Istio 1.1 Helm Changes

Details the Helm chart installation options differences between Istio 1.0 and Istio 1.1.

Mar 19, 2019

The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.0 and Istio 1.1. The tables are grouped in to three different categories:

Modified configuration options

Modified servicegraph key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
servicegraph.ingress.hostsservicegraph.localservicegraph.localUsed to create an Ingress record.

Modified tracing key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
tracing.jaeger.tag1.51.9

Modified global key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
global.hubgcr.io/istio-releasegcr.io/istio-releaseDefault hub for Istio images.Releases are published to docker hub under 'istio' project.Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
global.tagrelease-1.0-latest-dailyrelease-1.1-latest-dailyDefault tag for Istio images.
global.proxy.resources.requests.cpu10m100m
global.proxy.accessLogFile"/dev/stdout"""
global.proxy.enableCoreDumpfalsefalseIf set, newly injected sidecars will have core dumps enabled.
global.proxy.autoInjectenabledenabledThis controls the 'policy' in the sidecar injector.
global.proxy.envoyStatsd.enabledtruefalseIf enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
global.proxy.envoyStatsd.hostistio-statsd-prom-bridge``example: statsd-svc.istio-system
global.proxy.envoyStatsd.port9125``example: 9125
global.proxy_init.imageproxy_initproxy_initBase name for the proxy_init container, used to configure iptables.
global.controlPlaneSecurityEnabledfalsefalsecontrolPlaneMtls enabled. Will result in delays starting the pods while secrets arepropagated, not recommended for tests.
global.disablePolicyChecksfalsetruedisablePolicyChecks disables mixer policy checks.if mixer.policy.enabled==true then disablePolicyChecks has affect.Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
global.enableTracingtruetrueEnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
global.mtls.enabledfalsefalseDefault setting for service-to-service mtls. Can be set explicitly usingdestination rules or service annotations.
global.oneNamespacefalsefalseWhether to restrict the applications namespace the controller manages;If not set, controller watches all namespaces
global.configValidationtruetrueWhether to perform server-side validation of configuration.

Modified gateways key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
gateways.istio-ingressgateway.typeLoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need beLoadBalancerchange to NodePort, ClusterIP or LoadBalancer if need be
gateways.istio-egressgateway.enabledtruefalse
gateways.istio-egressgateway.typeClusterIP #change to NodePort or LoadBalancer if need beClusterIPchange to NodePort or LoadBalancer if need be

Modified certmanager key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
certmanager.tagv0.3.1v0.6.2

Modified kiali key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
kiali.tagistio-release-1.0v0.14

Modified security key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
security.selfSignedtrue # indicate if self-signed CA is used.trueindicate if self-signed CA is used.

Modified pilot key/value pairs

KeyOld Default ValueNew Default ValueOld DescriptionNew Description
pilot.autoscaleMax15
pilot.traceSampling100.01.0

New configuration options

New istio_cni key/value pairs

KeyDefault ValueDescription
istio_cni.enabledfalse

New servicegraph key/value pairs

KeyDefault ValueDescription
servicegraph.nodeSelector{}

New tracing key/value pairs

KeyDefault ValueDescription
tracing.nodeSelector{}
tracing.zipkin.hubdocker.io/openzipkin
tracing.zipkin.tag2
tracing.zipkin.probeStartupDelay200
tracing.zipkin.queryPort9411
tracing.zipkin.resources.limits.cpu300m
tracing.zipkin.resources.limits.memory900Mi
tracing.zipkin.resources.requests.cpu150m
tracing.zipkin.resources.requests.memory900Mi
tracing.zipkin.javaOptsHeap700
tracing.zipkin.maxSpans500000
tracing.zipkin.node.cpus2

New sidecarInjectorWebhook key/value pairs

KeyDefault ValueDescription
sidecarInjectorWebhook.nodeSelector{}
sidecarInjectorWebhook.rewriteAppHTTPProbefalseIf true, webhook or istioctl injector will rewrite PodSpec for livenesshealth check to redirect request to sidecar. This makes liveness check workeven when mTLS is enabled.

