Custom Installation

Customizing the Installation

Maistra uses the istio-operator, a custom installer built around Istio’s helm charts. Many of the parameters supported by the installer are shown below.

apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: auth-install
spec:
  # NOTE, if you remove all children from an element, you should remove the
  # element too.  An empty element is interpreted as null and will override all
  # default values (i.e. no values will be specified for that element, not even
  # the defaults baked into the chart values.yaml).
  istio:
    global:
      multitenant: false

      # the following lines enable tls across the control and data planes
      controlPlaneSecurityEnabled: true
      mtls:
        enabled: true

      proxy:
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi

    gateways:
      istio-egressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
      istio-ingressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # set to true to enable IOR
        ior_enabled: false

    mixer:
      policy:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false

      telemetry:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G

    pilot:
      # disable autoscaling for use in smaller environments
      autoscaleEnabled: false
      # increase random sampling rate for development/testing
      traceSampling: 100.0

    kiali:
      # change to false to disable kiali
      enabled: true

      # to use oauth, remove the following 'dashboard' section
      # create a secret for accessing kiali dashboard with the following credentials
      dashboard:
        user: admin
        passphrase: admin

    tracing:
      # change to false to disable tracing (i.e. jaeger)
      enabled: true
  threescale:
    enabled: false

Istio Globals

  istio:
    global:
      multitenant: false
      proxy_init:
          image: maistra/proxy-init-ubi8
      hub: my-private-registry.com/custom-namespace
      tag: 0.11.0
      mtls:
        enabled: true
      proxy:
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi
      disablePolicyChecks: true
      policyCheckFailOpen: false
      imagePullSecrets:
        - MyPullSecret
Parameter Description Default

multitenant

This is a boolean indicating whether to enable multitenancy

disablePolicyChecks

This is a boolean indicating whether to enable policy checks.

disablePolicyChecks must be false for 3scale to work.

true

policyCheckFailOpen

This is a boolean indicating wehther to traffic should be allowed through hwen the mixer policy service cannot be reached.

false

hub

The hub to use to pull the Istio images.

maistra/ if deployment_type is origin and openshift-istio-tech-preview/ if deployment_type is openshift

tag

The tag to use to pull the Istio images.

0.11.0

imagePullSecrets

If access to the registry providing the Istio images is secure, then an imagePullSecret can be listed here.

none

proxy_init

Parameter Description Default

image

This parameter controls the image to use for proxy-init.

This must be changed to maistra/proxy-init-centos7:0.11.0 if running on a RHEL7 host.

maistra/proxy-init-ubi8

mtls

Parameter Description Default

enabled

This parameter controls whether to enable mTLS between services by default.

false

proxy

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

100m

memory

This is the ammount of memory that is requested in the environment.

128Mi

resources → limits

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the maximum number of CPUs that proxy is allowed to use.

2000m

memory

This is the ammount of memory that is requested in the environment.

128Mi

istio→gateways

 gateways:
      istio-egressgateway:
        autoscaleEnabled: false
        autoscaleMin: 1
        autoscaleMax: 5
      istio-ingressgateway:
        autoscaleEnabled: false
        autoscaleMin: 1
        autoscaleMax: 5
        ior_enabled: false

istio-egressgateway

Parameter Description Default

autoscaleEnabled

This parameter controls whether autoscaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

true

autoscaleMin

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

1

autoscaleMax

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

5

istio-ingressgateway

Parameter Description Default

autoscaleEnabled

This parameter controls whether autoscaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

true

autoscaleMin

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

1

autoscaleMax

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

5

ior_enabled

This parameter controls whether Istio routes should automatically be configured in OpenShift.

false

istio→mixer

 mixer:
      enabled: true
      policy:
        autoscaleEnabled: false

      telemetry:
        autoscaleEnabled: false
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G
Parameter Description Default

enabled

This parameter controls whether to enable Mixer.

true

autoscaleEnabled

This parameter controls whether autoscaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

false

telemetry

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

1000m

memory

This is the ammount of memory that is requested in the environment.

1G

resources → limits

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the maximum number of CPUs that telemetry is allowed to use.

4800m

memory

This is the maximum ammount of memory that telemetry is allowed to use.

4G

istio→pilot

   pilot:
      autoscaleEnabled: false
      traceSampling: 100.0

resources→requests

These are the resources requested and may vary depending on your environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

500m

memory

This is the ammount of memory that is requested in the environment.

2048Mi

traceSampling

This value controls how often random sampling should occur. Increase for development/testing.

1.0

istio→kiali

   kiali:
      enabled: true
      hub: kiali
      tag: v0.16.2
      dashboard:
        user: admin
        passphrase: admin
Parameter Description Default

enabled

This enables or disables Kiali in the environment.

true

hub

The hub to use to pull the Kiali images.

kiali/ if deployment_type is origin and openshift-istio-tech-preview/ if deployment_type is openshift

tag

The tag to use to pull the Kiali images

0.16.2

dashboard

Parameter Description Default

user

This is the username used to access the Kiali console. Note that this is not related to any account on OpenShift.

true

passphrase

This is the username used to access the Kiali console. Note that this is not related to any account on OpenShift

none

istio→tracing

Parameter Description Default

enabled

This enables or disables tracing in the environment.

true

3scale

disablePolicyChecks must be false for 3scale to work.

    threescale:
        enabled: false
        PARAM_THREESCALE_LISTEN_ADDR: 3333
        PARAM_THREESCALE_LOG_JSON: true
        PARAM_THREESCALE_LOG_JSON: true
        PARAM_THREESCALE_REPORT_METRICS: true
        PARAM_THREESCALE_METRICS_PORT: 8080
        PARAM_THREESCALE_CACHE_TTL_SECONDS: 300
        PARAM_THREESCALE_CACHE_REFRESH_SECONDS: 180
        PARAM_THREESCALE_CACHE_ENTRIES_MAX: 1000
        PARAM_THREESCALE_CACHE_REFRESH_RETRIES: 1
        PARAM_THREESCALE_ALLOW_INSECURE_CONN: false
        PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS: 10
Parameter Description Default

enabled

This controls whether to enable 3scale.

false

PARAM_THREESCALE_LISTEN_ADDR

This sets the listen address for the gRPC server.

3333

PARAM_THREESCALE_LOG_LEVEL

This sets the minimum log output level. Accepted values are one of debug,info,warn,error,none

info

PARAM_THREESCALE_LOG_JSON

This controls whether the log is formatted as JSON

true

PARAM_THREESCALE_REPORT_METRICS

This controls whether the 3scale system and backend metrics are collected and reported to Prometheus.

true

PARAM_THREESCALE_METRICS_PORT

This sets the port which 3scale /metrics endpoint can be scraped from.

8080

PARAM_THREESCALE_CACHE_TTL_SECONDS

This is the time period, in seconds, to wait before purging expired items from the cache.

300

PARAM_THREESCALE_CACHE_REFRESH_SECONDS

This is the time period before expiry, when cache elements are attempted to be refreshed.

180

PARAM_THREESCALE_CACHE_ENTRIES_MAX

This is the ax number of items that can be stored in the cache at any time. Set to 0 to disable caching.

1000

PARAM_THREESCALE_CACHE_REFRESH_RETRIES

This sets the number of times unreachable hosts will be retried during a cache update loop.

1

PARAM_THREESCALE_ALLOW_INSECURE_CONN

This controls whether to allow certificate verification when calling 3scale APIs. Enabling is not recommended.

false

PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS

This sets the number of seconds to wait before terminating requests to 3scale System and the backend

10

For further options, see the link: https://istio.io/docs/reference/config/installation-options/[helm docs].