# Kiali custom resource header: declares an object of kind "Kiali" named "kiali".
# Everything under "spec" is the configuration handed to the Kiali Operator.
# NOTE(review): nesting indentation appears to have been lost in this listing;
# "name" and "annotations" presumably belong under "metadata" - restore the
# indentation before applying.
apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
name: kiali
annotations:
# NOTE(review): presumably the operator's Ansible log verbosity for this CR - confirm.
ansible.operator-sdk/verbosity: "0"
spec:
###################################################################
# kiali_cr.yaml
#
# This is a fully documented Kiali custom resource yaml file.
# It can be used to tell the Kiali Operator to install Kiali.
#
# This is actually an empty Kiali CR, however, it provides
# documentation on all available settings.
# In each documented section, you will see a "---" marker;
# below that marker you will see the names of the settings along
# with their default values. If the setting is not defined by
# default, its name will be prefixed with "#".
###################################################################
##########
# ---
# additional_display_details:
# - title: "API Documentation"
# annotation: "kiali.io/api-spec"
# icon_annotation: "kiali.io/api-type"
#
# A list of additional details that Kiali will look for in annotations and display, for every workload and service, in their respective details pages.
# It can typically be used to inject some CI metadata or documentation links into Kiali views.
# Each item in the list is an object with "annotation", "title" and "icon_annotation" fields to indicate which annotation Kiali needs to look for, and how it should be displayed.
# "icon_annotation" is optional and would display an icon next to the text.
# At the moment, the value of the icon annotation can only be one of "rest", "grpc" or "graphql"; otherwise, it is ignored.
# By default, these settings recognize API Documentation links via annotation "kiali.io/api-spec" and icon-annotation "kiali.io/api-type".
# For example, it would make Kiali recognize these annotations in a service or a workload definition (Deployment, StatefulSet, etc.) to display the appropriate link and text:
# annotations:
# kiali.io/api-spec: http://link/to/my/doc
# kiali.io/api-type: rest
# Should you change this setting for your own custom annotations, keep in mind that it would override the current default.