New global key/value pairs

KeyDefault ValueDescription
global.monitoringPort15014monitoring port used by mixer, pilot, galley
global.k8sIngress.enabledfalse
global.k8sIngress.gatewayNameingressgatewayGateway used for k8s Ingress resources. By default it isusing 'istio:ingressgateway' that will be installed by setting'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'flags to true.
global.k8sIngress.enableHttpsfalseenableHttps will add port 443 on the ingress.It REQUIRES that the certificates are installed in theexpected secrets - enabling this option without certificateswill result in LDS rejection and the ingress will not work.
global.proxy.clusterDomain"cluster.local"cluster domain. Default value is "cluster.local".
global.proxy.resources.requests.memory128Mi
global.proxy.resources.limits.cpu2000m
global.proxy.resources.limits.memory128Mi
global.proxy.concurrency2Controls number of Proxy worker threads.If set to 0 (default), then start worker thread for each CPU thread/core.
global.proxy.accessLogFormat""Configure how and what fields are displayed in sidecar access log. Setting toempty string will result in default log format
global.proxy.accessLogEncodingTEXTConfigure the access log for sidecar to JSON or TEXT.
global.proxy.dnsRefreshRate5sConfigure the DNS refresh rate for Envoy cluster of type STRICT_DNS5 seconds is the default refresh rate used by Envoy
global.proxy.privilegedfalseIf set to true, istio-proxy container will have privileged securityContext
global.proxy.statusPort15020Default port for Pilot agent health checks. A value of 0 will disable health checking.
global.proxy.readinessInitialDelaySeconds1The initial delay for readiness probes in seconds.
global.proxy.readinessPeriodSeconds2The period between readiness probes.
global.proxy.readinessFailureThreshold30The number of successive failed probes before indicating readiness failure.
global.proxy.kubevirtInterfaces""pod internal interfaces
global.proxy.envoyMetricsService.enabledfalse
global.proxy.envoyMetricsService.host``example: metrics-service.istio-system
global.proxy.envoyMetricsService.port``example: 15000
global.proxy.tracer"zipkin"Specify which tracer to use. One of: lightstep, zipkin
global.policyCheckFailOpenfalsepolicyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.Default is false which means the traffic is denied when the client is unable to connect to Mixer.
global.tracer.lightstep.address""example: lightstep-satellite:443
global.tracer.lightstep.accessToken""example: abcdefg1234567
global.tracer.lightstep.securetrueexample: true|false
global.tracer.lightstep.cacertPath""example: /etc/lightstep/cacert.pem
global.tracer.zipkin.address""
global.defaultNodeSelector{}Default node selector to be applied to all deployments so that all pods can beconstrained to run a particular nodes. Each component can overwrite these defaultvalues by adding its node selector block in the relevant section below and settingthe desired values.
global.meshExpansion.enabledfalse
global.meshExpansion.useILBfalseIf set to true, the pilot and citadel mtls and the plain text pilot portswill be exposed on an internal gateway
global.multiCluster.enabledfalseSet to true to connect two kubernetes clusters via their respectiveingressgateway services when pods in each cluster cannot directlytalk to one another. All clusters should be using Istio mTLS and musthave a shared root CA for this model to work.
global.defaultPodDisruptionBudget.enabledtrue
global.useMCPtrueUse the Mesh Control Protocol (MCP) for configuring Mixer andPilot. Requires galley (--set galley.enabled=true).
global.trustDomain""
global.outboundTrafficPolicy.modeALLOW_ANY
global.sds.enabledfalseSDS enabled. IF set to true, mTLS certificates for the sidecars will bedistributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
global.sds.udsPath""
global.sds.useTrustworthyJwtfalse
global.sds.useNormalJwtfalse
global.meshNetworks{}
global.enableHelmTestfalseSpecifies whether helm test is enabled or not.This field is set to false by default, so 'helm template ...'will ignore the helm test yaml files when generating the template

