Installation Options Changes

When Istio is installed with Helm customizations, some of the installation options differ between release-1.1 and release-1.0. The tables below describe those differences, grouped into three categories:

  • Options that already existed in the old version but whose default value or description changed in the new version.
  • Options added in the new version.
  • Options removed in the new version.

Modified configuration

Modified servicegraph key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| servicegraph.ingress.hosts | servicegraph.local | servicegraph.local | | Used to create an Ingress record. |

Modified tracing key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| tracing.jaeger.tag | 1.5 | 1.9 | | |

Modified global key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| global.hub | gcr.io/istio-release | gcr.io/istio-release | | Default hub for Istio images. Releases are published to docker hub under 'istio' project. Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly |
| global.tag | release-1.0-latest-daily | release-1.1-latest-daily | | Default tag for Istio images. |
| global.proxy.resources.requests.cpu | 10m | 100m | | |
| global.proxy.accessLogFile | "/dev/stdout" | "" | | |
| global.proxy.enableCoreDump | false | false | | If set, newly injected sidecars will have core dumps enabled. |
| global.proxy.autoInject | enabled | enabled | | This controls the 'policy' in the sidecar injector. |
| global.proxy.envoyStatsd.enabled | true | false | | If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. |
| global.proxy.envoyStatsd.host | istio-statsd-prom-bridge | | | example: statsd-svc.istio-system |
| global.proxy.envoyStatsd.port | 9125 | | | example: 9125 |
| global.proxy_init.image | proxy_init | proxy_init | | Base name for the proxy_init container, used to configure iptables. |
| global.controlPlaneSecurityEnabled | false | false | | controlPlaneMtls enabled. Will result in delays starting the pods while secrets are propagated, not recommended for tests. |
| global.disablePolicyChecks | false | true | | disablePolicyChecks disables mixer policy checks. if mixer.policy.enabled==true then disablePolicyChecks has affect. Will set the value with same name in istio config map - pilot needs to be restarted to take effect. |
| global.enableTracing | true | true | | EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. |
| global.mtls.enabled | false | false | | Default setting for service-to-service mtls. Can be set explicitly using destination rules or service annotations. |
| global.oneNamespace | false | false | | Whether to restrict the applications namespace the controller manages; If not set, controller watches all namespaces |
| global.configValidation | true | true | | Whether to perform server-side validation of configuration. |

Modified gateways key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| gateways.istio-ingressgateway.type | LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be | LoadBalancer | | change to NodePort, ClusterIP or LoadBalancer if need be |
| gateways.istio-egressgateway.enabled | true | false | | |
| gateways.istio-egressgateway.type | ClusterIP #change to NodePort or LoadBalancer if need be | ClusterIP | | change to NodePort or LoadBalancer if need be |

Modified certmanager key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| certmanager.tag | v0.3.1 | v0.6.2 | | |

Modified kiali key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| kiali.tag | istio-release-1.0 | v0.14 | | |

Modified security key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| security.selfSigned | true # indicate if self-signed CA is used. | true | | indicate if self-signed CA is used. |

Modified pilot key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| pilot.autoscaleMax | 1 | 5 | | |
| pilot.traceSampling | 100.0 | 1.0 | | |

New configuration

New istio_cni key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| istio_cni.enabled | false | |

New servicegraph key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| servicegraph.nodeSelector | {} | |

New tracing key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| tracing.nodeSelector | {} | |
| tracing.zipkin.hub | docker.io/openzipkin | |
| tracing.zipkin.tag | 2 | |
| tracing.zipkin.probeStartupDelay | 200 | |
| tracing.zipkin.queryPort | 9411 | |
| tracing.zipkin.resources.limits.cpu | 300m | |
| tracing.zipkin.resources.limits.memory | 900Mi | |
| tracing.zipkin.resources.requests.cpu | 150m | |
| tracing.zipkin.resources.requests.memory | 900Mi | |
| tracing.zipkin.javaOptsHeap | 700 | |
| tracing.zipkin.maxSpans | 500000 | |
| tracing.zipkin.node.cpus | 2 | |

