Helm Changes

The tables below show changes made to the installation options used to customize Istio install using Helm between Istio 1.0 and Istio 1.1. The tables are grouped in to three different categories:

  • The installation options already in the previous release but whose values or descriptions have been modified in the new release.
  • The new installation options added in the new release.
  • The installation options removed from the new release.

Modified configuration options

Modified servicegraph key/value pairs

Key Old Default Value New Default Value Old Description New Description
servicegraph.ingress.hosts servicegraph.local servicegraph.local Used to create an Ingress record.

Modified tracing key/value pairs

Key Old Default Value New Default Value Old Description New Description
tracing.jaeger.tag 1.5 1.9

Modified global key/value pairs

Key Old Default Value New Default Value Old Description New Description
global.hub gcr.io/istio-release gcr.io/istio-release Default hub for Istio images.Releases are published to docker hub under 'istio' project.Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
global.tag release-1.0-latest-daily release-1.1-latest-daily Default tag for Istio images.
global.proxy.resources.requests.cpu 10m 100m
global.proxy.accessLogFile "/dev/stdout" ""
global.proxy.enableCoreDump false false If set, newly injected sidecars will have core dumps enabled.
global.proxy.autoInject enabled enabled This controls the 'policy' in the sidecar injector.
global.proxy.envoyStatsd.enabled true false If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
global.proxy.envoyStatsd.host istio-statsd-prom-bridge `` example: statsd-svc.istio-system
global.proxy.envoyStatsd.port 9125 `` example: 9125
global.proxy_init.image proxy_init proxy_init Base name for the proxy_init container, used to configure iptables.
global.controlPlaneSecurityEnabled false false controlPlaneMtls enabled. Will result in delays starting the pods while secrets arepropagated, not recommended for tests.
global.disablePolicyChecks false true disablePolicyChecks disables mixer policy checks.if mixer.policy.enabled==true then disablePolicyChecks has affect.Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
global.enableTracing true true EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
global.mtls.enabled false false Default setting for service-to-service mtls. Can be set explicitly usingdestination rules or service annotations.
global.oneNamespace false false Whether to restrict the applications namespace the controller manages;If not set, controller watches all namespaces
global.configValidation true true Whether to perform server-side validation of configuration.

Modified gateways key/value pairs

Key Old Default Value New Default Value Old Description New Description
gateways.istio-ingressgateway.type LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be LoadBalancer change to NodePort, ClusterIP or LoadBalancer if need be
gateways.istio-egressgateway.enabled true false
gateways.istio-egressgateway.type ClusterIP #change to NodePort or LoadBalancer if need be ClusterIP change to NodePort or LoadBalancer if need be

Modified certmanager key/value pairs

Key Old Default Value New Default Value Old Description New Description
certmanager.tag v0.3.1 v0.6.2

Modified kiali key/value pairs

Key Old Default Value New Default Value Old Description New Description
kiali.tag istio-release-1.0 v0.14

Modified security key/value pairs

Key Old Default Value New Default Value Old Description New Description
security.selfSigned true # indicate if self-signed CA is used. true indicate if self-signed CA is used.

Modified pilot key/value pairs

Key Old Default Value New Default Value Old Description New Description
pilot.autoscaleMax 1 5
pilot.traceSampling 100.0 1.0

New configuration options

New istio_cni key/value pairs

Key Default Value Description
istio_cni.enabled false

New servicegraph key/value pairs

Key Default Value Description
servicegraph.nodeSelector {}

New tracing key/value pairs

Key Default Value Description
tracing.nodeSelector {}
tracing.zipkin.hub docker.io/openzipkin
tracing.zipkin.tag 2
tracing.zipkin.probeStartupDelay 200
tracing.zipkin.queryPort 9411
tracing.zipkin.resources.limits.cpu 300m
tracing.zipkin.resources.limits.memory 900Mi
tracing.zipkin.resources.requests.cpu 150m
tracing.zipkin.resources.requests.memory 900Mi
tracing.zipkin.javaOptsHeap 700
tracing.zipkin.maxSpans 500000
tracing.zipkin.node.cpus 2

New sidecarInjectorWebhook key/value pairs

Key Default Value Description
sidecarInjectorWebhook.nodeSelector {}
sidecarInjectorWebhook.rewriteAppHTTPProbe false If true, webhook or istioctl injector will rewrite PodSpec for livenesshealth check to redirect request to sidecar. This makes liveness check workeven when mTLS is enabled.

