mirror of https://github.com/istio/istio.io.git
1874 lines
49 KiB
HTML
1874 lines
49 KiB
HTML
---
|
|
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
|
|
source_repo: https://github.com/istio/api
|
|
title: Global Mesh Options
|
|
description: Configuration affecting the service mesh as a whole.
|
|
location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
|
|
layout: protoc-gen-docs
|
|
generator: protoc-gen-docs
|
|
weight: 20
|
|
number_of_entries: 25
|
|
---
|
|
<p>Configuration affecting the service mesh as a whole.</p>
|
|
|
|
<h2 id="Tracing">Tracing</h2>
|
|
<section>
|
|
<p>Tracing defines configuration for the tracing performed by Envoy instances.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Tracing-zipkin" class="oneof oneof-start">
|
|
<td><code>zipkin</code></td>
|
|
<td><code><a href="#Tracing-Zipkin">Zipkin (oneof)</a></code></td>
|
|
<td>
|
|
<p>Use a Zipkin tracer.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Tracing-lightstep" class="oneof">
|
|
<td><code>lightstep</code></td>
|
|
<td><code><a href="#Tracing-Lightstep">Lightstep (oneof)</a></code></td>
|
|
<td>
|
|
<p>Use a Lightstep tracer.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Tracing-datadog" class="oneof">
|
|
<td><code>datadog</code></td>
|
|
<td><code><a href="#Tracing-Datadog">Datadog (oneof)</a></code></td>
|
|
<td>
|
|
<p>Use a Datadog tracer.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Tracing-stackdriver" class="oneof">
|
|
<td><code>stackdriver</code></td>
|
|
<td><code><a href="#Tracing-Stackdriver">Stackdriver (oneof)</a></code></td>
|
|
<td>
|
|
<p>Use a Stackdriver tracer.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Tracing-tls_settings">
|
|
<td><code>tlsSettings</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
|
|
<td>
|
|
<p>Use the tls_settings to specify the tls mode to use. If the remote tracing service
|
|
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
|
|
mode as <code>ISTIO_MUTUAL</code>.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="SDS">SDS</h2>
|
|
<section>
|
|
<p>SDS defines secret discovery service(SDS) configuration to be used by the proxy.
|
|
For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container).
|
|
For pilot/mixer, it’s passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="SDS-enabled">
|
|
<td><code>enabled</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>True if SDS is enabled.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="SDS-k8s_sa_jwt_path">
|
|
<td><code>k8sSaJwtPath</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Path of k8s service account JWT path.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="ProxyConfig">ProxyConfig</h2>
|
|
<section>
|
|
<p>ProxyConfig defines variables for individual Envoy instances.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="ProxyConfig-config_path">
|
|
<td><code>configPath</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Path to the generated configuration file directory.
|
|
Proxy agent generates the actual configuration and stores it in this directory.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-binary_path">
|
|
<td><code>binaryPath</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Path to the proxy binary</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-service_cluster">
|
|
<td><code>serviceCluster</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Service cluster defines the name for the service_cluster that is
|
|
shared by all Envoy instances. This setting corresponds to
|
|
<em>–service-cluster</em> flag in Envoy. In a typical Envoy deployment, the
|
|
<em>service-cluster</em> flag is used to identify the caller, for
|
|
source-based routing scenarios.</p>
|
|
|
|
<p>Since Istio does not assign a local service/service version to each
|
|
Envoy instance, the name is same for all of them. However, the
|
|
source/caller’s identity (e.g., IP address) is encoded in the
|
|
<em>–service-node</em> flag when launching Envoy. When the RDS service
|
|
receives API calls from Envoy, it uses the value of the <em>service-node</em>
|
|
flag to compute routes that are relative to the service instances
|
|
located at that IP address.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-drain_duration">
|
|
<td><code>drainDuration</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>The time in seconds that Envoy will drain connections during a hot
|
|
restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>)</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-parent_shutdown_duration">
|
|
<td><code>parentShutdownDuration</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>The time in seconds that Envoy will wait before shutting down the
|
|
parent process during a hot restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>).
|
|
MUST BE greater than <em>drain</em>duration_ parameter.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-discovery_address">
|
|
<td><code>discoveryAddress</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the discovery service exposing xDS with mTLS connection.
|
|
The inject configuration may override this value.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-statsd_udp_address">
|
|
<td><code>statsdUdpAddress</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>IP Address and Port of a statsd UDP listener (e.g. <em>10.75.241.127:9125</em>).</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-proxy_admin_port">
|
|
<td><code>proxyAdminPort</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>Port on which Envoy should listen for administrative commands.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-control_plane_auth_policy">
|
|
<td><code>controlPlaneAuthPolicy</code></td>
|
|
<td><code><a href="#AuthenticationPolicy">AuthenticationPolicy</a></code></td>
|
|
<td>
|
|
<p>Authentication policy defines the global switch to control authentication
|
|
for Envoy-to-Envoy communication for istio components Mixer and Pilot.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-custom_config_file">
|
|
<td><code>customConfigFile</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>File path of custom proxy configuration, currently used by proxies
|
|
in front of Mixer and Pilot.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-stat_name_length">
|
|
<td><code>statNameLength</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>Maximum length of name field in Envoy’s metrics. The length of the name field
|
|
is determined by the length of a name field in a service and the set of labels that
|
|
comprise a particular version of the service. The default value is set to 189 characters.