New sidecarInjectorWebhook key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| sidecarInjectorWebhook.nodeSelector | {} | |
| sidecarInjectorWebhook.rewriteAppHTTPProbe | false | If true, webhook or istioctl injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled. |

New global key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| global.monitoringPort | 15014 | monitoring port used by mixer, pilot, galley |
| global.k8sIngress.enabled | false | |
| global.k8sIngress.gatewayName | ingressgateway | Gateway used for k8s Ingress resources. By default it is using 'istio:ingressgateway' that will be installed by setting 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' flags to true. |
| global.k8sIngress.enableHttps | false | enableHttps will add port 443 on the ingress. It REQUIRES that the certificates are installed in the expected secrets - enabling this option without certificates will result in LDS rejection and the ingress will not work. |
| global.proxy.clusterDomain | "cluster.local" | cluster domain. Default value is "cluster.local". |
| global.proxy.resources.requests.memory | 128Mi | |
| global.proxy.resources.limits.cpu | 2000m | |
| global.proxy.resources.limits.memory | 128Mi | |
| global.proxy.concurrency | 2 | Controls number of Proxy worker threads. If set to 0 (default), then start worker thread for each CPU thread/core. |
| global.proxy.accessLogFormat | "" | Configure how and what fields are displayed in sidecar access log. Setting to empty string will result in default log format |
| global.proxy.accessLogEncoding | TEXT | Configure the access log for sidecar to JSON or TEXT. |
| global.proxy.dnsRefreshRate | 5s | Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS. 5 seconds is the default refresh rate used by Envoy |
| global.proxy.privileged | false | If set to true, istio-proxy container will have privileged securityContext |
| global.proxy.statusPort | 15020 | Default port for Pilot agent health checks. A value of 0 will disable health checking. |
| global.proxy.readinessInitialDelaySeconds | 1 | The initial delay for readiness probes in seconds. |
| global.proxy.readinessPeriodSeconds | 2 | The period between readiness probes. |
| global.proxy.readinessFailureThreshold | 30 | The number of successive failed probes before indicating readiness failure. |
| global.proxy.kubevirtInterfaces | "" | pod internal interfaces |
| global.proxy.envoyMetricsService.enabled | false | |
| global.proxy.envoyMetricsService.host | | example: metrics-service.istio-system |
| global.proxy.envoyMetricsService.port | | example: 15000 |
| global.proxy.tracer | "zipkin" | Specify which tracer to use. One of: lightstep, zipkin |
| global.policyCheckFailOpen | false | policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. Default is false which means the traffic is denied when the client is unable to connect to Mixer. |
| global.tracer.lightstep.address | "" | example: lightstep-satellite:443 |
| global.tracer.lightstep.accessToken | "" | example: abcdefg1234567 |
| global.tracer.lightstep.secure | true | example: true\|false |
| global.tracer.lightstep.cacertPath | "" | example: /etc/lightstep/cacert.pem |
| global.tracer.zipkin.address | "" | |
| global.defaultNodeSelector | {} | Default node selector to be applied to all deployments so that all pods can be constrained to run a particular nodes. Each component can overwrite these default values by adding its node selector block in the relevant section below and setting the desired values. |
| global.meshExpansion.enabled | false | |
| global.meshExpansion.useILB | false | If set to true, the pilot and citadel mtls and the plain text pilot ports will be exposed on an internal gateway |
| global.multiCluster.enabled | false | Set to true to connect two kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot directly talk to one another. All clusters should be using Istio mTLS and must have a shared root CA for this model to work. |
| global.defaultPodDisruptionBudget.enabled | true | |
| global.useMCP | true | Use the Mesh Control Protocol (MCP) for configuring Mixer and Pilot. Requires galley (--set galley.enabled=true). |
| global.trustDomain | "" | |
| global.outboundTrafficPolicy.mode | ALLOW_ANY | |
| global.sds.enabled | false | SDS enabled. IF set to true, mTLS certificates for the sidecars will be distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates. |
| global.sds.udsPath | "" | |
| global.sds.useTrustworthyJwt | false | |
| global.sds.useNormalJwt | false | |
| global.meshNetworks | {} | |
| global.enableHelmTest | false | Specifies whether helm test is enabled or not. This field is set to false by default, so 'helm template ...' will ignore the helm test yaml files when generating the template |

