Installation Options

To customize an Istio install with Helm, pass the --set <key>=<value> option to the Helm command to override one or more chart values (repeat the option, or separate several key=value pairs with commas, to override more than one). The supported keys, their default values and their meaning are listed in the tables below.

certmanager options

| Key | Default Value | Description |
| --- | --- | --- |
| certmanager.enabled | false | |
| certmanager.hub | quay.io/jetstack | |
| certmanager.tag | v0.6.2 | |
| certmanager.resources | {} | |

galley options

| Key | Default Value | Description |
| --- | --- | --- |
| galley.enabled | true | |
| galley.replicaCount | 1 | |
| galley.image | galley | |

gateways options

The ports, meshExpansionPorts and secretVolumes keys are lists: consecutive rows with the same key prefix describe successive entries of the list, one row per field.

| Key | Default Value | Description |
| --- | --- | --- |
| gateways.enabled | true | |
| gateways.istio-ingressgateway.enabled | true | |
| gateways.istio-ingressgateway.sds.enabled | false | If true, the ingress gateway fetches credentials from the SDS server to handle TLS connections. |
| gateways.istio-ingressgateway.sds.image | node-agent-k8s | SDS server that watches Kubernetes secrets and provisions credentials to the ingress gateway. This server runs in the same pod as the ingress gateway. |
| gateways.istio-ingressgateway.labels.app | istio-ingressgateway | |
| gateways.istio-ingressgateway.labels.istio | ingressgateway | |
| gateways.istio-ingressgateway.autoscaleEnabled | true | |
| gateways.istio-ingressgateway.autoscaleMin | 1 | |
| gateways.istio-ingressgateway.autoscaleMax | 5 | |
| gateways.istio-ingressgateway.resources | {} | |
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-ingressgateway.loadBalancerIP | "" | |
| gateways.istio-ingressgateway.loadBalancerSourceRanges | [] | |
| gateways.istio-ingressgateway.externalIPs | [] | |
| gateways.istio-ingressgateway.serviceAnnotations | {} | |
| gateways.istio-ingressgateway.podAnnotations | {} | |
| gateways.istio-ingressgateway.type | LoadBalancer | Change to NodePort, ClusterIP or LoadBalancer if need be. |
| gateways.istio-ingressgateway.ports.targetPort | 80 | |
| gateways.istio-ingressgateway.ports.name | http2 | |
| gateways.istio-ingressgateway.ports.nodePort | 31380 | |
| gateways.istio-ingressgateway.ports.name | https | |
| gateways.istio-ingressgateway.ports.nodePort | 31390 | |
| gateways.istio-ingressgateway.ports.name | tcp | |
| gateways.istio-ingressgateway.ports.nodePort | 31400 | |
| gateways.istio-ingressgateway.ports.targetPort | 15029 | |
| gateways.istio-ingressgateway.ports.name | https-kiali | |
| gateways.istio-ingressgateway.ports.targetPort | 15030 | |
| gateways.istio-ingressgateway.ports.name | https-prometheus | |
| gateways.istio-ingressgateway.ports.targetPort | 15031 | |
| gateways.istio-ingressgateway.ports.name | https-grafana | |
| gateways.istio-ingressgateway.ports.targetPort | 15032 | |
| gateways.istio-ingressgateway.ports.name | https-tracing | |
| gateways.istio-ingressgateway.ports.targetPort | 15443 | |
| gateways.istio-ingressgateway.ports.name | tls | |
| gateways.istio-ingressgateway.ports.targetPort | 15020 | |
| gateways.istio-ingressgateway.ports.name | status-port | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 15011 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-pilot-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 15004 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-mixer-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 8060 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-citadel-grpc-tls | |
| gateways.istio-ingressgateway.meshExpansionPorts.targetPort | 853 | |
| gateways.istio-ingressgateway.meshExpansionPorts.name | tcp-dns-tls | |
| gateways.istio-ingressgateway.secretVolumes.secretName | istio-ingressgateway-certs | |
| gateways.istio-ingressgateway.secretVolumes.mountPath | /etc/istio/ingressgateway-certs | |
| gateways.istio-ingressgateway.secretVolumes.secretName | istio-ingressgateway-ca-certs | |
| gateways.istio-ingressgateway.secretVolumes.mountPath | /etc/istio/ingressgateway-ca-certs | |
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | "sni-dnat" | A gateway in this mode makes Pilot generate an additional set of clusters for internal services, but without Istio mTLS, to enable cross-cluster routing. |
| gateways.istio-ingressgateway.nodeSelector | {} | |
| gateways.istio-egressgateway.enabled | false | |
| gateways.istio-egressgateway.labels.app | istio-egressgateway | |
| gateways.istio-egressgateway.labels.istio | egressgateway | |
| gateways.istio-egressgateway.autoscaleEnabled | true | |
| gateways.istio-egressgateway.autoscaleMin | 1 | |
| gateways.istio-egressgateway.autoscaleMax | 5 | |
| gateways.istio-egressgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-egressgateway.serviceAnnotations | {} | |
| gateways.istio-egressgateway.podAnnotations | {} | |
| gateways.istio-egressgateway.type | ClusterIP | Change to NodePort or LoadBalancer if need be. |
| gateways.istio-egressgateway.ports.name | http2 | |
| gateways.istio-egressgateway.ports.name | https | |
| gateways.istio-egressgateway.ports.targetPort | 15443 | |
| gateways.istio-egressgateway.ports.name | tls | |
| gateways.istio-egressgateway.secretVolumes.secretName | istio-egressgateway-certs | |
| gateways.istio-egressgateway.secretVolumes.mountPath | /etc/istio/egressgateway-certs | |
| gateways.istio-egressgateway.secretVolumes.secretName | istio-egressgateway-ca-certs | |
| gateways.istio-egressgateway.secretVolumes.mountPath | /etc/istio/egressgateway-ca-certs | |
| gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE | "sni-dnat" | |
| gateways.istio-egressgateway.nodeSelector | {} | |
| gateways.istio-ilbgateway.enabled | false | |
| gateways.istio-ilbgateway.labels.app | istio-ilbgateway | |
| gateways.istio-ilbgateway.labels.istio | ilbgateway | |
| gateways.istio-ilbgateway.autoscaleEnabled | true | |
| gateways.istio-ilbgateway.autoscaleMin | 1 | |
| gateways.istio-ilbgateway.autoscaleMax | 5 | |
| gateways.istio-ilbgateway.cpu.targetAverageUtilization | 80 | |
| gateways.istio-ilbgateway.resources.requests.cpu | 800m | |
| gateways.istio-ilbgateway.resources.requests.memory | 512Mi | |
| gateways.istio-ilbgateway.loadBalancerIP | "" | |
| gateways.istio-ilbgateway.serviceAnnotations.cloud.google.com/load-balancer-type | "internal" | |
| gateways.istio-ilbgateway.podAnnotations | {} | |
| gateways.istio-ilbgateway.type | LoadBalancer | |
| gateways.istio-ilbgateway.ports.name | grpc-pilot-mtls | |
| gateways.istio-ilbgateway.ports.name | grpc-pilot | |
| gateways.istio-ilbgateway.ports.targetPort | 8060 | |
| gateways.istio-ilbgateway.ports.name | tcp-citadel-grpc-tls | |
| gateways.istio-ilbgateway.ports.name | tcp-dns | |
| gateways.istio-ilbgateway.secretVolumes.secretName | istio-ilbgateway-certs | |
| gateways.istio-ilbgateway.secretVolumes.mountPath | /etc/istio/ilbgateway-certs | |
| gateways.istio-ilbgateway.secretVolumes.secretName | istio-ilbgateway-ca-certs | |
| gateways.istio-ilbgateway.secretVolumes.mountPath | /etc/istio/ilbgateway-ca-certs | |
| gateways.istio-ilbgateway.nodeSelector | {} | |

global options

| Key | Default Value | Description |
| --- | --- | --- |
| global.hub | gcr.io/istio-release | Default hub for Istio images. Releases are published to Docker Hub under the 'istio' project. Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly. |
| global.tag | release-1.1-latest-daily | Default tag for Istio images. |
| global.monitoringPort | 15014 | Monitoring port used by Mixer, Pilot and Galley. |
| global.k8sIngress.enabled | false | |
| global.k8sIngress.gatewayName | ingressgateway | Gateway used for Kubernetes Ingress resources. By default it uses 'istio:ingressgateway', which is installed by setting the 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled' flags to true. |
| global.k8sIngress.enableHttps | false | enableHttps adds port 443 on the ingress. It REQUIRES that the certificates are installed in the expected secrets; enabling this option without certificates results in LDS rejection and the ingress will not work. |
| global.proxy.image | proxyv2 | |
| global.proxy.clusterDomain | "cluster.local" | Cluster domain. The default value is "cluster.local". |
| global.proxy.resources.requests.cpu | 100m | |
| global.proxy.resources.requests.memory | 128Mi | |
| global.proxy.resources.limits.cpu | 2000m | |
| global.proxy.resources.limits.memory | 128Mi | |
| global.proxy.concurrency | 2 | Controls the number of proxy worker threads. If set to 0, a worker thread is started for each CPU thread/core. |
| global.proxy.accessLogFile | "" | |
| global.proxy.accessLogFormat | "" | Configures how and which fields are displayed in the sidecar access log. Setting this to an empty string results in the default log format. |
| global.proxy.accessLogEncoding | TEXT | Configures the sidecar access log encoding: JSON or TEXT. |
| global.proxy.dnsRefreshRate | 5s | Configures the DNS refresh rate for Envoy clusters of type STRICT_DNS. 5 seconds is the default refresh rate used by Envoy. |
| global.proxy.privileged | false | If set to true, the istio-proxy container will have a privileged securityContext. |
| global.proxy.enableCoreDump | false | If set, newly injected sidecars will have core dumps enabled. |
| global.proxy.statusPort | 15020 | Default port for Pilot agent health checks. A value of 0 disables health checking. |
| global.proxy.readinessInitialDelaySeconds | 1 | The initial delay for readiness probes, in seconds. |
| global.proxy.readinessPeriodSeconds | 2 | The period between readiness probes. |
| global.proxy.readinessFailureThreshold | 30 | The number of successive failed probes before readiness failure is reported. |
| global.proxy.includeIPRanges | "*" | |
| global.proxy.excludeIPRanges | "" | |
| global.proxy.kubevirtInterfaces | "" | Pod internal interfaces. |
| global.proxy.includeInboundPorts | "*" | |
| global.proxy.excludeInboundPorts | "" | |
| global.proxy.autoInject | enabled | Controls the 'policy' setting of the sidecar injector. |
| global.proxy.envoyStatsd.enabled | false | If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. |
| global.proxy.envoyStatsd.host | `` | example: statsd-svc.istio-system |
| global.proxy.envoyStatsd.port | `` | example: 9125 |
| global.proxy.envoyMetricsService.enabled | false | |
| global.proxy.envoyMetricsService.host | `` | example: metrics-service.istio-system |
| global.proxy.envoyMetricsService.port | `` | example: 15000 |
| global.proxy.tracer | "zipkin" | Specifies which tracer to use. One of: lightstep, zipkin. |
| global.proxy_init.image | proxy_init | Base name for the proxy_init container, which configures iptables. |
| global.imagePullPolicy | IfNotPresent | |
| global.controlPlaneSecurityEnabled | false | Enables control-plane mTLS. Pods start more slowly while secrets are propagated; not recommended for tests. |
| global.disablePolicyChecks | true | Disables Mixer policy checks. Only has effect when mixer.policy.enabled is true. Sets the value of the same name in the Istio config map; Pilot must be restarted for a change to take effect. |
| global.policyCheckFailOpen | false | Allows traffic through when the Mixer policy service cannot be reached. The default, false, denies traffic when the client is unable to connect to Mixer. |
| global.enableTracing | true | Sets the value of the same name in the Istio config map; requires a Pilot restart to take effect. |
| global.tracer.lightstep.address | "" | example: lightstep-satellite:443 |
| global.tracer.lightstep.accessToken | "" | example: abcdefg1234567 |
| global.tracer.lightstep.secure | true | example: true or false |
| global.tracer.lightstep.cacertPath | "" | example: /etc/lightstep/cacert.pem |
| global.tracer.zipkin.address | "" | |
| global.mtls.enabled | false | Default setting for service-to-service mTLS. Can be overridden explicitly with destination rules or service annotations. |
| global.arch.amd64 | 2 | |
| global.arch.s390x | 2 | |
| global.arch.ppc64le | 2 | |
| global.oneNamespace | false | Whether to restrict the controller to a single application namespace. If not set, the controller watches all namespaces. |
| global.defaultNodeSelector | {} | Default node selector applied to all deployments so that all pods can be constrained to run on particular nodes. Each component can override these defaults by adding its own nodeSelector block in the relevant section below and setting the desired values. |
| global.configValidation | true | Whether to perform server-side validation of configuration. |
| global.meshExpansion.enabled | false | |
| global.meshExpansion.useILB | false | If set to true, the Pilot and Citadel mTLS ports and the plain-text Pilot port are exposed on an internal gateway. |
| global.multiCluster.enabled | false | Set to true to connect two Kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot talk to one another directly. All clusters must use Istio mTLS and share a root CA for this model to work. |
| global.defaultResources.requests.cpu | 10m | |
| global.defaultPodDisruptionBudget.enabled | true | |
| global.priorityClassName | "" | |
| global.useMCP | true | Use the Mesh Configuration Protocol (MCP) for configuring Mixer and Pilot. Requires Galley (--set galley.enabled=true). |
| global.trustDomain | "" | |
| global.outboundTrafficPolicy.mode | ALLOW_ANY | |
| global.sds.enabled | false | Enables SDS. If set to true, mTLS certificates for the sidecars are distributed through the Secret Discovery Service instead of being mounted from Kubernetes secrets. |
| global.sds.udsPath | "" | |
| global.sds.useTrustworthyJwt | false | |
| global.sds.useNormalJwt | false | |
| global.meshNetworks | {} | |
| global.enableHelmTest | false | Specifies whether helm test is enabled. Defaults to false, so 'helm template ...' ignores the helm test YAML files when generating the template. |
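Several rows above only make sense in combination: global.useMCP needs galley.enabled, envoyStatsd needs a host and port, the default k8sIngress gateway needs the ingress gateway flags, multi-cluster needs mesh mTLS, and global.disablePolicyChecks only counts when mixer.policy.enabled is true. The script below is an added example (not Istio or Helm code, and not part of the original page) that parses Helm --set strings in the flat key form these tables use, layers them over the defaults quoted above, and reports those dependency violations together with the fail-open, privileged, core-dump, ALLOW_ANY and includeIPRanges/excludeIPRanges settings a reviewer would want flagged. The DEFAULTS subset, the rule wording and the HARDENED_SET override string are the example's own assumptions; the REGISTRY_ONLY value in that string comes from Istio's egress documentation, not from the table.

```python
"""Pre-flight lint for Istio 1.1 Helm '--set key=value' overrides.
Added example, not Istio or Helm code: it parses --set strings, layers them
over the defaults quoted in this page's tables and checks the cross-key rules
the global table describes. DEFAULTS is a deliberate subset of the chart."""
import ipaddress

# Chart defaults copied from the tables above (only the keys the rules need).
DEFAULTS = {
    "galley.enabled": "true", "gateways.enabled": "true",
    "gateways.istio-ingressgateway.enabled": "true", "global.useMCP": "true",
    "global.mtls.enabled": "false", "global.multiCluster.enabled": "false",
    "global.k8sIngress.enabled": "false",
    "global.proxy.envoyStatsd.enabled": "false", "global.proxy.envoyStatsd.host": "",
    "global.proxy.envoyStatsd.port": "", "global.proxy.privileged": "false",
    "global.proxy.enableCoreDump": "false", "global.proxy.includeIPRanges": "*",
    "global.proxy.excludeIPRanges": "", "global.disablePolicyChecks": "true",
    "global.policyCheckFailOpen": "false", "global.outboundTrafficPolicy.mode": "ALLOW_ANY",
    "mixer.policy.enabled": "false",
}
# Assumed hardened override string for the demo. REGISTRY_ONLY is documented
# by Istio's egress guide, not by the table above.
HARDENED_SET = ("global.mtls.enabled=true,global.controlPlaneSecurityEnabled=true,"
                "global.outboundTrafficPolicy.mode=REGISTRY_ONLY,"
                "mixer.policy.enabled=true,global.disablePolicyChecks=false")


def parse_set(arg):
    """Split one --set argument ('k1=v1,k2=v2') into flat dotted keys;
    a literal comma inside a value is escaped as '\\,' as Helm expects."""
    pairs, buf, i = [], "", 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg) and arg[i + 1] == ",":
            buf, i = buf + ",", i + 2
        elif arg[i] == ",":
            pairs, buf, i = pairs + [buf], "", i + 1
        else:
            buf, i = buf + arg[i], i + 1
    out = {}
    for pair in filter(None, pairs + [buf]):
        if "=" not in pair:
            raise ValueError(f"expected key=value, got {pair!r}")
        key, value = pair.split("=", 1)
        out[key] = value
    return out


def effective(overrides):
    """Chart defaults with the overrides layered on top."""
    return {**DEFAULTS, **overrides}


def _on(v, key):
    return v.get(key, "").lower() == "true"


def _cidr_errors(key, raw, allow_star):
    """Validate a comma-separated CIDR list; '*' is only valid for includes."""
    errs = []
    for item in filter(None, (s.strip() for s in raw.split(","))):
        if item == "*":
            if not allow_star:
                errs.append(f"ERROR: {key}: '*' is not valid here")
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            errs.append(f"ERROR: {key}: {item!r} is not a CIDR range")
    return errs


def lint(v):
    """Return ERROR/WARN messages for an effective value set."""
    m = []
    if _on(v, "global.useMCP") and not _on(v, "galley.enabled"):
        m.append("ERROR: global.useMCP=true requires galley.enabled=true")
    s = "global.proxy.envoyStatsd"
    if _on(v, s + ".enabled") and not (v.get(s + ".host") and v.get(s + ".port")):
        m.append(f"ERROR: {s}.enabled=true requires {s}.host and {s}.port")
    if (_on(v, "global.k8sIngress.enabled")
            and v.get("global.k8sIngress.gatewayName", "ingressgateway") == "ingressgateway"
            and not (_on(v, "gateways.enabled") and _on(v, "gateways.istio-ingressgateway.enabled"))):
        m.append("ERROR: global.k8sIngress needs gateways.enabled=true and gateways.istio-ingressgateway.enabled=true")
    if _on(v, "global.multiCluster.enabled") and not _on(v, "global.mtls.enabled"):
        m.append("ERROR: global.multiCluster.enabled=true requires Istio mTLS (global.mtls.enabled=true) and a shared root CA")
    if not _on(v, "global.disablePolicyChecks") and not _on(v, "mixer.policy.enabled"):
        m.append("WARN: global.disablePolicyChecks=false has no effect while mixer.policy.enabled=false")
    if _on(v, "global.policyCheckFailOpen"):
        m.append("WARN: policyCheckFailOpen=true admits traffic whenever Mixer policy is unreachable")
    if _on(v, "global.proxy.privileged"):
        m.append("WARN: global.proxy.privileged=true gives every sidecar a privileged securityContext")
    if _on(v, "global.proxy.enableCoreDump"):
        m.append("WARN: enableCoreDump=true writes proxy memory, mTLS private key included, to core files")
    if v.get("global.outboundTrafficPolicy.mode") == "ALLOW_ANY":
        m.append("WARN: outboundTrafficPolicy.mode=ALLOW_ANY lets sidecars reach any external host")
    m += _cidr_errors("global.proxy.includeIPRanges", v.get("global.proxy.includeIPRanges", ""), True)
    m += _cidr_errors("global.proxy.excludeIPRanges", v.get("global.proxy.excludeIPRanges", ""), False)
    return m


def check_set(arg):
    """Lint one --set argument against the chart defaults."""
    return lint(effective(parse_set(arg)))


if __name__ == "__main__":
    print("hardened:", check_set(HARDENED_SET) or ["ok"])
    print("broken:", check_set("galley.enabled=false,global.multiCluster.enabled=true"))
```

Running it with no overrides yields a single warning about ALLOW_ANY, the hardened string yields none, and the broken string yields two errors; any remaining "ERROR:" line is a value set the chart will render but that will not behave as the tables describe.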

grafana options

| Key | Default Value | Description |
| --- | --- | --- |
| grafana.enabled | false | |
| grafana.replicaCount | 1 | |
| grafana.image.repository | grafana/grafana | |
| grafana.image.tag | 5.4.0 | |
| grafana.ingress.enabled | false | |
| grafana.ingress.hosts | grafana.local | Used to create an Ingress record. |
| grafana.persist | false | |
| grafana.storageClassName | "" | |
| grafana.accessMode | ReadWriteMany | |
| grafana.security.enabled | false | |
| grafana.security.secretName | grafana | |
| grafana.security.usernameKey | username | |
| grafana.security.passphraseKey | passphrase | |
| grafana.nodeSelector | {} | |
| grafana.contextPath | /grafana | |
| grafana.service.annotations | {} | |
| grafana.service.name | http | |
| grafana.service.type | ClusterIP | |
| grafana.service.externalPort | 3000 | |
| grafana.datasources.datasources.apiVersion | 1 | |
| grafana.datasources.datasources.datasources.type | prometheus | |
| grafana.datasources.datasources.datasources.orgId | 1 | |
| grafana.datasources.datasources.datasources.url | http://prometheus:9090 | |
| grafana.datasources.datasources.datasources.access | proxy | |
| grafana.datasources.datasources.datasources.isDefault | true | |
| grafana.datasources.datasources.datasources.jsonData.timeInterval | 5s | |
| grafana.datasources.datasources.datasources.editable | true | |
| grafana.dashboardProviders.dashboardproviders.apiVersion | 1 | |
| grafana.dashboardProviders.dashboardproviders.providers.orgId | 1 | |
| grafana.dashboardProviders.dashboardproviders.providers.folder | 'istio' | |
| grafana.dashboardProviders.dashboardproviders.providers.type | file | |
| grafana.dashboardProviders.dashboardproviders.providers.disableDeletion | false | |
| grafana.dashboardProviders.dashboardproviders.providers.options.path | /var/lib/grafana/dashboards/istio | |

istio_cni options

| Key | Default Value | Description |
| --- | --- | --- |
| istio_cni.enabled | false | |

istiocoredns options

| Key | Default Value | Description |
| --- | --- | --- |
| istiocoredns.enabled | false | |
| istiocoredns.replicaCount | 1 | |
| istiocoredns.coreDNSImage | coredns/coredns:1.1.2 | |
| istiocoredns.coreDNSPluginImage | istio/coredns-plugin:0.2-istio-1.1 | |
| istiocoredns.nodeSelector | {} | |

kiali options

| Key | Default Value | Description |
| --- | --- | --- |
| kiali.enabled | false | Note that if using the demo or demo-auth YAML when installing via Helm, this default is true. |
| kiali.replicaCount | 1 | |
| kiali.hub | docker.io/kiali | |
| kiali.tag | v0.14 | |
| kiali.contextPath | /kiali | The root context path used to access the Kiali UI. |
| kiali.nodeSelector | {} | |
| kiali.ingress.enabled | false | |
| kiali.ingress.hosts | kiali.local | Used to create an Ingress record. |
| kiali.dashboard.secretName | kiali | You must create a secret with this name; one is not provided out of the box. |
| kiali.dashboard.usernameKey | username | The key within the secret whose value is the actual username. |
| kiali.dashboard.passphraseKey | passphrase | The key within the secret whose value is the actual passphrase. |
| kiali.dashboard.grafanaURL | `` | If you have Grafana installed and it is accessible to client browsers, set this to its external URL. Kiali redirects users to this URL when Grafana metrics are to be shown. |
| kiali.dashboard.jaegerURL | `` | If you have Jaeger installed and it is accessible to client browsers, set this to its external URL. Kiali redirects users to this URL when Jaeger tracing is to be shown. |
| kiali.prometheusAddr | http://prometheus:9090 | |
| kiali.createDemoSecret | false | When true, a secret is created with a default username and password. Useful for demos only. |

mixer options

| Key | Default Value | Description |
| --- | --- | --- |
| mixer.enabled | true | |
| mixer.image | mixer | |
| mixer.env.GODEBUG | gctrace=1 | |
| mixer.env.GOMAXPROCS | "6" | Max procs should be ceil(cpu limit + 1). |
| mixer.policy.enabled | false | If policy is enabled, global.disablePolicyChecks has effect. |
| mixer.policy.replicaCount | 1 | |
| mixer.policy.autoscaleEnabled | true | |
| mixer.policy.autoscaleMin | 1 | |
| mixer.policy.autoscaleMax | 5 | |
| mixer.policy.cpu.targetAverageUtilization | 80 | |
| mixer.telemetry.enabled | true | |
| mixer.telemetry.replicaCount | 1 | |
| mixer.telemetry.autoscaleEnabled | true | |
| mixer.telemetry.autoscaleMin | 1 | |
| mixer.telemetry.autoscaleMax | 5 | |
| mixer.telemetry.cpu.targetAverageUtilization | 80 | |
| mixer.telemetry.sessionAffinityEnabled | false | |
| mixer.telemetry.loadshedding.mode | enforce | One of disabled, logonly or enforce. |
| mixer.telemetry.loadshedding.latencyThreshold | 100ms | Based on measurements, a 100ms p50 translates to a p99 of under 1s. This is acceptable for telemetry, which is inherently asynchronous. |
| mixer.telemetry.resources.requests.cpu | 1000m | |
| mixer.telemetry.resources.requests.memory | 1G | |
| mixer.telemetry.resources.limits.cpu | 4800m | It is best to scale Mixer horizontally using a moderate CPU allocation. These values were found experimentally to work well. |
| mixer.telemetry.resources.limits.memory | 4G | |
| mixer.podAnnotations | {} | |
| mixer.nodeSelector | {} | |
| mixer.adapters.kubernetesenv.enabled | true | |
| mixer.adapters.stdio.enabled | false | |
| mixer.adapters.stdio.outputAsJson | true | |
| mixer.adapters.prometheus.enabled | true | |
| mixer.adapters.prometheus.metricsExpiryDuration | 10m | |
| mixer.adapters.useAdapterCRDs | true | Setting this to false sets the useAdapterCRDs Mixer startup argument to false. |

nodeagent options

| Key | Default Value | Description |
| --- | --- | --- |
| nodeagent.enabled | false | |
| nodeagent.image | node-agent-k8s | |
| nodeagent.env.CA_PROVIDER | "" | Name of the authentication provider. |
| nodeagent.env.CA_ADDR | "" | CA endpoint. |
| nodeagent.env.Plugins | "" | Names of the authentication provider's plugins. |
| nodeagent.nodeSelector | {} | |

pilot options

| Key | Default Value | Description |
| --- | --- | --- |
| pilot.enabled | true | |
| pilot.autoscaleEnabled | true | |
| pilot.autoscaleMin | 1 | |
| pilot.autoscaleMax | 5 | |
| pilot.image | pilot | |
| pilot.sidecar | true | |
| pilot.traceSampling | 1.0 | |
| pilot.resources.requests.cpu | 500m | |
| pilot.resources.requests.memory | 2048Mi | |
| pilot.env.PILOT_PUSH_THROTTLE | 100 | |
| pilot.env.GODEBUG | gctrace=1 | |
| pilot.cpu.targetAverageUtilization | 80 | |
| pilot.nodeSelector | {} | |
| pilot.keepaliveMaxServerConnectionAge | 30m | Limits how long a sidecar can stay connected to one Pilot instance. This balances load across Pilot instances at the cost of increased system churn. |

prometheus options

| Key | Default Value | Description |
| --- | --- | --- |
| prometheus.enabled | true | |
| prometheus.replicaCount | 1 | |
| prometheus.hub | docker.io/prom | |
| prometheus.tag | v2.3.1 | |
| prometheus.retention | 6h | |
| prometheus.nodeSelector | {} | |
| prometheus.scrapeInterval | 15s | Controls the frequency of Prometheus scraping. |
| prometheus.contextPath | /prometheus | |
| prometheus.ingress.enabled | false | |
| prometheus.ingress.hosts | prometheus.local | Used to create an Ingress record. |
| prometheus.service.annotations | {} | |
| prometheus.service.nodePort.enabled | false | |
| prometheus.service.nodePort.port | 32090 | |
| prometheus.security.enabled | true | |

security options

| Key | Default Value | Description |
| --- | --- | --- |
| security.enabled | true | |
| security.replicaCount | 1 | |
| security.image | citadel | |
| security.selfSigned | true | Indicates whether a self-signed CA is used. |
| security.createMeshPolicy | true | |
| security.nodeSelector | {} | |

servicegraph options

| Key | Default Value | Description |
| --- | --- | --- |
| servicegraph.enabled | false | |
| servicegraph.replicaCount | 1 | |
| servicegraph.image | servicegraph | |
| servicegraph.nodeSelector | {} | |
| servicegraph.service.annotations | {} | |
| servicegraph.service.name | http | |
| servicegraph.service.type | ClusterIP | |
| servicegraph.service.externalPort | 8088 | |
| servicegraph.ingress.enabled | false | |
| servicegraph.ingress.hosts | servicegraph.local | Used to create an Ingress record. |
| servicegraph.prometheusAddr | http://prometheus:9090 | |

sidecarInjectorWebhook options

| Key | Default Value | Description |
| --- | --- | --- |
| sidecarInjectorWebhook.enabled | true | |
| sidecarInjectorWebhook.replicaCount | 1 | |
| sidecarInjectorWebhook.image | sidecar_injector | |
| sidecarInjectorWebhook.enableNamespacesByDefault | false | |
| sidecarInjectorWebhook.nodeSelector | {} | |
| sidecarInjectorWebhook.rewriteAppHTTPProbe | false | If true, the webhook or istioctl injector rewrites the PodSpec liveness HTTP probe so that the request is redirected through the sidecar. This makes liveness checks work even when mTLS is enabled. |

tracing options

| Key | Default Value | Description |
| --- | --- | --- |
| tracing.enabled | false | |
| tracing.provider | jaeger | |
| tracing.nodeSelector | {} | |
| tracing.jaeger.hub | docker.io/jaegertracing | |
| tracing.jaeger.tag | 1.9 | |
| tracing.jaeger.memory.max_traces | 50000 | |
| tracing.zipkin.hub | docker.io/openzipkin | |
| tracing.zipkin.tag | 2 | |
| tracing.zipkin.probeStartupDelay | 200 | |
| tracing.zipkin.queryPort | 9411 | |
| tracing.zipkin.resources.limits.cpu | 300m | |
| tracing.zipkin.resources.limits.memory | 900Mi | |
| tracing.zipkin.resources.requests.cpu | 150m | |
| tracing.zipkin.resources.requests.memory | 900Mi | |
| tracing.zipkin.javaOptsHeap | 700 | |
| tracing.zipkin.maxSpans | 500000 | |
| tracing.zipkin.node.cpus | 2 | |
| tracing.service.annotations | {} | |
| tracing.service.name | http | |
| tracing.service.type | ClusterIP | |
| tracing.service.externalPort | 9411 | |
| tracing.ingress.enabled | false | |