New global key/value pairs

Key Default Value Description
global.monitoringPort 15014 monitoring port used by mixer, pilot, galley
global.k8sIngress.enabled false
global.k8sIngress.gatewayName ingressgateway Gateway used for k8s Ingress resources. By default it isusing 'istio:ingressgateway' that will be installed by setting'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'flags to true.
global.k8sIngress.enableHttps false enableHttps will add port 443 on the ingress.It REQUIRES that the certificates are installed in theexpected secrets - enabling this option without certificateswill result in LDS rejection and the ingress will not work.
global.proxy.clusterDomain "cluster.local" cluster domain. Default value is "cluster.local".
global.proxy.resources.requests.memory 128Mi
global.proxy.resources.limits.cpu 2000m
global.proxy.resources.limits.memory 128Mi
global.proxy.concurrency 2 Controls number of Proxy worker threads.If set to 0 (default), then start worker thread for each CPU thread/core.
global.proxy.accessLogFormat "" Configure how and what fields are displayed in sidecar access log. Setting toempty string will result in default log format
global.proxy.accessLogEncoding TEXT Configure the access log for sidecar to JSON or TEXT.
global.proxy.dnsRefreshRate 5s Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS5 seconds is the default refresh rate used by Envoy
global.proxy.privileged false If set to true, istio-proxy container will have privileged securityContext
global.proxy.statusPort 15020 Default port for Pilot agent health checks. A value of 0 will disable health checking.
global.proxy.readinessInitialDelaySeconds 1 The initial delay for readiness probes in seconds.
global.proxy.readinessPeriodSeconds 2 The period between readiness probes.
global.proxy.readinessFailureThreshold 30 The number of successive failed probes before indicating readiness failure.
global.proxy.kubevirtInterfaces "" pod internal interfaces
global.proxy.envoyMetricsService.enabled false
global.proxy.envoyMetricsService.host `` example: metrics-service.istio-system
global.proxy.envoyMetricsService.port `` example: 15000
global.proxy.tracer "zipkin" Specify which tracer to use. One of: lightstep, zipkin
global.policyCheckFailOpen false policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.Default is false which means the traffic is denied when the client is unable to connect to Mixer.
global.tracer.lightstep.address "" example: lightstep-satellite:443
global.tracer.lightstep.accessToken "" example: abcdefg1234567
global.tracer.lightstep.secure true example: true\|false
global.tracer.lightstep.cacertPath "" example: /etc/lightstep/cacert.pem
global.tracer.zipkin.address ""
global.defaultNodeSelector {} Default node selector to be applied to all deployments so that all pods can beconstrained to run a particular nodes. Each component can overwrite these defaultvalues by adding its node selector block in the relevant section below and settingthe desired values.
global.meshExpansion.enabled false
global.meshExpansion.useILB false If set to true, the pilot and citadel mtls and the plain text pilot portswill be exposed on an internal gateway
global.multiCluster.enabled false Set to true to connect two kubernetes clusters via their respectiveingressgateway services when pods in each cluster cannot directlytalk to one another. All clusters should be using Istio mTLS and musthave a shared root CA for this model to work.
global.defaultPodDisruptionBudget.enabled true
global.useMCP true Use the Mesh Control Protocol (MCP) for configuring Mixer andPilot. Requires galley (--set galley.enabled=true).
global.trustDomain ""
global.outboundTrafficPolicy.mode ALLOW_ANY
global.sds.enabled false SDS enabled. IF set to true, mTLS certificates for the sidecars will bedistributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
global.sds.udsPath ""
global.sds.useTrustworthyJwt false
global.sds.useNormalJwt false
global.meshNetworks {}
global.enableHelmTest false Specifies whether helm test is enabled or not.This field is set to false by default, so 'helm template ...'will ignore the helm test yaml files when generating the template

