Configurable Deployment of Istio Custom Resources Wrapped Inside a Helm Chart.
- Kubernetes Cluster deployed
- Kubernetes config installed in
- Helm installed
Kubernetes: >=1.28.0-0
Install Helm
- Clone down the repository
- cd into directory
helm install istio chart/
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| profile | string | "default" | The istio profile to use |
| hub | string | "" | The hub to use for all images, images are built as ".Values.hub/COMPONENT_NAME:.Values.tag" |
| tag | string | "1.23.4" | The tag to use for all images |
| enterprise | bool | false | Tetrate Istio Distribution - Tetrate provides FIPS verified Istio and Envoy software and support, validated through the FIPS Boring Crypto module. Find out more from Tetrate - |
| tidHub | string | "" |  |
| tidTag | string | "1.23.4-tetratefips-v0" |  |
| domain | string | "" | The domain to use for the default gateway |
| mtls.mode | string | "STRICT" | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
| revision | string | "" | Revision of the Istio control plane |
| openshift | bool | false | OpenShift feature switch toggle |
| imagePullSecrets | list | [] | Pull secrets for images |
| monitoring | object | {"enabled":false} | Big Bang Monitoring interaction controls |
| monitoring.enabled | bool | false | Toggle monitoring on/off (controls networkPolicies) |
| kiali | object | {"enabled":false} | Big Bang Kiali interaction controls |
| kiali.enabled | bool | false | Toggle kiali on/off (controls networkPolicies) |
| authservice | object | {"enabled":false} | If authservice is enabled, it will be added to extension providers as an external authorization system. |
| ingressGateways | object | {"istio-ingressgateway":{"enabled":true,"extraLabels":{},"k8s":{"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]}}} | Ingress gateways. The following items are automatically set for every ingress gateway: label "app: {name of ingress gateway}" |
| ingressGateways.istio-ingressgateway | object | {"enabled":true,"extraLabels":{},"k8s":{"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]}} | This key becomes the name of the ingressGateway |
| ingressGateways.istio-ingressgateway.extraLabels | object | {} | Labels to use for selecting the ingress gateway from the service. Automatic labels: 'app: {ingress gateway name}' and istio: ingressgateway |
| ingressGateways.istio-ingressgateway.k8s | object | {"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]} | Set any value from |
| ingressGateways.istio-ingressgateway.k8s.service.type | string | "LoadBalancer" | "LoadBalancer" or "NodePort" |
| ingressGateways.istio-ingressgateway.k8s.podAnnotations | object | {} |  |
| ingressGateways.istio-ingressgateway.k8s.serviceAnnotations | object | {} |  |
| ingressGateways.istio-ingressgateway.k8s.nodeSelector | object | {} |  |
| ingressGateways.istio-ingressgateway.k8s.affinity | object | {} |  |
| ingressGateways.istio-ingressgateway.k8s.tolerations | list | [] |  |
| egressGateways | object | {"istio-egressgateway":{"enabled":false,"extraLabels":{},"k8s":{"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]}}} | Egress gateways. The following items are automatically set for every egress gateway: label "app: {name of egress gateway}" |
| egressGateways.istio-egressgateway | object | {"enabled":false,"extraLabels":{},"k8s":{"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]}} | This key becomes the name of the egressGateway |
| egressGateways.istio-egressgateway.extraLabels | object | {} | Labels to use for selecting the egress gateway from the service. Automatic labels: 'app: {egress gateway name}' and istio: egressgateway |
| egressGateways.istio-egressgateway.k8s | object | {"affinity":{},"nodeSelector":{},"podAnnotations":{},"resources":{},"service":{"type":"LoadBalancer"},"serviceAnnotations":{},"tolerations":[]} | Set any value from |
| egressGateways.istio-egressgateway.k8s.service.type | string | "LoadBalancer" | "LoadBalancer" or "NodePort" |
| egressGateways.istio-egressgateway.k8s.podAnnotations | object | {} |  |
| egressGateways.istio-egressgateway.k8s.serviceAnnotations | object | {} |  |
| egressGateways.istio-egressgateway.k8s.nodeSelector | object | {} |  |
| egressGateways.istio-egressgateway.k8s.affinity | object | {} |  |
| egressGateways.istio-egressgateway.k8s.tolerations | list | [] |  |
| gateways | object | {"main":{"autoHttpRedirect":{"enabled":true},"selector":{"app":"istio-ingressgateway"},"servers":[{"hosts":["*.{{ .Values.domain }}"],"port":{"name":"https","number":8443,"protocol":"HTTPS"},"tls":{"credentialName":"wildcard-cert","mode":"SIMPLE"}}]}} | See for spec |
| gateways.main | object | {"autoHttpRedirect":{"enabled":true},"selector":{"app":"istio-ingressgateway"},"servers":[{"hosts":["*.{{ .Values.domain }}"],"port":{"name":"https","number":8443,"protocol":"HTTPS"},"tls":{"credentialName":"wildcard-cert","mode":"SIMPLE"}}]} | This key becomes the name of the gateway |
| gateways.main.autoHttpRedirect | object | {"enabled":true} | Controls default HTTP/8080 server entry with HTTP to HTTPS Redirect. Must add in HTTP server config if disabling. |
| istiod | object | {"affinity":{},"env":[],"hpaSpec":{"maxReplicas":3,"metrics":[{"resource":{"name":"cpu","target":{"averageUtilization":60,"type":"Utilization"}},"type":"Resource"}],"minReplicas":1},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"2Gi"},"requests":{"cpu":"500m","memory":"2Gi"}},"serviceAnnotations":{},"strategy":{},"tolerations":[]} | istiod / pilot configuration |
| istiod.podAnnotations | object | {} | k8s pod annotations. |
| istiod.serviceAnnotations | object | {} | k8s service annotations. |
| istiod.nodeSelector | object | {} | k8s nodeSelector. |
| istiod.affinity | object | {} | k8s affinity / anti-affinity. |
| istiod.tolerations | list | [] | k8s toleration |
| tracing.enabled | bool | false |  |
| tracing.address | string | "jaeger-collector.jaeger.svc" |  |
| tracing.port | int | 9411 |  |
| tracing.sampling | int | 10 | percent of traces to send to jaeger |
| cni.image.hub | string | "" |  |
|  | string | "install-cni" |  |
| cni.image.tag | string | "1.23.4" |  |
| cni.podAnnotations | object | {} | k8s pod annotations. |
| cni.nodeSelector | object | {} | k8s nodeSelector. |
| cni.affinity | object | {} | k8s affinity / anti-affinity. |
| cni.tolerations | list | [] | k8s toleration |
| meshConfig | object | {"meshMTLS":{"minProtocolVersion":"TLSV1_2"}} | Global mesh-wide settings |
| defaultConfig | object | {} | Default Proxy Config for the entire mesh (inserts under meshConfig in IstioOperator resource) |
|  | object | {"proxy":{"resources":{"limits":{"memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}},"proxy_init":{"resources":{"limits":{"cpu":"100m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}}} | Global IstioOperator values |
| values.defaultRevision | string | "default" | Set defaultRevision name, must be non-empty to deploy validating webhook |
| values.pilot | object | {"env":{"ENABLE_NATIVE_SIDECARS":true}} | Istio pilot values. |
| envoyFilters | list | [] | Custom EnvoyFilters. |
| networkPolicies | object | {"additionalPolicies":[],"controlPlaneCidr":"","enabled":false} | Big Bang NetworkPolicy controls |
| networkPolicies.enabled | bool | false | Toggle ALL NetworkPolicies on/off |
| networkPolicies.controlPlaneCidr | string | "" | See kubectl cluster-info and then resolve to IP |
| postInstallHook.image | string | "" | Image used to run readiness check, requires kubectl |
| postInstallHook.tag | string | "2.1.0" |  |
| postInstallHook.securityContext | object | {"fsGroup":1001,"runAsGroup":1001,"runAsNonRoot":true,"runAsUser":1001} | Pod security context for readiness check |
| postInstallHook.containerSecurityContext | object | {"capabilities":{"drop":["ALL"]}} | Container security context for readiness check |
| postInstallHook.containerResources.resources.requests.cpu | string | "100m" |  |
| postInstallHook.containerResources.resources.requests.memory | string | "256Mi" |  |
| postInstallHook.containerResources.resources.limits.cpu | string | "100m" |  |
| postInstallHook.containerResources.resources.limits.memory | string | "256Mi" |  |
| hardened.enabled | bool | false |  |
| hardened.customAuthorizationPolicies | list | [] |  |
| hardened.ingressGateway.authzRules[0] | object | {} |  |
| waitJob.enabled | bool | true |  |
| waitJob.scripts.image | string | "" |  |
| waitJob.permissions.resources[0] | string | "istio-controlplane" |  |
| defaultSecurityHeaders.enabled | bool | true |  |
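
A values override can silently weaken the transport-security defaults listed above, because Helm merges maps key by key but replaces lists wholesale. The following is an added example, not part of the chart: `helm_merge` and `audit` are hypothetical helpers, the override is constructed, and `tls.httpsRedirect` is the Istio Gateway server field for redirecting HTTP to HTTPS.

```python
import copy

# Security-relevant defaults copied from the values table above (subset).
DEFAULTS = {
    "mtls": {"mode": "STRICT"}, "networkPolicies": {"enabled": False},
    "meshConfig": {"meshMTLS": {"minProtocolVersion": "TLSV1_2"}},
    "gateways": {"main": {"servers": [{
        "port": {"name": "https", "number": 8443, "protocol": "HTTPS"},
        "tls": {"credentialName": "wildcard-cert", "mode": "SIMPLE"}}]}},
}

def helm_merge(base, override):
    """Coalesce like Helm: maps merge, lists/scalars replace, null deletes."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        if val is None:
            out.pop(key, None)
        elif isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = helm_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out

def audit(override):
    """Return findings for the effective values (defaults + override)."""
    v, findings = helm_merge(DEFAULTS, override), []
    if v.get("mtls", {}).get("mode") != "STRICT":
        findings.append("mtls.mode: plain-text traffic is allowed")
    pinned = v.get("meshConfig", {}).get("meshMTLS", {}).get("minProtocolVersion")
    if pinned not in ("TLSV1_2", "TLSV1_3"):
        findings.append("meshConfig.meshMTLS.minProtocolVersion: not pinned")
    if not v.get("networkPolicies", {}).get("enabled"):
        findings.append("networkPolicies.enabled: all NetworkPolicies are off")
    for name, gw in v.get("gateways", {}).items():
        for srv in gw.get("servers", []):
            proto = srv.get("port", {}).get("protocol")
            if proto == "HTTP" and not srv.get("tls", {}).get("httpsRedirect"):
                findings.append(f"gateways.{name}: HTTP server without httpsRedirect")
    return findings

# Constructed override: relaxes mTLS, drops the TLS pin, adds a plain HTTP server.
SAMPLE_OVERRIDE = {
    "mtls": {"mode": "PERMISSIVE"}, "meshConfig": {"meshMTLS": None},
    "gateways": {"main": {"servers": [
        {"port": {"name": "http", "number": 8080, "protocol": "HTTP"}, "hosts": ["*"]}]}},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OVERRIDE)))
```

The sample override also shows the list-replacement effect: supplying `servers` removes the default HTTPS/8443 entry unless the override repeats it.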
Please see the contributing guide if you are interested in contributing.
This file is programmatically generated using helm-docs and some BigBang-specific templates. The gluon repository has instructions for regenerating package READMEs.