New mixer key/value pairs

KeyDefault ValueDescription
mixer.env.GODEBUGgctrace=1
mixer.env.GOMAXPROCS"6"max procs should be ceil(cpu limit + 1)
mixer.policy.enabledfalseif policy is enabled, global.disablePolicyChecks has affect.
mixer.policy.replicaCount1
mixer.policy.autoscaleEnabledtrue
mixer.policy.autoscaleMin1
mixer.policy.autoscaleMax5
mixer.policy.cpu.targetAverageUtilization80
mixer.telemetry.enabledtrue
mixer.telemetry.replicaCount1
mixer.telemetry.autoscaleEnabledtrue
mixer.telemetry.autoscaleMin1
mixer.telemetry.autoscaleMax5
mixer.telemetry.cpu.targetAverageUtilization80
mixer.telemetry.sessionAffinityEnabledfalse
mixer.telemetry.loadshedding.modeenforcedisabled, logonly or enforce
mixer.telemetry.loadshedding.latencyThreshold100msbased on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.
mixer.telemetry.resources.requests.cpu1000m
mixer.telemetry.resources.requests.memory1G
mixer.telemetry.resources.limits.cpu4800mIt is best to do horizontal scaling of mixer using moderate cpu allocation.We have experimentally found that these values work well.
mixer.telemetry.resources.limits.memory4G
mixer.podAnnotations{}
mixer.nodeSelector{}
mixer.adapters.kubernetesenv.enabledtrue
mixer.adapters.stdio.enabledfalse
mixer.adapters.stdio.outputAsJsontrue
mixer.adapters.prometheus.enabledtrue
mixer.adapters.prometheus.metricsExpiryDuration10m
mixer.adapters.useAdapterCRDstrueSetting this to false sets the useAdapterCRDs mixer startup argument to false

New grafana key/value pairs

KeyDefault ValueDescription
grafana.image.repositorygrafana/grafana
grafana.image.tag5.4.0
grafana.ingress.enabledfalse
grafana.ingress.hostsgrafana.localUsed to create an Ingress record.
grafana.persistfalse
grafana.storageClassName""
grafana.accessModeReadWriteMany
grafana.security.secretNamegrafana
grafana.security.usernameKeyusername
grafana.security.passphraseKeypassphrase
grafana.nodeSelector{}
grafana.contextPath/grafana
grafana.datasources.datasources.apiVersion1
grafana.datasources.datasources.datasources.typeprometheus
grafana.datasources.datasources.datasources.orgId1
grafana.datasources.datasources.datasources.urlhttp://prometheus:9090
grafana.datasources.datasources.datasources.accessproxy
grafana.datasources.datasources.datasources.isDefaulttrue
grafana.datasources.datasources.datasources.jsonData.timeInterval5s
grafana.datasources.datasources.datasources.editabletrue
grafana.dashboardProviders.dashboardproviders.apiVersion1
grafana.dashboardProviders.dashboardproviders.providers.orgId1
grafana.dashboardProviders.dashboardproviders.providers.folder'istio'
grafana.dashboardProviders.dashboardproviders.providers.typefile
grafana.dashboardProviders.dashboardproviders.providers.disableDeletionfalse
grafana.dashboardProviders.dashboardproviders.providers.options.path/var/lib/grafana/dashboards/istio

New prometheus key/value pairs

KeyDefault ValueDescription
prometheus.retention6h
prometheus.nodeSelector{}
prometheus.scrapeInterval15sControls the frequency of prometheus scraping
prometheus.contextPath/prometheus
prometheus.ingress.enabledfalse
prometheus.ingress.hostsprometheus.localUsed to create an Ingress record.
prometheus.security.enabledtrue