|
|
Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric.
|
|
Increase the value of this field if you find that the metrics from Envoys are truncated.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-concurrency">
|
|
<td><code>concurrency</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>The number of worker threads to run. Default value is number of cores on the machine.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-proxy_bootstrap_template_path">
|
|
<td><code>proxyBootstrapTemplatePath</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Path to the proxy bootstrap template file</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-interception_mode">
|
|
<td><code>interceptionMode</code></td>
|
|
<td><code><a href="#ProxyConfig-InboundInterceptionMode">InboundInterceptionMode</a></code></td>
|
|
<td>
|
|
<p>The mode used to redirect inbound traffic to Envoy.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-tracing">
|
|
<td><code>tracing</code></td>
|
|
<td><code><a href="#Tracing">Tracing</a></code></td>
|
|
<td>
|
|
<p>Tracing configuration to be used by the proxy.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-sds">
|
|
<td><code>sds</code></td>
|
|
<td><code><a href="#SDS">SDS</a></code></td>
|
|
<td>
|
|
<p>secret discovery service(SDS) configuration to be used by the proxy.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-envoy_access_log_service">
|
|
<td><code>envoyAccessLogService</code></td>
|
|
<td><code><a href="#RemoteService">RemoteService</a></code></td>
|
|
<td>
|
|
<p>Address of the service to which access logs from Envoys should be
|
|
sent. (e.g. accesslog-service:15000). See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto">Access Log
|
|
Service</a>
|
|
for details about Envoy’s gRPC Access Log Service API.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-envoy_metrics_service">
|
|
<td><code>envoyMetricsService</code></td>
|
|
<td><code><a href="#RemoteService">RemoteService</a></code></td>
|
|
<td>
|
|
<p>Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
|
|
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto">Metric Service</a>
|
|
for details about Envoy’s Metrics Service API.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-status_port">
|
|
<td><code>statusPort</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>Port on which the agent should listen for administrative commands such as readiness probe.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-extra_stat_tags">
|
|
<td><code>extraStatTags</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
|
|
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
|
|
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
|
|
and exposed as Prometheus metrics.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-zipkin_address" class="deprecated ">
|
|
<td><code>zipkinAddress</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
|
|
DEPRECATED: Use <a href="#ProxyConfig-tracing">tracing</a> instead.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="RemoteService">RemoteService</h2>
|
|
<section>
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="RemoteService-address">
|
|
<td><code>address</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of a remove service used for various purposes (access log
|
|
receiver, metrics receiver, etc.). Can be IP address or a fully
|
|
qualified DNS name.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="RemoteService-tls_settings">
|
|
<td><code>tlsSettings</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
|
|
<td>
|
|
<p>Use the tls_settings to specify the tls mode to use. If the remote service
|
|
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
|
|
mode as <code>ISTIO_MUTUAL</code>.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="RemoteService-tcp_keepalive">
|
|
<td><code>tcpKeepalive</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive">TcpKeepalive</a></code></td>
|
|
<td>
|
|
<p>If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Tracing-Zipkin">Tracing.Zipkin</h2>
|
|
<section>
|
|
<p>Zipkin defines configuration for a Zipkin tracer.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Tracing-Zipkin-address">
|
|
<td><code>address</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Tracing-Lightstep">Tracing.Lightstep</h2>
|
|
<section>
|
|
<p>Defines configuration for a Lightstep tracer.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Tracing-Lightstep-address">
|
|
<td><code>address</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the Lightstep Satellite pool.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Tracing-Lightstep-access_token">
|
|
<td><code>accessToken</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The Lightstep access token.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Tracing-Datadog">Tracing.Datadog</h2>
|
|
<section>
|
|
<p>Datadog defines configuration for a Datadog tracer.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Tracing-Datadog-address">
|
|
<td><code>address</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the Datadog Agent.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Tracing-Stackdriver">Tracing.Stackdriver</h2>
|
|
<section>
|
|
<p>Stackdriver defines configuration for a Stackdriver tracer.
