| # Environment variables used to configure istio startup |
| |
| # Comma-separated list of CIDRs used for services. If set, iptables will be run so that the istio |
| # sidecar intercepts outbound calls to the configured addresses. If not set, no iptables rules are |
| # added for outbound traffic, so outbound calls are not redirected to the istio sidecar. |
| # ISTIO_SERVICE_CIDR= |
| |
| # Name of the service exposed by the machine. |
| # ISTIO_SERVICE=myservice |
| |
| # The mode used to redirect inbound connections to Envoy. This setting |
| # has no effect on outbound traffic: iptables REDIRECT is always used for |
| # outbound connections. |
| # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. |
| # The "REDIRECT" mode loses source addresses during redirection. |
| # If "TPROXY", use iptables TPROXY to redirect to Envoy. |
| # The "TPROXY" mode preserves both the source and destination IP |
| # addresses and ports, so that they can be used for advanced filtering |
| # and manipulation. |
| # The "TPROXY" mode also configures the sidecar to run with the |
| # CAP_NET_ADMIN capability, which is required to use TPROXY. |
| # If not set, defaults to "REDIRECT". |
| # ISTIO_INBOUND_INTERCEPTION_MODE=REDIRECT |
| |
| # When the interception mode is "TPROXY", the iptables skb mark that is set on |
| # every inbound packet to be redirected to Envoy. |
| # If not set, defaults to "1337". |
| # ISTIO_INBOUND_TPROXY_MARK=1337 |
| |
| # When the interception mode is "TPROXY", the number of the routing table that |
| # is configured and used to route inbound connections to the loopback interface |
| # in order to be redirected to Envoy. |
| # If not set, defaults to "133". |
| # ISTIO_INBOUND_TPROXY_ROUTE_TABLE=133 |
| |
| # Comma separated list of local ports that will use Istio sidecar for inbound services. |
| # If set, iptables rules will be configured to intercept inbound traffic and redirect to sidecar. |
| # If not set, no rules will be enabled |
| # ISTIO_INBOUND_PORTS= |
| |
| # List of ports to exclude from inbound interception, if ISTIO_INBOUND_PORTS is set to * |
| # Port 22 is automatically excluded |
| # ISTIO_INBOUND_EXCLUDE_PORTS= |
| |
| # Namespace of the cluster. |
| # ISTIO_NAMESPACE=default |
| |
| # Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used. |
| # Needed if the host has multiple IP addresses. |
| # ISTIO_SVC_IP= |
| |
| # If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS), you must |
| # also configure the mesh expansion machines: |
| # ISTIO_PILOT_PORT=15005 |
| # ISTIO_CP_AUTH=MUTUAL_TLS |
| |
| # Fine tuning - useful if installing/building binaries instead of using the .deb file, or running |
| # multiple instances. |
| |
| # Port used by Envoy. Defaults to 15001, used in the autogenerated config |
| # ENVOY_PORT=15001 |
| |
| # User running Envoy. For testing you can use a regular user ID - however running iptables requires |
| # root or the CAP_NET_ADMIN capability. The debian file creates user istio. |
| # ENVOY_USER=istio-proxy |
| |
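| # Uncomment to enable debugging. Debug-level proxy logs are verbose and may include details of |
| # proxied traffic, so comment this out again after troubleshooting. |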
| # ISTIO_AGENT_FLAGS="--proxyLogLevel debug" |
| |
| # Directory for stdout redirection. The redirection is required because envoy attempts to open |
| # /dev/stdout, which must be a real file. Will be used for access logs. Additional config for logsaver |
| # needs to be made; envoy reopens the file on SIGUSR1. |
| # ISTIO_LOG_DIR=/var/log/istio |
| |
| # Installation directory for istio binaries, customize in case you're using a binary. |
| # This is likely to change - current path matches the docker layout in 0.1 |
| # ISTIO_BIN_BASE=/usr/local/bin |
| |
| # Location of istio configs. |
| # ISTIO_CFG=/var/lib/istio |
| |
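| # Ignore Istio's custom iptables rules. |
| # Set this flag to true if you would like to manage iptables yourself; redirection to the sidecar |
| # then depends entirely on the rules you install. Allowed values: true/false. Defaults to false. |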
| # ISTIO_CUSTOM_IP_TABLES=false |
| |
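| # Location of provisioning certificates. VM provisioning tools must generate a certificate with |
| # the expected SAN. Istio-agent will use it to connect to istiod and get fresh certificates. |
| # These files are credentials: restrict access to this directory to the provisioning tool and the |
| # account that runs istio-agent. |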
| # PROV_CERT=/var/run/secrets/istio |
| |
| # Location to save the certificates from the CA. Setting this to the same location as PROV_CERT |
| # allows rotation of the secrets. Users may also use a longer-lived PROV_CERT, rotated under the control |
| # of the provisioning tool. |
| # Istiod may return a shorter-lived certificate with additional information, to be used for |
| # workload communication. In order to use the certificate with applications not supporting SDS, set this |
| # environment variable. If the value is different from PROV_CERT, the workload certs will be saved, but |
| # the provisioning cert will remain under control of the VM provisioning tools. |
| # OUTPUT_CERTS=/var/run/secrets/istio |
| # OUTPUT_CERTS=/etc/certs |
| |
| # Address of the CA. The CA must implement the Istio protocol, accepting the provisioning certificate |
| # and returning workload certificates. Istiod implements the protocol, and is the default value |
| # if CA_ADDR is not set. |
| # CA_ADDR |
| # Set CA_ADDR if your istiod.dubbo-system.svc is on a port other than 15012. |
| # CA_ADDR=istiod.dubbo-system.svc:32018 |