Installation Options

Customizing the Installation

Maistra uses the istio-operator, a custom installer built around Istio’s helm charts. Many of the parameters supported by the installer are shown below.

apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: auth-install
spec:
  template: default
  # NOTE, if you remove all children from an element, you should remove the
  # element too.  An empty element is interpreted as null and will override all
  # default values (i.e. no values will be specified for that element, not even
  # the defaults baked into the chart values.yaml).
  istio:
    global:
      # the following lines enable tls across the control and data planes
      controlPlaneSecurityEnabled: true
      mtls:
        enabled: true

      proxy:
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi

    gateways:
      istio-egressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
      istio-ingressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # set to true to enable IOR
        ior_enabled: false

    mixer:
      policy:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false

      telemetry:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G

    pilot:
      # disable autoscaling for use in smaller environments
      autoscaleEnabled: false
      # increase random sampling rate for development/testing
      traceSampling: 100.0

    kiali:
      # change to false to disable kiali
      enabled: true

      # create a secret for accessing kiali dashboard with the following credentials
      # dashboard:
      #   user: admin
      #   passphrase: admin

    tracing:
      # change to false to disable tracing (i.e. jaeger)
      enabled: true
      jaeger:
        tag: 1.13.1
        # simple, all-in-one strategy
        template: all-in-one
        # production strategy, utilizing elasticsearch
        #template: production-elasticsearch
        # if required. only one instance may use agentStrategy=DaemonSet
        #agentStrategy: DaemonSet

  threeScale:
    enabled: false

General Parameters

Parameter Description Default

template

A template references a ServiceMeshControlPlane referenced in the smcp-templates ConfigMap from which configuration should be inherited. See template documentation for details.

default

Istio Global Values

  istio:
    global:
      hub: docker.io/maistra
      tag: 1.2.0
      mtls:
        enabled: true
      proxy:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits:
      disablePolicyChecks: true
      policyCheckFailOpen: false
      imagePullSecrets:
        - MyPullSecret
Parameter Description Default

disablePolicyChecks

This parameter enables/disables policy checks.

disablePolicyChecks must be false for 3scale to work.

true

policyCheckFailOpen

This parameter indicates whether traffic should be allowed to pass through Envoy when the mixer policy service cannot be reached.

false

hub

The hub to use to pull the Istio images.

docker.io/maistra

tag

The tag to use to pull the Istio images.

1.2.0

imagePullSecrets

If access to the registry providing the Istio images is secure, then an imagePullSecret can be listed here.

none

dnsRefreshRate

The number of seconds to wait to refresh the DNS cache in an Envoy instance.

300s

mTLS

Parameter Description Default

enabled

This parameter controls whether to enable mTLS between services by default.

false

proxy

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

{10m}

memory

This is the amount of memory that is requested in the environment.

{128Mi}

resources → limits

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the maximum number of CPUs that proxy is allowed to use.

2000m

memory

This is the amount of memory that is requested in the environment.

1024Mi

istio→gateways

  gateways:
    istio-egressgateway:
      autoscaleEnabled: false
      autoscaleMin: 1
      autoscaleMax: 5
    istio-ingressgateway:
      autoscaleEnabled: false
      autoscaleMin: 1
      autoscaleMax: 5
      ior_enabled: false

istio-egressgateway

Parameter Description Default

autoscaleEnabled

This parameter controls whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

true

autoscaleMin

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

1

autoscaleMax

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

5

istio-ingressgateway

Parameter Description Default

autoscaleEnabled

This parameter controls whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

true

autoscaleMin

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

1

autoscaleMax

This parameter controls the minimum pods to deploy based on the autoscaleEnabled setting.

5

ior_enabled

This parameter controls whether IOR is enabled. Learn more about IOR.

false

istio → mixer

  mixer:
    enabled: true
    policy:
      autoscaleEnabled: false

    telemetry:
      autoscaleEnabled: false
      resources:
        requests:
          cpu: 10m
          memory: 128Mi
        limits:
Parameter Description Default

enabled

This parameter controls whether to enable Mixer.

true

autoscaleEnabled

This parameter controls whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

false

telemetry

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

10m

memory

This is the amount of memory that is requested in the environment.

128Mi

resources → limits

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

Parameter Description Default

cpu

This is the maximum number of CPUs that telemetry is allowed to use.

4800m

memory

This is the maximum amount of memory that telemetry is allowed to use.

4G

istio→pilot

  pilot:
    autoscaleEnabled: false
    traceSampling: 100.0
Parameter Description Default

autoscaleEnabled

This parameter controls whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment.

false

traceSampling

This value controls how often random sampling should occur. Increase for development/testing.

1.0

jwksResolverExtraRootCA

Additional root certificates for JWKSResolver. To define additional certificates, add certificates as pem file format to this key. It is required for self signed jwksUri in Istio Policies.

none

resources→requests

These are the resources requested and may vary depending on your environment.

Parameter Description Default

cpu

This is the number of CPUs that are requested in the environment.

10m

memory

This is the amount of memory that is requested in the environment.