|
|
See <a href="https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto">Opencensus trace config</a> for details.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig">MeshConfig</h2>
|
|
<section>
|
|
<p>MeshConfig defines mesh-wide variables shared by all Envoy instances in the
|
|
Istio service mesh.</p>
|
|
|
|
<p>NOTE: This configuration type should be used for the low-level global
|
|
configuration, such as component addresses and port numbers. It should not
|
|
be used for the features of the mesh that can be scoped by service or by
|
|
namespace. Some of the fields in the mesh config are going to be deprecated
|
|
and replaced with several individual configuration types (for example,
|
|
tracing configuration).</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-mixer_check_server">
|
|
<td><code>mixerCheckServer</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the server that will be used by the proxies for policy
|
|
check calls. By using different names for mixerCheckServer and
|
|
mixerReportServer, it is possible to have one set of Mixer servers handle
|
|
policy check calls while another set of Mixer servers handle telemetry
|
|
calls.</p>
|
|
|
|
<p>NOTE: Omitting mixerCheckServer while specifying mixerReportServer is
|
|
equivalent to setting disablePolicyChecks to true.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-mixer_report_server">
|
|
<td><code>mixerReportServer</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the server that will be used by the proxies for policy report
|
|
calls.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-disable_policy_checks">
|
|
<td><code>disablePolicyChecks</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Disable policy checks by the Mixer service. Default
|
|
is false, i.e. Mixer policy check is enabled by default.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-policy_check_fail_open">
|
|
<td><code>policyCheckFailOpen</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Allow all traffic in cases when the Mixer policy service cannot be reached.
|
|
Default is false which means the traffic is denied when the client is unable
|
|
to connect to Mixer.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-sidecar_to_telemetry_session_affinity">
|
|
<td><code>sidecarToTelemetrySessionAffinity</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Enable session affinity for Envoy Mixer reports so that calls from a proxy will
|
|
always target the same Mixer instance.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-proxy_listen_port">
|
|
<td><code>proxyListenPort</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>Port on which Envoy should listen for incoming connections from
|
|
other services.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-proxy_http_port">
|
|
<td><code>proxyHttpPort</code></td>
|
|
<td><code>int32</code></td>
|
|
<td>
|
|
<p>Port on which Envoy should listen for HTTP PROXY requests if set.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-connect_timeout">
|
|
<td><code>connectTimeout</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>Connection timeout used by Envoy. (MUST BE >=1ms)</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-protocol_detection_timeout">
|
|
<td><code>protocolDetectionTimeout</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>Automatic protocol detection uses a set of heuristics to
|
|
determine whether the connection is using TLS or not (on the
|
|
server side), as well as the application protocol being used
|
|
(e.g., http vs tcp). These heuristics rely on the client sending
|
|
the first bits of data. For server first protocols like MySQL,
|
|
MongoDB, etc., Envoy will timeout on the protocol detection after
|
|
the specified period, defaulting to non mTLS plain TCP
|
|
traffic. Set this field to tweak the period that Envoy will wait
|
|
for the client to send the first bits of data. (MUST BE >=1ms or
|
|
0s to disable)</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-tcp_keepalive">
|
|
<td><code>tcpKeepalive</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive">TcpKeepalive</a></code></td>
|
|
<td>
|
|
<p>If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-ingress_class">
|
|
<td><code>ingressClass</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Class of ingress resources to be processed by Istio ingress
|
|
controller. This corresponds to the value of
|
|
“kubernetes.io/ingress.class” annotation.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-ingress_service">
|
|
<td><code>ingressService</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Name of theKubernetes service used for the istio ingress controller.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-ingress_controller_mode">
|
|
<td><code>ingressControllerMode</code></td>
|
|
<td><code><a href="#MeshConfig-IngressControllerMode">IngressControllerMode</a></code></td>
|
|
<td>
|
|
<p>Defines whether to use Istio ingress controller for annotated or all ingress resources.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-enable_tracing">
|
|
<td><code>enableTracing</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Flag to control generation of trace spans and request IDs.
|
|
Requires a trace span collector defined in the proxy configuration.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-access_log_file">
|
|
<td><code>accessLogFile</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>File address for the proxy access log (e.g. /dev/stdout).
|
|
Empty value disables access logging.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-access_log_format">
|
|
<td><code>accessLogFormat</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Format for the proxy access log
|
|
Empty value results in proxy’s default access log format</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-access_log_encoding">
|
|
<td><code>accessLogEncoding</code></td>
|
|
<td><code><a href="#MeshConfig-AccessLogEncoding">AccessLogEncoding</a></code></td>
|
|
<td>
|
|
<p>Encoding for the proxy access log (text or json).
|
|
Default value is text.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-enable_envoy_access_log_service">
|
|
<td><code>enableEnvoyAccessLogService</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>This flag enables Envoy’s gRPC Access Log Service.