New mixer key/value pairs

Key Default Value Description
mixer.env.GODEBUG gctrace=1
mixer.env.GOMAXPROCS "6" max procs should be ceil(cpu limit + 1)
mixer.policy.enabled false if policy is enabled, global.disablePolicyChecks has affect.
mixer.policy.replicaCount 1
mixer.policy.autoscaleEnabled true
mixer.policy.autoscaleMin 1
mixer.policy.autoscaleMax 5
mixer.policy.cpu.targetAverageUtilization 80
mixer.telemetry.enabled true
mixer.telemetry.replicaCount 1
mixer.telemetry.autoscaleEnabled true
mixer.telemetry.autoscaleMin 1
mixer.telemetry.autoscaleMax 5
mixer.telemetry.cpu.targetAverageUtilization 80
mixer.telemetry.sessionAffinityEnabled false
mixer.telemetry.loadshedding.mode enforce disabled, logonly or enforce
mixer.telemetry.loadshedding.latencyThreshold 100ms based on measurements 100ms p50 translates to p99 of under 1s. This is ok for telemetry which is inherently async.
mixer.telemetry.resources.requests.cpu 1000m
mixer.telemetry.resources.requests.memory 1G
mixer.telemetry.resources.limits.cpu 4800m It is best to do horizontal scaling of mixer using moderate cpu allocation.We have experimentally found that these values work well.
mixer.telemetry.resources.limits.memory 4G
mixer.podAnnotations {}
mixer.nodeSelector {}
mixer.adapters.kubernetesenv.enabled true
mixer.adapters.stdio.enabled false
mixer.adapters.stdio.outputAsJson true
mixer.adapters.prometheus.enabled true
mixer.adapters.prometheus.metricsExpiryDuration 10m
mixer.adapters.useAdapterCRDs true Setting this to false sets the useAdapterCRDs mixer startup argument to false

New grafana key/value pairs

Key Default Value Description
grafana.image.repository grafana/grafana
grafana.image.tag 5.4.0
grafana.ingress.enabled false
grafana.ingress.hosts grafana.local Used to create an Ingress record.
grafana.persist false
grafana.storageClassName ""
grafana.accessMode ReadWriteMany
grafana.security.secretName grafana
grafana.security.usernameKey username
grafana.security.passphraseKey passphrase
grafana.nodeSelector {}
grafana.contextPath /grafana
grafana.datasources.datasources.apiVersion 1
grafana.datasources.datasources.datasources.type prometheus
grafana.datasources.datasources.datasources.orgId 1
grafana.datasources.datasources.datasources.url http://prometheus:9090
grafana.datasources.datasources.datasources.access proxy
grafana.datasources.datasources.datasources.isDefault true
grafana.datasources.datasources.datasources.jsonData.timeInterval 5s
grafana.datasources.datasources.datasources.editable true
grafana.dashboardProviders.dashboardproviders.apiVersion 1
grafana.dashboardProviders.dashboardproviders.providers.orgId 1
grafana.dashboardProviders.dashboardproviders.providers.folder 'istio'
grafana.dashboardProviders.dashboardproviders.providers.type file
grafana.dashboardProviders.dashboardproviders.providers.disableDeletion false
grafana.dashboardProviders.dashboardproviders.providers.options.path /var/lib/grafana/dashboards/istio

New prometheus key/value pairs

Key Default Value Description
prometheus.retention 6h
prometheus.nodeSelector {}
prometheus.scrapeInterval 15s Controls the frequency of prometheus scraping
prometheus.contextPath /prometheus
prometheus.ingress.enabled false
prometheus.ingress.hosts prometheus.local Used to create an Ingress record.
prometheus.security.enabled true

