linode · j-zimnowoda · Jul 25, 2025 · Jul 25, 2025 · Jul 25, 2025 · Jul 25, 2025
@@ -43,6 +43,14 @@ dependencies:
   - name: istiod
     version: 1.26.3
     repository: https://istio-release.storage.googleapis.com/charts
+  - name: ztunnel
+    alias: istio-ztunnel
+    version: 1.26.2
+    repository: https://istio-release.storage.googleapis.com/charts
+  - name: cni
+    alias: istio-cni
+    version: 1.26.2
+    repository: https://istio-release.storage.googleapis.com/charts
   - name: jaeger-operator
     version: 2.46.0
     repository: https://jaegertracing.github.io/helm-charts

@@ -0,0 +1,11 @@
+apiVersion: v2
+appVersion: 1.26.2
+description: Helm chart for istio-cni components
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio-cni
+- istio
+name: cni
+sources:
+- https://github.com/istio/istio
+version: 1.26.2
@@ -0,0 +1,65 @@
+# Istio CNI Helm Chart
+
+This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/)
+for more information.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-cni`:
+
+```console
+helm install istio-cni istio/cni -n kube-system
+```
+
+Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/)
+`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow
+'system-node-critical' outside of kube-system.
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istio-cni
+```
+
+### Profiles
+
+Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
+These can be set with `--set profile=<profile>`.
+For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
+
+For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
+
+Explicitly set values have highest priority, then profile settings, then chart defaults.
+
+As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
+When configuring the chart, you should not include this.
+That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
+
+### Ambient
+
+To enable ambient, you can use the ambient profile: `--set profile=ambient`.
+
+#### Calico
+
+For Calico, you must also modify the settings to allow source spoofing:
+
+- if deployed by operator,  `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'`
+- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. )
+
+### GKE notes
+
+On GKE, 'kube-system' is required.
+
+If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install`
+it is auto-detected.
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_META_ENABLE_HBONE: "true"
+global:
+  variant: distroless
+pilot:
+  env:
+    PILOT_ENABLE_AMBIENT: "true"
+cni:
+  ambient:
+    enabled: true
@@ -0,0 +1,25 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    ENABLE_INBOUND_RETRY_POLICY: "false"
+    EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
+    PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+    ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+    PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # 1.24 behaviour changes
+      ENABLE_DEFERRED_STATS_CREATION: "false"
+      BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
+
+ambient:
+  # Not present in <1.24, defaults to `true` in 1.25+
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.24 behavioral changes
+    PILOT_ENABLE_IP_AUTOALLOCATE: "false"
+ambient:
+  dnsCapture: false
+  reconcileIptablesOnStartup: false
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+ambient:
+  # 1.26 behavioral changes
+  shareHostNetworkNamespace: true
@@ -0,0 +1,94 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The demo profile enables a variety of things to try out Istio in non-production environments.
+# * Lower resource utilization.
+# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
+# * More ports enabled on the ingress, which is used in some tasks.
+meshConfig:
+  accessLogFile: /dev/stdout
+  extensionProviders:
+    - name: otel
+      envoyOtelAls:
+        service: opentelemetry-collector.observability.svc.cluster.local
+        port: 4317
+    - name: skywalking
+      skywalking:
+        service: tracing.istio-system.svc.cluster.local
+        port: 11800
+    - name: otel-tracing
+      opentelemetry:
+        port: 4317
+        service: opentelemetry-collector.observability.svc.cluster.local
+    - name: jaeger
+      opentelemetry:
+        port: 4317
+        service: jaeger-collector.istio-system.svc.cluster.local        
+
+cni:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+ztunnel:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  waypoint:
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+
+pilot:
+  autoscaleEnabled: false
+  traceSampling: 100
+  resources:
+    requests:
+      cpu: 10m
+      memory: 100Mi
+
+gateways:
+  istio-egressgateway:
+    autoscaleEnabled: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
+  istio-ingressgateway:
+    autoscaleEnabled: false
+    ports:
+    ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+    # Note that AWS ELB will by default perform health checks on the first port
+    # on this list. Setting this to the health check port will ensure that health
+    # checks always work. https://github.com/istio/istio/issues/12503
+    - port: 15021
+      targetPort: 15021
+      name: status-port
+    - port: 80
+      targetPort: 8080
+      name: http2
+    - port: 443
+      targetPort: 8443
+      name: https
+    - port: 31400
+      targetPort: 31400
+      name: tcp
+      # This is the port where sni routing happens
+    - port: 15443
+      targetPort: 15443
+      name: tls
+    resources:
+      requests:
+        cpu: 10m
+        memory: 40Mi
@@ -0,0 +1,10 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work
+  resourceQuotas:
+    enabled: true
+resourceQuotas:
+  enabled: true
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /bin
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+  cniBinDir: /var/lib/rancher/k3s/data/cni
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniConfDir: /var/snap/microk8s/current/args/cni-network
+  cniBinDir: /var/snap/microk8s/current/opt/cni/bin
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+  cniNetnsDir: /var/run/docker/netns
@@ -0,0 +1,19 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+  cniBinDir: /var/lib/cni/bin
+  cniConfDir: /etc/cni/multus/net.d
+  chained: false
+  cniConfFileName: "istio-cni.conf"
+  provider: "multus"
+pilot:
+  cni:
+    enabled: true
+    provider: "multus"
+seLinuxOptions:
+  type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+meshConfig:
+  defaultConfig:
+    proxyMetadata:
+      # Enable Istio agent to handle DNS requests for known hosts
+      # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+      ISTIO_META_DNS_CAPTURE: "true"
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+  enabled: true
+configMap: false
+telemetry:
+  enabled: false
+global:
+  # TODO BML maybe a different profile for a configcluster/revisit this
+  omitSidecarInjectorConfigMap: true
@@ -0,0 +1,8 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The stable profile deploys admission control to ensure that only stable resources and fields are used
+# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
+experimental:
+  stableValidationPolicy: true
@@ -0,0 +1,5 @@
+"{{ .Release.Name }}" successfully installed!
+
+To learn more about the release, try:
+  $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+  $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
@@ -0,0 +1,8 @@
+{{- define "name" -}}
+    istio-cni
+{{- end }}
+
+
+{{- define "istio-tag" -}}
+    {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}
+{{- end }}