|
|
See <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto">Access Log Service</a>
|
|
for details about Envoy’s gRPC Access Log Service API.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-default_config">
|
|
<td><code>defaultConfig</code></td>
|
|
<td><code><a href="#ProxyConfig">ProxyConfig</a></code></td>
|
|
<td>
|
|
<p>Default proxy config used by the proxy injection mechanism operating in the mesh
|
|
(e.g. Kubernetes admission controller)
|
|
In case of Kubernetes, the proxy config is applied once during the injection process,
|
|
and remain constant for the duration of the pod. The rest of the mesh config can be changed
|
|
at runtime and config gets distributed dynamically.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-outbound_traffic_policy">
|
|
<td><code>outboundTrafficPolicy</code></td>
|
|
<td><code><a href="#MeshConfig-OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
|
|
<td>
|
|
<p>Set the default behavior of the sidecar for handling outbound
|
|
traffic from the application. If your application uses one or
|
|
more external services that are not known apriori, setting the
|
|
policy to ALLOW<em>ANY will cause the sidecars to route any unknown
|
|
traffic originating from the application to its requested
|
|
destination. Users are strongly encouraged to use ServiceEntries
|
|
to explicitly declare any external dependencies, instead of using
|
|
allow</em>any, so that traffic to these services can be
|
|
monitored. Can be overridden at a Sidecar level by setting the
|
|
OutboundTrafficPolicy in the <a href="/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy">Sidecar
|
|
API</a>.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-enable_client_side_policy_check">
|
|
<td><code>enableClientSidePolicyCheck</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Enables client side policy checks.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-config_sources">
|
|
<td><code>configSources</code></td>
|
|
<td><code><a href="#ConfigSource">ConfigSource[]</a></code></td>
|
|
<td>
|
|
<p>ConfigSource describes a source of configuration data for networking
|
|
rules, and other Istio configuration artifacts. Multiple data sources
|
|
can be configured for a single control plane.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-enable_auto_mtls">
|
|
<td><code>enableAutoMtls</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
|
|
<td>
|
|
<p>This flag is used to enable mutual TLS automatically for service to service communication
|
|
within the mesh, default false.
|
|
If set to true, and a given service does not have a corresponding DestinationRule configured,
|
|
or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
|
|
TLS configuration appropriately. More specifically,
|
|
If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
|
|
for mutual TLS to connect to upstream.
|
|
If upstream service is in plain text mode, use plain text.
|
|
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
|
|
mutual TLS when server sides are capable of accepting mutual TLS traffic.
|
|
If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-trust_domain">
|
|
<td><code>trustDomain</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The trust domain corresponds to the trust root of a system.
|
|
Refer to <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain">SPIFFE-ID</a></p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-trust_domain_aliases">
|
|
<td><code>trustDomainAliases</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>The trust domain aliases represent the aliases of <code>trust_domain</code>.
|
|
For example, if we have</p>
|
|
|
|
<pre><code class="language-yaml">trustDomain: td1
|
|
trustDomainAliases: ["td2", "td3"]
|
|
</code></pre>
|
|
|
|
<p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
|
|
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-default_service_export_to">
|
|
<td><code>defaultServiceExportTo</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>The default value for the ServiceEntry.export_to field and services
|
|
imported through container registry integrations, e.g. this applies to
|
|
Kubernetes Service resources. The value is a list of namespace names and
|
|
reserved namespace aliases. The allowed namespace aliases are:</p>
|
|
|
|
<ul>
|
|
<li>- All Namespaces
|
|
. - Current Namespace
|
|
~ - No Namespace</li>
|
|
</ul>
|
|
|
|
<p>If not set the system will use “*” as the default value which implies that
|
|
services are exported to all namespaces.</p>
|
|
|
|
<p>‘All namespaces’ is a reasonable default for implementations that don’t
|
|
need to restrict access or visibility of services across namespace
|
|
boundaries. If that requirement is present it is generally good practice to
|
|
make the default ‘Current namespace’ so that services are only visible
|
|
within their own namespaces by default. Operators can then expand the
|
|
visibility of services to other namespaces as needed. Use of ‘No Namespace’
|
|
is expected to be rare but can have utility for deployments where
|
|
dependency management needs to be precise even within the scope of a single
|
|
namespace.</p>
|
|
|
|
<p>For further discussion see the reference documentation for ServiceEntry,
|
|
Sidecar, and Gateway.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-default_virtual_service_export_to">
|
|
<td><code>defaultVirtualServiceExportTo</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>The default value for the VirtualService.export<em>to field. Has the same
|
|
syntax as ‘default</em>service<em>export</em>to’.</p>
|
|
|
|
<p>If not set the system will use “*” as the default value which implies that
|
|
virtual services are exported to all namespaces</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-default_destination_rule_export_to">
|
|
<td><code>defaultDestinationRuleExportTo</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>The default value for the DestinationRule.export<em>to field. Has the same
|
|
syntax as ‘default</em>service<em>export</em>to’.</p>
|
|
|
|
<p>If not set the system will use “*” as the default value which implies that
|
|
destination rules are exported to all namespaces</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-root_namespace">
|
|