# So you would have to copy the "API Documentation" setting as shown above if you want to preserve these links.
##########
# Tag used to identify a particular instance/installation of the Kiali server.
# ---
# installation_tag: ""
##########
# The namespaces where individual Istio components are installed.
# If left empty, it is assumed all Istio components are installed in the
# defined istio_namespace. If a component is not listed here, it is
# assumed that component is installed in istio_namespace. For example:
# istio_component_namespaces:
# prometheus: prom-ns
# means Prometheus is installed in the namespace "prom-ns" but all other
# Istio components are installed in the namespace defined in istio_namespace.
# ---
# istio_component_namespaces: {}
##########
# The namespace where Istio is installed. If left empty, it is assumed to be the
# same namespace as where Kiali is installed (i.e. deployment.namespace).
# Note that if you install some Istio components in other namespaces, specify
# that component's namespace in istio_component_namespaces.
# ---
# istio_namespace: ""
##########
# The version of the Ansible playbook to execute in order to install that version of Kiali.
# If not specified, a default version of Kiali will be installed which will be the most recent release of Kiali.
# The currently allowed values for this setting are: "default", "v1.0", "v1.12", "v1.24"
# Refer to this file to see where these values are defined in the master branch:
# https://github.com/kiali/kiali-operator/tree/master/playbooks/default-supported-images.yml
#
# This version setting affects the defaults of the deployment.image_name and
# deployment.image_version settings. See the comments for those settings
# below for additional details. But in short, this version setting will
# dictate which version of the Kiali image will be deployed by default.
# Note that if you explicitly set deployment.image_name and/or
# deployment.image_version you are responsible for ensuring those settings
# are compatible with this setting (i.e. the Kiali image must be compatible
# with the rest of the configuration and resources the operator will install).
#
# See the Kiali documentation to determine which of these versions support
# the version of Istio you are installing Kiali with.
#
# ---
# version: "default"
##########
# ---
# api:
#
# Allows for controlling what namespaces/projects are returned by Kiali.
#
# 'exclude' is optional and takes a list of namespaces to be excluded from the list
# of namespaces provided by the API and UI. Regex is supported. This does not affect
# explicit namespace access.
#
# 'label_selector' is optional and takes a string value of a Kubernetes label selector
# (e.g. "myLabel=myValue") which is used when fetching the list of available namespaces.
# This does not affect explicit namespace access.
# Note that if you do not set this but deployment.accessible_namespaces does not have the
# special "all namespaces" value of "**" then this label_selector will be set
# to a default value of "kiali.io/member-of=<deployment.namespace>" where
# <deployment.namespace> is the namespace where Kiali is to be installed.
# If deployment.accessible_namespaces does not have the special value of "**"
# then the Kiali operator will add a new label to all accessible namespaces - that new
# label will be this label_selector.
#
# ---
# namespaces:
# exclude:
# - "istio-operator"
# - "kube.*"
# - "openshift.*"
# - "ibm.*"
# - "kiali-operator"
# #label_selector:
##########
# ---
# auth:
#
# Determines what authentication strategy to use when users log into Kiali.
# Options are "anonymous", "token", "openshift", "openid".
# Choose "anonymous" to allow full access to Kiali without requiring any credentials.
# Choose "token" to allow access to Kiali using service account tokens, which controls
# access based on RBAC roles assigned to the service account.
# Choose "openshift" to use the OpenShift OAuth login which controls access based on
# the individual's RBAC roles in OpenShift. Not valid for non-OpenShift environments.
# Choose "openid" to enable OpenID connect based authentication. Your cluster is required to
# be configured to accept the tokens issued by your IdP. There are additional required
# configurations for this strategy. See below for the additional OpenID configuration section.
# When empty, its value will default to "openshift" on OpenShift and "token" on Kubernetes.
# ---
# strategy: ""
#
# To learn how to configure the OpenId authentication strategy, read the documentation
# at the website on https://kiali.io/documentation/latest/configuration/authentication/openid/
#
# ---
# openid:
# api_proxy: ""
# api_proxy_ca_data: ""
# authentication_timeout: 300
# authorization_endpoint: ""
# client_id: ""
# disable_rbac: false
# insecure_skip_verify_tls: false
# issuer_uri: ""
# scopes: ["openid", "profile", "email"]
# username_claim: "sub"
#
# The Route resource name and OAuthClient resource name will have this value as its prefix.
# This value normally should never change. The installer will ensure this value is set correctly.
# ---
# openshift:
# client_id_prefix: kiali
# Live setting: overrides the documented default ("openshift" on OpenShift,
# "token" on Kubernetes) with "anonymous".
# NOTE(review): "anonymous" is documented above as allowing full access to Kiali
# without requiring any credentials, so every client that can reach the Kiali
# endpoint is treated the same and no per-user RBAC applies. The deployment
# section of this CR does not set view_only_mode (documented default: false), so
# that access is not limited to viewing. Outside a disposable lab cluster, prefer
# "token" or "openid"; if "anonymous" must stay, set deployment.view_only_mode
# to true and restrict which clients can reach the service.
auth:
strategy: anonymous
##########
# ---
# deployment:
#
# A list of namespaces Kiali is to be given access to.
# These namespaces have service mesh components that are to be observed by Kiali.
# You can provide names using regex expressions matched against all namespaces the operator can see.
# The default makes all namespaces accessible except for some internal namespaces that typically should be ignored.
# NOTE! If this has an entry with the special value of "**" (two asterisks), that will denote you want
# Kiali to be given access to all namespaces via a single cluster role (if using this special value of "**",
# you are required to have already granted the operator permissions to create cluster roles and cluster role bindings).
# ---
# accessible_namespaces: ["^((?!(istio-operator|kube.*|openshift.*|ibm.*|kiali-operator)).)*$"]
#
# Additional custom yaml to add to the service definition. This is used mainly to customize the service type.
# For example, if the deployment.service_type is set to "LoadBalancer" and you want to set the loadBalancerIP,
# you can do so here with: additional_service_yaml: { "loadBalancerIP": "78.11.24.19" }.
# Another example would be if the deployment.service_type is set to "ExternalName" you will need to configure
# the name via: additional_service_yaml: { "externalName": "my.kiali.example.com" }.
# A final example would be if external IPs need to be set: additional_service_yaml: { "externalIPs": ["80.11.12.10"] }
# ---
# #additional_service_yaml:
#
# Affinity definitions that are to be used to define the nodes where the Kiali pod should be constrained.
# See the Kubernetes documentation on Assigning Pods to Nodes for the proper syntax for these three
# different affinity types.
# ---
# affinity:
# node: {}
# pod: {}
# pod_anti: {}
#
# Names of the out-of-box custom monitoring dashboards that are to be installed.
# The custom monitoring dashboards are defined in yaml files located within the operator.
# Consult the operator templates for the custom monitoring dashboard yaml files available.
# For example, see this for the current list of yaml files available:
# https://github.com/kiali/kiali-operator/tree/master/roles/default/kiali-deploy/templates/dashboards
# These settings will determine the additional metric graphs that you will see within the Kiali UI.
# You can specify an includes and excludes list, the excludes list takes precedence.
# Each list can have fileglob wildcard characters '*' and '?' for file matching.
# ---
# custom_dashboards:
# excludes: ['']
# includes: ['*']
#
# Determines which Kiali image to download and install.
# If you set this to a specific name (i.e. you do not leave it as the default empty string),
# you must make sure that image is supported by the operator.
# If empty, the operator will use a known supported image name based on which "version" was defined.
# Note that, as a security measure, a cluster admin may have configured the Kiali operator to
# ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs
# a single, specific Kiali version, thus this setting may have no effect depending on how the
# operator itself was configured.
# ---
# image_name: ""
#
# The Kubernetes pull policy for the Kiali deployment.
# This is overridden to be "Always" if image_version is set to "latest".
# ---
# image_pull_policy: "IfNotPresent"
#
# The names of the secrets to be used when container images are to be pulled.
# ---
# image_pull_secrets: []
#
# Determines which version of Kiali to install.
# Choose "lastrelease" to use the last Kiali release.
# Choose "latest" to use the latest image (which may or may not be a released version of Kiali).
# Choose "operator_version" to use the image whose version is the same as the operator version.
# Otherwise, you can set this to any valid Kiali version (such as "v1.0").
# Note that if this is set to "latest" then the image_pull_policy will be "Always".
# If you set this to a specific version (i.e. you do not leave it as the default empty string),
# you must make sure that image is supported by the operator.
# If empty, the operator will use a known supported image version based on which "version" was defined.
# Note that, as a security measure, a cluster admin may have configured the Kiali operator to
# ignore this setting. A cluster admin may do this to ensure the Kiali operator only installs
# a single, specific Kiali version, thus this setting may have no effect depending on how the
# operator itself was configured.
# ---
# image_version: ""
#
# Determines if the Kiali endpoint should be exposed externally.
# If true, an Ingress will be created if on Kubernetes or a Route if on OpenShift.
# ---
# ingress_enabled: true
#
# Determines the logger configuration.
# log_format supports text and json.
# log_level supports trace, debug, info, warn, error, fatal.
# time_field_format supports a golang time format (https://golang.org/pkg/time/)
# sampler_rate defines a basic log sampler setting as an integer. With this setting every sampler_rate-th
# message will be logged. By default, every message is logged.
# ---
# logger:
# log_level: info
# log_format: text
# sampler_rate: "1"
# time_field_format: "2006-01-02T15:04:05Z07:00"
#
# The namespace into which Kiali is to be installed. If this is empty or not defined,
# the default will be the namespace where the Kiali CR is located.
# ---
# namespace: ""
#
# A set of node labels that dictate onto which node the Kiali pod will be deployed.
# ---
# node_selector: {}
#
# Because an ingress into a cluster can vary wildly in its desired configuration,
# this setting provides a way to override complete portions of the ingress resource
# configuration (Ingress on Kubernetes and Route on OpenShift). It is up to the user
# to ensure this override YAML configuration is valid and supports the cluster environment
# since the operator will blindly copy this custom configuration into the resource it
# creates.