128Mi

istio→kiali

  kiali:
    enabled: true
    hub: docker.io/kiali
    image: kiali
    dashboard:
      viewOnlyMode: true
Parameter Description Default

enabled

This enables or disables Kiali in the environment.

true

hub

The hub to use to pull the Kiali images.

Delegates to Kiali operator

image

The name of the Kiali image

Delegates to Kiali operator

jaegerInClusterURL

The URL used by Kiali to query Jaeger. This will be automatically set by the operator if you deploy Jaeger using tracing.enabled: true

none

If you intend to use a custom image, you must override all three values of hub and image. The tag must match that expected by Kiali.

istio→kiali→dashboard

Parameter Description Default

viewOnlyMode

Whether the Kiali dashboard should be in a view-only mode, not allowing any changes to the Service Mesh to be made

false

grafanaURL

Sets the URL for Grafana

none

jaegerURL

Sets the URL for Jaeger

none

istio→tracing

  tracing:
    enabled: true
    jaeger:
      template: all-in-one
      memory:
        max_traces: 100000
Parameter Description Default

enabled

This enables or disables tracing in the environment.

true

istio→tracing→jaeger

Parameter Description Default

hub

delegates to Jaeger operator

jaegertracing/ or registry.redhat.io/openshift-service-mesh

tag

The tag that the Operator uses to pull the Jaeger images

delegates to Jaeger operator

template

The deployment template to use for Jaeger

all-in-one/all-in-one

memory→max_traces

100000

This sets the maximum number of traces.

istio→tracing→jaeger→elasticSearch

These parameters apply in the production-elasticsearch template only.

Parameter Description Default

nodeCount

The number of Elastic Search nodes to deploy

1

resources→requests→memory

The amount of memory to request

"16Gi"

resources→requests→cpus

The number of CPUs to request

"1"

resources→limits→cpus

The limit for the number of CPUs

resources→limits→memory

The memory limit

"16Gi"

3scale

disablePolicyChecks must be false for 3scale to work.

  threeScale:
    enabled: false
    hub: quay.io/3scale
    image: 3scale-istio-adapter
    tag: v1.0.0
    PARAM_THREESCALE_LISTEN_ADDR: 3333
    PARAM_THREESCALE_LOG_LEVEL: info
    PARAM_THREESCALE_LOG_JSON: true
    PARAM_THREESCALE_LOG_GRPC: false
    PARAM_THREESCALE_REPORT_METRICS: true
    PARAM_THREESCALE_METRICS_PORT: 8080
    PARAM_THREESCALE_CACHE_TTL_SECONDS: 300
    PARAM_THREESCALE_CACHE_REFRESH_SECONDS: 180
    PARAM_THREESCALE_CACHE_ENTRIES_MAX: 1000
    PARAM_THREESCALE_CACHE_REFRESH_RETRIES: 1
    PARAM_THREESCALE_ALLOW_INSECURE_CONN: false
    PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS: 10
    PARAM_THREESCALE_GRPC_CONN_MAX_SECONDS: 60
Parameter Description Default

enabled

This controls whether to enable 3scale.

false

hub

The repository to use to pull 3Scale images.

quay.io/3scale or registry.redhat.io/openshift-service-mesh

image

The image to use for the 3Scale adapter.

3scale-istio-adapter or registry.redhat.io/openshift-service-mesh

tag

The image tag to use.

v1.0.0 (for community) or 1.0.0 (product)

PARAM_THREESCALE_LISTEN_ADDR

This sets the listen address for the gRPC server.

3333

PARAM_THREESCALE_LOG_LEVEL

This sets the minimum log output level. Accepted values are one of debug, info, warn, error, and none

info

PARAM_THREESCALE_LOG_JSON

This controls whether the log is formatted as JSON

true

PARAM_THREESCALE_LOG_GRPC

This controls whether the log includes gRPC information

false

PARAM_THREESCALE_REPORT_METRICS

This controls whether the 3scale system and backend metrics are collected and reported to Prometheus.

true

PARAM_THREESCALE_METRICS_PORT

This sets the port which 3scale /metrics endpoint can be scraped from.

8080

PARAM_THREESCALE_CACHE_TTL_SECONDS

This is the time period, in seconds, to wait before purging expired items from the cache.

300

PARAM_THREESCALE_CACHE_REFRESH_SECONDS

This is the time period before expiry, when cache elements are attempted to be refreshed.

180

PARAM_THREESCALE_CACHE_ENTRIES_MAX

This is the max number of items that can be stored in the cache at any time. Set to 0 to disable caching.

1000

PARAM_THREESCALE_CACHE_REFRESH_RETRIES

This sets the number of times unreachable hosts will be retried during a cache update loop.

1

PARAM_THREESCALE_ALLOW_INSECURE_CONN

This controls whether to allow certificate verification when calling 3scale APIs. Enabling is not recommended.

false

PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS

This sets the number of seconds to wait before terminating requests to 3scale System and the backend

10

PARAM_THREESCALE_GRPC_CONN_MAX_SECONDS

This sets the maximum number of seconds (+/-10% jitter) a connection may exist before it will be closed

60

For further options, see the link: helm docs.