<td><code>rootNamespace</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The namespace to treat as the administrative root namespace for
|
|
Istio configuration. When processing a leaf namespace Istio will search for
|
|
declarations in that namespace first and if none are found it will
|
|
search in the root namespace. Any matching declaration found in the root
|
|
namespace is processed as if it were declared in the leaf namespace.</p>
|
|
|
|
<p>The precise semantics of this processing are documented on each resource
|
|
type.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-locality_lb_setting">
|
|
<td><code>localityLbSetting</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting">LocalityLoadBalancerSetting</a></code></td>
|
|
<td>
|
|
<p>Locality based load balancing distribution or failover settings.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-dns_refresh_rate">
|
|
<td><code>dnsRefreshRate</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>Configures DNS refresh rate for Envoy clusters of type STRICT_DNS</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-disable_report_batch">
|
|
<td><code>disableReportBatch</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>The flag to disable report batch.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-report_batch_max_entries">
|
|
<td><code>reportBatchMaxEntries</code></td>
|
|
<td><code>uint32</code></td>
|
|
<td>
|
|
<p>When disable<em>report</em>batch is false, this value specifies the maximum number
|
|
of requests that are batched in report. If left unspecified, the default value
|
|
of report<em>batch</em>max_entries == 0 will use the hardcoded defaults of
|
|
istio::mixerclient::ReportOptions.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-report_batch_max_time">
|
|
<td><code>reportBatchMaxTime</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>When disable<em>report</em>batch is false, this value specifies the maximum elapsed
|
|
time a batched report will be sent after a user request is processed. If left
|
|
unspecified, the default report<em>batch</em>max_time == 0 will use the hardcoded
|
|
defaults of istio::mixerclient::ReportOptions.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-h2_upgrade_policy">
|
|
<td><code>h2UpgradePolicy</code></td>
|
|
<td><code><a href="#MeshConfig-H2UpgradePolicy">H2UpgradePolicy</a></code></td>
|
|
<td>
|
|
<p>Specify if http1.1 connections should be upgraded to http2 by default.
|
|
if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
|
|
If one or more services or namespaces do not have sidecar(s), then this should be set to DO<em>NOT</em>UPGRADE.
|
|
It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-inbound_cluster_stat_name">
|
|
<td><code>inboundClusterStatName</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
|
|
network filters like TCP and Redis.
|
|
By default, Istio emits statistics with the pattern <code>inbound|<port>|<port-name>|<service-FQDN></code>.
|
|
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
|
|
|
|
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
|
|
|
|
<ul>
|
|
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
|
|
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
|
|
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
|
|
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
|
|
</ul>
|
|
|
|
<p>Following are some examples of supported patterns for reviews:</p>
|
|
|
|
<ul>
|
|
<li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li>
|
|
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
|
|
</ul>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-outbound_cluster_stat_name">
|
|
<td><code>outboundClusterStatName</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
|
|
network filters like TCP and Redis.
|
|
By default, Istio emits statistics with the pattern <code>outbound|<port>|<subsetname>|<service-FQDN></code>.
|
|
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p>
|
|
|
|
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p>
|
|
|
|
<ul>
|
|
<li><code>%SERVICE%</code> - Will be substituted with name of the service.</li>
|
|
<li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li>
|
|
<li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li>
|
|
<li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li>
|
|
<li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li>
|
|
</ul>
|
|
|
|
<p>Following are some examples of supported patterns for reviews:</p>
|
|
|
|
<ul>
|
|
<li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li>
|
|
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
|
|
</ul>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-certificates">
|
|
<td><code>certificates</code></td>
|
|
<td><code><a href="#Certificate">Certificate[]</a></code></td>
|
|
<td>
|
|
<p>Configure the provision of certificates.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-thrift_config">
|
|
<td><code>thriftConfig</code></td>
|
|
<td><code><a href="#MeshConfig-ThriftConfig">ThriftConfig</a></code></td>
|
|
<td>
|
|
<p>Set configuration for Thrift protocol</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-enable_prometheus_merge">
|
|
<td><code>enablePrometheusMerge</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
|
|
<td>
|
|
<p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
|
|
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
|
|
and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
|
|
This relies on the annotations <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
|
|
<code>prometheus.io/path</code> annotations.
|
|
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
|
|
In this case, it is recommended to disable aggregation on that deployment with the
|
|
<code>prometheus.istio.io/merge-metrics: "false"</code> annotation.
|
|
If not specified, this will be enabled by default.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="ConfigSource">ConfigSource</h2>
|
|
<section>
|
|
<p>ConfigSource describes information about a configuration store inside a
|
|
mesh. A single control plane instance can interact with one or more data
|
|
sources.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="ConfigSource-address">
|
|
<td><code>address</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Address of the server implementing the Istio Mesh Configuration
|
|
protocol (MCP). Can be IP address or a fully qualified DNS name.