# This setting is not used if deployment.ingress_enabled is set to 'false'.
# Note that only 'metadata.annotations' and 'spec' are valid and only they will
# be used to override those same sections in the created resource. You can define
# either one or both.
# Example:
# override_ingress_yaml:
# metadata:
# annotations:
# nginx.ingress.kubernetes.io/secure-backends: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# spec:
# rules:
# - http:
# paths:
# - path: /kiali
# backend:
# serviceName: kiali
# servicePort: 20001
# ---
# #override_ingress_yaml:
#
# Custom annotations to be created on the Kiali pod.
# ---
# pod_annotations: {}
#
# Custom labels to be created on the Kiali pod.
# ---
# pod_labels: {}
#
# The priorityClassName used to assign the priority of the Kiali pod.
# ---
# priority_class_name: ""
#
# The replica count for the Kiali deployment.
# ---
# replicas: 1
#
# Defines compute resources that are to be given to the Kiali pod's container.
# The value is a dict as defined by Kubernetes. See the Kubernetes documentation
# https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container
# ---
# resources: {}
#
# The name of a secret used by the Kiali. Reserved for future use - not currently used.
# ---
# secret_name: "kiali"
#
# Custom annotations to be created on the Kiali Service resource.
# ---
# service_annotations: {}
#
# The Kiali service type. Kubernetes determines what values are valid.
# Common values are "NodePort", "ClusterIP", and "LoadBalancer".
# ---
# #service_type:
#
# A list of tolerations which declare which node taints Kiali can tolerate.
# See the Kubernetes documentation on Taints and Tolerations for more details.
# ---
# tolerations: []
#
# DEPRECATED - use the logger.log_level setting.
# Determines which priority levels of log messages Kiali will output.
# Typical values are "3" for INFO and higher priority, "4" for DEBUG and higher priority.
# ---
# verbose_mode: "3"
#
# Kiali resources will be assigned a "version" label when they are deployed.
# This determines what value those "version" labels will have.
# When empty, its default will be determined as follows:
# If image_version is "latest", version_label will be fixed to "master".
# If image_version is "lastrelease", version_label will be fixed to
# the last Kiali release version string.
# If the image_version is anything else, version_label will be that value, too.
# ---
# version_label: ""
#
# When true, Kiali will be in "view only" mode, allowing the user to view and retrieve
# management and monitoring data for the service mesh, but not allow the user to
# modify the service mesh.
# ---
# view_only_mode: false
# Live deployment overrides; every other deployment.* setting keeps the default
# documented above.
# ingress_enabled: false means the operator creates no Ingress (Kubernetes) or
# Route (OpenShift), i.e. the Kiali endpoint is not exposed externally by it.
# NOTE(review): because auth.strategy is "anonymous" in this CR, this flag is the
# main control keeping the unauthenticated UI off external networks. Confirm no
# other path (a service_type such as "LoadBalancer"/"NodePort", or an ingress
# managed outside the operator) publishes the service.
deployment:
ingress_enabled: false
namespace: "istio-system"
##########
# ---
# extensions:
#
# Kiali enabled integration with Iter8 project.
# If this extension is enabled, Kiali will communicate with Iter8 controller allowing to manage Experiments and review results.
# Additional documentation https://iter8.tools/
# ---
# iter_8:
#
# Flag to indicate if iter8 extension is enabled in Kiali
# ---
# enabled: false
##########
# ---
# external_services:
#
# Note about sensitive values in the external_services "auth" sections:
# Some external services configured below support an "auth" sub-section in order to tell Kiali how it should
# authenticate with the external services. Credentials used to authenticate Kiali to those external services can
# be defined in the "auth.password" and "auth.token" values within the "auth" sub-section.
# Because these are sensitive values, you may not want to declare the actual credentials here in the Kiali CR. In
# this case, you may store the actual password or token string in a Kubernetes secret. If you do, you need to
# set the "auth.password" or "auth.token" to a value in the format "secret:<secretName>:<secretKey>" where
# "<secretName>" is the name of the secret object that Kiali can access, and <secretKey> is the name of the key
# within the named secret that contains the actual password or token string. For example, if Grafana requires a
# password, you can store that password in a secret named "myGrafanaCredentials" in a key named "myGrafanaPw".
# In this case, you would set "external_services.grafana.auth.password" to "secret:myGrafanaCredentials:myGrafanaPw".
# Live external_services configuration starts here.
# The sections set in this CR (grafana, prometheus, tracing) all use auth type
# "none", so no password or token is embedded in this file. If credentials are
# added later, use the "secret:<secretName>:<secretKey>" form described above
# rather than writing the value inline.
external_services:
#
# **Custom-dashboards settings:
# enabled: enable or disable custom dashboards, including the dashboards discovery process. Default: true.
# is_core_component: Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
# namespace_label: Prometheus label name used for identifying namespaces in metrics for custom dashboards.
# Default is "kubernetes_namespace". It is quite common to use just "namespace" as well, depending on your Prometheus configuration.