New mixer key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| mixer.env.GODEBUG | gctrace=1 | |
| mixer.env.GOMAXPROCS | "6" | max procs should be ceil(cpu limit + 1) |
| mixer.policy.enabled | false | if policy is enabled, global.disablePolicyChecks has affect. |
| mixer.policy.replicaCount | 1 | |
| mixer.policy.autoscaleEnabled | true | |
| mixer.policy.autoscaleMin | 1 | |
| mixer.policy.autoscaleMax | 5 | |
| mixer.policy.cpu.targetAverageUtilization | 80 | |
| mixer.telemetry.enabled | true | |
| mixer.telemetry.replicaCount | 1 | |
| mixer.telemetry.autoscaleEnabled | true | |
| mixer.telemetry.autoscaleMin | 1 | |
| mixer.telemetry.autoscaleMax | 5 | |
| mixer.telemetry.cpu.targetAverageUtilization | 80 | |
| mixer.telemetry.sessionAffinityEnabled | false | |
| mixer.telemetry.loadshedding.mode | enforce | disabled, logonly or enforce |
| mixer.telemetry.loadshedding.latencyThreshold | 100ms | based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async. |
| mixer.telemetry.resources.requests.cpu | 1000m | |
| mixer.telemetry.resources.requests.memory | 1G | |
| mixer.telemetry.resources.limits.cpu | 4800m | It is best to do horizontal scaling of mixer using moderate cpu allocation. We have experimentally found that these values work well. |
| mixer.telemetry.resources.limits.memory | 4G | |
| mixer.podAnnotations | {} | |
| mixer.nodeSelector | {} | |
| mixer.adapters.kubernetesenv.enabled | true | |
| mixer.adapters.stdio.enabled | false | |
| mixer.adapters.stdio.outputAsJson | true | |
| mixer.adapters.prometheus.enabled | true | |
| mixer.adapters.prometheus.metricsExpiryDuration | 10m | |
| mixer.adapters.useAdapterCRDs | true | Setting this to false sets the useAdapterCRDs mixer startup argument to false |

New grafana key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| grafana.image.repository | grafana/grafana | |
| grafana.image.tag | 5.4.0 | |
| grafana.ingress.enabled | false | |
| grafana.ingress.hosts | grafana.local | Used to create an Ingress record. |
| grafana.persist | false | |
| grafana.storageClassName | "" | |
| grafana.accessMode | ReadWriteMany | |
| grafana.security.secretName | grafana | |
| grafana.security.usernameKey | username | |
| grafana.security.passphraseKey | passphrase | |
| grafana.nodeSelector | {} | |
| grafana.contextPath | /grafana | |
| grafana.datasources.datasources.apiVersion | 1 | |
| grafana.datasources.datasources.datasources.type | prometheus | |
| grafana.datasources.datasources.datasources.orgId | 1 | |
| grafana.datasources.datasources.datasources.url | http://prometheus:9090 | |
| grafana.datasources.datasources.datasources.access | proxy | |
| grafana.datasources.datasources.datasources.isDefault | true | |
| grafana.datasources.datasources.datasources.jsonData.timeInterval | 5s | |
| grafana.datasources.datasources.datasources.editable | true | |
| grafana.dashboardProviders.dashboardproviders.apiVersion | 1 | |
| grafana.dashboardProviders.dashboardproviders.providers.orgId | 1 | |
| grafana.dashboardProviders.dashboardproviders.providers.folder | 'istio' | |
| grafana.dashboardProviders.dashboardproviders.providers.type | file | |
| grafana.dashboardProviders.dashboardproviders.providers.disableDeletion | false | |
| grafana.dashboardProviders.dashboardproviders.providers.options.path | /var/lib/grafana/dashboards/istio | |

