Istio 1.3 Helm Changes

Details the differences in Helm chart installation options between Istio 1.2 and Istio 1.3.

Sep 12, 2019

The tables below show the changes made between Istio 1.2 and Istio 1.3 to the installation options used to customize an Istio install with Helm. The tables are grouped into three categories: modified configuration options, new configuration options, and removed configuration options.

Modified configuration options

Modified kiali key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| `kiali.tag` | `v0.20` | `v1.1.0` | | |

Modified global key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| `global.tag` | `1.2.0-rc.3` | `release-1.3-latest-daily` | Default tag for Istio images. | Default tag for Istio images. |

Modified gateways key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| `gateways.istio-egressgateway.resources.limits.memory` | `256Mi` | `1024Mi` | | |

Modified tracing key/value pairs

| Key | Old Default Value | New Default Value | Old Description | New Description |
| --- | --- | --- | --- | --- |
| `tracing.jaeger.tag` | `1.9` | `1.12` | | |
| `tracing.zipkin.tag` | `2` | `2.14.2` | | |

New configuration options

New tracing key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `tracing.tolerations` | `[]` | |
| `tracing.jaeger.image` | `all-in-one` | |
| `tracing.jaeger.spanStorageType` | `badger` | spanStorageType value can be "memory" and "badger" for all-in-one image |
| `tracing.jaeger.persist` | `false` | |
| `tracing.jaeger.storageClassName` | `""` | |
| `tracing.jaeger.accessMode` | `ReadWriteMany` | |
| `tracing.zipkin.image` | `zipkin` | |

New sidecarInjectorWebhook key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `sidecarInjectorWebhook.rollingMaxSurge` | `100%` | |
| `sidecarInjectorWebhook.rollingMaxUnavailable` | `25%` | |
| `sidecarInjectorWebhook.tolerations` | `[]` | |

New global key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `global.proxy.init.resources.limits.cpu` | `100m` | |
| `global.proxy.init.resources.limits.memory` | `50Mi` | |
| `global.proxy.init.resources.requests.cpu` | `10m` | |
| `global.proxy.init.resources.requests.memory` | `10Mi` | |
| `global.proxy.envoyAccessLogService.enabled` | `false` | |
| `global.proxy.envoyAccessLogService.host` | `` | example: accesslog-service.istio-system |
| `global.proxy.envoyAccessLogService.port` | `` | example: 15000 |
| `global.proxy.envoyAccessLogService.tlsSettings.mode` | `DISABLE` | DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL |
| `global.proxy.envoyAccessLogService.tlsSettings.clientCertificate` | `` | example: /etc/istio/als/cert-chain.pem |
| `global.proxy.envoyAccessLogService.tlsSettings.privateKey` | `` | example: /etc/istio/als/key.pem |
| `global.proxy.envoyAccessLogService.tlsSettings.caCertificates` | `` | example: /etc/istio/als/root-cert.pem |
| `global.proxy.envoyAccessLogService.tlsSettings.sni` | `` | example: als.somedomain |
| `global.proxy.envoyAccessLogService.tlsSettings.subjectAltNames` | `[]` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.probes` | `3` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.time` | `10s` | |
| `global.proxy.envoyAccessLogService.tcpKeepalive.interval` | `10s` | |
| `global.proxy.protocolDetectionTimeout` | `10ms` | Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server-first protocols like MySQL, MongoDB, etc., Envoy will time out on the protocol detection after the specified period, defaulting to non-mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE >=1ms) |
| `global.proxy.enableCoreDumpImage` | `ubuntu:xenial` | Image used to enable core dumps. This is only used when "enableCoreDump" is set to true. |
| `global.defaultTolerations` | `[]` | Default node tolerations to be applied to all deployments so that all pods can be scheduled to particular nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field if all pods of the Istio control plane are expected to be scheduled to particular nodes with specified taints. |
| `global.meshID` | `""` | Mesh ID means Mesh Identifier. It should be unique within the scope where meshes will interact with each other, but it is not required to be globally/universally unique. For example, if any of the following are true, then two meshes must have different Mesh IDs: meshes will have their telemetry aggregated in one place; meshes will be federated together; policy will be written referencing one mesh from the other. If an administrator expects that any of these conditions may become true in the future, they should ensure their meshes have different Mesh IDs assigned. Within a multicluster mesh, each cluster must be (manually or auto) configured to have the same Mesh ID value. If an existing cluster 'joins' a multicluster mesh, it will need to be migrated to the new mesh ID. Details of migration TBD, and it may be a disruptive operation to change the Mesh ID post-install. If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value. |
| `global.localityLbSetting.enabled` | `true` | |

New galley key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `galley.rollingMaxSurge` | `100%` | |
| `galley.rollingMaxUnavailable` | `25%` | |

