ztunnel

Helm chart

Last changed

Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Tag:

# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.

# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.

image: chainreg.biz/chainguard-private/ztunnel:latest@sha256:f8ec40af509df8dd1ac744f9b426108c368d97f936e35a87de75ccd1c9348599

_internal_defaults_do_not_set:

# Hub to pull from. Image will be `Hub/Image:Tag-Variant`

hub: gcr.io/istio-testing

# Tag to pull from. Image will be `Hub/Image:Tag-Variant`

tag: latest

# Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.

variant: ""

# Image name to pull from. Image will be `Hub/Image:Tag-Variant`

# If Image contains a "/", it will replace the entire `image` in the pod.

image: ztunnel

# Same as `global.network`, but will override it if set.

# Network defines the network this cluster belong to. This name

# corresponds to the networks in the map of mesh networks.

network: ""

# resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'.

# If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart.

resourceName: ""

# Labels to apply to all top level resources

labels: {}

# Annotations to apply to all top level resources

annotations: {}

# Additional volumeMounts to the ztunnel container

volumeMounts: []

# Additional volumes to the ztunnel pod

volumes: []

# Tolerations for the ztunnel pod

tolerations:

- effect: NoSchedule

operator: Exists

- key: CriticalAddonsOnly

operator: Exists

- effect: NoExecute

operator: Exists

# Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).

podAnnotations:

prometheus.io/port: "15020"

prometheus.io/scrape: "true"

# Additional labels to apply on the pod level

podLabels: {}

# Pod resource configuration

resources:

requests:

cpu: 200m

# Ztunnel memory scales with the size of the cluster and traffic load

# While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.

memory: 512Mi

resourceQuotas:

enabled: false

pods: 5000

# List of secret names to add to the service account as image pull secrets

imagePullSecrets: []

# A `key: value` mapping of environment variables to add to the pod

env: {}

# Override for the pod imagePullPolicy

imagePullPolicy: ""

# Settings for multicluster

multiCluster:

# The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent

# with Istiod configuration.

clusterName: ""

# meshConfig defines runtime configuration of components.

# For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other

# components.

# TODO: https://github.com/istio/istio/issues/43248

meshConfig:

defaultConfig:

proxyMetadata: {}

# This value defines:

# 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)

# 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)

# Default K8S value is 30 seconds

terminationGracePeriodSeconds: 30

# Revision is set as 'version' label and part of the resource names when installing multiple control planes.

# Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.

revision: ""

# The customized CA address to retrieve certificates for the pods in the cluster.

# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.

caAddress: ""

# The customized XDS address to retrieve configuration.

# This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.

# By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012

xdsAddress: ""

# Used to locate the XDS and CA, if caAddress or xdsAddress are not set.

istioNamespace: istio-system

# Configuration log level of ztunnel binary, default is info.

# Valid values are: trace, debug, info, warn, error

logLevel: info

# To output all logs in json format

logAsJson: false

# Set to `type: RuntimeDefault` to use the default profile if available.

seLinuxOptions: {}

# TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead

#seLinuxOptions:

# type: spc_t

# resourceScope controls what resources will be processed by helm.

100

# This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator.

101

# It can be one of:

102

# - all: all resources are processed

103

# - cluster: only cluster-scoped resources are processed

104

# - namespace: only namespace-scoped resources are processed

105

resourceScope: all

106

# K8s DaemonSet update strategy.

107

# https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).

108

updateStrategy:

109

type: RollingUpdate

110

rollingUpdate:

111

maxSurge: 1

112

maxUnavailable: 0

113

The trusted source for open source

Talk to an expert

Privacy

Terms

© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.

ztunnel

The trusted source for open source

Product

Solutions

Customers

Resources

Company