|
|
Use fs:/// to specify a file-based backend with absolute path to the directory.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ConfigSource-tls_settings">
|
|
<td><code>tlsSettings</code></td>
|
|
<td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
|
|
<td>
|
|
<p>Use the tls<em>settings to specify the tls mode to use. If the MCP server
|
|
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
|
|
mode as ISTIO</em>MUTUAL.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="ConfigSource-subscribed_resources">
|
|
<td><code>subscribedResources</code></td>
|
|
<td><code><a href="#Resource">Resource[]</a></code></td>
|
|
<td>
|
|
<p>Describes the source of configuration, if nothing is specified default is MCP</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Certificate">Certificate</h2>
|
|
<section>
|
|
<p>Certificate configures the provision of a certificate and its key.
|
|
Example 1: key and cert stored in a secret
|
|
{ secretName: galley-cert
|
|
secretNamespace: istio-system
|
|
dnsNames:
|
|
- galley.istio-system.svc
|
|
- galley.mydomain.com
|
|
}
|
|
Example 2: key and cert stored in a directory
|
|
{ dnsNames:
|
|
- pilot.istio-system
|
|
- pilot.istio-system.svc
|
|
- pilot.mydomain.com
|
|
}</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Certificate-secret_name">
|
|
<td><code>secretName</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Name of the secret the certificate and its key will be stored into.
|
|
If it is empty, it will not be stored into a secret.
|
|
Instead, the certificate and its key will be stored into a hard-coded directory.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Certificate-dns_names">
|
|
<td><code>dnsNames</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>The DNS names for the certificate. A certificate may contain
|
|
multiple DNS names.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-OutboundTrafficPolicy">MeshConfig.OutboundTrafficPolicy</h2>
|
|
<section>
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-OutboundTrafficPolicy-mode">
|
|
<td><code>mode</code></td>
|
|
<td><code><a href="#MeshConfig-OutboundTrafficPolicy-Mode">Mode</a></code></td>
|
|
<td>
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-ThriftConfig">MeshConfig.ThriftConfig</h2>
|
|
<section>
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-ThriftConfig-rate_limit_url">
|
|
<td><code>rateLimitUrl</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
|
|
this will enable the rate limit service for destinations that have matching rate
|
|
limit configurations.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-ThriftConfig-rate_limit_timeout">
|
|
<td><code>rateLimitTimeout</code></td>
|
|
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
|
|
<td>
|
|
<p>Specify thrift rate limit service timeout, in milliseconds. Default is 50ms</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-ServiceSettings-Settings">MeshConfig.ServiceSettings.Settings</h2>
|
|
<section>
|
|
<p>Settings for the selected services.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-ServiceSettings-Settings-cluster_local">
|
|
<td><code>clusterLocal</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>If true, specifies that the client and service endpoints must reside in the same cluster.
|
|
By default, in multi-cluster deployments, the Istio control plane assumes all service
|
|
endpoints to be reachable from any client in any of the clusters which are part of the
|
|
mesh. This configuration option limits the set of service endpoints visible to a client
|
|
to be cluster scoped.</p>
|
|
|
|
<p>There are some common scenarios when this can be useful:</p>
|
|
|
|
<ul>
|
|
<li>A service (or group of services) is inherently local to the cluster and has local storage
|
|
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li>
|
|
<li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
|
|
having services cluster-local and then slowly transition them to mesh-wide. They could do
|
|
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
|
|
(e.g. *.myns.svc.cluster.local).</li>
|
|
</ul>
|
|
|
|
<p>By default, Istio will consider all services in the kube-system namespace to be cluster-local,
|
|
unless explicitly overridden here.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Network">Network</h2>
|
|
<section>
|
|
<p>Network provides information about the endpoints in a routable L3
|
|
network. A single routable L3 network can have one or more service
|
|
registries. Note that the network has no relation to the locality of the
|
|
endpoint. The endpoint locality will be obtained from the service
|
|
registry.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Network-endpoints">
|
|
<td><code>endpoints</code></td>
|
|
<td><code><a href="#Network-NetworkEndpoints">NetworkEndpoints[]</a></code></td>
|
|
<td>
|
|
<p>The list of endpoints in the network (obtained through the
|
|
constituent service registries or from CIDR ranges). All endpoints in
|
|
the network are directly accessible to one another.</p>
|
|
|
|
</td>
|
|
<td>
|
|
Yes
|
|
</td>
|
|
</tr>
|
|
<tr id="Network-gateways">