New gateways key/value pairs

Key Default Value Description
gateways.istio-ingressgateway.sds.enabled false If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
gateways.istio-ingressgateway.sds.image node-agent-k8s SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.This server runs in the same pod as ingress gateway.
gateways.istio-ingressgateway.autoscaleEnabled true
gateways.istio-ingressgateway.cpu.targetAverageUtilization 80
gateways.istio-ingressgateway.loadBalancerSourceRanges []
gateways.istio-ingressgateway.externalIPs []
gateways.istio-ingressgateway.podAnnotations {}
gateways.istio-ingressgateway.ports.targetPort 15029
gateways.istio-ingressgateway.ports.name https-kiali
gateways.istio-ingressgateway.ports.name https-prometheus
gateways.istio-ingressgateway.ports.name https-grafana
gateways.istio-ingressgateway.ports.targetPort 15032
gateways.istio-ingressgateway.ports.name https-tracing
gateways.istio-ingressgateway.ports.targetPort 15443
gateways.istio-ingressgateway.ports.name tls
gateways.istio-ingressgateway.ports.targetPort 15020
gateways.istio-ingressgateway.ports.name status-port
gateways.istio-ingressgateway.meshExpansionPorts.targetPort 15011
gateways.istio-ingressgateway.meshExpansionPorts.name tcp-pilot-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort 15004
gateways.istio-ingressgateway.meshExpansionPorts.name tcp-mixer-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort 8060
gateways.istio-ingressgateway.meshExpansionPorts.name tcp-citadel-grpc-tls
gateways.istio-ingressgateway.meshExpansionPorts.targetPort 853
gateways.istio-ingressgateway.meshExpansionPorts.name tcp-dns-tls
gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE "sni-dnat" A gateway with this mode ensures that pilot generates an additionalset of clusters for internal services but without Istio mTLS, toenable cross cluster routing.
gateways.istio-ingressgateway.nodeSelector {}
gateways.istio-egressgateway.autoscaleEnabled true
gateways.istio-egressgateway.cpu.targetAverageUtilization 80
gateways.istio-egressgateway.podAnnotations {}
gateways.istio-egressgateway.ports.targetPort 15443
gateways.istio-egressgateway.ports.name tls
gateways.istio-egressgateway.env.ISTIO_META_ROUTER_MODE "sni-dnat"
gateways.istio-egressgateway.nodeSelector {}
gateways.istio-ilbgateway.autoscaleEnabled true
gateways.istio-ilbgateway.cpu.targetAverageUtilization 80
gateways.istio-ilbgateway.podAnnotations {}
gateways.istio-ilbgateway.nodeSelector {}

New kiali key/value pairs

Key Default Value Description
kiali.contextPath /kiali
kiali.nodeSelector {}
kiali.ingress.hosts kiali.local Used to create an Ingress record.
kiali.dashboard.secretName kiali
kiali.dashboard.usernameKey username
kiali.dashboard.passphraseKey passphrase
kiali.prometheusAddr http://prometheus:9090
kiali.createDemoSecret false When true, a secret will be created with a default username and password. Useful for demos.

New istiocoredns key/value pairs

Key Default Value Description
istiocoredns.enabled false
istiocoredns.replicaCount 1
istiocoredns.coreDNSImage coredns/coredns:1.1.2
istiocoredns.coreDNSPluginImage istio/coredns-plugin:0.2-istio-1.1
istiocoredns.nodeSelector {}

New security key/value pairs

Key Default Value Description
security.enabled true
security.createMeshPolicy true
security.nodeSelector {}

New nodeagent key/value pairs

Key Default Value Description
nodeagent.enabled false
nodeagent.image node-agent-k8s
nodeagent.env.CA_PROVIDER "" name of authentication provider.
nodeagent.env.CA_ADDR "" CA endpoint.
nodeagent.env.Plugins "" names of authentication provider's plugins.
nodeagent.nodeSelector {}

New pilot key/value pairs

Key Default Value Description
pilot.autoscaleEnabled true
pilot.env.GODEBUG gctrace=1
pilot.cpu.targetAverageUtilization 80
pilot.nodeSelector {}
pilot.keepaliveMaxServerConnectionAge 30m The following is used to limit how long a sidecar can be connectedto a pilot. It balances out load across pilot instances at the cost ofincreasing system churn.