New mixer key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `mixer.policy.rollingMaxSurge` | `100%` | |
| `mixer.policy.rollingMaxUnavailable` | `25%` | |
| `mixer.telemetry.rollingMaxSurge` | `100%` | |
| `mixer.telemetry.rollingMaxUnavailable` | `25%` | |
| `mixer.telemetry.reportBatchMaxEntries` | `100` | Set reportBatchMaxEntries to 0 to use the default batching behavior (i.e., every 100 requests). A positive value indicates the number of requests that are batched before telemetry data is sent to the mixer server. |
| `mixer.telemetry.reportBatchMaxTime` | `1s` | Set reportBatchMaxTime to 0 to use the default batching behavior (i.e., every 1 second). A positive time value indicates the maximum time since the last request that telemetry data will be batched before being sent to the mixer server. |

New grafana key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `grafana.env` | `{}` | |
| `grafana.envSecrets` | `{}` | |
| `grafana.datasources.datasources.datasources.type.orgId` | `1` | |
| `grafana.datasources.datasources.datasources.type.url` | `http://prometheus:9090` | |
| `grafana.datasources.datasources.datasources.type.access` | `proxy` | |
| `grafana.datasources.datasources.datasources.type.isDefault` | `true` | |
| `grafana.datasources.datasources.datasources.type.jsonData.timeInterval` | `5s` | |
| `grafana.datasources.datasources.datasources.type.editable` | `true` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.folder` | `'istio'` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.type` | `file` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.disableDeletion` | `false` | |
| `grafana.dashboardProviders.dashboardproviders.providers.orgId.options.path` | `/var/lib/grafana/dashboards/istio` | |

New prometheus key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `prometheus.image` | `prometheus` | |

New gateways key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `gateways.istio-ingressgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-ingressgateway.rollingMaxUnavailable` | `25%` | |
| `gateways.istio-egressgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-egressgateway.rollingMaxUnavailable` | `25%` | |
| `gateways.istio-ilbgateway.rollingMaxSurge` | `100%` | |
| `gateways.istio-ilbgateway.rollingMaxUnavailable` | `25%` | |

New certmanager key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `certmanager.image` | `cert-manager-controller` | |

New kiali key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `kiali.image` | `kiali` | |
| `kiali.tolerations` | `[]` | |
| `kiali.dashboard.auth.strategy` | `login` | Can be anonymous, login, or openshift |
| `kiali.security.enabled` | `true` | |
| `kiali.security.cert_file` | `/kiali-cert/cert-chain.pem` | |
| `kiali.security.private_key_file` | `/kiali-cert/key.pem` | |

New istiocoredns key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `istiocoredns.rollingMaxSurge` | `100%` | |
| `istiocoredns.rollingMaxUnavailable` | `25%` | |

New security key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `security.replicaCount` | `1` | |
| `security.rollingMaxSurge` | `100%` | |
| `security.rollingMaxUnavailable` | `25%` | |
| `security.workloadCertTtl` | `2160h` | 90*24hour = 2160h |
| `security.enableNamespacesByDefault` | `true` | Determines Citadel default behavior if the ca.istio.io/env or ca.istio.io/override labels are not found on a given namespace. For example: consider a namespace called "target", which has neither the "ca.istio.io/env" nor the "ca.istio.io/override" namespace labels. To decide whether or not to generate secrets for service accounts created in this "target" namespace, Citadel will defer to this option. If the value of this option is "true" in this case, secrets will be generated for the "target" namespace. If the value of this option is "false" Citadel will not generate secrets upon service account creation. |

New pilot key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `pilot.rollingMaxSurge` | `100%` | |
| `pilot.rollingMaxUnavailable` | `25%` | |
| `pilot.enableProtocolSniffing` | `false` | Whether protocol sniffing is enabled. Defaults to false. |

Removed configuration options

Removed global key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `global.sds.useTrustworthyJwt` | `false` | |
| `global.sds.useNormalJwt` | `false` | |
| `global.localityLbSetting` | `{}` | |

Removed mixer key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `mixer.templates.useTemplateCRDs` | `false` | |

Removed grafana key/value pairs

| Key | Default Value | Description |
| --- | --- | --- |
| `grafana.dashboardProviders.dashboardproviders.providers.disableDeletion` | `false` | |
| `grafana.dashboardProviders.dashboardproviders.providers.type` | `file` | |
| `grafana.dashboardProviders.dashboardproviders.providers.folder` | `'istio'` | |
| `grafana.datasources.datasources.datasources.isDefault` | `true` | |
| `grafana.datasources.datasources.datasources.url` | `http://prometheus:9090` | |
| `grafana.datasources.datasources.datasources.access` | `proxy` | |
| `grafana.datasources.datasources.datasources.jsonData.timeInterval` | `5s` | |
| `grafana.dashboardProviders.dashboardproviders.providers.options.path` | `/var/lib/grafana/dashboards/istio` | |
| `grafana.datasources.datasources.datasources.editable` | `true` | |
| `grafana.datasources.datasources.datasources.orgId` | `1` | |