Installation Options

Customizing the Installation

Maistra uses the istio-operator, a custom installer built around Istio’s helm charts. Many of the parameters supported by the installer are shown below.

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
spec:
  proxy:
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 128Mi
  tracing:
    type: Jaeger
  gateways:
    ingress: # istio-ingressgateway
      service:
        type: ClusterIP
        ports:
        - name: status-port
          port: 15020
        - name: http2
          port: 80
          targetPort: 8080
        - name: https
          port: 443
          targetPort: 8443
      meshExpansionPorts: []
    egress: # istio-egressgateway
      service:
        type: ClusterIP
        ports:
        - name: status-port
          port: 15020
        - name: http2
          port: 80
          targetPort: 8080
        - name: https
          port: 443
          targetPort: 8443
    additionalIngress:
      some-other-ingress-gateway: {}
    additionalEgress:
      some-other-egress-gateway: {}

  policy:
    type: Istiod # or Mixer
    mixer: # only applies if policy.type: Mixer
      enableChecks: false
      failOpen: false

  telemetry:
    type: Istiod # or Mixer
    mixer: # only applies if telemetry.type: Mixer, for v1 telemetry
      sessionAffinity: false
      batching:
        maxEntries: 100
        maxTime: 1s
      adapters:
        kubernetesenv: true
        stdio:
          enabled: true
          outputAsJSON: true
  addons:
    grafana:
      enabled: true
      install:
        config:
          env: {}
          envSecrets: {}
        persistence:
          storageClassName: ""
          accessMode: ReadWriteOnce
          capacity: 5Gi
        service:
          ingress:
            contextPath: /grafana
            tls:
              termination: reencrypt
    kiali:
      name: kiali
      enabled: true
      install: # install kiali CR if not present
        dashboard:
          viewOnly: false
          enableGrafana: true
          enableTracing: true
          enablePrometheus: true
      service:
        ingress:
          contextPath: /kiali
    jaeger:
      name: jaeger
      install:
        storage:
          type: Memory # or Elasticsearch
          memory:
            maxTraces: 100000
          elasticsearch:
            nodeCount: 3
            storage: {}
            redundancyPolicy: SingleRedundancy
            indexCleaner: {}
        ingress: {} # jaeger ingress configuration
  runtime:
    components:
      pilot:
        deployment:
          replicas: 2
        pod:
          affinity: {}
        container:
          resources:
            limits: {}
            requests: {}
      grafana:
        deployment: {}
        pod: {}
      kiali:
        deployment: {}
        pod: {}

General Parameters

| Parameter | Description | Default |
| --- | --- | --- |
| version | Maistra version to deploy in this control plane installation. The Maistra operator supports installing different versions of a control plane, so a cluster can run multiple service meshes with different Maistra versions. If this field is not present, the Maistra operator installs the latest version it supports. For Maistra operator 2.0 one of the following values is allowed in this field: v1.1, v2.0. | Latest supported by the Maistra operator in use |
| template | The name of a ServiceMeshControlPlane in the smcp-templates ConfigMap from which configuration is inherited. See the template documentation for details. | default |

Istio Global Values

  istio:
    global:
      hub: docker.io/maistra
      tag: 2.0.0
      mtls:
        enabled: true
      proxy:
        resources:
          requests:
            cpu: 10m
            memory: 128Mi
          limits:
      disablePolicyChecks: true
      policyCheckFailOpen: false
      imagePullSecrets:
        - MyPullSecret

| Parameter | Description | Default |
| --- | --- | --- |
| disablePolicyChecks | Enables or disables policy checks. disablePolicyChecks must be false for 3scale to work. | true |
| policyCheckFailOpen | Whether traffic is allowed to pass through Envoy when the Mixer policy service cannot be reached. | false |
| hub | The hub to use to pull the Istio images. | docker.io/maistra |
| tag | The tag to use to pull the Istio images. | 2.0.0 |
| imagePullSecrets | If access to the registry providing the Istio images is secured, an imagePullSecret can be listed here. | none |
| dnsRefreshRate | The number of seconds to wait before refreshing the DNS cache in an Envoy instance. | 300s |

mTLS

| Parameter | Description | Default |
| --- | --- | --- |
| enabled | Whether to enable mTLS between services by default. | false |

proxy

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

| Parameter | Description | Default |
| --- | --- | --- |
| cpu | The number of CPUs requested in the environment. | 10m |
| memory | The amount of memory requested in the environment. | 128Mi |

resources→limits

These are the resource limits for the proxy and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

| Parameter | Description | Default |
| --- | --- | --- |
| cpu | The maximum number of CPUs the proxy is allowed to use. | 2000m |
| memory | The maximum amount of memory the proxy is allowed to use. | 1024Mi |

istio→gateways

  gateways:
    istio-egressgateway:
      autoscaleEnabled: false
      autoscaleMin: 1
      autoscaleMax: 5
    istio-ingressgateway:
      autoscaleEnabled: false
      autoscaleMin: 1
      autoscaleMax: 5
      ior_enabled: false

istio-egressgateway

| Parameter | Description | Default |
| --- | --- | --- |
| autoscaleEnabled | Whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment. | true |
| autoscaleMin | The minimum number of pods to deploy when autoscaleEnabled is set. | 1 |
| autoscaleMax | The maximum number of pods to deploy when autoscaleEnabled is set. | 5 |

istio-ingressgateway

| Parameter | Description | Default |
| --- | --- | --- |
| autoscaleEnabled | Whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment. | true |
| autoscaleMin | The minimum number of pods to deploy when autoscaleEnabled is set. | 1 |
| autoscaleMax | The maximum number of pods to deploy when autoscaleEnabled is set. | 5 |
| ior_enabled | Whether IOR (automatic OpenShift Route creation for Gateways) is enabled. Learn more about IOR. | false |

istio→mixer

  mixer:
    enabled: true
    policy:
      autoscaleEnabled: false

    telemetry:
      autoscaleEnabled: false
      resources:
        requests:
          cpu: 10m
          memory: 128Mi
        limits:

| Parameter | Description | Default |
| --- | --- | --- |
| enabled | Whether to enable Mixer. | true |
| autoscaleEnabled | Whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment. | false |

telemetry

resources→requests

These are the resources requested and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

| Parameter | Description | Default |
| --- | --- | --- |
| cpu | The number of CPUs requested in the environment. | 10m |
| memory | The amount of memory requested in the environment. | 128Mi |

resources→limits

These are the resource limits for telemetry and may vary depending on your environment. The example above allows Maistra to run in a smaller environment.

| Parameter | Description | Default |
| --- | --- | --- |
| cpu | The maximum number of CPUs that telemetry is allowed to use. | 4800m |
| memory | The maximum amount of memory that telemetry is allowed to use. | 4G |

istio→pilot

  pilot:
    autoscaleEnabled: false
    traceSampling: 100.0

| Parameter | Description | Default |
| --- | --- | --- |
| autoscaleEnabled | Whether auto scaling is enabled. The example above disables it to allow running Maistra in a smaller environment. | false |
| traceSampling | How often random trace sampling should occur. Increase for development/testing. | 1.0 |
| jwksResolverExtraRootCA | Additional root certificates for the JWKS resolver. To add certificates, set this key to their contents in PEM format. Required when a jwksUri in Istio policies is served with a self-signed certificate. | none |

resources→requests

These are the resources requested and may vary depending on your environment.

| Parameter | Description | Default |
| --- | --- | --- |
| cpu | The number of CPUs requested in the environment. | 10m |
| memory | The amount of memory requested in the environment. | 128Mi |

istio→kiali

  kiali:
    enabled: true
    hub: docker.io/kiali
    image: kiali
    dashboard:
      viewOnlyMode: true

| Parameter | Description | Default |
| --- | --- | --- |
| enabled | Enables or disables Kiali in the environment. | true |
| hub | The hub to use to pull the Kiali images. | Delegates to Kiali operator |
| image | The name of the Kiali image. | Delegates to Kiali operator |
| jaegerInClusterURL | The URL used by Kiali to query Jaeger. This is set automatically by the operator if you deploy Jaeger using tracing.enabled: true. | none |

If you intend to use a custom image, you must override all three values: hub, image, and tag. The tag must match that expected by Kiali.

istio→kiali→dashboard

| Parameter | Description | Default |
| --- | --- | --- |
| viewOnlyMode | Whether the Kiali dashboard should be in view-only mode, not allowing any changes to the Service Mesh to be made. | false |
| grafanaURL | Sets the URL for Grafana. | none |
| jaegerURL | Sets the URL for Jaeger. | none |

istio→tracing

  tracing:
    enabled: true
    jaeger:
      template: all-in-one
      memory:
        max_traces: 100000

| Parameter | Description | Default |
| --- | --- | --- |
| enabled | Enables or disables tracing in the environment. | true |

istio→tracing→jaeger

| Parameter | Description | Default |
| --- | --- | --- |
| hub | The hub the Operator uses to pull the Jaeger images (delegates to Jaeger operator). | jaegertracing/ or registry.redhat.io/openshift-service-mesh |
| tag | The tag the Operator uses to pull the Jaeger images. | Delegates to Jaeger operator |
| template | The deployment template to use for Jaeger. | all-in-one/all-in-one |
| memory→max_traces | Sets the maximum number of traces kept in memory. | 100000 |

istio→tracing→jaeger→elasticSearch

These parameters apply in the production-elasticsearch template only.

| Parameter | Description | Default |
| --- | --- | --- |
| nodeCount | The number of Elasticsearch nodes to deploy. | 1 |
| resources→requests→memory | The amount of memory to request. | "16Gi" |
| resources→requests→cpus | The number of CPUs to request. | "1" |
| resources→limits→cpus | The limit for the number of CPUs. | |
| resources→limits→memory | The memory limit. | "16Gi" |

3scale

disablePolicyChecks must be false for 3scale to work.

  threeScale:
    enabled: false
    hub: quay.io/3scale
    image: 3scale-istio-adapter
    tag: v1.0.0
    PARAM_THREESCALE_LISTEN_ADDR: 3333
    PARAM_THREESCALE_LOG_LEVEL: info
    PARAM_THREESCALE_LOG_JSON: true
    PARAM_THREESCALE_LOG_GRPC: false
    PARAM_THREESCALE_REPORT_METRICS: true
    PARAM_THREESCALE_METRICS_PORT: 8080
    PARAM_THREESCALE_CACHE_TTL_SECONDS: 300
    PARAM_THREESCALE_CACHE_REFRESH_SECONDS: 180
    PARAM_THREESCALE_CACHE_ENTRIES_MAX: 1000
    PARAM_THREESCALE_CACHE_REFRESH_RETRIES: 1
    PARAM_THREESCALE_ALLOW_INSECURE_CONN: false
    PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS: 10
    PARAM_THREESCALE_GRPC_CONN_MAX_SECONDS: 60

| Parameter | Description | Default |
| --- | --- | --- |
| enabled | Whether to enable 3scale. | false |
| hub | The repository to use to pull 3scale images. | quay.io/3scale or registry.redhat.io/openshift-service-mesh |
| image | The image to use for the 3scale adapter. | 3scale-istio-adapter or registry.redhat.io/openshift-service-mesh |
| tag | The image tag to use. | v1.0.0 (community) or 1.0.0 (product) |
| PARAM_THREESCALE_LISTEN_ADDR | The listen address for the gRPC server. | 3333 |
| PARAM_THREESCALE_LOG_LEVEL | The minimum log output level. Accepted values: debug, info, warn, error, none. | info |
| PARAM_THREESCALE_LOG_JSON | Whether the log is formatted as JSON. | true |
| PARAM_THREESCALE_LOG_GRPC | Whether the log includes gRPC information. | false |
| PARAM_THREESCALE_REPORT_METRICS | Whether 3scale system and backend metrics are collected and reported to Prometheus. | true |
| PARAM_THREESCALE_METRICS_PORT | The port from which the 3scale /metrics endpoint can be scraped. | 8080 |
| PARAM_THREESCALE_CACHE_TTL_SECONDS | The time period, in seconds, to wait before purging expired items from the cache. | 300 |
| PARAM_THREESCALE_CACHE_REFRESH_SECONDS | The time period, in seconds before expiry, at which a refresh of cache elements is attempted. | 180 |
| PARAM_THREESCALE_CACHE_ENTRIES_MAX | The maximum number of items that can be stored in the cache at any time. Set to 0 to disable caching. | 1000 |
| PARAM_THREESCALE_CACHE_REFRESH_RETRIES | The number of times unreachable hosts are retried during a cache update loop. | 1 |
| PARAM_THREESCALE_ALLOW_INSECURE_CONN | Whether to allow connections to the 3scale APIs without certificate verification. Enabling is not recommended. | false |
| PARAM_THREESCALE_CLIENT_TIMEOUT_SECONDS | The number of seconds to wait before terminating requests to 3scale System and the backend. | 10 |
| PARAM_THREESCALE_GRPC_CONN_MAX_SECONDS | The maximum number of seconds (+/-10% jitter) a connection may exist before it is closed. | 60 |
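A pre-apply check a mesh operator can run over these values, as an added example that is not part of the Maistra docs or operator: it walks the v1-style values tree laid out in the istio→... and 3scale sections above (spec.istio.global, spec.istio.kiali, spec.threeScale) and flags the settings that weaken the mesh (mTLS off, policy checks failing open, no proxy limits, a writable Kiali dashboard, and an unverified 3scale connection). Both sample trees are constructed for the example.

```python
def _get(tree, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is absent."""
    cur = tree
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def lint_values(values):
    """Return one finding per weak setting in the values tree (empty list = nothing flagged)."""
    findings = []
    if _get(values, "istio.global.mtls.enabled") is not True:
        findings.append("istio.global.mtls.enabled: mTLS between services is off by default")
    if _get(values, "istio.global.policyCheckFailOpen") is True:
        findings.append("istio.global.policyCheckFailOpen: traffic passes when the policy service is unreachable")
    if not _get(values, "istio.global.proxy.resources.limits"):
        findings.append("istio.global.proxy.resources.limits: sidecar CPU and memory are unbounded")
    if _get(values, "istio.kiali.enabled") and _get(values, "istio.kiali.dashboard.viewOnlyMode") is not True:
        findings.append("istio.kiali.dashboard.viewOnlyMode: Kiali users can change the mesh")
    three = _get(values, "threeScale", {}) or {}
    if three.get("enabled"):
        if _get(values, "istio.global.disablePolicyChecks") is not False:
            findings.append("istio.global.disablePolicyChecks: must be false for 3scale to work")
        if three.get("PARAM_THREESCALE_ALLOW_INSECURE_CONN") is True:
            findings.append("PARAM_THREESCALE_ALLOW_INSECURE_CONN: 3scale API certificates are not verified")
    return findings

# Constructed sample: the page's defaults with every weak choice made explicit.
WEAK = {
    "istio": {
        "global": {"mtls": {"enabled": False}, "disablePolicyChecks": True, "policyCheckFailOpen": True,
                   "proxy": {"resources": {"requests": {"cpu": "10m", "memory": "128Mi"}}}},
        "kiali": {"enabled": True, "dashboard": {"viewOnlyMode": False}},
    },
    "threeScale": {"enabled": True, "PARAM_THREESCALE_ALLOW_INSECURE_CONN": True},
}

# Constructed sample: the same tree with each flagged setting corrected.
HARDENED = {
    "istio": {
        "global": {"mtls": {"enabled": True}, "disablePolicyChecks": False, "policyCheckFailOpen": False,
                   "proxy": {"resources": {"requests": {"cpu": "10m", "memory": "128Mi"},
                                           "limits": {"cpu": "2000m", "memory": "1024Mi"}}}},
        "kiali": {"enabled": True, "dashboard": {"viewOnlyMode": True}},
    },
    "threeScale": {"enabled": True, "PARAM_THREESCALE_ALLOW_INSECURE_CONN": False},
}
```

lint_values(WEAK) returns six findings, one per weak setting, while lint_values(HARDENED) returns an empty list.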

For further options, see the Istio helm docs.