# Customizing Kf Features

Last updated 2025-08-29 UTC.

**Warning:** Please proceed with caution, and test before using any customizations in production.

Build Retention
---------------

You can control how many Kf Builds are kept before being garbage collected.

**Note:** This example sets the retention to 1 Build. Change the value as needed.

```
kubectl patch \
kfsystem kfsystem \
--type='json' \
-p="[{'op': 'replace', 'path': '/spec/kf/config/buildRetentionCount', 'value': 1}]"
```

Enable or Disable the Istio Sidecar
-----------------------------------

If you do not require the Istio sidecar for the Build pods, disable it by setting the value to `true`. Enable it by setting the value to `false`.

```
kubectl patch \
kfsystem kfsystem \
--type='json' \
-p="[{'op': 'replace', 'path': '/spec/kf/config/buildDisableIstioSidecar', 'value': true}]"
```

Build Pod Resource Limits
-------------------------

The pod resource size can be increased from the default to accommodate very large builds. The value is specified in `Mi` or `Gi`.

**Note:** This is only applicable for built-in Tasks (which is normal for a `kf push` build). For V2 buildpack builds, the limit is set on two steps; for V3 buildpacks or Dockerfiles, it is set on one step. This means that for a V2 build the required Pod size will be double the limit. For example, if the memory limit is 1Gi, then the pod will require 2Gi.

```
kubectl patch \
kfsystem kfsystem \
--type='json' \
-p="[{'op': 'replace', 'path': '/spec/kf/config/buildPodResources', 'value': {'limits': {'memory': '234Mi'}}}]"
```

Read [Kubernetes container resource docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for more information about container resource management.

Self-Signed Certificates for Service Brokers
--------------------------------------------

If you want to use self-signed certificates for TLS (`https` instead of `http`) for the service broker URL, the Kf controller requires the CA certificate. To configure Kf for this scenario, create an immutable Kubernetes secret in the `kf` namespace and update the `kfsystem.spec.kf.config.secrets.controllerCACerts.name` object to point to it.

1. Create a secret to store the self-signed certificate.

   **Note:** Customize the secret name if desired, or leave the default name of `cacerts`. Replace `/path/to/cert/certs.pem` with the path to the self-signed certificate.

   ```
   kubectl create secret generic cacerts -nkf --from-file /path/to/cert/certs.pem
   ```
2. Make the secret immutable.

   ```
   kubectl patch -nkf secret cacerts \
   --type='json' \
   -p="[{'op':'add','path':'/immutable','value':true}]"
   ```
3. Update kfsystem to point to the secret.

   **Note:** This will cause the controller pod to be re-deployed with the certs mounted as a volume.

   ```
   kubectl patch \
   kfsystem kfsystem \
   --type='json' \
   -p="[{'op':'add','path':'/spec/kf/config/secrets','value':{'controllerCACerts':{'name':'cacerts'}}}]"
   ```
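
A pre-flight check for step 1 of the self-signed certificate procedure, as an added example that is not part of the Kf documentation: it confirms the file holds only complete `CERTIFICATE` blocks and no private key before the secret is created and made immutable. The helper names `check_ca_bundle` and `create_cacerts_secret` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the CA bundle before it goes into the
# `cacerts` secret. check_ca_bundle and create_cacerts_secret are hypothetical
# helper names, not part of Kf or kubectl.

# Prints the number of certificates in the bundle and returns 0 when the file
# holds only well-formed CERTIFICATE blocks; returns non-zero otherwise.
check_ca_bundle() {
    bundle=$1
    if [ ! -r "$bundle" ]; then
        echo "error: cannot read $bundle" >&2
        return 2
    fi
    awk '
        # The secret is mounted into the controller pod, so it must carry
        # public certificates only, never the signing key.
        /^-----BEGIN .*PRIVATE KEY-----/ { key = 1 }
        /^-----BEGIN CERTIFICATE-----/   { if (inblk) bad = 1; inblk = 1 }
        /^-----END CERTIFICATE-----/     { if (!inblk) bad = 1; inblk = 0; certs++ }
        END {
            if (key)          { print "error: private key in bundle" > "/dev/stderr"; exit 3 }
            if (bad || inblk) { print "error: unbalanced PEM markers" > "/dev/stderr"; exit 4 }
            if (!certs)       { print "error: no certificate found" > "/dev/stderr"; exit 5 }
            print certs
        }' "$bundle"
}

# Step 1 from the page, run only when the bundle passes the check.
create_cacerts_secret() {
    count=$(check_ca_bundle "$1") || return 1
    echo "bundle OK: $count certificate(s)"
    kubectl create secret generic cacerts -nkf --from-file "$1"
}
```

Because the secret is made immutable in step 2, a bundle that fails this check is cheaper to catch here than after the secret has to be deleted and recreated.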