New gateways key/value pairs

KeyDefault ValueDescription
gateways.istio-ingressgateway.sds.enabledfalseIf true, ingress gateway fetches credentials from SDS server to handle TLS connections.
gateways.istio-ingressgateway.sds.imagenode-agent-k8sSDS server that watches kubernetes secrets and provisions credentials to ingress gateway.This server runs in the same pod as ingress gateway.
gateways.istio-ingressgateway.autoscaleEnabledtrue
gateways.istio-ingressgateway.cpu.targetAverageUtilization80
gateways.istio-ingressgateway.loadBalancerSourceRanges[]
gateways.istio-ingressgateway.externalIPs[]
gateways.istio-ingressgateway.podAnnotations{}
gateways.istio-ingressgateway.ports.targetPort15029
gateways.istio-ingressgateway.ports.namehttps-kiali
gateways.istio-ingressgateway.ports.namehttps-prometheus
gateways.istio-ingressgateway.ports.namehttps-grafana
gateways.istio-ingressgateway.ports.targetPort15032
gateways.istio-ingressgateway.ports.namehttps-tracing
gateways.istio-ingressgateway.ports.targetPort15443
gateways.istio-ingressgateway.ports.nametls
gateways.istio-ingressgateway.ports.targetPort15020
gateways.istio-ingressgateway.ports.namestatus-port
gateways.istio-ingressgateway.meshExpansionPorts.targetPort15011
gateways.istio-ingressgateway.meshExpansionPorts.nametcp-pilot-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort15004
gateways.istio-ingressgateway.meshExpansionPorts.nametcp-mixer-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort8060
gateways.istio-ingressgateway.meshExpansionPorts.nametcp-citadel-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort853
gateways.istio-ingressgateway.meshExpansionPorts.nametcp-dns-tls
gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE"sni-dnat"A gateway with this mode ensures that pilot generates an additionalset of clusters for internal services but without Istio mTLS, toenable cross cluster routing.
gateways.istio-ingressgateway.nodeSelector{}
gateways.istio-egressgateway.autoscaleEnabledtrue
gateways.istio-egressgateway.cpu.targetAverageUtilization80
gateways.istio-egressgateway.podAnnotations{}
gateways.istio-egressgateway.ports.targetPort15443
gateways.istio-egressgateway.ports.nametls
gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE"sni-dnat"
gateways.istio-egressgateway.nodeSelector{}
gateways.istio-ilbgateway.autoscaleEnabledtrue
gateways.istio-ilbgateway.cpu.targetAverageUtilization80
gateways.istio-ilbgateway.podAnnotations{}
gateways.istio-ilbgateway.nodeSelector{}

New kiali key/value pairs

KeyDefault ValueDescription
kiali.contextPath/kiali
kiali.nodeSelector{}
kiali.ingress.hostskiali.localUsed to create an Ingress record.
kiali.dashboard.secretNamekiali
kiali.dashboard.usernameKeyusername
kiali.dashboard.passphraseKeypassphrase
kiali.prometheusAddrhttp://prometheus:9090
kiali.createDemoSecretfalseWhen true, a secret will be created with a default username and password. Useful for demos.

New istiocoredns key/value pairs

KeyDefault ValueDescription
istiocoredns.enabledfalse
istiocoredns.replicaCount1
istiocoredns.coreDNSImagecoredns/coredns:1.1.2
istiocoredns.coreDNSPluginImageistio/coredns-plugin:0.2-istio-1.1
istiocoredns.nodeSelector{}

New security key/value pairs

KeyDefault ValueDescription
security.enabledtrue
security.createMeshPolicytrue
security.nodeSelector{}

New nodeagent key/value pairs

KeyDefault ValueDescription
nodeagent.enabledfalse
nodeagent.imagenode-agent-k8s
nodeagent.env.CA_PROVIDER""name of authentication provider.
nodeagent.env.CA_ADDR""CA endpoint.
nodeagent.env.Plugins""names of authentication provider's plugins.
nodeagent.nodeSelector{}

New pilot key/value pairs

KeyDefault ValueDescription
pilot.autoscaleEnabledtrue
pilot.env.PILOT_PUSH_THROTTLE100
pilot.env.GODEBUGgctrace=1
pilot.cpu.targetAverageUtilization80
pilot.nodeSelector{}
pilot.keepaliveMaxServerConnectionAge30mThe following is used to limit how long a sidecar can be connectedto a pilot. It balances out load across pilot instances at the cost ofincreasing system churn.

