Retire helm documentation as we use a protobuf (#7106)

* Retire helm documentation as we use a protobuf

The new rendered source of truth is:
https://preliminary.istio.io/docs/reference/config/istio.operator.v1alpha1/

This is rendered from the API repo protobuf which (may) need description fields
set. That protobuf is here:

https://github.com/istio/api/blob/master/operator/v1alpha1/operator.proto

* Follow the flowchart

The flowchart is not quite right and could use some improvement.

* Update content/en/blog/2019/performance-best-practices/index.md

Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
Steven Dake 2020-04-21 07:55:44 -07:00 committed by GitHub
parent f8fd68c04b
commit d6e9f4b92b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 14 additions and 1597 deletions


@ -33,7 +33,7 @@ Say you run 2,000 Envoy-injected pods, each handling 1,000 requests per second.
It is also important to focus on data plane performance for **latency** reasons. This is because most application requests move through the Istio data plane, not the control plane. There are two exceptions:
1. **Telemetry reporting:** Each proxy sends raw telemetry data to {{<gloss>}}Mixer{{</gloss>}}, which Mixer processes into metrics, traces, and other telemetry. The raw telemetry data is similar to access logs, and therefore comes at a cost. Access log processing consumes CPU and keeps a worker thread from picking up the next unit of work. At higher throughput, it is more likely that the next unit of work is waiting in the queue to be picked up by the worker. This can lead to long-tail (99th percentile) latency for Envoy.
1. **Custom policy checks:** When using [custom Istio policy adapters](/docs/concepts/observability/), policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. **Note:** These policy checks are [disabled by default](/docs/reference/config/installation-options/#global-options), as the most common policy use case ([RBAC](https://archive.istio.io/1.4/docs/reference/config/security/istio.rbac.v1alpha1)) is performed entirely by the Envoy proxies.
1. **Custom policy checks:** When using [custom Istio policy adapters](/docs/concepts/observability/), policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. **Note:** These policy checks are [disabled by default](https://archive.istio.io/v1.4/docs/reference/config/installation-options/), as the most common policy use case ([RBAC](https://archive.istio.io/v1.4/docs/reference/config/security/istio.rbac.v1alpha1)) is performed entirely by the Envoy proxies.
Both of these exceptions will go away in a future Istio release, when [Mixer V2](https://docs.google.com/document/d/1QKmtem5jU_2F3Lh5SqLp0IuPb80_70J7aJEYu4_gS-s) moves all policy and telemetry features directly into the proxies.
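Review bot: The replacement link for "disabled by default" in the **Custom policy checks** item drops the `#global-options` anchor, so it now lands at the top of the archived 1.4 installation-options page and the reader has to search for the setting that keeps policy checks off the request path. Name the option in the sentence itself (the removed page lists it as `global.disablePolicyChecks`, default `true`) so the statement still stands if the link moves again. The RBAC link on the same line also changes its path from `/1.4/` to `/v1.4/`; please confirm that this form resolves on the archive site.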
@ -110,4 +110,4 @@ Istio's performance depends on your specific setup and traffic load. Because of
Also check out the [Istio Performance and Scalability guide](/docs/ops/deployment/performance-and-scalability) for the most up-to-date performance data.
Thank you for reading, and happy benchmarking!
Thank you for reading, and happy benchmarking!
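Review bot: The closing line of this hunk is replaced by text that reads identically, so the change appears to be whitespace or an end-of-file newline only and has nothing to do with retiring the Helm options page. Drop it from this commit, or mention it in the commit message, so the diff for this file carries only the link fix.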


@ -17,7 +17,7 @@ deployed in a single cluster, and the following targeting rules are applied to e
1. `ca.istio.io/override` namespace label: *boolean valued* label which overrides all other configurations and forces all Citadel instances either to target or ignore a namespace
1. [`enableNamespacesByDefault` security configuration](/docs/reference/config/installation-options/#security-options): default behavior if no labels are found on the `ServiceAccount`'s namespace
1. [`enableNamespacesByDefault` security configuration](https://archive.istio.io/v1.4/docs/reference/config/installation-options/): default behavior if no labels are found on the `ServiceAccount`'s namespace
From these three values, the decision process mirrors that of the [`Sidecar Injection Webhook`](/docs/ops/configuration/mesh/injection-concepts/). The detailed behavior is that:
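Review bot: The `enableNamespacesByDefault` link in the second list item now points at the frozen 1.4 archive and loses the `#security-options` anchor, while the commit message names the `istio.operator.v1alpha1` reference as the new source of truth. This setting decides what happens to namespaces that carry no label, so readers of this page should be sent to documentation that tracks the current release: link to the new reference if the field is described there, or state the default behavior in the sentence itself.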


@ -1,596 +0,0 @@
---
title: Installation Options (Helm)
description: Describes the options available when installing Istio using Helm charts.
weight: 15
keywords: [kubernetes,helm]
force_inline_toc: true
---
{{< warning >}}
Installing Istio with Helm is in the process of deprecation, however, you can use these Helm
configuration options when [installing Istio with {{< istioctl >}}](/docs/setup/install/istioctl/)
by prepending the string "`values.`" to the option name. For example, instead of this `helm` command:
{{< text bash >}}
$ helm template ... --set global.controlPlaneSecurityEnabled=true
{{< /text >}}
You can use this `istioctl` command:
{{< text bash >}}
$ istioctl manifest generate ... --set values.global.controlPlaneSecurityEnabled=true
{{< /text >}}
Refer to [customizing the configuration](/docs/setup/install/istioctl/#customizing-the-configuration) for details.
{{< /warning >}}
{{< warning >}}
This document is unfortunately out of date with the latest changes in the set of supported options.
To get the exact set of supported options, please see the [Install charts]({{< github_tree >}}/manifests).
{{< /warning >}}
<!-- Run python scripts/tablegen.py to generate this table -->
<!-- AUTO-GENERATED-START -->
## `certmanager` options
| Key | Default Value | Description |
| --- | --- | --- |
| `certmanager.enabled` | `false` | |
| `certmanager.replicaCount` | `1` | |
| `certmanager.hub` | `quay.io/jetstack` | |
| `certmanager.image` | `cert-manager-controller` | |
| `certmanager.tag` | `v0.8.1` | |
| `certmanager.resources` | `{}` | |
| `certmanager.nodeSelector` | `{}` | |
| `certmanager.tolerations` | `[]` | |
| `certmanager.podAnnotations` | `{}` | |
| `certmanager.podAntiAffinityLabelSelector` | `[]` | |
| `certmanager.podAntiAffinityTermLabelSelector` | `[]` | |
## `galley` options
| Key | Default Value | Description |
| --- | --- | --- |
| `galley.enabled` | `true` | |
| `galley.replicaCount` | `1` | |
| `galley.rollingMaxSurge` | `100%` | |
| `galley.rollingMaxUnavailable` | `25%` | |
| `galley.image` | `galley` | |
| `galley.nodeSelector` | `{}` | |
| `galley.tolerations` | `[]` | |
| `galley.podAnnotations` | `{}` | |
| `galley.podAntiAffinityLabelSelector` | `[]` | |
| `galley.podAntiAffinityTermLabelSelector` | `[]` | |
| `galley.enableServiceDiscovery` | `false` | `Enable service discovery processing in Galley` |
| `galley.enableAnalysis` | `false` | `Enable analysis and status update in Galley` |
## `gateways` options
| Key | Default Value | Description |
| --- | --- | --- |
| `gateways.enabled` | `true` | |
| `gateways.istio-ingressgateway.enabled` | `true` | |
| `gateways.istio-ingressgateway.sds.enabled` | `false` | `If true, ingress gateway fetches credentials from SDS server to handle TLS connections.` |
| `gateways.istio-ingressgateway.sds.image` | `node-agent-k8s` | `SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. This server runs in the same pod as ingress gateway.` |
| `gateways.istio-ingressgateway.sds.resources.requests.cpu` | `100m` | |
| `gateways.istio-ingressgateway.sds.resources.requests.memory` | `128Mi` | |
| `gateways.istio-ingressgateway.sds.resources.limits.cpu` | `2000m` | |
| `gateways.istio-ingressgateway.sds.resources.limits.memory` | `1024Mi` | |
| `gateways.istio-ingressgateway.labels.app` | `istio-ingressgateway` | |
| `gateways.istio-ingressgateway.labels.istio` | `ingressgateway` | |
| `gateways.istio-ingressgateway.autoscaleEnabled` | `true` | |
| `gateways.istio-ingressgateway.autoscaleMin` | `1` | |
| `gateways.istio-ingressgateway.autoscaleMax` | `5` | |
| `gateways.istio-ingressgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-ingressgateway.rollingMaxUnavailable` | `25%` | |
| `gateways.istio-ingressgateway.resources.requests.cpu` | `100m` | |
| `gateways.istio-ingressgateway.resources.requests.memory` | `128Mi` | |
| `gateways.istio-ingressgateway.resources.limits.cpu` | `2000m` | |
| `gateways.istio-ingressgateway.resources.limits.memory` | `1024Mi` | |
| `gateways.istio-ingressgateway.cpu.targetAverageUtilization` | `80` | |
| `gateways.istio-ingressgateway.loadBalancerIP` | `""` | |
| `gateways.istio-ingressgateway.loadBalancerSourceRanges` | `[]` | |
| `gateways.istio-ingressgateway.externalIPs` | `[]` | |
| `gateways.istio-ingressgateway.serviceAnnotations` | `{}` | |
| `gateways.istio-ingressgateway.podAnnotations` | `{}` | |
| `gateways.istio-ingressgateway.type` | `LoadBalancer` | `change to NodePort, ClusterIP or LoadBalancer if need be` |
| `gateways.istio-ingressgateway.ports.targetPort` | `15020` | |
| `gateways.istio-ingressgateway.ports.name` | `status-port` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `80` | |
| `gateways.istio-ingressgateway.ports.name` | `http2` | |
| `gateways.istio-ingressgateway.ports.nodePort` | `31380` | |
| `gateways.istio-ingressgateway.ports.name` | `https` | |
| `gateways.istio-ingressgateway.ports.nodePort` | `31390` | |
| `gateways.istio-ingressgateway.ports.name` | `tcp` | |
| `gateways.istio-ingressgateway.ports.nodePort` | `31400` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `15029` | |
| `gateways.istio-ingressgateway.ports.name` | `https-kiali` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `15030` | |
| `gateways.istio-ingressgateway.ports.name` | `https-prometheus` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `15031` | |
| `gateways.istio-ingressgateway.ports.name` | `https-grafana` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `15032` | |
| `gateways.istio-ingressgateway.ports.name` | `https-tracing` | |
| `gateways.istio-ingressgateway.ports.targetPort` | `15443` | |
| `gateways.istio-ingressgateway.ports.name` | `tls` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `15011` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-pilot-grpc-tls` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `15004` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-mixer-grpc-tls` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `8060` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-citadel-grpc-tls` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.targetPort` | `853` | |
| `gateways.istio-ingressgateway.meshExpansionPorts.name` | `tcp-dns-tls` | |
| `gateways.istio-ingressgateway.secretVolumes.secretName` | `istio-ingressgateway-certs` | |
| `gateways.istio-ingressgateway.secretVolumes.mountPath` | `/etc/istio/ingressgateway-certs` | |
| `gateways.istio-ingressgateway.secretVolumes.secretName` | `istio-ingressgateway-ca-certs` | |
| `gateways.istio-ingressgateway.secretVolumes.mountPath` | `/etc/istio/ingressgateway-ca-certs` | |
| `gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE` | `"standard"` | `By default, a gateway is in "standard" mode. If the mode is set to "sni-dnat", pilot generates an additional set of clusters for internal services without Istio mTLS, to enable cross cluster routing. Enable when using multi-cluster routing.` |
| `gateways.istio-ingressgateway.nodeSelector` | `{}` | |
| `gateways.istio-ingressgateway.tolerations` | `[]` | |
| `gateways.istio-ingressgateway.podAntiAffinityLabelSelector` | `[]` | |
| `gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector` | `[]` | |
| `gateways.istio-egressgateway.enabled` | `false` | |
| `gateways.istio-egressgateway.labels.app` | `istio-egressgateway` | |
| `gateways.istio-egressgateway.labels.istio` | `egressgateway` | |
| `gateways.istio-egressgateway.autoscaleEnabled` | `true` | |
| `gateways.istio-egressgateway.autoscaleMin` | `1` | |
| `gateways.istio-egressgateway.autoscaleMax` | `5` | |
| `gateways.istio-egressgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-egressgateway.rollingMaxUnavailable` | `25%` | |
| `gateways.istio-egressgateway.resources.requests.cpu` | `100m` | |
| `gateways.istio-egressgateway.resources.requests.memory` | `128Mi` | |
| `gateways.istio-egressgateway.resources.limits.cpu` | `2000m` | |
| `gateways.istio-egressgateway.resources.limits.memory` | `1024Mi` | |
| `gateways.istio-egressgateway.cpu.targetAverageUtilization` | `80` | |
| `gateways.istio-egressgateway.serviceAnnotations` | `{}` | |
| `gateways.istio-egressgateway.podAnnotations` | `{}` | |
| `gateways.istio-egressgateway.type` | `ClusterIP` | `change to NodePort or LoadBalancer if need be` |
| `gateways.istio-egressgateway.ports.name` | `http2` | |
| `gateways.istio-egressgateway.ports.name` | `https` | |
| `gateways.istio-egressgateway.ports.targetPort` | `15443` | |
| `gateways.istio-egressgateway.ports.name` | `tls` | |
| `gateways.istio-egressgateway.secretVolumes.secretName` | `istio-egressgateway-certs` | |
| `gateways.istio-egressgateway.secretVolumes.mountPath` | `/etc/istio/egressgateway-certs` | |
| `gateways.istio-egressgateway.secretVolumes.secretName` | `istio-egressgateway-ca-certs` | |
| `gateways.istio-egressgateway.secretVolumes.mountPath` | `/etc/istio/egressgateway-ca-certs` | |
| `gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE` | `"standard"` | |
| `gateways.istio-egressgateway.nodeSelector` | `{}` | |
| `gateways.istio-egressgateway.tolerations` | `[]` | |
| `gateways.istio-egressgateway.podAntiAffinityLabelSelector` | `[]` | |
| `gateways.istio-egressgateway.podAntiAffinityTermLabelSelector` | `[]` | |
| `gateways.istio-ilbgateway.enabled` | `false` | |
| `gateways.istio-ilbgateway.labels.app` | `istio-ilbgateway` | |
| `gateways.istio-ilbgateway.labels.istio` | `ilbgateway` | |
| `gateways.istio-ilbgateway.autoscaleEnabled` | `true` | |
| `gateways.istio-ilbgateway.autoscaleMin` | `1` | |
| `gateways.istio-ilbgateway.autoscaleMax` | `5` | |
| `gateways.istio-ilbgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-ilbgateway.rollingMaxUnavailable` | `25%` | |
| `gateways.istio-ilbgateway.cpu.targetAverageUtilization` | `80` | |
| `gateways.istio-ilbgateway.resources.requests.cpu` | `800m` | |
| `gateways.istio-ilbgateway.resources.requests.memory` | `512Mi` | |
| `gateways.istio-ilbgateway.loadBalancerIP` | `""` | |
| `gateways.istio-ilbgateway.serviceAnnotations.cloud.google.com/load-balancer-type` | `"internal"` | |
| `gateways.istio-ilbgateway.podAnnotations` | `{}` | |
| `gateways.istio-ilbgateway.type` | `LoadBalancer` | |
| `gateways.istio-ilbgateway.ports.name` | `grpc-pilot-mtls` | |
| `gateways.istio-ilbgateway.ports.name` | `grpc-pilot` | |
| `gateways.istio-ilbgateway.ports.targetPort` | `8060` | |
| `gateways.istio-ilbgateway.ports.name` | `tcp-citadel-grpc-tls` | |
| `gateways.istio-ilbgateway.ports.name` | `tcp-dns` | |
| `gateways.istio-ilbgateway.secretVolumes.secretName` | `istio-ilbgateway-certs` | |
| `gateways.istio-ilbgateway.secretVolumes.mountPath` | `/etc/istio/ilbgateway-certs` | |
| `gateways.istio-ilbgateway.secretVolumes.secretName` | `istio-ilbgateway-ca-certs` | |
| `gateways.istio-ilbgateway.secretVolumes.mountPath` | `/etc/istio/ilbgateway-ca-certs` | |
| `gateways.istio-ilbgateway.nodeSelector` | `{}` | |
| `gateways.istio-ilbgateway.tolerations` | `[]` | |
## `global` options
| Key | Default Value | Description |
| --- | --- | --- |
| `global.hub` | `gcr.io/istio-testing` | `Default hub for Istio images. Releases are published to docker hub under 'istio' project. Dev builds from prow are on gcr.io` |
| `global.tag` | `1.5-dev` | `Default tag for Istio images.` |
| `global.logging.level` | `"default:info"` | |
| `global.monitoringPort` | `15014` | `monitoring port used by mixer, pilot, galley and sidecar injector` |
| `global.k8sIngress.enabled` | `false` | |
| `global.k8sIngress.gatewayName` | `ingressgateway` | `Gateway used for k8s Ingress resources. By default it is using 'istio:ingressgateway' that will be installed by setting 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' flags to true.` |
| `global.k8sIngress.enableHttps` | `false` | `enableHttps will add port 443 on the ingress. It REQUIRES that the certificates are installed in the expected secrets - enabling this option without certificates will result in LDS rejection and the ingress will not work.` |
| `global.proxy.image` | `proxyv2` | `use fully qualified image names for alternate path to proxy.` |
| `global.proxy.clusterDomain` | `"cluster.local"` | `cluster domain. Default value is "cluster.local".` |
| `global.proxy.resources.requests.cpu` | `100m` | |
| `global.proxy.resources.requests.memory` | `128Mi` | |
| `global.proxy.resources.limits.cpu` | `2000m` | |
| `global.proxy.resources.limits.memory` | `1024Mi` | |
| `global.proxy.concurrency` | `2` | `Controls number of Proxy worker threads. If set to 0, then start worker thread for each CPU thread/core.` |
| `global.proxy.accessLogFile` | `""` | |
| `global.proxy.accessLogFormat` | `""` | `Configure how and what fields are displayed in sidecar access log. Setting to empty string will result in default log format` |
| `global.proxy.accessLogEncoding` | `TEXT` | `Configure the access log for sidecar to JSON or TEXT.` |
| `global.proxy.envoyAccessLogService.enabled` | `false` | |
| `global.proxy.envoyAccessLogService.host` | `` | `example: accesslog-service.istio-system` |
| `global.proxy.envoyAccessLogService.port` | `` | `example: 15000` |
| `global.proxy.envoyAccessLogService.tlsSettings.mode` | `DISABLE` | `DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL` |
| `global.proxy.envoyAccessLogService.tlsSettings.clientCertificate` | `` | `example: /etc/istio/als/cert-chain.pem` |
| `global.proxy.envoyAccessLogService.tlsSettings.privateKey` | `` | `example: /etc/istio/als/key.pem` |
| `global.proxy.envoyAccessLogService.tlsSettings.caCertificates` | `` | `example: /etc/istio/als/root-cert.pem` |
| `global.proxy.envoyAccessLogService.tlsSettings.sni` | `` | `example: als.somedomain` |
| `global.proxy.envoyAccessLogService.tlsSettings.subjectAltNames` | `[]` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.probes` | `3` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.time` | `10s` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.interval` | `10s` | |
| `global.proxy.logLevel` | `""` | `Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. Expected values are: trace\|debug\|info\|warning\|error\|critical\|off` |
| `global.proxy.componentLogLevel` | `""` | `Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.` |
| `global.proxy.dnsRefreshRate` | `300s` | `Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS This must be given it terms of seconds. For example, 300s is valid but 5m is invalid.` |
| `global.proxy.outlierLogPath` | `# example: /dev/stdout` | `Specifies the path to the outlier event log. example: /dev/stdout` |
| `global.proxy.protocolDetectionTimeout` | `100ms` | `Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc., Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE >=1ms)` |
| `global.proxy.privileged` | `false` | `If set to true, istio-proxy container will have privileged securityContext` |
| `global.proxy.enableCoreDump` | `false` | `If set, newly injected sidecars will have core dumps enabled.` |
| `global.proxy.enableCoreDumpImage` | `ubuntu:xenial` | `Image used to enable core dumps. This is only used, when "enableCoreDump" is set to true.` |
| `global.proxy.statusPort` | `15020` | `Default port for Pilot agent health checks. A value of 0 will disable health checking.` |
| `global.proxy.readinessInitialDelaySeconds` | `1` | `The initial delay for readiness probes in seconds.` |
| `global.proxy.readinessPeriodSeconds` | `2` | `The period between readiness probes.` |
| `global.proxy.readinessFailureThreshold` | `30` | `The number of successive failed probes before indicating readiness failure.` |
| `global.proxy.includeIPRanges` | `"*"` | |
| `global.proxy.excludeIPRanges` | `""` | |
| `global.proxy.excludeOutboundPorts` | `""` | |
| `global.proxy.kubevirtInterfaces` | `""` | `pod internal interfaces` |
| `global.proxy.includeInboundPorts` | `"*"` | |
| `global.proxy.excludeInboundPorts` | `""` | |
| `global.proxy.autoInject` | `enabled` | `This controls the 'policy' in the sidecar injector.` |
| `global.proxy.envoyStatsd.enabled` | `false` | `If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.` |
| `global.proxy.envoyStatsd.host` | `` | `example: statsd-svc.istio-system` |
| `global.proxy.envoyStatsd.port` | `` | `example: 9125` |
| `global.proxy.envoyMetricsService.enabled` | `false` | |
| `global.proxy.envoyMetricsService.host` | `` | `example: metrics-service.istio-system` |
| `global.proxy.envoyMetricsService.port` | `` | `example: 15000` |
| `global.proxy.envoyMetricsService.tlsSettings.mode` | `DISABLE` | `DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL` |
| `global.proxy.envoyMetricsService.tlsSettings.clientCertificate` | `` | `example: /etc/istio/ms/cert-chain.pem` |
| `global.proxy.envoyMetricsService.tlsSettings.privateKey` | `` | `example: /etc/istio/ms/key.pem` |
| `global.proxy.envoyMetricsService.tlsSettings.caCertificates` | `` | `example: /etc/istio/ms/root-cert.pem` |
| `global.proxy.envoyMetricsService.tlsSettings.sni` | `` | `example: ms.somedomain` |
| `global.proxy.envoyMetricsService.tlsSettings.subjectAltNames` | `[]` | |
| `global.proxy.envoyMetricsService.tcpKeepalive.probes` | `3` | |
| `global.proxy.envoyMetricsService.tcpKeepalive.time` | `10s` | |
| `global.proxy.envoyMetricsService.tcpKeepalive.interval` | `10s` | |
| `global.proxy.tracer` | `"zipkin"` | `Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.` |
| `global.proxy_init.image` | `proxyv2` | `Base name for the istio-init container, used to configure iptables.` |
| `global.proxy_init.resources.limits.cpu` | `100m` | |
| `global.proxy_init.resources.limits.memory` | `50Mi` | |
| `global.proxy_init.resources.requests.cpu` | `10m` | |
| `global.proxy_init.resources.requests.memory` | `10Mi` | |
| `global.imagePullPolicy` | `IfNotPresent` | |
| `global.controlPlaneSecurityEnabled` | `false` | `controlPlaneSecurityEnabled enabled. Will result in delays starting the pods while secrets are propagated, not recommended for tests.` |
| `global.disablePolicyChecks` | `true` | `disablePolicyChecks disables mixer policy checks. if mixer.policy.enabled==true then disablePolicyChecks has affect. Will set the value with same name in istio config map - pilot needs to be restarted to take effect.` |
| `global.policyCheckFailOpen` | `false` | `policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. Default is false which means the traffic is denied when the client is unable to connect to Mixer.` |
| `global.enableTracing` | `true` | `EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.` |
| `global.tracer.lightstep.address` | `""` | `example: lightstep-satellite:443` |
| `global.tracer.lightstep.accessToken` | `""` | `example: abcdefg1234567` |
| `global.tracer.lightstep.secure` | `true` | `example: true\|false` |
| `global.tracer.lightstep.cacertPath` | `""` | `example: /etc/lightstep/cacert.pem` |
| `global.tracer.zipkin.address` | `""` | |
| `global.tracer.datadog.address` | `"$(HOST_IP):8126"` | |
| `global.tracer.stackdriver.debug` | `false` | `enables trace output to stdout.` |
| `global.tracer.stackdriver.maxNumberOfAttributes` | `200` | `The global default max number of attributes per span.` |
| `global.tracer.stackdriver.maxNumberOfAnnotations` | `200` | `The global default max number of annotation events per span.` |
| `global.tracer.stackdriver.maxNumberOfMessageEvents` | `200` | `The global default max number of message events per span.` |
| `global.mtls.enabled` | `false` | `Default setting for service-to-service mtls. Can be set explicitly using destination rules or service annotations.` |
| `global.mtls.auto` | `true` | `If set to true, and a given service does not have a corresponding DestinationRule configured, or its DestinationRule does not have TLSSettings specified, Istio configures client side TLS configuration automatically, based on the server side mTLS authentication policy and the availibity of sidecars.` |
| `global.imagePullSecrets` | `[]` | `Lists the secrets you need to use to pull Istio images from a private registry.` |
| `global.arch.amd64` | `2` | |
| `global.arch.s390x` | `2` | |
| `global.arch.ppc64le` | `2` | |
| `global.oneNamespace` | `false` | `Whether to restrict the applications namespace the controller manages; If not set, controller watches all namespaces` |
| `global.defaultNodeSelector` | `{}` | `Default node selector to be applied to all deployments so that all pods can be constrained to run a particular nodes. Each component can overwrite these default values by adding its node selector block in the relevant section below and setting the desired values.` |
| `global.defaultTolerations` | `[]` | `Default node tolerations to be applied to all deployments so that all pods can be scheduled to a particular nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints.` |
| `global.configValidation` | `true` | `Whether to perform server-side validation of configuration.` |
| `global.meshExpansion.enabled` | `false` | |
| `global.meshExpansion.useILB` | `false` | `If set to true, the pilot and citadel mtls and the plaintext pilot ports will be exposed on an internal gateway` |
| `global.multiCluster.enabled` | `false` | `Set to true to connect two kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot directly talk to one another. All clusters should be using Istio mTLS and must have a shared root CA for this model to work.` |
| `global.multiCluster.clusterName` | `""` | `Should be set to the name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies` |
| `global.defaultResources.requests.cpu` | `10m` | |
| `global.defaultPodDisruptionBudget.enabled` | `true` | |
| `global.priorityClassName` | `""` | |
| `global.useMCP` | `true` | `Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires galley (--set galley.enabled=true).` |
| `global.trustDomain` | `""` | |
| `global.trustDomainAliases` | `[]` | |
| `global.meshID` | `""` | `Mesh ID means Mesh Identifier. It should be unique within the scope where meshes will interact with each other, but it is not required to be globally/universally unique. For example, if any of the following are true, then two meshes must have different Mesh IDs: - Meshes will have their telemetry aggregated in one place - Meshes will be federated together - Policy will be written referencing one mesh from the other If an administrator expects that any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs assigned. Within a multicluster mesh, each cluster must be (manually or auto) configured to have the same Mesh ID value. If an existing cluster 'joins' a multicluster mesh, it will need to be migrated to the new mesh ID. Details of migration TBD, and it may be a disruptive operation to change the Mesh ID post-install. If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value.` |
| `global.outboundTrafficPolicy.mode` | `ALLOW_ANY` | |
| `global.sds.enabled` | `false` | `SDS enabled. IF set to true, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.` |
| `global.sds.udsPath` | `""` | |
| `global.sds.token.aud` | `istio-ca` | |
| `global.meshNetworks` | `{}` | |
| `global.network` | `""` | `Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks.` |
| `global.localityLbSetting.enabled` | `true` | |
| `global.enableHelmTest` | `false` | `Specifies whether helm test is enabled or not. This field is set to false by default, so 'helm template ...' will ignore the helm test yaml files when generating the template` |
| `global.certificates` | `[]` | |
| `global.operatorManageWebhooks` | `false` | `Configure whether Operator manages webhook configurations. The current behavior of Galley and Sidecar Injector is that they manage their own webhook configurations. When this option is set as true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations.` |
## `grafana` options
| Key | Default Value | Description |
| --- | --- | --- |
| `grafana.enabled` | `false` | |
| `grafana.replicaCount` | `1` | |
| `grafana.image.repository` | `grafana/grafana` | |
| `grafana.image.tag` | `6.4.3` | |
| `grafana.ingress.enabled` | `false` | |
| `grafana.ingress.hosts` | `grafana.local` | `Used to create an Ingress record.` |
| `grafana.ingress.annotations` | `{}` | |
| `grafana.ingress.tls` | `[]` | |
| `grafana.persist` | `false` | |
| `grafana.storageClassName` | `""` | |
| `grafana.accessMode` | `ReadWriteMany` | |
| `grafana.security.enabled` | `false` | |
| `grafana.security.secretName` | `grafana` | |
| `grafana.security.usernameKey` | `username` | |
| `grafana.security.passphraseKey` | `passphrase` | |
| `grafana.nodeSelector` | `{}` | |
| `grafana.tolerations` | `[]` | |
| `grafana.env` | `{}` | |
| `grafana.envSecrets` | `{}` | |
| `grafana.podAntiAffinityLabelSelector` | `[]` | |
| `grafana.podAntiAffinityTermLabelSelector` | `[]` | |
| `grafana.contextPath` | `/grafana` | |
| `grafana.service.annotations` | `{}` | |
| `grafana.service.name` | `http` | |
| `grafana.service.type` | `ClusterIP` | |
| `grafana.service.externalPort` | `3000` | |
| `grafana.service.loadBalancerSourceRanges` | `[]` | |
| `grafana.datasources.datasources.apiVersion` | `1` | |
| `grafana.datasources.datasources.datasources.type` | `prometheus` | |
| `grafana.datasources.datasources.datasources.type.orgId` | `1` | |
| `grafana.datasources.datasources.datasources.type.url` | `http://prometheus:9090` | |
| `grafana.datasources.datasources.datasources.type.access` | `proxy` | |
| `grafana.datasources.datasources.datasources.type.isDefault` | `true` | |
| `grafana.datasources.datasources.datasources.type.jsonData.timeInterval` | `5s` | |
| `grafana.datasources.datasources.datasources.type.editable` | `true` | |
| `grafana.dashboardProviders.dashboardproviders.apiVersion` | `1` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId` | `1` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.folder` | `'istio'` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.type` | `file` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.disableDeletion` | `false` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.options.path` | `/var/lib/grafana/dashboards/istio` | |
## `istio_cni` options
| Key | Default Value | Description |
| --- | --- | --- |
| `istio_cni.enabled` | `false` | |
## `istiocoredns` options
| Key | Default Value | Description |
| --- | --- | --- |
| `istiocoredns.enabled` | `false` | |
| `istiocoredns.replicaCount` | `1` | |
| `istiocoredns.rollingMaxSurge` | `100%` | |
| `istiocoredns.rollingMaxUnavailable` | `25%` | |
| `istiocoredns.coreDNSImage` | `coredns/coredns` | |
| `istiocoredns.coreDNSTag` | `1.6.2` | |
| `istiocoredns.coreDNSPluginImage` | `istio/coredns-plugin:0.2-istio-1.1` | |
| `istiocoredns.nodeSelector` | `{}` | |
| `istiocoredns.tolerations` | `[]` | |
| `istiocoredns.podAnnotations` | `{}` | |
| `istiocoredns.podAntiAffinityLabelSelector` | `[]` | |
| `istiocoredns.podAntiAffinityTermLabelSelector` | `[]` | |
## `kiali` options
| Key | Default Value | Description |
| --- | --- | --- |
| `kiali.enabled` | `false` | `Note that if using the demo or demo-auth yaml when installing via Helm, this default will be true.` |
| `kiali.replicaCount` | `1` | |
| `kiali.hub` | `quay.io/kiali` | |
| `kiali.image` | `kiali` | |
| `kiali.tag` | `v1.9` | |
| `kiali.contextPath` | `/kiali` | `The root context path to access the Kiali UI.` |
| `kiali.nodeSelector` | `{}` | |
| `kiali.tolerations` | `[]` | |
| `kiali.podAnnotations` | `{}` | |
| `kiali.podAntiAffinityLabelSelector` | `[]` | |
| `kiali.podAntiAffinityTermLabelSelector` | `[]` | |
| `kiali.ingress.enabled` | `false` | |
| `kiali.ingress.hosts` | `kiali.local` | `Used to create an Ingress record.` |
| `kiali.ingress.annotations` | `{}` | |
| `kiali.dashboard.auth.strategy` | `login` | `Can be anonymous, login, openshift, or ldap` |
| `kiali.dashboard.secretName` | `kiali` | `You must create a secret with this name - one is not provided out-of-box.` |
| `kiali.dashboard.viewOnlyMode` | `false` | `Bind the service account to a role with only read access` |
| `kiali.dashboard.grafanaURL` | `` | `If you have Grafana installed and it is accessible to client browsers, then set this to its external URL. Kiali will redirect users to this URL when Grafana metrics are to be shown.` |
| `kiali.dashboard.grafanaInClusterURL` | `"http://grafana:3000"` | `In Kubernetes cluster with ELB in front this option is needed, since public IP of ELB is not reachable from inside the cluster` |
| `kiali.dashboard.jaegerURL` | `` | `If you have Jaeger installed and it is accessible to client browsers, then set this property to its external URL. Kiali will redirect users to this URL when Jaeger tracing is to be shown.` |
| `kiali.dashboard.jaegerInClusterURL` | `"http://tracing/jaeger"` | `If you have Jaeger installed and accessible from Kiali pod (typically in cluster), then set this property to enable more tracing charts within Kiali.` |
| `kiali.prometheusAddr` | `http://prometheus:9090` | |
| `kiali.createDemoSecret` | `false` | `When true, a secret will be created with a default username and password. Useful for demos.` |
| `kiali.security.enabled` | `false` | |
| `kiali.security.cert_file` | `/kiali-cert/cert-chain.pem` | |
| `kiali.security.private_key_file` | `/kiali-cert/key.pem` | |
## `mixer` options
| Key | Default Value | Description |
| --- | --- | --- |
| `mixer.image` | `mixer` | |
| `mixer.env.GOMAXPROCS` | `"6"` | `max procs should be ceil(cpu limit + 1)` |
| `mixer.policy.enabled` | `false` | `if policy is enabled, global.disablePolicyChecks has affect.` |
| `mixer.policy.replicaCount` | `1` | |
| `mixer.policy.autoscaleEnabled` | `true` | |
| `mixer.policy.autoscaleMin` | `1` | |
| `mixer.policy.autoscaleMax` | `5` | |
| `mixer.policy.cpu.targetAverageUtilization` | `80` | |
| `mixer.policy.rollingMaxSurge` | `100%` | |
| `mixer.policy.rollingMaxUnavailable` | `25%` | |
| `mixer.telemetry.enabled` | `true` | |
| `mixer.telemetry.replicaCount` | `1` | |
| `mixer.telemetry.autoscaleEnabled` | `true` | |
| `mixer.telemetry.autoscaleMin` | `1` | |
| `mixer.telemetry.autoscaleMax` | `5` | |
| `mixer.telemetry.cpu.targetAverageUtilization` | `80` | |
| `mixer.telemetry.rollingMaxSurge` | `100%` | |
| `mixer.telemetry.rollingMaxUnavailable` | `25%` | |
| `mixer.telemetry.sessionAffinityEnabled` | `false` | |
| `mixer.telemetry.loadshedding.mode` | `enforce` | `disabled, logonly or enforce` |
| `mixer.telemetry.loadshedding.latencyThreshold` | `100ms` | `based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.` |
| `mixer.telemetry.resources.requests.cpu` | `1000m` | |
| `mixer.telemetry.resources.requests.memory` | `1G` | |
| `mixer.telemetry.resources.limits.cpu` | `4800m` | `It is best to do horizontal scaling of mixer using moderate cpu allocation. We have experimentally found that these values work well.` |
| `mixer.telemetry.resources.limits.memory` | `4G` | |
| `mixer.telemetry.reportBatchMaxEntries` | `100` | `Set reportBatchMaxEntries to 0 to use the default batching behavior (i.e., every 100 requests). A positive value indicates the number of requests that are batched before telemetry data is sent to the mixer server` |
| `mixer.telemetry.reportBatchMaxTime` | `1s` | `Set reportBatchMaxTime to 0 to use the default batching behavior (i.e., every 1 second). A positive time value indicates the maximum wait time since the last request will telemetry data be batched before being sent to the mixer server` |
| `mixer.podAnnotations` | `{}` | |
| `mixer.nodeSelector` | `{}` | |
| `mixer.tolerations` | `[]` | |
| `mixer.podAntiAffinityLabelSelector` | `[]` | |
| `mixer.podAntiAffinityTermLabelSelector` | `[]` | |
| `mixer.adapters.kubernetesenv.enabled` | `true` | |
| `mixer.adapters.stdio.enabled` | `false` | |
| `mixer.adapters.stdio.outputAsJson` | `true` | |
| `mixer.adapters.prometheus.enabled` | `true` | |
| `mixer.adapters.prometheus.metricsExpiryDuration` | `10m` | |
| `mixer.adapters.useAdapterCRDs` | `false` | `Setting this to false sets the useAdapterCRDs mixer startup argument to false` |
## `nodeagent` options
| Key | Default Value | Description |
| --- | --- | --- |
| `nodeagent.enabled` | `false` | |
| `nodeagent.image` | `node-agent-k8s` | |
| `nodeagent.env.CA_PROVIDER` | `"Citadel"` | `name of authentication provider.` |
| `nodeagent.env.CA_ADDR` | `"istio-citadel:8060"` | `CA endpoint.` |
| `nodeagent.env.PLUGINS` | `""` | `names of authentication provider's plugins.` |
| `nodeagent.env.VALID_TOKEN` | `true` | |
| `nodeagent.nodeSelector` | `{}` | |
| `nodeagent.tolerations` | `[]` | |
| `nodeagent.podAntiAffinityLabelSelector` | `[]` | |
| `nodeagent.podAntiAffinityTermLabelSelector` | `[]` | |
## `pilot` options
| Key | Default Value | Description |
| --- | --- | --- |
| `pilot.enabled` | `true` | |
| `pilot.autoscaleEnabled` | `true` | |
| `pilot.autoscaleMin` | `1` | |
| `pilot.autoscaleMax` | `5` | |
| `pilot.rollingMaxSurge` | `100%` | |
| `pilot.rollingMaxUnavailable` | `25%` | |
| `pilot.image` | `pilot` | |
| `pilot.sidecar` | `true` | |
| `pilot.traceSampling` | `1.0` | |
| `pilot.enableProtocolSniffingForOutbound` | `true` | `if protocol sniffing is enabled for outbound` |
| `pilot.enableProtocolSniffingForInbound` | `false` | `if protocol sniffing is enabled for inbound` |
| `pilot.resources.requests.cpu` | `500m` | |
| `pilot.resources.requests.memory` | `2048Mi` | |
| `pilot.env.PILOT_PUSH_THROTTLE` | `100` | |
| `pilot.cpu.targetAverageUtilization` | `80` | |
| `pilot.nodeSelector` | `{}` | |
| `pilot.tolerations` | `[]` | |
| `pilot.podAnnotations` | `{}` | |
| `pilot.podAntiAffinityLabelSelector` | `[]` | |
| `pilot.podAntiAffinityTermLabelSelector` | `[]` | |
| `pilot.keepaliveMaxServerConnectionAge` | `30m` | `The following is used to limit how long a sidecar can be connected to a pilot. It balances out load across pilot instances at the cost of increasing system churn.` |
## `prometheus` options
| Key | Default Value | Description |
| --- | --- | --- |
| `prometheus.enabled` | `true` | |
| `prometheus.replicaCount` | `1` | |
| `prometheus.hub` | `docker.io/prom` | |
| `prometheus.image` | `prometheus` | |
| `prometheus.tag` | `v2.12.0` | |
| `prometheus.retention` | `6h` | |
| `prometheus.nodeSelector` | `{}` | |
| `prometheus.tolerations` | `[]` | |
| `prometheus.podAntiAffinityLabelSelector` | `[]` | |
| `prometheus.podAntiAffinityTermLabelSelector` | `[]` | |
| `prometheus.scrapeInterval` | `15s` | `Controls the frequency of prometheus scraping` |
| `prometheus.contextPath` | `/prometheus` | |
| `prometheus.ingress.enabled` | `false` | |
| `prometheus.ingress.hosts` | `prometheus.local` | `Used to create an Ingress record.` |
| `prometheus.service.annotations` | `{}` | |
| `prometheus.service.nodePort.enabled` | `false` | |
| `prometheus.service.nodePort.port` | `32090` | |
| `prometheus.security.enabled` | `true` | |
## `security` options
| Key | Default Value | Description |
| --- | --- | --- |
| `security.enabled` | `true` | |
| `security.replicaCount` | `1` | |
| `security.rollingMaxSurge` | `100%` | |
| `security.rollingMaxUnavailable` | `25%` | |
| `security.image` | `citadel` | |
| `security.selfSigned` | `true` | `indicate if self-signed CA is used.` |
| `security.createMeshPolicy` | `true` | |
| `security.nodeSelector` | `{}` | |
| `security.tolerations` | `[]` | |
| `security.podAnnotations` | `{}` | |
| `security.citadelHealthCheck` | `false` | |
| `security.workloadCertTtl` | `2160h` | `90*24hour = 2160h` |
| `security.env` | `{}` | `Environment variables that configure Citadel.` |
| `security.enableNamespacesByDefault` | `true` | `Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override labels are not found on a given namespace. For example: consider a namespace called "target", which has neither the "ca.istio.io/env" nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets for service accounts created in this "target" namespace, Citadel will defer to this option. If the value of this option is "true" in this case, secrets will be generated for the "target" namespace. If the value of this option is "false" Citadel will not generate secrets upon service account creation.` |
| `security.podAntiAffinityLabelSelector` | `[]` | |
| `security.podAntiAffinityTermLabelSelector` | `[]` | |
## `sidecarInjectorWebhook` options
| Key | Default Value | Description |
| --- | --- | --- |
| `sidecarInjectorWebhook.enabled` | `true` | |
| `sidecarInjectorWebhook.replicaCount` | `1` | |
| `sidecarInjectorWebhook.rollingMaxSurge` | `100%` | |
| `sidecarInjectorWebhook.rollingMaxUnavailable` | `25%` | |
| `sidecarInjectorWebhook.image` | `sidecar_injector` | |
| `sidecarInjectorWebhook.enableNamespacesByDefault` | `false` | |
| `sidecarInjectorWebhook.nodeSelector` | `{}` | |
| `sidecarInjectorWebhook.tolerations` | `[]` | |
| `sidecarInjectorWebhook.podAnnotations` | `{}` | |
| `sidecarInjectorWebhook.podAntiAffinityLabelSelector` | `[]` | |
| `sidecarInjectorWebhook.podAntiAffinityTermLabelSelector` | `[]` | |
| `sidecarInjectorWebhook.rewriteAppHTTPProbe` | `false` | `If true, webhook or istioctl injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled.` |
| `sidecarInjectorWebhook.neverInjectSelector` | `[]` | `You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or always skip the injection on pods that match that label selector, regardless of the global policy. See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/more-control-adding-exceptions` |
| `sidecarInjectorWebhook.alwaysInjectSelector` | `[]` | |
| `sidecarInjectorWebhook.injectedAnnotations` | `{}` | |
## `tracing` options
| Key | Default Value | Description |
| --- | --- | --- |
| `tracing.enabled` | `false` | |
| `tracing.provider` | `jaeger` | |
| `tracing.nodeSelector` | `{}` | |
| `tracing.tolerations` | `[]` | |
| `tracing.podAntiAffinityLabelSelector` | `[]` | |
| `tracing.podAntiAffinityTermLabelSelector` | `[]` | |
| `tracing.jaeger.hub` | `docker.io/jaegertracing` | |
| `tracing.jaeger.image` | `all-in-one` | |
| `tracing.jaeger.tag` | `1.16` | |
| `tracing.jaeger.podAnnotations` | `{}` | |
| `tracing.jaeger.memory.max_traces` | `50000` | |
| `tracing.jaeger.spanStorageType` | `badger` | `spanStorageType value can be "memory" and "badger" for all-in-one image` |
| `tracing.jaeger.persist` | `false` | |
| `tracing.jaeger.storageClassName` | `""` | |
| `tracing.jaeger.accessMode` | `ReadWriteMany` | |
| `tracing.zipkin.hub` | `docker.io/openzipkin` | |
| `tracing.zipkin.image` | `zipkin` | |
| `tracing.zipkin.tag` | `2.14.2` | |
| `tracing.zipkin.podAnnotations` | `{}` | |
| `tracing.zipkin.probeStartupDelay` | `200` | |
| `tracing.zipkin.queryPort` | `9411` | |
| `tracing.zipkin.resources.limits.cpu` | `300m` | |
| `tracing.zipkin.resources.limits.memory` | `900Mi` | |
| `tracing.zipkin.resources.requests.cpu` | `150m` | |
| `tracing.zipkin.resources.requests.memory` | `900Mi` | |
| `tracing.zipkin.javaOptsHeap` | `700` | |
| `tracing.zipkin.maxSpans` | `500000` | |
| `tracing.zipkin.node.cpus` | `2` | |
| `tracing.service.annotations` | `{}` | |
| `tracing.service.name` | `http` | |
| `tracing.service.type` | `ClusterIP` | |
| `tracing.service.externalPort` | `80` | |
| `tracing.ingress.enabled` | `false` | |
<!-- AUTO-GENERATED-END -->
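Review bot: the Description column deleted with this table holds guidance that should be confirmed present in operator.proto before the page goes away, in particular the rows for `security.enableNamespacesByDefault`, `security.workloadCertTtl`, `kiali.createDemoSecret` and `kiali.dashboard.viewOnlyMode`. The commit message itself says the protobuf may still need description fields, so either land those in istio/api first or link the archived page from the new reference. An alias from `/docs/reference/config/installation-options/` to the new reference would also keep inbound links resolving.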

View File

@ -43,7 +43,7 @@ At a high level, Mixer provides:
Policy enforcement and telemetry collection are entirely driven from configuration.
Policy check is disabled by default, avoiding the need to go through the Mixer policy component.
Refer to [Installation Options](/docs/reference/config/installation-options/) for more information.
Refer to [Installation Options](https://archive.istio.io/v1.4/docs/reference/config/installation-options/) for more information.
## Adapters
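Review bot: the sentence "Policy check is disabled by default" above the changed link describes current behaviour but is now backed only by the v1.4 archive. Name the option in the sentence (the table deleted in this commit lists `mixer.policy.enabled` with default `false`) so the claim does not depend on an archived page.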

View File

@ -274,7 +274,7 @@ $ istioctl manifest apply -f samples/operator/pilot-k8s.yaml
{{< /text >}}
{{< tip >}}
For backwards compatibility, the previous [Helm installation options](/docs/reference/config/installation-options/), with the exception of Kubernetes resource settings,
For backwards compatibility, the previous [Helm installation options](https://archive.istio.io/v1.4/docs/reference/config/installation-options/), with the exception of Kubernetes resource settings,
are also fully supported. To set them on the command line, prepend the option name with "`values.`".
For example, the following command overrides the `pilot.traceSampling` Helm configuration option:
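Review bot: the tip still says the previous Helm installation options are "fully supported", but the changed link now targets a page frozen at v1.4, so options added or dropped after 1.4 are not reflected there. Make the version explicit in the link text, for example "the Helm installation options as of 1.4".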
@ -505,7 +505,7 @@ $ istioctl manifest apply -f samples/operator/pilot-k8s.yaml
### Customize Istio settings using the Helm API
The `IstioOperator` API includes a pass-through interface to the [Helm API](/docs/reference/config/installation-options/)
The `IstioOperator` API includes a pass-through interface to the [Helm API](https://archive.istio.io/v1.4/docs/reference/config/installation-options/)
using the `values` field.
The following YAML file configures global and Pilot settings through the Helm API:
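Review bot: this sentence is about the `IstioOperator` API, so the natural link target is the istio.operator.v1alpha1 reference that the commit message names as the new source of truth, not the v1.4 archive. Link the `values` field to that reference and keep the archive link only as a secondary pointer for the Helm option names.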

View File

@ -48,7 +48,7 @@ You may also want to customize the
[format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log#format-rules) of the access log by editing `accessLogFormat`.
{{< tip >}}
All three of these parameters may also be configured via [install options](/docs/reference/config/installation-options/):
All three of these parameters may also be configured via [install options](https://archive.istio.io/v1.4/docs/reference/config/installation-options/):
{{< /tip >}}
* `values.global.proxy.accessLogFile`

View File

@ -17,7 +17,7 @@ the example application throughout this task.
## Before you begin
* [Install Istio](/docs/setup) in your cluster. If not enabled in your chosen configuration profile, enable the Grafana addon `--set values.grafana.enabled=true` [option](/docs/reference/config/installation-options/).
* [Install Istio](/docs/setup) in your cluster. If not enabled in your chosen configuration profile, enable the Grafana addon `--set values.grafana.enabled=true` [option](https://archive.istio.io/v1.4/docs/reference/config/installation-options/).
* Deploy [Bookinfo](/docs/examples/bookinfo/) application.
## Viewing the Istio dashboard

View File

@ -51,7 +51,7 @@ This task shows you how to access external services in three different ways:
## Envoy passthrough to external services
Istio has an [installation option](/docs/reference/config/installation-options/),
Istio has an [installation option](https://archive.istio.io/v1.4/docs/reference/config/installation-options/),
`global.outboundTrafficPolicy.mode`, that configures the sidecar handling
of external services, that is, those services that are not defined in Istio's internal service registry.
If this option is set to `ALLOW_ANY`, the Istio proxy lets calls to unknown services pass through.
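Review bot: `global.outboundTrafficPolicy.mode` decides whether sidecars let traffic to unregistered hosts pass through, and after this change its only reference is the v1.4 archive. State the version in the link text, or point to the current reference, so a reader hardening egress does not take the 1.4 page as describing the release they run.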
@ -294,7 +294,7 @@ If you want to completely bypass Istio for a specific IP range,
you can configure the Envoy sidecars to prevent them from
[intercepting](/docs/concepts/traffic-management/)
external requests. To set up the bypass, change either the `global.proxy.includeIPRanges`
or the `global.proxy.excludeIPRanges` [configuration option](/docs/reference/config/installation-options/) and
or the `global.proxy.excludeIPRanges` [configuration option](https://archive.istio.io/v1.4/docs/reference/config/installation-options/) and
update the `istio-sidecar-injector` configuration map using the `kubectl apply` command. This can also
be configured on a pod by setting corresponding [annotations](/docs/reference/config/annotations/) such as
`traffic.sidecar.istio.io/includeOutboundIPRanges`.

View File

@ -14,10 +14,10 @@ aliases:
## Traffic management
- **Improved** [locality based routing](/docs/ops/configuration/traffic-management/locality-load-balancing/) in multicluster environments.
- **Improved** outbound traffic policy in [`ALLOW_ANY` mode](/docs/reference/config/installation-options/#global-options). Traffic for unknown HTTP/HTTPS hosts on an existing port will be [forwarded as is](/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services). Unknown traffic will be logged in Envoy access logs.
- **Improved** outbound traffic policy in [`ALLOW_ANY` mode](https://archive.istio.io/v1.2/docs/reference/config/installation-options/#global-options). Traffic for unknown HTTP/HTTPS hosts on an existing port will be [forwarded as is](/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services). Unknown traffic will be logged in Envoy access logs.
- **Added** support for setting HTTP idle timeouts to upstream services.
- **Improved** Sidecar support for [NONE mode](/docs/reference/config/networking/sidecar/#CaptureMode) (without iptables) .
- **Added** ability to configure the [DNS refresh rate](/docs/reference/config/installation-options/#global-options) for sidecar Envoys, to reduce the load on the DNS servers.
- **Added** ability to configure the [DNS refresh rate](https://archive.istio.io/v1.2/docs/reference/config/installation-options/#global-options) for sidecar Envoys, to reduce the load on the DNS servers.
- **Graduated** [Sidecar API](/docs/reference/config/networking/sidecar/) from Alpha to Alpha API and Beta runtime.
## Security
@ -55,7 +55,7 @@ aliases:
- **Added** pod [anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) and [toleration](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) support to all of our control plane components.
- **Added** `sidecarInjectorWebhook.neverInjectSelector` and `sidecarInjectorWebhook.alwaysInjectSelector` to allow users to further refine whether workloads should have sidecar automatically injected or not, based on label selectors.
- **Added** `global.logging.level` and `global.proxy.logLevel` to allow users to easily configure logs for control plane and data plane components globally.
- **Added** support to configure the Datadog location via [`global.tracer.datadog.address`](/docs/reference/config/installation-options/#global-options).
- **Added** support to configure the Datadog location via [`global.tracer.datadog.address`](https://archive.istio.io/v1.2/docs/reference/config/installation-options/#global-options).
- **Removed** Previously [deprecated]( https://discuss.istio.io/t/deprecation-notice-custom-mixer-adapter-crds/2055) Adapter and Template CRDs are disabled by default. Use `mixer.templates.useTemplateCRDs=true` and `mixer.adapters.useAdapterCRDs=true` install options to re-enable them.
Refer to the [installation option change page](/news/releases/1.2.x/announcing-1.2/helm-changes/) to view the complete list of changes.
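Review bot: pinning these release notes to the v1.2 archive is the right choice, but the unchanged `**Removed**` line in this block still has a space after the opening parenthesis in `[deprecated]( https://`, which is worth fixing in the same pass.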

View File

@ -25,7 +25,7 @@ Both Istio gateways and sidecars are vulnerable to this issue. If you are runnin
## Mitigation
* Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in [installation options](/docs/reference/config/installation-options/#pilot-options) ), using Helm to override the following options:
* Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in [installation options](https://archive.istio.io/v1.3/docs/reference/config/installation-options/#pilot-options) ), using Helm to override the following options:
{{< text plain >}}
--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
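Review bot: the changed link implies the workaround options are documented under `#pilot-options`, but the pilot table deleted elsewhere in this commit lists only `pilot.env.PILOT_PUSH_THROTTLE` under `pilot.env`, and `global.proxy.protocolDetectionTimeout` is a global option. Check that the v1.3 archive page documents both options, or reword the link text so it refers to how options are overridden. The stray space before the closing parenthesis in `#pilot-options) )` can go at the same time.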

View File

@ -1,372 +0,0 @@
#!/usr/bin/python
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import collections
import linecache
import requests
import string
import sys
import os
import re
from ruamel import yaml
#
# This script generates the installation options from the helm charts
# for the current release (by parsing the values.yaml files under the
# charts and subcharts directory).
#
#
# Reads a documented Helm values.yaml file and produces a
# MD formatted table. pip install ruamel to obtain the proper
# YAML decoder. ruamel maintains ordering and comments. The
# comments are needed in order to decode the commented helm
# values.yaml file
#
ISTIO_CONFIG_DIR = "install/kubernetes/helm/istio"
YAML_CONFIG_DIR = ISTIO_CONFIG_DIR + "/charts"
VALUES_YAML = "values.yaml"
CONFIG_INDEX_DIR = "content/en/docs/reference/config/installation-options/index.md"
ISTIO_REPO = "https://github.com/istio/istio.git@master"
ISTIO_LOCAL_REPO = "istio-repo"
def downloadIstioRepo():
repoInfo = ISTIO_REPO.split('@')
repo_url = repoInfo[0]
repo_release = repoInfo[1]
curl_command = "git clone --depth=1 -q -b %s %s %s"
status = os.system(curl_command % (repo_release, repo_url, ISTIO_LOCAL_REPO))
if status != 0:
print("An error occured trying to clone Istio repo for release: %s." % releaseName)
exit()
def deleteIstioRepo():
os.system("rm -rf %s" % ISTIO_LOCAL_REPO)
def endOfTheList(context, lineNum, lastLineNum, totalNum):
flag = 0
valueList = []
nextLineNum = lineNum + 1
currentLine = context[lastLineNum]
whitespaces = (len(currentLine) - len(currentLine.lstrip())) / 2
if lineNum != lastLineNum:
return False, valueList
for nextLineNum in range(lineNum + 1, totalNum):
nextLine = context[nextLineNum]
if len(nextLine.lstrip()) != 0 and '#' != nextLine.lstrip()[0] and ':' in nextLine:
if whitespaces >= (len(nextLine) - len(nextLine.lstrip())) / 2:
if flag == 0:
valueList.append(currentLine.split(':', 1)[1].strip())
return True, valueList
else:
return True, valueList
elif len(nextLine.lstrip()) != 0 and '#' != nextLine.lstrip()[0] and ':' not in nextLine and len(nextLine.strip()) != 0:
value = nextLine.replace(' ', '')
valueList.append(value.lstrip('-').strip())
flag += 1
nextLineNum += 1
if lastLineNum == totalNum - 1 and len(currentLine.lstrip()) != 0 and '#' != currentLine.lstrip()[0]:
valueList.append(currentLine.split(':', 1)[1].strip())
return True, valueList
prdict = collections.defaultdict(list)
def decode_helm_yaml(s):
ret_val = ''
#
# Iterate through all the directories under /istio/install/kubernetes/helm/subcharts
# and process the configuration options from the respective values.yaml. The
# configuration option name is the name of the directory that contains values.yaml.
# This name will be passed in to the the function process_helm_yaml
#
subchart_dir = os.path.join(ISTIO_LOCAL_REPO, YAML_CONFIG_DIR)
for cfile in os.listdir(subchart_dir):
values_yaml_dir = os.path.join(subchart_dir, cfile)
values_yaml_file = os.path.join(values_yaml_dir, VALUES_YAML)
process_helm_yaml(values_yaml_file, cfile)
#
# Process configuration options in values.yaml under istio/install/kubernetes/helm/istio.
# The configuration option names are present in the values.yaml, hence we do not need to
# pass it to process_helm_yaml.
#
istio_yaml_config_dir = os.path.join(ISTIO_LOCAL_REPO, ISTIO_CONFIG_DIR)
values_yaml_file = os.path.join(istio_yaml_config_dir, VALUES_YAML)
process_helm_yaml(values_yaml_file, '')
return ret_val
def process_helm_yaml(values_yaml, option):
ret_val = ''
storekey = ''
desc = ''
newkey = ''
whitespaces = 0
flag = 0
lineNum = 0
newConfigList = []
loaded = None
context = linecache.getlines(values_yaml)
totalNum = len(context)
lastLineNum = 0
key = option
count = 0
with open(values_yaml, 'r') as f_v:
d_v = f_v.read()
loaded = yaml.round_trip_load(d_v)
for lineNum in range(0, totalNum):
if context[lineNum].strip().startswith('- '):
pass
elif '#' in context[lineNum] and '#' == context[lineNum].lstrip()[0]:
if "Description: " in context[lineNum]:
desc = context[lineNum].strip()
elif ':' in context[lineNum] and '#' != context[lineNum].lstrip()[0]:
lastLineNum = lineNum
if flag == 1:
whitespaces = (len(context[lineNum]) - len(context[lineNum].lstrip())) / 2
periods = key.count('.')
if (option == ''):
while (whitespaces <= periods):
key = key.rstrip(string.ascii_letters[::-1] + string.digits + '_' + '-' + '/').rstrip('.')
whitespaces += 1
else:
while (whitespaces < periods):
key = key.rstrip(string.ascii_letters[::-1] + string.digits + '_' + '-' + '/').rstrip('.')
whitespaces += 1
flag = 0
key = key + '.' + context[lineNum].split(':', 1)[0].strip()
isEnd, ValueList = endOfTheList(context, lineNum, lastLineNum, totalNum)
if isEnd:
flag = 1
storekey = key
sk = storekey.split('.', 2)
if len(sk) > 1:
storekey = '.'.join(sk[:1]).lstrip('.')
else:
storekey = '.'.join(sk[:0]).lstrip('.')
#
# If we are processing the configurations options within the values.yaml under istio,
# if the options have already been processed (from the subcharts directory), then we
# do not want to process it again. If the configuration option has not been processed
# before, then it is a new configuration option which needs to be processed (for e.g,
# global, istiocoredns)
#
# option == '' - This condition means that we are looking at the values.yaml under the
# istio directory. Hence, the configuration option names will be inside
# the values.yaml file. (On the other hand, for the values.yaml file under
# the subcharts directory, we get the name of the configuration option
# from the name of the directories under the subcharts directory.)
# newConfigList - This list is used to track configuration options in istio/values.yaml
# that haven't been processed before (or that does not have a corresponding
# directory under subcharts directory with values.yaml. E.g: global,
# istiocoredns)
#
# This first condition checks that if this is the values.yaml file under istio directory,
# and the configuration option to process (storekey) has not already been processed (this
# conditions: "prdict.get(storekey) != None and (storekey in newConfigList)" together
# makes sure that the condition where some parameters for a new configuration option like
# 'global' has been processed and entered into the dictionary 'prdict' is still processed
# because it is in the newConfigList. If a configuration option was processed from
# the values.yaml under the subcharts directory, it will not be in the newConfigList.
# subcharts directory), then go ahead and process the parameters for this option.
#
if option == '' and prdict.get(storekey) is not None and (storekey in newConfigList):
pass
#
# This second condition checks if this is the values.yaml file under istio directory, and
# the configuration option to process (storekey) has not been processed (this could
# happen the first time we read a configuration option from the istio/values.yaml file),
# then add this configuration option to the newConfigList to mark it as an option that
# needs to be processed.
#
elif option == '' and prdict.get(storekey) is None:
newConfigList.append(storekey)
#
# This third condition checks if this is the values.yaml file under istio directory,
# and the configuration option to process (storekey) has already been processed and if
# this is not a new configuration option, (this could happen if we have already
# processed the corresponding values.yaml under the subcharts directory), then ignore
# this configuration option and do not process the values in this file.
#
elif option == '' and prdict.get(storekey) is not None:
continue
if len(context[lastLineNum].lstrip()) != 0 and '#' != context[lastLineNum].lstrip()[0]:
isEnd, ValueList = endOfTheList(context, lineNum, lastLineNum, totalNum)
if (isEnd):
flag = 1
keysplit = key.split('.')
for kv in keysplit:
if kv != '':
newkey = newkey + '.' + kv
newkey = newkey.lstrip('.')
# Filling Description Fields
if ("." in newkey):
plist = newkey.split('.')
da = None
for item in plist:
desc = ''
# If this is the same as the configuration option name, then
# continue to the next key in the list
if item.rstrip() == option.rstrip():
continue
if da is None:
if loaded.ca.items:
if item in loaded.ca.items:
desc = processComments(loaded.ca.items[item])
da = loaded[item]
elif isinstance(da, dict):
if item in da.keys()[0]:
commentTokens = da.ca.comment
if commentTokens is not None:
desc = processComments(commentTokens)
if da.ca.items:
if item in da.ca.items:
desc = desc + processComments(da.ca.items[item])
da = da[item]
else:
if item in da.keys():
da = da.get(item)
else:
da = da.values()[0]
ValueStr = (' ').join(ValueList)
if ValueStr:
if (desc in ValueStr):
ValueStr = ValueStr.replace("#" + desc, "")
desc = desc.replace('`', '')
desc = sanitizeValueStr(desc)
if desc.strip():
desc = '`' + desc.strip() + '`'
prdict[storekey].append("| `%s` | `%s` | %s |" % (newkey, ValueStr.rstrip(), desc))
desc = ''
key = newkey
newkey = ''
lineNum += 1
return ret_val
def processComments(comments):
description = ''
for c in comments:
if c is None:
pass
elif isinstance(c, list):
for comment in c:
if (comment is None):
pass
else:
# We want to avoid including commented out key: value pairs in the values.yaml as
# part of the description/comments. For example:
# # minAvailable: 1
# # maxUnavailable: 1
# # - secretName: grafana-tls
# sessionAffinityEnabled: false
# We do not want the commented out key-value pairs (minAvailable,maxUnavailable, secretName)
# to be included as part of the description for 'sessionAffinityEnabled'
#
pattern = re.compile(r"#\s[-\s]*[\S]+:(?:\s(?!\S+:)\S+)*")
groups = pattern.match(comment.value)
if groups:
description = ''
break
if comment.value.endswith('\n\n'):
description = ''
else:
if comment.value.rstrip() == '#':
continue
else:
description = description + comment.value.replace('`', '').replace("#", '').rstrip()
elif isinstance(c, yaml.Token):
description = description + c.value.rstrip().replace("#", '')
return description
def sanitizeValueStr(value):
# We can include more special characters later if they need to
# be escaped. For now just including the 'pipe' symbol appearing
# in the value of a configuration option.
# e.g: | `global.tracer.lightstep.secure` | `true # example: true\|false` | |
#
# Without escaping the 'pipe' character, it was interpreting it as the end/start
# of table column. Using the example above, without escaping the pipe symbol, it
# was interpreting it as:
# | `global.tracer.lightstep.secure` | `true # example: true |false` | |
#
regex = re.compile(r"\|")
if value is not None and regex.search(value) is not None:
value = value.replace("|", r"\|")
return value
downloadIstioRepo()
# transform values.yaml into a encoded string dictionary
pyaml = yaml.YAML()
pyaml.explicit_start = True
pyaml.dump('', sys.stdout, transform=decode_helm_yaml)
# Order the encoded string dictionary
od = collections.OrderedDict(sorted(prdict.items(), key=lambda t: t[0]))
indexFile = open(CONFIG_INDEX_DIR, 'r+')
meta = ""
for d in indexFile:
meta = meta + d
if "<!-- AUTO-GENERATED-START -->" in d:
break
indexFile.seek(0)
indexFile.write(meta)
# Print encoded string dictionary
for k, v in od.items():
indexFile.write("## `%s` options\n" % k)
indexFile.write('\n| Key | Default Value | Description |\n')
indexFile.write('| --- | --- | --- |\n')
for value in v:
indexFile.write('%s\n' % (value))
indexFile.write('\n')
indexFile.write("\n<!-- AUTO-GENERATED-END -->\n")
indexFile.truncate()
indexFile.close()
deleteIstioRepo()
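Review bot: once this script is gone, nothing regenerates the block between `<!-- AUTO-GENERATED-START -->` and `<!-- AUTO-GENERATED-END -->` that the removed tail wrote into `CONFIG_INDEX_DIR` (from `indexFile = open(CONFIG_INDEX_DIR, 'r+')` onward). If the installation-options `index.md` is kept, its tables become frozen snapshots of the old Helm values. Please confirm the page is deleted or replaced by a redirect to the operator reference in this same change, and check for inbound links to the generated per-component "options" headings. The commit message should also say that the generated page is retired, not only the generator.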

View File

@ -1,615 +0,0 @@
#!/usr/bin/python
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import collections
import linecache
import string
import sys
import os
import re
import requests
from ruamel import yaml
#
# This script generates the installation option differences between the
# current release and the previous release. It generates the index.md content for
# the current release from the values.yaml files under the charts and subcharts
# directory and compares the configuration options against the index.md from
# the previous release (It gets the previous release version from the github api:
# https://api.github.com/repos/istio/istio/branches).
#
#
# Reads a documented Helm values.yaml file and produces a
# MD formatted table. pip install ruamel to obtain the proper
# YAML decoder. ruamel maintains ordering and comments. The
# comments are needed in order to decode the commented helm
# values.yaml file
#
ISTIO_CONFIG_DIR = "istio/install/kubernetes/helm/istio"
YAML_CONFIG_DIR = ISTIO_CONFIG_DIR + "/charts"
VALUES_YAML = "values.yaml"
ISTIO_IO_DIR = os.path.abspath(__file__ + "/../../")
CONFIG_INDEX_DIR = "content/en/docs/reference/config/installation-options/index.md"
CONFIG_INDEX_DIFF_DIR = "content/en/docs/reference/config/installation-options-changes/index.md"
CONFIG_IGNORE_LIST = ["global.hub"]
def endOfTheList(context, lineNum, lastLineNum, totalNum):
flag = 0
valueList = []
nextLineNum = lineNum + 1
currentLine = context[lastLineNum]
whitespaces = (len(currentLine) - len(currentLine.lstrip())) / 2
if lineNum != lastLineNum:
return False, valueList
for nextLineNum in range(lineNum + 1, totalNum):
nextLine = context[nextLineNum]
if len(nextLine.lstrip()) != 0 and '#' != nextLine.lstrip()[0] and ':' in nextLine:
if whitespaces >= (len(nextLine) - len(nextLine.lstrip())) / 2:
if flag == 0:
valueList.append(currentLine.split(':', 1)[1].strip())
return True, valueList
else:
return True, valueList
elif len(nextLine.lstrip()) != 0 and '#' != nextLine.lstrip()[0] and ':' not in nextLine and len(nextLine.strip()) != 0:
value = nextLine.replace(' ', '')
valueList.append(value.lstrip('-').strip())
flag += 1
nextLineNum += 1
if lastLineNum == totalNum - 1 and len(currentLine.lstrip()) != 0 and '#' != currentLine.lstrip()[0]:
valueList.append(currentLine.split(':', 1)[1].strip())
return True, valueList
# ordered dictionary to store the configuration options for the subcomponents of Istio. This
# will be used to populate a new index.md
prdict = collections.defaultdict(list)
# ordered dictionary to store the differences of configuration options between the new
# index.md and the previous version (i.e, configurations options already listed in the index.md).
od_diff = collections.defaultdict(list)
od_diff_new = collections.defaultdict(list)
od_diff_removed = collections.defaultdict(list)
od_diff_unchanged = collections.defaultdict(list)
def decode_helm_yaml(s):
ret_val = ''
#
# Iterate through all the directories under /istio/install/kubernetes/heml/subcharts
# and process the configuration options from the respective values.yaml. The
# configuration option name is the name of the directory that contains values.yaml.
# This name will be passed in to the the function process_helm_yaml
#
subchart_dir = os.path.join(ISTIO_IO_DIR, YAML_CONFIG_DIR)
for cfile in os.listdir(subchart_dir):
values_yaml_dir = os.path.join(subchart_dir, cfile)
values_yaml_file = os.path.join(values_yaml_dir, VALUES_YAML)
process_helm_yaml(values_yaml_file, cfile)
#
# Process configuration options in values.yaml under istio/install/kubernetes/helm/istio.
# The configuration option names are present in the values.yaml, hence we do not need to
# pass it to process_helm_yaml.
#
istio_yaml_config_dir = os.path.join(ISTIO_IO_DIR, ISTIO_CONFIG_DIR)
values_yaml_file = os.path.join(istio_yaml_config_dir, VALUES_YAML)
process_helm_yaml(values_yaml_file, '')
return ret_val
def process_helm_yaml(values_yaml, option):
ret_val = ''
storekey = ''
desc = ''
newkey = ''
whitespaces = 0
flag = 0
lineNum = 0
newConfigList = []
loaded = None
context = linecache.getlines(values_yaml)
totalNum = len(context)
lastLineNum = 0
key = option
count = 0
with open(values_yaml, 'r') as f_v:
d_v = f_v.read()
loaded = yaml.round_trip_load(d_v)
for lineNum in range(0, totalNum):
if context[lineNum].strip().startswith('- '):
pass
elif '#' in context[lineNum] and '#' == context[lineNum].lstrip()[0]:
if "Description: " in context[lineNum]:
desc = context[lineNum].strip()
elif ':' in context[lineNum] and '#' != context[lineNum].lstrip()[0]:
lastLineNum = lineNum
if flag == 1:
whitespaces = (len(context[lineNum]) - len(context[lineNum].lstrip())) / 2
periods = key.count('.')
if (option == ''):
while (whitespaces <= periods):
key = key.rstrip(string.ascii_letters[::-1] + string.digits + '_' + '-' + '/').rstrip('.')
whitespaces += 1
else:
while (whitespaces < periods):
key = key.rstrip(string.ascii_letters[::-1] + string.digits + '_' + '-' + '/').rstrip('.')
whitespaces += 1
flag = 0
key = key + '.' + context[lineNum].split(':', 1)[0].strip()
isEnd, ValueList = endOfTheList(context, lineNum, lastLineNum, totalNum)
if isEnd:
flag = 1
storekey = key
sk = storekey.split('.', 2)
if len(sk) > 1:
storekey = '.'.join(sk[:1]).lstrip('.')
else:
storekey = '.'.join(sk[:0]).lstrip('.')
#
# If we are processing the configurations options within the values.yaml under istio,
# if the options have already been processed (from the subcharts directory), then we
# do not want to process it again. If the configuration option has not been processed
# before, then it is a new configuration option which needs to be processed (for e.g,
# global, istiocoredns)
#
# option == '' - This condition means that we are looking at the values.yaml under the
# istio directory. Hence, the configuration option names will be inside
# the values.yaml file. (On the other hand, for the values.yaml file under
# the subcharts directory, we get the name of the configuration option
# from the name of the directories under the subcharts directory.)
# newConfigList - This list is used to track configuration options in istio/values.yaml
# that haven't been processed before (or that does not have a corresponding
# directory under subcharts directory with values.yaml. E.g: global,
# istiocoredns)
#
# This first condition checks that if this is the values.yaml file under istio directory,
# and the configuration option to process (storekey) has not already been processed (this
# conditions: "prdict.get(storekey) != None and (storekey in newConfigList)" together
# makes sure that the condition where some parameters for a new configuration option like
# 'global' has been processed and entered into the dictionary 'prdict' is still processed
# because it is in the newConfigList. If a configuration option was processed from
# the values.yaml under the subcharts directory, it will not be in the newConfigList.
# subcharts directory), then go ahead and process the parameters for this option.
#
if option == '' and prdict.get(storekey) is not None and (storekey in newConfigList):
pass
#
# This second condition checks if this is the values.yaml file under istio directory, and
# the configuration option to process (storekey) has not been processed (this could
# happen the first time we read a configuration option from the istio/values.yaml file),
# then add this configuration option to the newConfigList to mark it as an option that
# needs to be processed.
#
elif option == '' and prdict.get(storekey) is None:
newConfigList.append(storekey)
#
# This third condition checks if this is the values.yaml file under istio directory,
# and the configuration option to process (storekey) has already been processed and if
# this is not a new configuration option, (this could happen if we have already
# processed the corresponding values.yaml under the subcharts directory), then ignore
# this configuration option and do not process the values in this file.
#
elif option == '' and prdict.get(storekey) is not None:
continue
if len(context[lastLineNum].lstrip()) != 0 and '#' != context[lastLineNum].lstrip()[0]:
isEnd, ValueList = endOfTheList(context, lineNum, lastLineNum, totalNum)
if (isEnd):
flag = 1
keysplit = key.split('.')
for kv in keysplit:
if kv != '':
newkey = newkey + '.' + kv
newkey = newkey.lstrip('.')
# Filling Description Fields
if ("." in newkey):
plist = newkey.split('.')
da = None
for item in plist:
desc = ''
# If this is the same as the configuration option name, then
# continue to the next key in the list
if item.rstrip() == option.rstrip():
continue
if da is None:
if loaded.ca.items:
if item in loaded.ca.items:
desc = processComments(loaded.ca.items[item])
da = loaded[item]
elif isinstance(da, dict):
if item in da.keys()[0]:
commentTokens = da.ca.comment
if commentTokens is not None:
desc = processComments(commentTokens)
if da.ca.items:
if item in da.ca.items:
desc = desc + processComments(da.ca.items[item])
da = da[item]
else:
if item in da.keys():
da = da.get(item)
else:
da = da.values()[0]
ValueStr = (' ').join(ValueList)
if ValueStr:
if (desc in ValueStr):
ValueStr = ValueStr.replace("#" + desc, "")
desc = desc.replace('`', '')
desc = sanitizeValueStr(desc)
if desc.strip():
desc = '`' + desc.strip() + '`'
prdict[storekey].append("| `%s` | `%s` | %s |" % (newkey, ValueStr.rstrip(), desc))
desc = ''
key = newkey
newkey = ''
lineNum += 1
return ret_val
def processComments(comments):
description = ''
for c in comments:
if c is None:
pass
elif isinstance(c, list):
for comment in c:
if (comment is None):
pass
else:
# We want to avoid including commented out key: value pairs in the values.yaml as
# part of the description/comments. For example:
# # minAvailable: 1
# # maxUnavailable: 1
# # - secretName: grafana-tls
# sessionAffinityEnabled: false
# We do not want the commented out key-value pairs (minAvailable,maxUnavailable, secretName)
# to be included as part of the description for 'sessionAffinityEnabled'
#
pattern = re.compile(r"#\s[-\s]*[\S]+:(?:\s(?!\S+:)\S+)*")
groups = pattern.match(comment.value)
if groups:
description = ''
break
if comment.value.endswith('\n\n'):
description = ''
else:
if comment.value.rstrip() == '#':
continue
else:
description = description + comment.value.replace('`', '').replace("#", '').rstrip()
elif isinstance(c, yaml.Token):
description = description + c.value.rstrip().replace("#", '')
return description
def sanitizeValueStr(value):
# We can include more special characters later if they need to
# be escaped. For now just including the 'pipe' symbol appearing
# in the value of a configuration option.
# e.g: | `global.tracer.lightstep.secure` | `true # example: true\|false` | |
#
# Without escaping the 'pipe' character, it was interpreting it as the end/start
# of table column. Using the example above, without escaping the pipe symbol, it
# was interpreting it as:
# | `global.tracer.lightstep.secure` | `true # example: true |false` | |
#
regex = re.compile(r"\|")
if value is not None and regex.search(value) is not None:
value = value.replace("|", r"\|")
return value
# Compares the configuration option value from the newly discovered set of values (stored
# in prdict dictionary) and its previous version (stored in index.md). If there is no
# change in the configuration option value between the 2 versions, it will be ignored. If
# there are any differences, we will store the differences (will track differences for key,
# value and description of a configuration option) in the 'od_diff' dictionary. The values
# stored in this dictionary will later be written to CONFIG_INDEX_DIFF_DIR.
#
# The difference between the configuration option values is stored in the CONFIG_INDEX_DIFF_DIR
# in the format:
# | KEY | OLD DEFAULT VALUE | NEW DEFAULT VALUE | OLD DESCRIPTION | NEW DESCRIPTION |
# | ------ | ------------ | ------------ | ------------ | ------------ |
# | Key | oldValue | newValue | oldDesc | newDesc |
#
# If a configuration option is present only in the latest version, then the oldKey, oldValue
# and oldDescription will be represented as 'n/a' (vice-versa applies to newKey, newValue and
# newDescription).
#
# oValue - configuration option from the existing index.md
# nValue - configuration option from the current processing of configuration options to be
# stored in a new version of index.md
# k - istio component name for which these configuration options are being processed. This is
# used to populate the contents of 'od_diff' dictionary.
#
def compareValues(oValue, nValue, k):
# oValue and nVAlue contains configuration option in the format:
# '| `<Key>` | `<Value>` | `<Description>` |
# This needs to be split in order to get the Key, Value and Description values to compare.
oldKey = ''
oldValue = ''
oldDesc = ''
newKey = ''
newValue = ''
newDesc = ''
key = None
if nValue is not None:
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \| (.*) |", nValue.strip())
if groups:
newKey = groups.group(1)
newValue = groups.group(2)
newDesc = groups.group(3)
if oValue is not None and nValue is not None:
if len(oValue) == 1:
item = oValue[0]
if item == nValue:
key = newKey
oValue.remove(item)
od_diff_unchanged[k].append("| `%s` | `%s` | %s |" % (newKey, newValue.rstrip(), newDesc))
else:
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \|\s*(.*)\s*\|", item.strip())
if groups:
oldKey = groups.group(1)
oldValue = groups.group(2)
oldDesc = groups.group(3)
key = oldKey
if oldKey in CONFIG_IGNORE_LIST:
oValue.remove(item)
return key
if oldValue != newValue:
if oldValue is None:
oldValue = 'n/a'
if newValue is None:
newValue = 'n/a'
if oldDesc.strip() != newDesc.strip():
if (newDesc is None or newDesc == '') and (oldDesc is None or oldDesc == ''):
pass
if oldDesc is None:
oldDesc = 'n/a'
if newDesc is None or newDesc == '':
newDesc = 'n/a'
oValue.remove(item)
od_diff[k].append("| `%s` | `%s` | `%s` | %s | %s |" % (newKey, oldValue.rstrip(), newValue.rstrip(), oldDesc, newDesc))
else:
# This is the case where values are the same but descriptions are different. Right now, there is nothing more to do since
# we do not care about displaying values that haven't changed between releases.
oValue.remove(item)
#od_diff_unchanged[k].append("| `%s` | `%s` | %s |" % (newKey, newValue.rstrip(), newDesc))
else:
foundItem = 'false'
for item in oValue:
if item == nValue:
key = newKey
oValue.remove(item)
od_diff_unchanged[k].append("| `%s` | `%s` | %s |" % (newKey, newValue.rstrip(), newDesc))
foundItem = 'true'
break
else:
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \|\s*(.*)\s*\|", item.strip())
if groups:
oldKey = groups.group(1)
oldValue = groups.group(2)
oldDesc = groups.group(3)
if oldKey == newKey:
if oldValue == newValue and oldDesc != newDesc:
key = newKey
od_diff[k].append("| `%s` | `%s` | `%s` | %s | %s |" % (newKey, oldValue.rstrip(), newValue.rstrip(), oldDesc, newDesc))
oValue.remove(item)
foundItem = 'true'
break
if foundItem == 'false':
od_diff_new[k].append("| `%s` | `%s` | %s |" % (newKey, newValue.rstrip(), newDesc))
elif oValue is None:
key = newKey
od_diff_new[k].append("| `%s` | `%s` | %s |" % (newKey, newValue.rstrip(), newDesc))
elif nValue is None:
for item in oValue:
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \|\s*(.*)\s*\|", item.strip())
if groups:
oldKey = groups.group(1)
oldValue = groups.group(2)
oldDesc = groups.group(3)
key = oldKey
od_diff_removed[k].append("| `%s` | `%s` | %s |" % (oldKey, oldValue.rstrip(), oldDesc))
return key
#
# Get the previous release number so that we can retrieve the index.md for that
# release. The release branches are tagged in the following format: release-<number>
#
def getPreviousRelease():
req = requests.get("https://api.github.com/repos/istio/istio/branches")
jsonData = req.json()
previousRelease = 0.0
for x in jsonData:
releaseName = x['name']
if releaseName.startswith('release-'):
releaseNum = releaseName.split('release-')
if releaseNum[1] > previousRelease:
previousRelease = releaseNum[1]
return previousRelease
#
# Get the index.md for the previous release.
#
def getContentFromPreviousRelease(releaseName):
istio_url = 'https://raw.githubusercontent.com/istio/istio.io/release-' + releaseName + '/content/en/docs/reference/config/installation-options/index.md'
req = requests.get(istio_url)
content = req.text
indexMap = collections.defaultdict(list)
# store all the configurations options from the index.md file into the indexMap
# dictionary. This will be used to compare the values with the latest version
# of configuration options.
data = content.split('\n')
for d in data:
if d.rstrip() != '' and d != '| Key | Default Value | Description |' and d != '| --- | --- | --- |' and d[0:1] == '|' and d[-1] == '|':
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \| (.*) |", d.strip())
if groups:
key = groups.group(1)
if key in indexMap:
value = indexMap.get(key)
value.append(d.strip())
else:
indexMap[key].append(d.strip())
return indexMap
def writeVersionDiffs(index_diff_file):
meta = ""
for d in index_diff_file:
meta = meta + d
if "<!-- AUTO-GENERATED-START -->" in d:
break
index_diff_file.seek(0)
index_diff_file.write(meta)
'''
if od_diff_unchanged:
index_diff_file.write('\n## Unmodified configuration options\n')
for k, v in od_diff_unchanged.items():
index_diff_file.write("\n### Unmodified `%s` key/value pairs\n\n" % k)
index_diff_file.write('| Key | Default Value | Description |\n')
index_diff_file.write('| --- | --- | --- |\n')
for value in v:
index_diff_file.write('%s\n' % (value))
'''
if od_diff:
index_diff_file.write('\n## Modified configuration options\n')
for k, v in od_diff.items():
index_diff_file.write("\n### Modified `%s` key/value pairs\n\n" % k)
index_diff_file.write('| Key | Old Default Value | New Default Value | Old Description | New Description |\n')
index_diff_file.write('| --- | --- | --- | --- | --- |\n')
for value in v:
index_diff_file.write('%s\n' % (value))
if od_diff_new:
index_diff_file.write('\n## New configuration options\n')
for k, v in od_diff_new.items():
index_diff_file.write("\n### New `%s` key/value pairs\n\n" % k)
index_diff_file.write('| Key | Default Value | Description |\n')
index_diff_file.write('| --- | --- | --- |\n')
for value in v:
index_diff_file.write('%s\n' % (value))
if od_diff_removed:
index_diff_file.write('\n## Removed configuration options\n')
for k, v in od_diff_removed.items():
index_diff_file.write("\n### Removed `%s` key/value pairs\n\n" % k)
index_diff_file.write('| Key | Default Value | Description |\n')
index_diff_file.write('| --- | --- | --- |\n')
for value in v:
index_diff_file.write('%s\n' % (value))
index_diff_file.write("\n<!-- AUTO-GENERATED-END -->\n")
index_diff_file.truncate()
with open(os.path.join(ISTIO_IO_DIR, CONFIG_INDEX_DIR), 'r') as f:
endReached = False
key = ''
# A list used to track the configuration options that has been compared and processed when going
# through the configurations processed in the latest version
indexList = []
previousRelease = getPreviousRelease()
indexMap = getContentFromPreviousRelease(previousRelease)
# transform values.yaml into a encoded string dictionary
pyaml = yaml.YAML()
pyaml.explicit_start = True
pyaml.dump('', sys.stdout, transform=decode_helm_yaml)
# Order the encoded string dictionary
od = collections.OrderedDict(sorted(prdict.items(), key=lambda t: t[0]))
# Print encoded string dictionary
for k, v in od.items():
for value in v:
# Compare configuration option values from the latest version
# with the older version.
groups = re.search(r"\| \`(.*)\` \| \`(.*)\` \| (.*) |", value.strip())
if groups:
key = groups.group(1)
indexValue = indexMap.get(key)
indexList.append(compareValues(indexValue, value, k))
# We want to include any configuration options that was discovered in
# the older version but not available in the current version
for k in indexMap.keys():
key = k.split('.')[0]
indexList.append(compareValues(indexMap.get(k), None, key))
# This index.md file is used to track the differences of configuration
# option values between the current and previous release. All the
# differences in configuration option values between the current
# and previous release (tracked in the 'od_diff' dictionary) will be
# written to the index.md file
index_diff_file = open(os.path.join(ISTIO_IO_DIR, CONFIG_INDEX_DIFF_DIR), 'r+')
writeVersionDiffs(index_diff_file)
index_diff_file.close()
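Review bot: this removal leaves `CONFIG_INDEX_DIFF_DIR` ("content/en/docs/reference/config/installation-options-changes/index.md") without a writer, since `writeVersionDiffs` was the only code here that filled its AUTO-GENERATED block. That page should be removed or redirected in the same commit, along with any build or lint target that invoked this script. The script was also the visible consumer of `requests` (unauthenticated, unchecked `requests.get` calls to api.github.com and raw.githubusercontent.com) and of `ruamel`. If no other tooling imports them, drop both from the docs tooling dependencies so the build no longer carries an unused network-facing package.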