Removed configuration options

Removed ingress key/value pairs

Key Default Value Description
ingress.service.ports.nodePort 32000
ingress.service.selector.istio ingress
ingress.autoscaleMin 1
ingress.service.loadBalancerIP ""
ingress.enabled false
ingress.service.annotations {}
ingress.service.ports.name http
ingress.service.ports.name https
ingress.autoscaleMax 5
ingress.replicaCount 1
ingress.service.type LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be

Removed servicegraph key/value pairs

Key Default Value Description
servicegraph servicegraph.local
servicegraph.ingress servicegraph.local
servicegraph.service.internalPort 8088

Removed telemetry-gateway key/value pairs

Key Default Value Description
telemetry-gateway.prometheusEnabled false
telemetry-gateway.gatewayName ingressgateway
telemetry-gateway.grafanaEnabled false

Removed global key/value pairs

Key Default Value Description
global.hyperkube.tag v1.7.6_coreos.0
global.k8sIngressHttps false
global.crds true
global.hyperkube.hub quay.io/coreos
global.meshExpansion false
global.k8sIngressSelector ingress
global.meshExpansionILB false

Removed mixer key/value pairs

Key Default Value Description
mixer.autoscaleMin 1
mixer.istio-policy.cpu.targetAverageUtilization 80
mixer.autoscaleMax 5
mixer.istio-telemetry.autoscaleMin 1
mixer.prometheusStatsdExporter.tag v0.6.0
mixer.istio-telemetry.autoscaleMax 5
mixer.istio-telemetry.cpu.targetAverageUtilization 80
mixer.istio-policy.autoscaleEnabled true
mixer.istio-telemetry.autoscaleEnabled true
mixer.replicaCount 1
mixer.prometheusStatsdExporter.hub docker.io/prom
mixer.istio-policy.autoscaleMin 1
mixer.istio-policy.autoscaleMax 5

Removed grafana key/value pairs

Key Default Value Description
grafana.image grafana
grafana.service.internalPort 3000
grafana.security.adminPassword admin
grafana.security.adminUser admin

Removed gateways key/value pairs

Key Default Value Description
gateways.istio-ilbgateway.replicaCount 1
gateways.istio-egressgateway.replicaCount 1
gateways.istio-ingressgateway.replicaCount 1
gateways.istio-ingressgateway.ports.name tcp-pilot-grpc-tls
gateways.istio-ingressgateway.ports.name tcp-citadel-grpc-tls
gateways.istio-ingressgateway.ports.name http2-prometheus
gateways.istio-ingressgateway.ports.name http2-grafana
gateways.istio-ingressgateway.ports.targetPort 15011
gateways.istio-ingressgateway.ports.targetPort 8060

Removed tracing key/value pairs

Key Default Value Description
tracing.service.internalPort 9411
tracing.replicaCount 1
tracing.jaeger.ingress jaeger.local
tracing.ingress tracing.local
tracing.jaeger jaeger.local
tracing jaeger.local tracing.local
tracing.jaeger.ingress.hosts jaeger.local
tracing.jaeger.ingress.enabled false
tracing.ingress.hosts tracing.local
tracing.jaeger.ui.port 16686

Removed kiali key/value pairs

Key Default Value Description
kiali.dashboard.username admin
kiali.dashboard.passphrase admin

Removed pilot key/value pairs

Key Default Value Description
pilot.replicaCount 1
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!