# prometheus: please check the section below about Prometheus-specific settings: they are identical. The Prometheus
# configuration defined here is dedicated to fetching custom dashboards, hence allowing to use a different instance
# of Prometheus. If omitted, the same Prometheus as for Istio metrics will be reused for custom dashboards.
# ---
# custom_dashboards:
# enabled: true
# is_core_component: false
# namespace_label: "kubernetes_namespace"
# prometheus:
# auth:
# ca_file: ""
# insecure_skip_verify: false
# password: ""
# token: ""
# type: "none"
# use_kiali_token: false
# username: ""
# url: ""
# Custom dashboards are enabled (same as the documented default).
# is_core_component: false - per the description above, unhealthy scenarios for
# this component are raised as warnings rather than errors.
custom_dashboards:
enabled: true
is_core_component: false
# Prometheus not specified here. Specification for external_services.prometheus (below) will be used
#
# **Grafana-specific settings:
# auth: authentication settings to connect to Grafana:
# ca_file: The certificate authority file to use when accessing Grafana using https. An empty string means no extra
# certificate authority file is used. Default is an empty string.
# insecure_skip_verify: Set true to skip verifying certificate validity when Kiali contacts Grafana over https.
# password: Password to be used when making requests to Grafana, for basic authentication. User only requires viewer permissions. May refer to a secret - see note above.
# token: Token / API key to access Grafana, for token-based authentication. It only requires viewer permissions. May refer to a secret - see note above.
# type: The type of authentication to use when contacting the server from the Kiali backend. Use "bearer" to send the
# token to the Grafana server. Use "basic" to connect with username and password credentials. Use "none" to not use any authentication.
# Default is "none"
# use_kiali_token: When true and if auth.type is "bearer", the same OAuth token used for authentication in Kiali will be used for the API calls to Grafana,
# and auth.token config is ignored then.
# username: Username to be used when making requests to Grafana, for basic authentication. User only requires viewer permissions.
# is_core_component: Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
# dashboards: A list of Grafana dashboards that Kiali can link to. Each item contains:
# name: The name of the dashboard in Grafana
# variables:
# app: The name of a variable that holds the app name, if used in that dashboard (else it must be omitted)
# namespace: The name of a variable that holds the namespace, if used in that dashboard (else it must be omitted)
# service: The name of a variable that holds the service name, if used in that dashboard (else it must be omitted)
# workload: The name of a variable that holds the workload name, if used in that dashboard (else it must be omitted)
# enabled: When true, Grafana support will be enabled in Kiali.
# in_cluster_url: Set URL for in-cluster access. Example: "http://grafana.istio-system:3000". This URL can contain query parameters if needed, such as "?orgId=1".
# url: The URL that Kiali uses when integrating with Grafana. This URL must be accessible to clients external to
# the cluster in order for the integration to work properly. If empty, an attempt to auto-discover it is made.
# This URL can contain query parameters if needed, such as "?orgId=1".
# ---
# grafana:
# auth:
# ca_file: ""
# insecure_skip_verify: false
# password: ""
# token: ""
# type: "none"
# use_kiali_token: false
# username: ""
# is_core_component: false
# dashboards:
# - name: "Istio Service Dashboard"
# variables:
# namespace: "var-namespace"
# service: "var-service"
# - name: "Istio Workload Dashboard"
# variables:
# namespace: "var-namespace"
# workload: "var-workload"
# enabled: true
# in_cluster_url: "http://grafana.istio-system:3000"
# url: ""
# Grafana integration: Kiali contacts Grafana at the in-cluster service URL below
# with no authentication (auth.type "none"). "url" is not set, so per the
# description above Kiali will attempt to auto-discover the external URL.
# NOTE(review): the URL scheme is http, so requests are unauthenticated and not
# protected by TLS at this layer; confirm that in-cluster traffic is protected
# some other way (e.g. mesh mTLS or a network policy) and that this Grafana
# instance is meant to be readable without credentials.
grafana:
auth:
type: none
in_cluster_url: "http://c756-grafana.istio-system.svc.cluster.local:80"
# **Istio-specific settings:
# component_status:
# enabled: Enable/Disable of istio component status into masthead indicator. It defaults to true.
# components: A list of components whose statuses Kiali will check.
# app_label: Istio component pod app label.
# is_core: Whether the component is core for your deployment.
# namespace: The namespace where the component is installed in. It defaults to the 'istio_namespace' setting.
# config_map_name: The name of the istio control plane config map. It defaults to `istio`.
# envoy_admin_local_port: The port which kiali will open to fetch envoy config data information.
# istio_identity_domain: The annotation used by Istio to identify domains.
# istio_injection_annotation: The annotation used by Istio to automatically inject a specific workload
# istio_sidecar_annotation: The pod annotation used by Istio to identify the sidecar.
# url_service_version: The Istio service used to determine the Istio version. If empty, assumes the URL for the well-known Istio version endpoint.