New prometheus key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| prometheus.retention | 6h | |
| prometheus.nodeSelector | {} | |
| prometheus.scrapeInterval | 15s | Controls the frequency of prometheus scraping |
| prometheus.contextPath | /prometheus | |
| prometheus.ingress.enabled | false | |
| prometheus.ingress.hosts | prometheus.local | Used to create an Ingress record. |
| prometheus.security.enabled | true | |

New gateways key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| gateways.istio-ingressgateway.sds.enabled | false | If true, ingress gateway fetches credentials from SDS server to handle TLS connections. |
| gateways.istio-ingressgateway.sds.image | node-agent-k8s | SDS server that watches kubernetes secrets and provisions credentials to ingress gateway. This server runs in the same pod as ingress gateway. |
| gateways.istio-ingressgateway.autoscaleEnabled | true | |
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-ingressgateway.loadBalancerSourceRanges | [] | |
| gateways.istio-ingressgateway.externalIPs | [] | |
| gateways.istio-ingressgateway.podAnnotations | {} | |
| gateways.istio-ingressgateway.ports.targetPort | 15029 | |
| gateways.istio-ingressgateway.ports.name | https-kiali | |
| gateways.istio-ingressgateway.ports.name | https-prometheus | |
| gateways.istio-ingressgateway.ports.name | https-grafana | |
| gateways.istio-ingressgateway.ports.targetPort | 15032 | |
| gateways.istio-ingressgateway.ports.name | https-tracing | |
| gateways.istio-ingressgateway.ports.targetPort | 15443 | |
| gateways.istio-ingressgateway.ports.name | tls | |
| gateways.istio-ingressgateway.ports.targetPort | 15020 | |
| gateways.istio-ingressgateway.ports.name | status-port | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 15011 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-pilot-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 15004 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-mixer-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 8060 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-citadel-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 853 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-dns-tls | |
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | "sni-dnat" | A gateway with this mode ensures that pilot generates an additional set of clusters for internal services but without Istio mTLS, to enable cross cluster routing. |
| gateways.istio-ingressgateway.nodeSelector | {} | |
| gateways.istio-egressgateway.autoscaleEnabled | true | |
| gateways.istio-egressgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-egressgateway.podAnnotations | {} | |
| gateways.istio-egressgateway.ports.targetPort | 15443 | |
| gateways.istio-egressgateway.ports.name | tls | |
| gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE | "sni-dnat" | |
| gateways.istio-egressgateway.nodeSelector | {} | |
| gateways.istio-ilbgateway.autoscaleEnabled | true | |
| gateways.istio-ilbgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-ilbgateway.podAnnotations | {} | |
| gateways.istio-ilbgateway.nodeSelector | {} | |

New kiali key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| kiali.contextPath | /kiali | |
| kiali.nodeSelector | {} | |
| kiali.ingress.hosts | kiali.local | Used to create an Ingress record. |
| kiali.dashboard.secretName | kiali | |
| kiali.dashboard.usernameKey | username | |
| kiali.dashboard.passphraseKey | passphrase | |
| kiali.prometheusAddr | http://prometheus:9090 | |
| kiali.createDemoSecret | false | When true, a secret will be created with a default username and password. Useful for demos. |

New istiocoredns key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| istiocoredns.enabled | false | |
| istiocoredns.replicaCount | 1 | |
| istiocoredns.coreDNSImage | coredns/coredns:1.1.2 | |
| istiocoredns.coreDNSPluginImage | istio/coredns-plugin:0.2-istio-1.1 | |
| istiocoredns.nodeSelector | {} | |

New security key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| security.enabled | true | |
| security.createMeshPolicy | true | |
| security.nodeSelector | {} | |

New nodeagent key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| nodeagent.enabled | false | |
| nodeagent.image | node-agent-k8s | |
| nodeagent.env.CA_PROVIDER | "" | name of authentication provider. |
| nodeagent.env.CA_ADDR | "" | CA endpoint. |
| nodeagent.env.Plugins | "" | names of authentication provider's plugins. |
| nodeagent.nodeSelector | {} | |