Removed configuration options

Removed ingress key/value pairs

KeyDefault ValueDescription
ingress.service.ports.nodePort32000
ingress.service.selector.istioingress
ingress.autoscaleMin1
ingress.service.loadBalancerIP""
ingress.enabledfalse
ingress.service.annotations{}
ingress.service.ports.namehttp
ingress.service.ports.namehttps
ingress.autoscaleMax5
ingress.replicaCount1
ingress.service.typeLoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be

Removed servicegraph key/value pairs

KeyDefault ValueDescription
servicegraphservicegraph.local
servicegraph.ingressservicegraph.local
servicegraph.service.internalPort8088

Removed telemetry-gateway key/value pairs

KeyDefault ValueDescription
telemetry-gateway.prometheusEnabledfalse
telemetry-gateway.gatewayNameingressgateway
telemetry-gateway.grafanaEnabledfalse

Removed global key/value pairs

KeyDefault ValueDescription
global.hyperkube.tagv1.7.6_coreos.0
global.k8sIngressHttpsfalse
global.crdstrue
global.hyperkube.hubquay.io/coreos
global.meshExpansionfalse
global.k8sIngressSelectoringress
global.meshExpansionILBfalse

Removed mixer key/value pairs

KeyDefault ValueDescription
mixer.autoscaleMin1
mixer.istio-policy.cpu.targetAverageUtilization80
mixer.autoscaleMax5
mixer.istio-telemetry.autoscaleMin1
mixer.prometheusStatsdExporter.tagv0.6.0
mixer.istio-telemetry.autoscaleMax5
mixer.istio-telemetry.cpu.targetAverageUtilization80
mixer.istio-policy.autoscaleEnabledtrue
mixer.istio-telemetry.autoscaleEnabledtrue
mixer.replicaCount1
mixer.prometheusStatsdExporter.hubdocker.io/prom
mixer.istio-policy.autoscaleMin1
mixer.istio-policy.autoscaleMax5

Removed grafana key/value pairs

KeyDefault ValueDescription
grafana.imagegrafana
grafana.service.internalPort3000
grafana.security.adminPasswordadmin
grafana.security.adminUseradmin

Removed gateways key/value pairs

KeyDefault ValueDescription
gateways.istio-ilbgateway.replicaCount1
gateways.istio-egressgateway.replicaCount1
gateways.istio-ingressgateway.replicaCount1
gateways.istio-ingressgateway.ports.nametcp-pilot-grpc-tls
gateways.istio-ingressgateway.ports.nametcp-citadel-grpc-tls
gateways.istio-ingressgateway.ports.namehttp2-prometheus
gateways.istio-ingressgateway.ports.namehttp2-grafana
gateways.istio-ingressgateway.ports.targetPort15011
gateways.istio-ingressgateway.ports.targetPort8060

Removed tracing key/value pairs

KeyDefault ValueDescription
tracing.service.internalPort9411
tracing.replicaCount1
tracing.jaeger.ingressjaeger.local
tracing.ingresstracing.local
tracing.jaegerjaeger.local
tracingjaeger.local tracing.local
tracing.jaeger.ingress.hostsjaeger.local
tracing.jaeger.ingress.enabledfalse
tracing.ingress.hoststracing.local
tracing.jaeger.ui.port16686

Removed kiali key/value pairs

KeyDefault ValueDescription
kiali.dashboard.usernameadmin
kiali.dashboard.passphraseadmin

Removed pilot key/value pairs

KeyDefault ValueDescription
pilot.replicaCount1