# ---
# istio:
# component_status:
# enabled: true
# components:
# - app_label: istiod
# is_core: true
# - app_label: istio-ingressgateway
# is_core: true
# - app_label: istio-egressgateway
# is_core: false
# config_map_name: "istio"
# envoy_admin_local_port: 15000
# istio_identity_domain: "svc.cluster.local"
# istio_injection_annotation: "sidecar.istio.io/inject"
# istio_sidecar_annotation: "sidecar.istio.io/status"
# url_service_version: ""
# Istio integration settings. Every value below repeats the documented default
# shown in the commented block above; they are spelled out explicitly rather
# than changed.
istio:
component_status:
enabled: true
# istiod and the ingress gateway are marked core; the egress gateway is not.
components:
- app_label: istiod
is_core: true
- app_label: istio-ingressgateway
is_core: true
- app_label: istio-egressgateway
is_core: false
config_map_name: "istio"
# Port Kiali opens to fetch Envoy config data (see description above).
envoy_admin_local_port: 15000
istio_identity_domain: "svc.cluster.local"
istio_injection_annotation: "sidecar.istio.io/inject"
istio_sidecar_annotation: "sidecar.istio.io/status"
# Empty: Kiali assumes the well-known Istio version endpoint.
url_service_version: ""
#
#
# **Prometheus-specific settings:
# auth: authentication settings to connect to Prometheus:
# ca_file: The certificate authority file to use when accessing Prometheus using https. An empty string means no extra
# certificate authority file is used. Default is an empty string.
# insecure_skip_verify: Set true to skip verifying certificate validity when Kiali contacts Prometheus over https.
# password: Password to be used when making requests to Prometheus, for basic authentication. May refer to a secret - see note above.
# token: Token / API key to access Prometheus, for token-based authentication. May refer to a secret - see note above.
# type: The type of authentication to use when contacting the server from the Kiali backend. Use "bearer" to send the
# token to the Prometheus server. Use "basic" to connect with username and password credentials. Use "none" to not use any authentication.
# Default is "none"
# use_kiali_token: When true and if auth.type is "bearer", Kiali Service Account token will be used for the API calls to Prometheus,
# and auth.token config is ignored then.
# username: Username to be used when making requests to Prometheus, for basic authentication.
# cache_duration: Prometheus caching duration expressed in seconds
# cache_enabled: Enable/disable Prometheus caching used for Health services
# cache_expiration: Prometheus caching expiration expressed in seconds
# url: The URL used to query the Prometheus Server. This URL must be accessible from the Kiali pod.
# If empty, assumes it is in the istio namespace at the URL "http://prometheus.<istio_namespace>:9090"
# ---
# prometheus:
# auth:
# ca_file: ""
# insecure_skip_verify: false
# password: ""
# token: ""
# type: "none"
# use_kiali_token: false
# username: ""
# cache_duration: 10
# cache_enabled: true
# cache_expiration: 300
# url: ""
# Prometheus integration: Kiali queries the Prometheus server at the in-cluster
# URL below with no authentication (auth.type "none"). No custom_dashboards
# Prometheus is configured in this CR, so this instance is also used for custom
# dashboards.
# NOTE(review): the URL scheme is http, so queries are unauthenticated and not
# protected by TLS at this layer; confirm that this Prometheus is only reachable
# from inside the cluster and that in-cluster traffic is protected some other
# way (e.g. mesh mTLS or a network policy).
prometheus:
auth:
type: none
url: http://c756-kube-prometheus-stack-prometheus.istio-system.svc.cluster.local:9090
#
# **Tracing-specific settings:
# - Right now we only support Jaeger
# auth: authentication settings to connect to Jaeger:
# ca_file: The certificate authority file to use when accessing Jaeger using https. An empty string means no extra
# certificate authority file is used. Default is an empty string.
# insecure_skip_verify: Set true to skip verifying certificate validity when Kiali contacts Jaeger over https.
# password: Password to be used when making requests to Jaeger, for basic authentication. User only requires viewer permissions. May refer to a secret - see note above.
# token: Token / API key to access Jaeger, for token-based authentication. It only requires viewer permissions. May refer to a secret - see note above.