New pilot key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| pilot.autoscaleEnabled | true | |
| pilot.env.PILOT_PUSH_THROTTLE | 100 | |
| pilot.env.GODEBUG | gctrace=1 | |
| pilot.cpu.targetAverageUtilization | 80 | |
| pilot.nodeSelector | {} | |
| pilot.keepaliveMaxServerConnectionAge | 30m | The following is used to limit how long a sidecar can be connected to a pilot. It balances out load across pilot instances at the cost of increasing system churn. |

Removed configuration

Removed ingress key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| ingress.service.ports.nodePort | 32000 | |
| ingress.service.selector.istio | ingress | |
| ingress.autoscaleMin | 1 | |
| ingress.service.loadBalancerIP | "" | |
| ingress.enabled | false | |
| ingress.service.annotations | {} | |
| ingress.service.ports.name | http | |
| ingress.service.ports.name | https | |
| ingress.autoscaleMax | 5 | |
| ingress.replicaCount | 1 | |
| ingress.service.type | LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be | |

Removed servicegraph key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| servicegraph | servicegraph.local | |
| servicegraph.ingress | servicegraph.local | |
| servicegraph.service.internalPort | 8088 | |

Removed telemetry-gateway key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| telemetry-gateway.prometheusEnabled | false | |
| telemetry-gateway.gatewayName | ingressgateway | |
| telemetry-gateway.grafanaEnabled | false | |

Removed global key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| global.hyperkube.tag | v1.7.6_coreos.0 | |
| global.k8sIngressHttps | false | |
| global.crds | true | |
| global.hyperkube.hub | quay.io/coreos | |
| global.meshExpansion | false | |
| global.k8sIngressSelector | ingress | |
| global.meshExpansionILB | false | |

Removed mixer key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| mixer.autoscaleMin | 1 | |
| mixer.istio-policy.cpu.targetAverageUtilization | 80 | |
| mixer.autoscaleMax | 5 | |
| mixer.istio-telemetry.autoscaleMin | 1 | |
| mixer.prometheusStatsdExporter.tag | v0.6.0 | |
| mixer.istio-telemetry.autoscaleMax | 5 | |
| mixer.istio-telemetry.cpu.targetAverageUtilization | 80 | |
| mixer.istio-policy.autoscaleEnabled | true | |
| mixer.istio-telemetry.autoscaleEnabled | true | |
| mixer.replicaCount | 1 | |
| mixer.prometheusStatsdExporter.hub | docker.io/prom | |
| mixer.istio-policy.autoscaleMin | 1 | |
| mixer.istio-policy.autoscaleMax | 5 | |

Removed grafana key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| grafana.image | grafana | |
| grafana.service.internalPort | 3000 | |
| grafana.security.adminPassword | admin | |
| grafana.security.adminUser | admin | |

Removed gateways key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| gateways.istio-ilbgateway.replicaCount | 1 | |
| gateways.istio-egressgateway.replicaCount | 1 | |
| gateways.istio-ingressgateway.replicaCount | 1 | |
| gateways.istio-ingressgateway.ports.name | tcp-pilot-grpc-tls | |
| gateways.istio-ingressgateway.ports.name | tcp-citadel-grpc-tls | |
| gateways.istio-ingressgateway.ports.name | http2-prometheus | |
| gateways.istio-ingressgateway.ports.name | http2-grafana | |
| gateways.istio-ingressgateway.ports.targetPort | 15011 | |
| gateways.istio-ingressgateway.ports.targetPort | 8060 | |

Removed tracing key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| tracing.service.internalPort | 9411 | |
| tracing.replicaCount | 1 | |
| tracing.jaeger.ingress | jaeger.local | |
| tracing.ingress | tracing.local | |
| tracing.jaeger | jaeger.local | |
| tracing | jaeger.local tracing.local | |
| tracing.jaeger.ingress.hosts | jaeger.local | |
| tracing.jaeger.ingress.enabled | false | |
| tracing.ingress.hosts | tracing.local | |
| tracing.jaeger.ui.port | 16686 | |

Removed kiali key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| kiali.dashboard.username | admin | |
| kiali.dashboard.passphrase | admin | |

Removed pilot key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| pilot.replicaCount | 1 | |