istio-ztunnel

Helm chart

Default values

# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar`, just set `--set foo=bar`.
image: cgr.dev/chainguard-private/ztunnel:1.29@sha256:7ebcd78ab0715f5ee007828c1422df4da4cca8aef2e9a4a094d0a4ec92b5fcf2
_internal_defaults_do_not_set:
  # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
  hub: gcr.io/istio-testing
  # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
  tag: latest
  # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
  variant: ""
  # Image name to pull from. Image will be `Hub/Image:Tag-Variant`
  # If Image contains a "/", it will replace the entire `image` in the pod.
  image: ztunnel
  # Same as `global.network`, but will override it if set.
  # Network defines the network this cluster belongs to. This name
  # corresponds to the networks in the map of mesh networks.
  network: ""
  global:
    # When enabled, default NetworkPolicy resources will be created
    networkPolicy:
      enabled: false
  # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.
  # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.
  resourceName: ""
  # Labels to apply to all top level resources
  labels: {}
  # Annotations to apply to all top level resources
  annotations: {}
  # Additional volumeMounts to the ztunnel container
  volumeMounts: []
  # Additional volumes to the ztunnel pod
  volumes: []
  # Tolerations for the ztunnel pod
  tolerations:
    - effect: NoSchedule
      operator: Exists
    - key: CriticalAddonsOnly
      operator: Exists
    - effect: NoExecute
      operator: Exists
  # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
  podAnnotations:
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
  # Additional labels to apply on the pod level
  podLabels: {}
  # Pod resource configuration
  resources:
    requests:
      cpu: 200m
      # Ztunnel memory scales with the size of the cluster and traffic load
      # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
      memory: 512Mi
  resourceQuotas:
    enabled: false
    pods: 5000
  # Certificate Revocation List (CRL) support for plugged-in CAs.
  # When enabled, ztunnel will check certificates against the CRL
  peerCaCrl:
    enabled: false
  # List of secret names to add to the service account as image pull secrets
  imagePullSecrets: []
  # A `key: value` mapping of environment variables to add to the pod
  env: {}
  # Override for the pod imagePullPolicy
  imagePullPolicy: ""
  # Settings for multicluster
  multiCluster:
    # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
    # with Istiod configuration.
    clusterName: ""
  # meshConfig defines runtime configuration of components.
  # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
  # components.
  # TODO: https://github.com/istio/istio/issues/43248
  meshConfig:
    defaultConfig:
      proxyMetadata: {}
  # This value defines:
  # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
  # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
  # Default K8S value is 30 seconds
  terminationGracePeriodSeconds: 30
  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
  revision: ""
  # The customized CA address to retrieve certificates for the pods in the cluster.
  # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
  caAddress: ""
  # The customized XDS address to retrieve configuration.
  # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
  # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
  xdsAddress: ""
  # Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
  istioNamespace: istio-system
  # Configuration log level of ztunnel binary, default is info.
  # Valid values are: trace, debug, info, warn, error
  logLevel: info
  # To output all logs in json format
  logAsJson: false
  # Set to `type: RuntimeDefault` to use the default profile if available.
  seLinuxOptions: {}
  # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
  #seLinuxOptions:
  #  type: spc_t

  # resourceScope controls what resources will be processed by helm.
  # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.
  # It can be one of:
  # - all: all resources are processed
  # - cluster: only cluster-scoped resources are processed
  # - namespace: only namespace-scoped resources are processed
  resourceScope: all
  # K8s DaemonSet update strategy.
  # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