# type: The type of authentication to use when contacting the server from the Kiali backend. Use "bearer" to send the
# token to Jaeger Query. Use "basic" to connect with username and password credentials. Use "none" to not use any authentication.
# Default is "none"
# use_kiali_token: When true and if auth.type is "bearer", the same OAuth token used for authentication in Kiali will be used for the API calls to Jaeger Query,
# and auth.token config is ignored then.
# username: Username to be used when making requests to Jaeger, for basic authentication. User only requires viewer permissions.
# is_core_component: Used in the Components health feature. When true, the unhealthy scenarios will be raised as errors. Otherwise, they will be raised as a warning.
# enabled: When true, connections to Jaeger are enabled. "in_cluster_url" and/or "url" need to be provided.
# in_cluster_url: Set URL for in-cluster access, which enables further integration between Kiali and Jaeger.
# When not provided, Kiali will only show external links using the "url" config.
# Example: "http://tracing.istio-system".
# namespace_selector: Kiali uses this boolean to look up traces with the namespace selector: service.namespace. Default: true
# url: External URL that will be used to generate links to Jaeger. It must be accessible to clients external to
# the cluster (e.g: browser) in order to generate valid links.
# If tracing service is deployed in a QUERY_BASE_PATH set this in the url like https://<hostname>/<QUERY_BASE_PATH> . EX: https://tracing-service:8080/jaeger
# whitelist_istio_system: Set whitelist services in istio-system to check their traces
# ---
# tracing:
# auth:
# ca_file: ""
# insecure_skip_verify: false
# password: ""
# token: ""
# type: "none"
# use_kiali_token: false
# username: ""
# is_core_component: false
# enabled: true
# in_cluster_url: ""
# namespace_selector: true
# url: ""
# whitelist_istio_system: ["jaeger-query", "istio-ingressgateway"]
# Tracing (Jaeger) integration is switched off: enabled is false, overriding the
# documented default of true. No in_cluster_url or url is configured.
# NOTE(review): auth.type "none" presumably has no effect while tracing is
# disabled; revisit it if the integration is enabled later.
tracing:
auth:
type: "none"
enabled: false
##########
# ---
# health_config:
#
# rate: A list of health configurations that Kiali uses to determine which nodes are (and are not) healthy. Each item contains:
# namespace: The name of the namespace that this configuration applies to. This is a regular expression.
# kind: The type of resource that this configuration applies to. This is a regular expression.
# name: The name of a resource that this configuration applies to. This is a regular expression.
# tolerance: A list of tolerances for this configuration. Each item contains:
# protocol: The protocol that applies for this tolerance (e.g. grpc or http). This is a regular expression.
# direction: The direction that applies for this tolerance (e.g. inbound or outbound). This is a regular expression.
# code: The status code that applies for this tolerance. This is a regular expression.
# degraded: Health will be considered degraded when the telemetry reaches this value (specified as a %).
# failure: A failure status will be shown when the telemetry reaches this value (specified as a %).
# ---
# rate: []
##########
# ---
# identity:
#
# Certificate file used to identify the file server. If set, you must go over https to access Kiali.
# The operator will set these if it deploys Kiali behind https.
# When left undefined, the operator will assign a cluster-specific cert file to provide https by default.
# When set to an empty string, https will be disabled and Kiali will be served over plain http;
# do this only when TLS is terminated in front of Kiali.
# ---
# #cert_file:
#
# Private key file used to identify the server. If set, you must go over https to access Kiali.
# When left undefined, the operator will assign a cluster-specific private key file to provide https by default.
# When set to an empty string, https will be disabled and Kiali will be served over plain http;
# do this only when TLS is terminated in front of Kiali.
# ---
# #private_key_file:
##########
# ---
# istio_labels:
#
# This section defines what labels Istio is using to indicate apps and versions.
# Typical values are: ("app" and "version") or ("app.kubernetes.io/name" and "app.kubernetes.io/version").
# Kiali needs to know what labels Istio is using to be in sync with what Istio considers applications.
# It adds the label used to instruct Istio to automatically inject sidecar proxies when applications are deployed.
# ---
# app_label_name: "app"
# injection_label_name: "istio-injection"
# version_label_name: "version"
##########
# Kiali features that can be enabled/disabled via configuration
# ---
# kiali_feature_flags:
#
# Flag that tells Kiali whether to enable or disable the action that labels a namespace for automatic Istio sidecar injection.