|
|
<td><code>gateways</code></td>
|
|
<td><code><a href="#Network-IstioNetworkGateway">IstioNetworkGateway[]</a></code></td>
|
|
<td>
|
|
<p>Set of gateways associated with the network.</p>
|
|
|
|
</td>
|
|
<td>
|
|
Yes
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshNetworks">MeshNetworks</h2>
|
|
<section>
|
|
<p>MeshNetworks (config map) provides information about the set of networks
|
|
inside a mesh and how to route to endpoints in each network. For example</p>
|
|
|
|
<p>MeshNetworks(file/config map):</p>
|
|
|
|
<pre><code class="language-yaml">networks:
|
|
network1:
|
|
- endpoints:
|
|
- fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
|
|
- fromCidr: 192.168.100.0/22 #a VM network for example
|
|
gateways:
|
|
- registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
|
|
port: 15443
|
|
locality: us-east-1a
|
|
- address: 192.168.100.1
|
|
port: 15443
|
|
locality: us-east-1a
|
|
</code></pre>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshNetworks-networks">
|
|
<td><code>networks</code></td>
|
|
<td><code>map<string, <a href="#Network">Network</a>></code></td>
|
|
<td>
|
|
<p>The set of networks inside this mesh. Each network should
|
|
have a unique name and information about how to infer the endpoints in
|
|
the network as well as the gateways associated with the network.</p>
|
|
|
|
</td>
|
|
<td>
|
|
Yes
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Network-NetworkEndpoints">Network.NetworkEndpoints</h2>
|
|
<section>
|
|
<p>NetworkEndpoints describes how the network associated with an endpoint
|
|
should be inferred. An endpoint will be assigned to a network based on
|
|
the following rules:</p>
|
|
|
|
<ol>
|
|
<li><p>Implicitly: If the registry explicitly provides information about
|
|
the network to which the endpoint belongs to. In some cases, its
|
|
possible to indicate the network associated with the endpoint by
|
|
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li>
|
|
|
|
<li><p>Explicitly:</p></li>
|
|
</ol>
|
|
|
|
<p>a. By matching the registry name with one of the “fromRegistry”
|
|
in the mesh config. A “from_registry” can only be assigned to a
|
|
single network.</p>
|
|
|
|
<p>b. By matching the IP against one of the CIDR ranges in a mesh
|
|
config network. The CIDR ranges must not overlap and be assigned to
|
|
a single network.</p>
|
|
|
|
<p>(2) will override (1) if both are present.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Network-NetworkEndpoints-from_cidr" class="oneof oneof-start">
|
|
<td><code>fromCidr</code></td>
|
|
<td><code>string (oneof)</code></td>
|
|
<td>
|
|
<p>A CIDR range for the set of endpoints in this network. The CIDR
|
|
ranges for endpoints from different networks must not overlap.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Network-NetworkEndpoints-from_registry" class="oneof">
|
|
<td><code>fromRegistry</code></td>
|
|
<td><code>string (oneof)</code></td>
|
|
<td>
|
|
<p>Add all endpoints from the specified registry into this network.
|
|
The names of the registries should correspond to the kubeconfig file name
|
|
inside the secret that was used to configure the registry (Kubernetes
|
|
multicluster) or supplied by MCP server.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Network-IstioNetworkGateway">Network.IstioNetworkGateway</h2>
|
|
<section>
|
|
<p>The gateway associated with this network. Traffic from remote networks
|
|
will arrive at the specified gateway:port. All incoming traffic must
|
|
use mTLS.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Network-IstioNetworkGateway-registry_service_name" class="oneof oneof-start">
|
|
<td><code>registryServiceName</code></td>
|
|
<td><code>string (oneof)</code></td>
|
|
<td>
|
|
<p>A fully qualified domain name of the gateway service. Pilot will
|
|
lookup the service from the service registries in the network and
|
|
obtain the endpoint IPs of the gateway from the service
|
|
registry. Note that while the service name is a fully qualified
|
|
domain name, it need not be resolvable outside the orchestration
|
|
platform for the registry. e.g., this could be
|
|
istio-ingressgateway.istio-system.svc.cluster.local.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Network-IstioNetworkGateway-address" class="oneof">
|
|
<td><code>address</code></td>
|
|
<td><code>string (oneof)</code></td>
|
|
<td>
|
|
<p>IP address or externally resolvable DNS address associated with the gateway.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Network-IstioNetworkGateway-port">
|
|
<td><code>port</code></td>
|
|
<td><code>uint32</code></td>
|
|
<td>
|
|
<p>The port associated with the gateway.</p>
|
|
|
|
</td>
|
|
<td>
|
|
Yes
|
|
</td>
|
|
</tr>
|
|
<tr id="Network-IstioNetworkGateway-locality">
|
|
<td><code>locality</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The locality associated with an explicitly specified gateway (i.e. ip)</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="ProxyConfig-InboundInterceptionMode">ProxyConfig.InboundInterceptionMode</h2>
|
|
<section>
|
|
<p>The mode used to redirect inbound traffic to Envoy.
