# Environment variables used to configure istio startup
# Comma separated list of CIDRs used for services. If set, iptables will be run to allow istio
# sidecar to intercept outbound calls to configured addresses. If not set, outbound istio sidecar
# will not be used via iptables.
# ISTIO_SERVICE_CIDR=
# Name of the service exposed by the machine.
# ISTIO_SERVICE=myservice
# The mode used to redirect inbound connections to Envoy. This setting
# has no effect on outbound traffic: iptables REDIRECT is always used for
# outbound connections.
# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
# The "REDIRECT" mode loses source addresses during redirection.
# If "TPROXY", use iptables TPROXY to redirect to Envoy.
# The "TPROXY" mode preserves both the source and destination IP
# addresses and ports, so that they can be used for advanced filtering
# and manipulation.
# The "TPROXY" mode also configures the sidecar to run with the
# CAP_NET_ADMIN capability, which is required to use TPROXY.
# If not set, defaults to "REDIRECT".
# ISTIO_INBOUND_INTERCEPTION_MODE=REDIRECT
# When the interception mode is "TPROXY", the iptables skb mark that is set on
# every inbound packet to be redirected to Envoy.
# If not set, defaults to "1337".
# ISTIO_INBOUND_TPROXY_MARK=1337
# When the interception mode is "TPROXY", the number of the routing table that
# is configured and used to route inbound connections to the loopback interface
# in order to be redirected to Envoy.
# If not set, defaults to "133".
# ISTIO_INBOUND_TPROXY_ROUTE_TABLE=133
# Comma separated list of local ports that will use Istio sidecar for inbound services.
# If set, iptables rules will be configured to intercept inbound traffic and redirect to sidecar.
# If not set, no rules will be enabled.
# ISTIO_INBOUND_PORTS=
# List of ports to exclude from inbound interception, if ISTIO_INBOUND_PORTS is set to *
# Port 22 is automatically excluded
# ISTIO_INBOUND_EXCLUDE_PORTS=
# Namespace of the cluster.
# ISTIO_NAMESPACE=default
# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
# Needed if the host has multiple IP addresses.
# ISTIO_SVC_IP=
# If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS) you must
# also configure the mesh expansion machines:
# ISTIO_PILOT_PORT=15005
# ISTIO_CP_AUTH=MUTUAL_TLS
# Fine tuning - useful if installing/building binaries instead of using the .deb file, or running
# multiple instances.
# Port used by Envoy. Defaults to 15001, used in the autogenerated config
# ENVOY_PORT=15001
# User running Envoy. For testing you can use a regular user ID - however running iptables requires
# root or the CAP_NET_ADMIN capability. The debian file creates user istio.
# ENVOY_USER=istio-proxy
# Uncomment to enable debugging
# ISTIO_AGENT_FLAGS="--proxyLogLevel debug"
# Directory for stdout redirection. The redirection is required because envoy attempts to open
# /dev/stdout, which must be a real file. It will be used for access logs. Additional configuration for
# the logsaver is needed; envoy reopens the file on SIGUSR1.
# ISTIO_LOG_DIR=/var/log/istio
# Installation directory for istio binaries; customize it if you are installing from a binary.
# This is likely to change - current path matches the docker layout in 0.1
# ISTIO_BIN_BASE=/usr/local/bin
# Location of istio configs.
# ISTIO_CFG=/var/lib/istio
# Ignore Istio iptables custom rules
# Enable this flag if you would like to manage iptables yourself. Defaults to false (true/false).
# ISTIO_CUSTOM_IP_TABLES=false
# Location of provisioning certificates. VM provisioning tools must generate a certificate with
# the expected SAN. Istio-agent will use it to connect to istiod and get fresh certificates.
# PROV_CERT=/var/run/secrets/istio
# Location to save the certificates from the CA. Setting this to the same location with PROV_CERT
# allows rotation of the secrets. Users may also use longer-lived PROV_CERT, rotated under the control
# of the provisioning tool.
# Istiod may return a shorter-lived certificate with additional information, to be used for
# workload communication. In order to use that certificate with applications not supporting SDS, set this
# environment variable. If the value is different from PROV_CERT, the workload certs will be saved there, but
# the provisioning cert will remain under the control of the VM provisioning tools.
# OUTPUT_CERTS=/var/run/secrets/istio
# OUTPUT_CERTS=/etc/certs
# Address of the CA. The CA must implement the Istio protocol, accepting the provisioning certificate
# and returning workload certificates. Istiod implements the protocol and is the default value
# if CA_ADDR is not set.
# CA_ADDR
# Set CA_ADDR if your istiod.dubbo-system.svc is on a port other than 15012.
# CA_ADDR=istiod.dubbo-system.svc:32018