have privileged securityContext privileged: false # If set, newly injected sidecars will have core dumps enabled. Core dumps will always be written to the same # file to prevent storage filling up indefinitely. Add a timestamp option to core_pattern to keep all cores: # e.g. sysctl -w kernel.core_pattern=/var/lib/istio/core.%e.%p.%t enableCoreDump: false # Default port for Pilot agent health checks. A value of 0 will disable health checking. # statusPort: 15020 statusPort: 0 # The initial delay for readiness probes in seconds. readinessInitialDelaySeconds: 1 # The period between readiness probes. 
readinessPeriodSeconds: 2 # The number of successive failed probes before indicating readiness failure. readinessFailureThreshold: 30 # istio egress capture whitelist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" # would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar includeIPRanges: "" excludeIPRanges: "" # istio ingress capture whitelist # examples: # Redirect no inbound traffic to Envoy: --includeInboundPorts="" # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" # Redirect only selected ports: --includeInboundPorts="80,8080" includeInboundPorts: "*" excludeInboundPorts: "" # This controls the 'policy' in the sidecar injector. autoInject: enabled # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument # would be <host>:<port>). # Disabled by default. # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. envoyStatsd: # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. enabled: false host: # example: statsd-svc port: # example: 9125 # This controls the stats collection for proxies. To disable stats # collection, set the prometheusPort to 0. stats: prometheusPort: 15090 proxy_init: # Base name for the proxy_init container, used to configure iptables. image: proxy_init # imagePullPolicy is applied to istio control plane components. # local tests require IfNotPresent, to avoid uploading to dockerhub. # TODO: Switch to Always as default, and override in the local tests. imagePullPolicy: IfNotPresent # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are # propagated, not recommended for tests. controlPlaneSecurityEnabled: false # disablePolicyChecks disables mixer policy checks. 
# Will set the value with same name in istio config map - pilot needs to be restarted to take effect. disablePolicyChecks: false # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. # Default is false which means the traffic is denied when the client is unable to connect to Mixer. policyCheckFailOpen: false # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. enableTracing: true # Default mtls policy. If true, mtls between services will be enabled by default. mtls: # Default setting for service-to-service mtls. Can be set explicitly using # destination rules or service annotations. enabled: false # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. # Must be set for any clustser configured with privte docker registry. imagePullSecrets: # - private-registry-key # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: # 0 - Never scheduled # 1 - Least preferred # 2 - No preference # 3 - Most preferred arch: amd64: 2 s390x: 2 ppc64le: 2 # Whether to restrict the applications namespace the controller manages; # If not set, controller watches all namespaces oneNamespace: false # Whether to perform server-side validation of configuration. configValidation: true # If set to true, the pilot and citadel mtls will be exposed on the # ingress gateway meshExpansion: false # If set to true, the pilot and citadel mtls and the plain text pilot ports # will be exposed on an internal gateway meshExpansionILB: false # A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). # Each component can overwrite these default values by adding its own resources # block in the relevant section below and setting the desired resources values. 
defaultResources: requests: cpu: 10m # memory: 128Mi # limits: # cpu: 100m # memory: 128Mi # Not recommended for user to configure this. Hyperkube image to use when creating custom resources hyperkube: hub: quay.io/coreos tag: v1.7.6_coreos.0 # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods # will not be killed because of low prioroty class. # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass # for more detail. priorityClassName: "" # Include the crd definition when generating the template. # For 'helm template' and helm install > 2.10 it should be true. # For helm < 2.9, crds must be installed ahead of time with # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml # and this options must be set off. crds: true # # ingress configuration # ingress: enabled: false replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 service: annotations: {} loadBalancerIP: "" type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be # Uncomment the following line to preserve client source ip. # externalTrafficPolicy: Local ports: - port: 80 name: http nodePort: 32000 - port: 443 name: https selector: istio: ingress # # Gateways Configuration # By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. # You can add more gateways in addition to the defaults but make sure those are uniquely named # and that NodePorts are not conflicting. # Disable specifc gateway by setting the `enabled` to false. 
# gateways: enabled: true internal-gateway: enabled: true labels: app: internal-gateway istio: internal-ingressgateway replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 resources: {} # limits: # cpu: 100m # memory: 128Mi #requests: # cpu: 1800m # memory: 256Mi cpu: targetAverageUtilization: 80 loadBalancerIP: "" serviceAnnotations: service.beta.kubernetes.io/azure-load-balancer-internal: '"true"' #service.beta.kubernetes.io/azure-load-balancer-internal-subnet: '"wse-aks02-d"' type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be # Uncomment the following line to preserve client source ip. # externalTrafficPolicy: Local # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect # to pilot/citadel if global.meshExpansion settings are enabled. ports: - port: 15011 targetPort: 15011 name: tcp-pilot-grpc-tls - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls - port: 853 targetPort: 853 name: tcp-dns-tls - port: 15030 targetPort: 15030 name: http2-prometheus - port: 15031 targetPort: 15031 name: http2-grafana secretVolumes: - name: ingressgateway-certs secretName: istio-ingressgateway-certs mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-ca-certs secretName: istio-ingressgateway-ca-certs mountPath: /etc/istio/ingressgateway-ca-certs istio-ingressgateway: enabled: true labels: app: istio-ingressgateway istio: ingressgateway replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 resources: {} # limits: # cpu: 100m # memory: 128Mi #requests: # cpu: 1800m # memory: 256Mi cpu: targetAverageUtilization: 80 loadBalancerIP: "" serviceAnnotations: {} type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be # Uncomment the following line to preserve client source ip. 
# externalTrafficPolicy: Local ports: ## You can add custom gateway ports - port: 80 targetPort: 80 name: http2 nodePort: 31380 - port: 443 name: https nodePort: 31390 - port: 31400 name: tcp nodePort: 31400 secretVolumes: - name: ingressgateway-certs secretName: istio-ingressgateway-certs mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-ca-certs secretName: istio-ingressgateway-ca-certs mountPath: /etc/istio/ingressgateway-ca-certs istio-egressgateway: enabled: true labels: app: istio-egressgateway istio: egressgateway replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 cpu: targetAverageUtilization: 80 serviceAnnotations: {} type: ClusterIP #change to NodePort or LoadBalancer if need be ports: - port: 80 name: http2 - port: 443 name: https secretVolumes: - name: egressgateway-certs secretName: istio-egressgateway-certs mountPath: /etc/istio/egressgateway-certs - name: egressgateway-ca-certs secretName: istio-egressgateway-ca-certs mountPath: /etc/istio/egressgateway-ca-certs # Mesh ILB gateway creates a gateway of type InternalLoadBalancer, # for mesh expansion. It exposes the mtls ports for Pilot,CA as well # as non-mtls ports to support upgrades and gradual transition. istio-ilbgateway: enabled: false labels: app: istio-ilbgateway istio: ilbgateway replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 resources: requests: cpu: 800m memory: 512Mi #limits: # cpu: 1800m # memory: 256Mi cpu: targetAverageUtilization: 80 loadBalancerIP: "" serviceAnnotations: cloud.google.com/load-balancer-type: "internal" type: LoadBalancer ports: ## You can add custom gateway ports - google ILB default quota is 5 ports, - port: 15011 name: grpc-pilot-mtls # Insecure port - only for migration from 0.8. 
Will be removed in 1.1 - port: 15010 name: grpc-pilot - port: 8060 targetPort: 8060 name: tcp-citadel-grpc-tls # Port 853 is reserved for the kube-dns gateway - port: 853 name: tcp-dns secretVolumes: - name: ilbgateway-certs secretName: istio-ilbgateway-certs mountPath: /etc/istio/ilbgateway-certs - name: ilbgateway-ca-certs secretName: istio-ilbgateway-ca-certs mountPath: /etc/istio/ilbgateway-ca-certs # # sidecar-injector webhook configuration # sidecarInjectorWebhook: enabled: true replicaCount: 1 image: sidecar_injector enableNamespacesByDefault: true # # galley configuration # galley: enabled: true replicaCount: 1 image: galley # # mixer configuration # mixer: enabled: true replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 image: mixer env: GODEBUG: gctrace=2 istio-policy: autoscaleEnabled: true autoscaleMin: 1 autoscaleMax: 5 cpu: targetAverageUtilization: 80 istio-telemetry: autoscaleEnabled: true autoscaleMin: 1 autoscaleMax: 5 cpu: targetAverageUtilization: 80 prometheusStatsdExporter: hub: docker.io/prom tag: v0.6.0 # # pilot configuration # pilot: enabled: true replicaCount: 1 autoscaleMin: 1 autoscaleMax: 5 image: pilot sidecar: true traceSampling: 1.0 # Resources for a small pilot install resources: requests: cpu: 500m memory: 2048Mi env: PILOT_PUSH_THROTTLE_COUNT: 100 GODEBUG: gctrace=2 cpu: targetAverageUtilization: 80 # # security configuration # security: replicaCount: 1 image: citadel selfSigned: true # indicate if self-signed CA is used. 
# # addons configuration # telemetry-gateway: gatewayName: ingressgateway grafanaEnabled: false prometheusEnabled: false grafana: enabled: true replicaCount: 1 image: repository: grafana/grafana tag: 5.2.3 persist: false storageClassName: "" accessMode: ReadWriteMany security: enabled: false adminUser: admin adminPassword: admin service: annotations: {} name: http type: ClusterIP externalPort: 3000 internalPort: 3000 prometheus: enabled: true replicaCount: 1 hub: docker.io/prom tag: v2.3.1 service: annotations: {} nodePort: enabled: false port: 32090 servicegraph: enabled: false replicaCount: 1 image: servicegraph service: annotations: {} name: http type: ClusterIP externalPort: 8088 internalPort: 8088 ingress: enabled: false # Used to create an Ingress record. hosts: - servicegraph.local annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" tls: # Secrets must be manually created in the namespace. # - secretName: servicegraph-tls # hosts: # - servicegraph.local # prometheus addres prometheusAddr: http://prometheus:9090 tracing: enabled: true provider: jaeger jaeger: hub: docker.io/jaegertracing tag: 1.5 memory: max_traces: 50000 ui: port: 16686 ingress: enabled: false # Used to create an Ingress record. hosts: - jaeger.local annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" tls: # Secrets must be manually created in the namespace. # - secretName: jaeger-tls # hosts: # - jaeger.local replicaCount: 1 service: annotations: {} name: http type: ClusterIP externalPort: 9411 internalPort: 9411 ingress: enabled: false # Used to create an Ingress record. hosts: - tracing.local annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" tls: # Secrets must be manually created in the namespace. # - secretName: tracing-tls # hosts: # - tracing.local kiali: enabled: true replicaCount: 1 hub: docker.io/kiali tag: v0.10 ingress: enabled: false ## Used to create an Ingress record. 
# hosts: # - kiali.local annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" tls: # Secrets must be manually created in the namespace. # - secretName: kiali-tls # hosts: # - kiali.local dashboard: username: admin # Default admin passphrase for kiali. Must be set during setup, and # changed by overriding the secret passphrase: admin # Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs # grafanaURL: # Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs # jaegerURL: # Certmanager uses ACME to sign certificates. Since Istio gateways are # mounting the TLS secrets the Certificate CRDs must be created in the # istio-system namespace. Once the certificate has been created, the # gateway must be updated by adding 'secretVolumes'. After the gateway # restart, DestinationRules can be created using the ACME-signed certificates. certmanager: enabled: false hub: quay.io/jetstack tag: v0.3.1 resources: {}
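Review bot: The `internal-gateway` annotation `service.beta.kubernetes.io/azure-load-balancer-internal: '"true"'` is a YAML string whose characters are `"true"` including the double quotes, so whether the Azure cloud provider ever sees the bare value `true` depends on how this chart version renders `serviceAnnotations` (a plain `{{ $val }}` makes the inner quotes act as YAML quoting, whereas `quote`/`toYaml` rendering keeps them as literal characters, and to my knowledge the provider then does not treat the Service as internal). Because this gateway fronts Pilot (15011), Citadel (8060), Prometheus (15030) and Grafana (15031), a load balancer that silently comes up public is the failure mode to rule out: run `helm template` and confirm the rendered Service annotation parses to the four-character string `true`, and record the intent next to the value with `# must render to the bare string true; the chart's annotation rendering decides the quoting`. The commented-out `azure-load-balancer-internal-subnet` line appears to name a real subnet and could be replaced with a placeholder in a shared values file. Separately, the upstream `adminPassword: admin` (Grafana) and `passphrase: admin` (Kiali) defaults are carried over verbatim and become Secrets at install time, so they should be overridden per install rather than left in this file; the hunk is a single collapsed rendering, so exact line positions cannot be cited.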