How to configure global outboundTrafficPolicy with Helm install?

I am installing istio 1.9.5 as described here: Istio / Install with Helm

I want to set the global outboundTrafficPolicy to REGISTRY_ONLY.

Have tried setting it in the base chart like.

meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY

In the discovery chart like.

meshConfig:
  enablePrometheusMerge: true
  # Config for the default ProxyConfig.
  # Initially using directly the proxy metadata - can also be activated using annotations
  # on the pod. This is an unsupported low-level API, pending review and decisions on
  # enabling the feature. Enabling the DNS listener is safe - and allows further testing
  # and gradual adoption by setting capture only on specific workloads. It also allows
  # VMs to use other DNS options, like dnsmasq or unbound.

  # The namespace to treat as the administrative root namespace for Istio configuration.
  # When processing a leaf namespace Istio will search for declarations in that namespace first
  # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
  # is processed as if it were declared in the leaf namespace.

  rootNamespace:

  # TODO: the intent is to eventually have this enabled by default when security is used.
  # It is not clear if user should normally need to configure - the metadata is typically
  # used as an escape and to control testing and rollout, but it is not intended as a long-term
  # stable API.

  # What we may configure in mesh config is the ".global" - and use of other suffixes.
  # No hurry to do this in 1.6, we're trying to prove the code.
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

And in the gateway egress chart like.

meshConfig:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
  enablePrometheusMerge: true
  defaultConfig:
    proxyMetadata: {}
    tracing:
    #      tlsSettings:
    #        mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
    #        clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
    #        privateKey:        # example: /etc/istio/tracer/key.pem
    #        caCertificates:    # example: /etc/istio/tracer/root-cert.pem
    #        sni:               # example: tracer.somedomain
    #        subjectAltNames: []
    # - tracer.somedomain

But it doesn’t seem to work. Can anyone guide me on how to set these global values?

Ahh, I got it to work. I had to add it to the discovery chart in both the meshConfig section and the global section.

1 Like