|
|
This setting has no effect on outbound traffic: iptables REDIRECT is always used for
|
|
outbound connections.</p>
|
|
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="ProxyConfig-InboundInterceptionMode-REDIRECT">
|
|
<td><code>REDIRECT</code></td>
|
|
<td>
|
|
<p>The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
|
|
source IP addresses during redirection.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="ProxyConfig-InboundInterceptionMode-TPROXY">
|
|
<td><code>TPROXY</code></td>
|
|
<td>
|
|
<p>The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
|
|
source and destination IP addresses and ports, so that they can be used for advanced
|
|
filtering and manipulation. This mode also configures the sidecar to run with the
|
|
CAP<em>NET</em>ADMIN capability, which is required to use TPROXY.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="AuthenticationPolicy">AuthenticationPolicy</h2>
|
|
<section>
|
|
<p>AuthenticationPolicy defines authentication policy. It can be set for
|
|
different scopes (mesh, service …), and the most narrow scope with
|
|
non-INHERIT value will be used.
|
|
Mesh policy cannot be INHERIT.</p>
|
|
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="AuthenticationPolicy-NONE">
|
|
<td><code>NONE</code></td>
|
|
<td>
|
|
<p>Do not encrypt Envoy to Envoy traffic.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="AuthenticationPolicy-MUTUAL_TLS">
|
|
<td><code>MUTUAL_TLS</code></td>
|
|
<td>
|
|
<p>Envoy to Envoy traffic is wrapped into mutual TLS connections.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="AuthenticationPolicy-INHERIT">
|
|
<td><code>INHERIT</code></td>
|
|
<td>
|
|
<p>Use the policy defined by the parent scope. Should not be used for mesh
|
|
policy.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-OutboundTrafficPolicy-Mode">MeshConfig.OutboundTrafficPolicy.Mode</h2>
|
|
<section>
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
|
|
<td><code>REGISTRY_ONLY</code></td>
|
|
<td>
|
|
<p>outbound traffic will be restricted to services defined in the
|
|
service registry as well as those defined through ServiceEntries</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY">
|
|
<td><code>ALLOW_ANY</code></td>
|
|
<td>
|
|
<p>outbound traffic to unknown destinations will be allowed, in case
|
|
there are no services or ServiceEntries for the destination port</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-IngressControllerMode">MeshConfig.IngressControllerMode</h2>
|
|
<section>
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-IngressControllerMode-UNSPECIFIED">
|
|
<td><code>UNSPECIFIED</code></td>
|
|
<td>
|
|
<p>Unspecified Istio ingress controller.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-IngressControllerMode-OFF">
|
|
<td><code>OFF</code></td>
|
|
<td>
|
|
<p>Disables Istio ingress controller.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-IngressControllerMode-DEFAULT">
|
|
<td><code>DEFAULT</code></td>
|
|
<td>
|
|
<p>Istio ingress controller will act on ingress resources that do not
|
|
contain any annotation or whose annotations match the value
|
|
specified in the ingress_class parameter described earlier. Use this
|
|
mode if Istio ingress controller will be the default ingress
|
|
controller for the entireKubernetes cluster.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-IngressControllerMode-STRICT">
|
|
<td><code>STRICT</code></td>
|
|
<td>
|
|
<p>Istio ingress controller will only act on ingress resources whose
|
|
annotations match the value specified in the ingress_class parameter
|
|
described earlier. Use this mode if Istio ingress controller will be
|
|
a secondary ingress controller (e.g., in addition to a
|
|
cloud-provided ingress controller).</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-AccessLogEncoding">MeshConfig.AccessLogEncoding</h2>
|
|
<section>
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-AccessLogEncoding-TEXT">
|
|
<td><code>TEXT</code></td>
|
|
<td>
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-AccessLogEncoding-JSON">
|
|
<td><code>JSON</code></td>
|
|
<td>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="MeshConfig-H2UpgradePolicy">MeshConfig.H2UpgradePolicy</h2>
|
|
<section>
|
|
<p>Default Policy for upgrading http1.1 connections to http2.</p>
|
|
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE">
|
|
<td><code>DO_NOT_UPGRADE</code></td>
|
|
<td>
|
|
<p>Do not upgrade connections to http2.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="MeshConfig-H2UpgradePolicy-UPGRADE">
|
|
<td><code>UPGRADE</code></td>
|
|
<td>
|
|
<p>Upgrade the connections to http2.</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Resource">Resource</h2>
|
|
<section>
|
|
<p>Resource describes the source of configuration</p>
|
|
|
|
<table class="enum-values">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Resource-SERVICE_REGISTRY">
|
|
<td><code>SERVICE_REGISTRY</code></td>
|
|
<td>
|
|
<p>Set to only receive service entries that are generated by the platform.
|
|
These auto generated service entries are combination of services and endpoints
|
|
that are generated by a specific platform e.g. k8</p>
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|