# ---
# istio_injection_action: true
##########
# ---
# kubernetes_config:
#
# The Burst value of the Kubernetes client.
# ---
# burst: 200
#
# The interval (expressed in seconds) at which the cache performs a full refresh.
# Only used when cache_enabled is true.
# ---
# cache_duration: 300
#
# Flag to use a Kubernetes cache for watching changes and updating pods and controllers data asynchronously.
# ---
# cache_enabled: true
#
# Kiali can cache VirtualService,DestinationRule,Gateway and ServiceEntry Istio resources if they are present
# on this list of Istio types. Other Istio types are not yet supported.
# ---
# cache_istio_types:
# - "DestinationRule"
# - "Gateway"
# - "ServiceEntry"
# - "VirtualService"
# - "Sidecar"
# - "PeerAuthentication"
# - "RequestAuthentication"
# - "AuthorizationPolicy"
#
# List of namespaces or regex defining namespaces to include in a cache.
# ---
# cache_namespaces:
# - ".*"
#
# Cache duration expressed in seconds
# Kiali caches the list of namespaces per user; this is typically a short-lived cache compared with the duration of the
# namespace cache defined by the previous CacheDuration parameter.
# ---
# cache_token_namespace_duration: 10
#
# List of controllers that won't be used for Workload calculation.
# Kiali queries Deployment,ReplicaSet,ReplicationController,DeploymentConfig,StatefulSet,Job and CronJob controllers.
# Deployment and ReplicaSet will be always queried, but ReplicationController,DeploymentConfig,StatefulSet,Job and CronJobs
# can be skipped from Kiali workloads query if they are present in this list.
# ---
# excluded_workloads:
# - "CronJob"
# - "DeploymentConfig"
# - "Job"
# - "ReplicationController"
#
# The QPS value of the Kubernetes client.
# ---
# qps: 175
##########
# ---
# login_token:
#
# The token expiration in seconds.
# ---
# expiration_seconds: 86400
#
# The signing key used to generate tokens for user authentication.
# Because this is sensitive (anyone who obtains the key could generate
# valid login tokens), you have the option to store this value in a secret
# instead of writing it inline here. If you store this signing key value in
# a secret, you must indicate what key in what secret by setting this value
# to a string in the form of "secret:<secretName>:<secretKey>"
# If left as an empty string, a secret with a random signing key will be
# generated for you.
# ---
# signing_key: ""
##########
# ---
# server:
#
# Where the Kiali server is bound. The console and API server are accessible on this host.
# ---
# address: ""
#
# When true, allows additional audit logging on write operations.
# ---
# audit_log: true
#
# When true, allows the web console to send requests to domains other than the one the console came from.
# Typically used for development environments only.
# ---
# cors_allow_all: false
#
# When true, Kiali serves http requests with gzip enabled (if the browser supports it) when the requests are
# over 1400 bytes.
# ---
# gzip_enabled: true
#
# When true, the metrics endpoint will be available for Prometheus to scrape.
# ---
# metrics_enabled: true
#
# The port that the server will bind to in order to receive metric requests.
# This is the port Prometheus will need to scrape when collecting metrics from Kiali.
# ---
# metrics_port: 9090
#
# The port that the server will bind to in order to receive console and API requests.
# ---
# port: 20001
#
# Defines the public domain where Kiali is being served. This is the "domain" part
# of the URL (usually it's a fully-qualified domain name).
# For example, "kiali.example.org".
# When empty, Kiali will try to guess this value from HTTP headers.
# ---
# web_fqdn: ""
#
# Defines the history mode of the Kiali UI. This can only take
# two possible values: either "browser" or "hash".
# When empty, it will always be considered as "browser".
# ---
# web_history_mode: ""
#
# Defines the ingress port where the connections come from. This is usually
# necessary when the application responds through a proxy/ingress, and it does
# not forward the correct headers so Kiali can guess the port.
#
# When empty, Kiali will try to guess this value from HTTP headers.
# ---
# web_port: ""
#
# Defines the context root path for the Kiali console and API endpoints and readiness probes.
# When providing a context root path that is not "/", do not add a trailing slash.
# For example, use "/kiali" not "/kiali/".
# When empty, will default to "/" on OpenShift and "/kiali" on Kubernetes.
# ---
# web_root: ""
#
# Defines the public HTTP schema used to serve Kiali. This can only take
# two possible values: either "http" or "https".
# When empty, Kiali will try to guess this value from HTTP headers.
# ---
# web_schema: ""