Merge pull request 'Istio 1.13.3 incl. new Helm Gateway charts' (#49) from istio into master
Reviewed-on: ZeroDownTime/kubezero#49
commit
05bf415210
@ -1,8 +1,8 @@
|
||||
# clamav
|
||||
|
||||
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.104.0](https://img.shields.io/badge/AppVersion-0.104.0-informational?style=flat-square)
|
||||
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.104.0](https://img.shields.io/badge/AppVersion-0.104.0-informational?style=flat-square)
|
||||
|
||||
A Helm chart for deploying a Clamav on kubernetes
|
||||
Chart for deploying a ClamavD on kubernetes as statfulSet
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.18.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
|
||||
## Values
|
||||
|
||||
@ -32,11 +32,11 @@ Kubernetes: `>= 1.18.0`
|
||||
| clamav.limits.scanSize | int | `100` | The largest scan size permitted in clamav, in MB |
|
||||
| clamav.limits.sendBufTimeout | int | `500` | |
|
||||
| clamav.replicaCount | int | `1` | |
|
||||
| clamav.resources | object | `{"limits":{"cpu":"1500m","ephemeral-storage":"1000M","memory":"2000M"},"requests":{"cpu":"300m","ephemeral-storage":"500M","memory":"1300M"}}` | The resource requests and limits for the clamav service |
|
||||
| clamav.resources | object | `{"requests":{"cpu":"300m","memory":"1300M"}}` | The resource requests and limits for the clamav service |
|
||||
| clamav.version | string | `"unstable"` | The clamav docker image version - defaults to .Chart.appVersion |
|
||||
| fullnameOverride | string | `""` | override the full name of the clamav chart |
|
||||
| nameOverride | string | `""` | override the name of the clamav chart |
|
||||
| service.port | int | `3310` | The port to be used by the clamav service |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
|
||||
Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1)
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-addons
|
||||
|
||||
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.22.8](https://img.shields.io/badge/AppVersion-v1.22.8-informational?style=flat-square)
|
||||
|
||||
KubeZero umbrella chart for various optional cluster addons
|
||||
|
||||
@ -10,7 +10,7 @@ KubeZero umbrella chart for various optional cluster addons
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -18,7 +18,8 @@ Kubernetes: `>= 1.20.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | aws-node-termination-handler | 0.16.0 |
|
||||
| | aws-node-termination-handler | 0.18.0 |
|
||||
| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.7.1 |
|
||||
|
||||
# MetalLB
|
||||
|
||||
@ -67,9 +68,28 @@ Create secret with the IAM user credential for ecr-renew to use, using the crede
|
||||
| clusterBackup.enabled | bool | `false` | |
|
||||
| clusterBackup.extraEnv | list | `[]` | |
|
||||
| clusterBackup.image.name | string | `"public.ecr.aws/zero-downtime/kubezero-admin"` | |
|
||||
| clusterBackup.image.tag | string | `"v1.21.9"` | |
|
||||
| clusterBackup.password | string | `""` | |
|
||||
| clusterBackup.repository | string | `""` | |
|
||||
| external-dns.enabled | bool | `false` | |
|
||||
| external-dns.env[0] | object | `{"name":"AWS_ROLE_ARN","value":""}` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" |
|
||||
| external-dns.env[1].name | string | `"AWS_WEB_IDENTITY_TOKEN_FILE"` | |
|
||||
| external-dns.env[1].value | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/token"` | |
|
||||
| external-dns.env[2].name | string | `"AWS_STS_REGIONAL_ENDPOINTS"` | |
|
||||
| external-dns.env[2].value | string | `"regional"` | |
|
||||
| external-dns.extraVolumeMounts[0].mountPath | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/"` | |
|
||||
| external-dns.extraVolumeMounts[0].name | string | `"aws-token"` | |
|
||||
| external-dns.extraVolumeMounts[0].readOnly | bool | `true` | |
|
||||
| external-dns.extraVolumes[0].name | string | `"aws-token"` | |
|
||||
| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.audience | string | `"sts.amazonaws.com"` | |
|
||||
| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | |
|
||||
| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | |
|
||||
| external-dns.interval | string | `"3m"` | |
|
||||
| external-dns.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||
| external-dns.provider | string | `"inmemory"` | |
|
||||
| external-dns.sources[0] | string | `"service"` | |
|
||||
| external-dns.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| external-dns.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| external-dns.triggerLoopOnEvent | bool | `true` | |
|
||||
| forseti.aws.iamRoleArn | string | `""` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" |
|
||||
| forseti.aws.region | string | `""` | |
|
||||
| forseti.enabled | bool | `false` | |
|
||||
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v2
|
||||
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
name: kubezero-argocd
|
||||
version: 0.9.6
|
||||
version: 0.10.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -16,6 +16,6 @@ dependencies:
|
||||
version: ">= 0.1.4"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: argo-cd
|
||||
version: 3.33.8
|
||||
version: 4.5.4
|
||||
repository: https://argoproj.github.io/argo-helm
|
||||
kubeVersion: ">= 1.20.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-argocd
|
||||
|
||||
![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square)
|
||||
![Version: 0.10.1](https://img.shields.io/badge/Version-0.10.1-informational?style=flat-square)
|
||||
|
||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
|
||||
@ -10,7 +10,7 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -18,13 +18,14 @@ Kubernetes: `>= 1.20.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 3.32.1 |
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 4.5.4 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| argo-cd.applicationSet.enabled | bool | `false` | |
|
||||
| argo-cd.configs.knownHosts.data.ssh_known_hosts | string | `"bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\ngitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=\ngitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf\ngitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9\ngit.zero-downtime.net ssh-rsa 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\n"` | |
|
||||
| argo-cd.configs.secret.createSecret | bool | `false` | |
|
||||
| argo-cd.controller.args.appResyncPeriod | string | `"300"` | |
|
||||
@ -38,6 +39,7 @@ Kubernetes: `>= 1.20.0`
|
||||
| argo-cd.dex.enabled | bool | `false` | |
|
||||
| argo-cd.global | string | `nil` | |
|
||||
| argo-cd.installCRDs | bool | `false` | |
|
||||
| argo-cd.notifications.enabled | bool | `false` | |
|
||||
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
||||
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
|
@ -1,4 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
helm dep update
|
||||
|
||||
# Create ZDT dashboard configmap
|
||||
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
|
||||
|
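Review bot: The script runs with bash's default error handling, so a failing `helm dep update` on the first line of the hunk does not stop the dashboard sync added below it, and the script still exits 0 with stale or missing chart dependencies; add `set -euo pipefail` directly after the shebang. The added `../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml` line also resolves relative to the caller's working directory, so it only works when invoked from inside the chart directory; a `cd "$(dirname "$0")"` before `helm dep update` removes that dependency on the caller. The file path is not shown on this page and the script may continue past the six lines of the hunk. The second bash-script hunk of this commit (the one between the kubezero-ci README and the gitea image tag change) is identical and needs the same two lines.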
@ -116,3 +116,9 @@ argo-cd:
|
||||
|
||||
dex:
|
||||
enabled: false
|
||||
|
||||
applicationSet:
|
||||
enabled: false
|
||||
|
||||
notifications:
|
||||
enabled: false
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-cert-manager
|
||||
|
||||
![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square)
|
||||
![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for cert-manager
|
||||
|
||||
@ -10,7 +10,7 @@ KubeZero Umbrella Chart for cert-manager
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -19,7 +19,7 @@ Kubernetes: `>= 1.20.0`
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
| https://charts.jetstack.io | cert-manager | 1.6.1 |
|
||||
| https://charts.jetstack.io | cert-manager | 1.8.0 |
|
||||
|
||||
## AWS - OIDC IAM roles
|
||||
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-ci
|
||||
description: KubeZero umbrella chart for all things CI
|
||||
type: application
|
||||
version: 0.4.44
|
||||
version: 0.4.45
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -22,7 +22,7 @@ dependencies:
|
||||
repository: https://gocd.github.io/helm-chart
|
||||
condition: gocd.enabled
|
||||
- name: gitea
|
||||
version: 5.0.3
|
||||
version: 5.0.5
|
||||
repository: https://dl.gitea.io/charts/
|
||||
condition: gitea.enabled
|
||||
- name: jenkins
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-ci
|
||||
|
||||
![Version: 0.4.24](https://img.shields.io/badge/Version-0.4.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.4.45](https://img.shields.io/badge/Version-0.4.45-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero umbrella chart for all things CI
|
||||
|
||||
@ -10,7 +10,7 @@ KubeZero umbrella chart for all things CI
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -18,11 +18,11 @@ Kubernetes: `>= 1.20.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.9 |
|
||||
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.12 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 |
|
||||
| https://charts.jenkins.io | jenkins | 3.11.3 |
|
||||
| https://dl.gitea.io/charts/ | gitea | 5.0.0 |
|
||||
| https://gocd.github.io/helm-chart | gocd | 1.39.4 |
|
||||
| https://charts.jenkins.io | jenkins | 3.11.10 |
|
||||
| https://dl.gitea.io/charts/ | gitea | 5.0.5 |
|
||||
| https://gocd.github.io/helm-chart | gocd | 1.40.8 |
|
||||
|
||||
# Jenkins
|
||||
- default build retention 10 builds, 32days
|
||||
@ -39,6 +39,9 @@ Kubernetes: `>= 1.20.0`
|
||||
|
||||
## Resources
|
||||
|
||||
### JVM tuning in containers
|
||||
- https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers?extIdCarryOver=true&sc_cid=701f2000001Css5AAC
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
@ -51,7 +54,7 @@ Kubernetes: `>= 1.20.0`
|
||||
| gitea.gitea.metrics.enabled | bool | `false` | |
|
||||
| gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | |
|
||||
| gitea.image.rootless | bool | `true` | |
|
||||
| gitea.image.tag | string | `"1.15.10"` | |
|
||||
| gitea.image.tag | string | `"1.16.6"` | |
|
||||
| gitea.istio.enabled | bool | `false` | |
|
||||
| gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||
| gitea.istio.url | string | `"git.example.com"` | |
|
||||
@ -70,20 +73,19 @@ Kubernetes: `>= 1.20.0`
|
||||
| gocd.istio.url | string | `""` | |
|
||||
| gocd.server.ingress.enabled | bool | `false` | |
|
||||
| gocd.server.service.type | string | `"ClusterIP"` | |
|
||||
| jenkins.agent.alwaysPullImage | bool | `true` | |
|
||||
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
|
||||
| jenkins.agent.containerCap | int | `4` | |
|
||||
| jenkins.agent.containerCap | int | `2` | |
|
||||
| jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | |
|
||||
| jenkins.agent.idleMinutes | int | `10` | |
|
||||
| jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | |
|
||||
| jenkins.agent.podName | string | `"podman-aws"` | |
|
||||
| jenkins.agent.podRetention | string | `"Default"` | |
|
||||
| jenkins.agent.resources.limits.cpu | string | `"1"` | |
|
||||
| jenkins.agent.resources.limits.memory | string | `"2048Mi"` | |
|
||||
| jenkins.agent.resources.limits.cpu | string | `"4"` | |
|
||||
| jenkins.agent.resources.limits.memory | string | `"6144Mi"` | |
|
||||
| jenkins.agent.resources.requests.cpu | string | `"512m"` | |
|
||||
| jenkins.agent.resources.requests.memory | string | `"512Mi"` | |
|
||||
| jenkins.agent.resources.requests.memory | string | `"1024Mi"` | |
|
||||
| jenkins.agent.showRawYaml | bool | `false` | |
|
||||
| jenkins.agent.tag | string | `"v0.2.4-5"` | |
|
||||
| jenkins.agent.tag | string | `"v0.2.4-21"` | |
|
||||
| jenkins.agent.yamlMergeStrategy | string | `"merge"` | |
|
||||
| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\""` | |
|
||||
| jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | |
|
||||
@ -93,22 +95,23 @@ Kubernetes: `>= 1.20.0`
|
||||
| jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | |
|
||||
| jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | |
|
||||
| jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | |
|
||||
| jenkins.controller.installPlugins[0] | string | `"kubernetes:1.31.3"` | |
|
||||
| jenkins.controller.installPlugins[0] | string | `"kubernetes:3580.v78271e5631dc"` | |
|
||||
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:2.6"` | |
|
||||
| jenkins.controller.installPlugins[2] | string | `"git:4.10.3"` | |
|
||||
| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1.55.1"` | |
|
||||
| jenkins.controller.installPlugins[2] | string | `"git:4.11.0"` | |
|
||||
| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1414.v878271fc496f"` | |
|
||||
| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | |
|
||||
| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.10"` | |
|
||||
| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.28"` | |
|
||||
| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.11"` | |
|
||||
| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.29"` | |
|
||||
| jenkins.controller.installPlugins[7] | string | `"build-discarder:60.v1747b0eb632a"` | |
|
||||
| jenkins.controller.javaOpts | string | `"-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
||||
| jenkins.controller.installPlugins[8] | string | `"dark-theme:156.v6cf16af6f9ef"` | |
|
||||
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
||||
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=180 --sessionEviction=3600"` | |
|
||||
| jenkins.controller.prometheus.enabled | bool | `false` | |
|
||||
| jenkins.controller.resources.limits.cpu | string | `"2000m"` | |
|
||||
| jenkins.controller.resources.limits.memory | string | `"4096Mi"` | |
|
||||
| jenkins.controller.resources.requests.cpu | string | `"250m"` | |
|
||||
| jenkins.controller.resources.requests.memory | string | `"1280Mi"` | |
|
||||
| jenkins.controller.tagLabel | string | `"alpine"` | |
|
||||
| jenkins.controller.tag | string | `"2.332.2-lts-jdk17-preview"` | |
|
||||
| jenkins.controller.testEnabled | bool | `false` | |
|
||||
| jenkins.enabled | bool | `false` | |
|
||||
| jenkins.istio.enabled | bool | `false` | |
|
||||
|
@ -1,4 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
helm dep update
|
||||
|
||||
# Create ZDT dashboard configmap
|
||||
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
|
||||
|
@ -17,7 +17,7 @@ gitea:
|
||||
enabled: false
|
||||
|
||||
image:
|
||||
tag: 1.16.5
|
||||
tag: 1.16.6
|
||||
rootless: true
|
||||
|
||||
securityContext:
|
||||
|
@ -1,9 +1,8 @@
|
||||
apiVersion: v2
|
||||
name: kubezero-istio-ingress
|
||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||
name: kubezero-istio-gateway
|
||||
description: KubeZero Umbrella Chart for Istio gateways
|
||||
type: application
|
||||
version: 0.7.6
|
||||
appVersion: 1.11.5
|
||||
version: 0.8.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -17,10 +16,7 @@ dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.4"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: istio-ingress
|
||||
version: 1.11.5
|
||||
condition: istio-ingress.enabled
|
||||
- name: istio-private-ingress
|
||||
version: 1.11.5
|
||||
condition: istio-private-ingress.enabled
|
||||
- name: gateway
|
||||
version: 1.13.3
|
||||
repository: https://istio-release.storage.googleapis.com/charts
|
||||
kubeVersion: ">= 1.20.0"
|
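Review bot: The first hunk removes `appVersion: 1.11.5` without adding a replacement, so the renamed chart no longer records which Istio release it ships; the chart README generated in this same commit accordingly carries no AppVersion badge. Add `appVersion: 1.13.3` next to `version: 0.8.0` so it tracks the `gateway` dependency pinned at 1.13.3 in the second hunk. The removed `istio-ingress` and `istio-private-ingress` dependencies were each guarded by a `condition:`, whereas the new `gateway` dependency has none and is therefore always rendered; if consumers relied on toggling gateways through values, that switch is gone and should either be documented or restored with a `condition: gateway.enabled` line on the new dependency.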
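--- /dev/null
+++ b/charts/kubezero-istio-gateway/README.md
@@ -0,0 +1,49 @@
+# kubezero-istio-gateway
+
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+KubeZero Umbrella Chart for Istio gateways
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Stefan Reimer | <stefan@zero-downtime.net> | |
+
+## Requirements
+
+Kubernetes: `>= 1.20.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
+| https://istio-release.storage.googleapis.com/charts | gateway | 1.13.3 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| certificates | list | `[]` | |
+| gateway.autoscaling.enabled | bool | `false` | |
+| gateway.autoscaling.maxReplicas | int | `4` | |
+| gateway.autoscaling.minReplicas | int | `1` | |
+| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
+| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
+| gateway.replicaCount | int | `1` | |
+| gateway.resources.limits.memory | string | `"512Mi"` | |
+| gateway.resources.requests.cpu | string | `"50m"` | |
+| gateway.resources.requests.memory | string | `"64Mi"` | |
+| gateway.service.externalTrafficPolicy | string | `"Local"` | |
+| gateway.service.type | string | `"NodePort"` | |
+| proxyProtocol | bool | `true` | |
+| telemetry.enabled | string | `"falser"` | |
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/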
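Review bot: The `telemetry.enabled` row in the Values table shows a default of `"falser"` typed as string, and helm-docs copies that verbatim from the chart's values.yaml (not shown on this page), so the new chart most likely ships `telemetry.enabled: "falser"` instead of a boolean `false`. A Helm guard such as `{{- if .Values.telemetry.enabled }}` treats any non-empty string as true, so the apparent intent of keeping telemetry off would be inverted. Fix the value in values.yaml to `enabled: false` and regenerate this README so the row reports type `bool` and default `false`.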
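--- /dev/null
+++ b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+appVersion: 1.13.3
+description: Helm chart for deploying Istio gateways
+icon: https://istio.io/latest/favicons/android-192x192.png
+keywords:
+- istio
+- gateways
+name: gateway
+sources:
+- http://github.com/istio/istio
+type: application
+version: 1.13.3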
148
charts/kubezero-istio-gateway/charts/gateway/README.md
Normal file
148
charts/kubezero-istio-gateway/charts/gateway/README.md
Normal file
@ -0,0 +1,148 @@
|
||||
# Istio Gateway Helm Chart
|
||||
|
||||
This chart installs an Istio gateway deployment.
|
||||
|
||||
## Setup Repo Info
|
||||
|
||||
```console
|
||||
helm repo add istio https://istio-release.storage.googleapis.com/charts
|
||||
helm repo update
|
||||
```
|
||||
|
||||
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
|
||||
|
||||
## Installing the Chart
|
||||
|
||||
To install the chart with the release name `istio-ingressgateway`:
|
||||
|
||||
```console
|
||||
helm install istio-ingressgateway istio/gateway
|
||||
```
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `istio-ingressgateway` deployment:
|
||||
|
||||
```console
|
||||
helm delete istio-ingressgateway
|
||||
```
|
||||
|
||||
## Configuration
|
||||
|
||||
To view support configuration options and documentation, run:
|
||||
|
||||
```console
|
||||
helm show values istio/gateway
|
||||
```
|
||||
|
||||
### `image: auto` Information
|
||||
|
||||
The image used by the chart, `auto`, may be unintuitive.
|
||||
This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection).
|
||||
This allows the same configurations and lifecycle to apply to gateways as sidecars.
|
||||
|
||||
Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label.
|
||||
See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info.
|
||||
|
||||
### Examples
|
||||
|
||||
#### Egress Gateway
|
||||
|
||||
Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/):
|
||||
|
||||
```yaml
|
||||
service:
|
||||
# Egress gateways do not need an external LoadBalancer IP
|
||||
type: ClusterIP
|
||||
```
|
||||
|
||||
#### Multi-network/VM Gateway
|
||||
|
||||
Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`:
|
||||
|
||||
```yaml
|
||||
networkGateway: network-1
|
||||
```
|
||||
|
||||
### Migrating from other installation methods
|
||||
|
||||
Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts
|
||||
following the guidance below.
|
||||
If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging.
|
||||
|
||||
WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results.
|
||||
|
||||
#### Legacy Gateway Helm charts
|
||||
|
||||
Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`.
|
||||
These are replaced by this chart.
|
||||
While not required, it is recommended all new users use this chart, and existing users migrate when possible.
|
||||
|
||||
This chart has the following benefits and differences:
|
||||
* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc).
|
||||
* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways.
|
||||
* Published to official Istio Helm repository.
|
||||
* Single chart for all gateways (Ingress, Egress, East West).
|
||||
|
||||
#### General concerns
|
||||
|
||||
For a smooth migration, the resource names and `Deployment.spec.selector` labels must match.
|
||||
|
||||
If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to:
|
||||
|
||||
```yaml
|
||||
app: istio-gateway
|
||||
istio: gateway # the release name with leading istio- prefix stripped
|
||||
```
|
||||
|
||||
If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels
|
||||
`foo=bar,istio=ingressgateway`:
|
||||
|
||||
```yaml
|
||||
name: my-custom-gateway # Override the name to match existing resources
|
||||
labels:
|
||||
app: "" # Unset default app selector label
|
||||
istio: ingressgateway # override default istio selector label
|
||||
foo: bar # Add the existing custom selector label
|
||||
```
|
||||
|
||||
#### Migrating an existing Helm release
|
||||
|
||||
An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous
|
||||
installation was done like:
|
||||
|
||||
```console
|
||||
helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system
|
||||
```
|
||||
|
||||
It could be upgraded with
|
||||
|
||||
```console
|
||||
helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway
|
||||
```
|
||||
|
||||
Note the name and labels are overridden to match the names of the existing installation.
|
||||
|
||||
Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443.
|
||||
If you have AuthorizationPolicies that reference port these ports, you should update them during this process,
|
||||
or customize the ports to match the old defaults.
|
||||
See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information.
|
||||
|
||||
#### Other migrations
|
||||
|
||||
If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership.
|
||||
|
||||
The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release:
|
||||
|
||||
```console
|
||||
KINDS=(service deployment)
|
||||
RELEASE=istio-ingressgateway
|
||||
NAMESPACE=istio-system
|
||||
for KIND in "${KINDS[@]}"; do
|
||||
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE
|
||||
kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE
|
||||
kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm
|
||||
done
|
||||
```
|
||||
|
||||
You may ignore errors about resources not being found.
|
@ -0,0 +1,9 @@
|
||||
"{{ include "gateway.name" . }}" successfully installed!
|
||||
|
||||
To learn more about the release, try:
|
||||
$ helm status {{ .Release.Name }}
|
||||
$ helm get all {{ .Release.Name }}
|
||||
|
||||
Next steps:
|
||||
* Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/
|
||||
* Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
|
@ -0,0 +1,52 @@
|
||||
{{- define "gateway.name" -}}
|
||||
{{- if eq .Release.Name "RELEASE-NAME" -}}
|
||||
{{- .Values.name | default "istio-ingressgateway" -}}
|
||||
{{- else -}}
|
||||
{{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "gateway.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "gateway.labels" -}}
|
||||
helm.sh/chart: {{ include "gateway.chart" . }}
|
||||
{{ include "gateway.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/name: {{ include "gateway.name" . }}
|
||||
{{- range $key, $val := .Values.labels }}
|
||||
{{- if not (or (eq $key "app") (eq $key "istio")) }}
|
||||
{{ $key | quote }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "gateway.selectorLabels" -}}
|
||||
{{- if hasKey .Values.labels "app" }}
|
||||
{{- with .Values.labels.app }}app: {{.|quote}}
|
||||
{{- end}}
|
||||
{{- else }}app: {{ include "gateway.name" . }}
|
||||
{{- end }}
|
||||
{{- if hasKey .Values.labels "istio" }}
|
||||
{{- with .Values.labels.istio }}
|
||||
istio: {{.|quote}}
|
||||
{{- end}}
|
||||
{{- else }}
|
||||
istio: {{ include "gateway.name" . | trimPrefix "istio-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "gateway.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- .Values.serviceAccount.name | default (include "gateway.name" .) }}
|
||||
{{- else }}
|
||||
{{- .Values.serviceAccount.name | default "default" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,112 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "gateway.name" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gateway.labels" . | nindent 4}}
|
||||
annotations:
|
||||
{{- .Values.annotations | toYaml | nindent 4 }}
|
||||
spec:
|
||||
{{- if not .Values.autoscaling.enabled }}
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- end }}
|
||||
# Give the LB 120s to detect and take into service
|
||||
# should only be 40s by we are on AWS so ...
|
||||
minReadySeconds: 120
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "gateway.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
sidecar.istio.io/inject: "true"
|
||||
{{- with .Values.revision }}
|
||||
istio.io/rev: {{ . }}
|
||||
{{- end }}
|
||||
{{- include "gateway.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- if .Values.securityContext }}
|
||||
{{- toYaml .Values.securityContext | nindent 8 }}
|
||||
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
|
||||
sysctls:
|
||||
- name: net.ipv4.ip_unprivileged_port_start
|
||||
value: "0"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
# "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
|
||||
image: auto
|
||||
securityContext:
|
||||
{{- if .Values.containerSecurityContext }}
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
{{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
# Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
{{- else }}
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_BIND_SERVICE
|
||||
runAsUser: 0
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: false
|
||||
allowPrivilegeEscalation: true
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with .Values.networkGateway }}
|
||||
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
|
||||
value: "{{.}}"
|
||||
{{- end }}
|
||||
{{- range $key, $val := .Values.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val | quote }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- if .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml .Values.volumeMounts | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
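Review bot: The `else` branch of the container securityContext (`runAsUser: 0`, `allowPrivilegeEscalation: true`, `NET_BIND_SERVICE` added back) is selected purely by `.Capabilities.KubeVersion.GitVersion` at render time, so any pipeline that renders with `helm template` without `--kube-version` (Helm's built-in default capability version may be older than 1.22) will silently emit the root-running gateway even for a 1.22+ cluster. Since the umbrella chart owns the values, I would pin `gateway.containerSecurityContext` there to the non-root block from this file (drop ALL, runAsUser/runAsGroup 1337, runAsNonRoot true, allowPrivilegeEscalation false, readOnlyRootFilesystem true) and `gateway.securityContext` to the `net.ipv4.ip_unprivileged_port_start` sysctl, so the privileged fallback can never be chosen by accident; on clusters older than 1.22 that pin additionally needs the 80/443 targetPorts remapped to unprivileged ones. The ZDT-patched `minReadySeconds: 120` and `terminationGracePeriodSeconds: 120` are hard-coded here and would be better driven by values (the schema's `additionalProperties: false` means two keys must be added there as well).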
|
@ -0,0 +1,28 @@
|
||||
{{- if .Values.autoscaling.enabled }}
|
||||
apiVersion: autoscaling/v2beta2
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ include "gateway.name" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gateway.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- .Values.annotations | toYaml | nindent 4 }}
|
||||
spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ include "gateway.name" . }}
|
||||
minReplicas: {{ .Values.autoscaling.minReplicas }}
|
||||
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
|
||||
metrics:
|
||||
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
target:
|
||||
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
|
||||
type: Utilization
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
@ -0,0 +1,25 @@
|
||||
{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}}
|
||||
{{- if .Values.rbac.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "gateway.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "gateway.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "gateway.serviceAccountName" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "gateway.serviceAccountName" . }}
|
||||
{{- end }}
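Review bot: The Role grants `get`/`list`/`watch` on every Secret in the release namespace, and the binding subject is whatever `gateway.serviceAccountName` resolves to — with `serviceAccount.create: false` and no name that is the namespace's `default` ServiceAccount, so every pod in the namespace that does not set its own SA inherits read access to all secrets there. This is upstream Istio behaviour, but the template could refuse that combination, e.g. guard the file with `{{- if and .Values.rbac.enabled (ne (include "gateway.serviceAccountName" .) "default") }}` or emit `{{ fail "rbac.enabled requires a dedicated gateway service account" }}` when it resolves to `default`. `list`/`watch` cannot be meaningfully narrowed with `resourceNames`, so the practical mitigation is keeping gateways in a namespace that holds only their own TLS secrets; a comment stating that trust boundary above `rules:` would help operators.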
|
@ -0,0 +1,52 @@
|
||||
{{- if not (eq .Values.service.type "None") }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "gateway.name" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gateway.labels" . | nindent 4 }}
|
||||
{{- with .Values.networkGateway }}
|
||||
topology.istio.io/network: "{{.}}"
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }}
|
||||
spec:
|
||||
{{- with .Values.service.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- with .Values.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.service.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: "{{ . }}"
|
||||
{{- end }}
|
||||
type: {{ .Values.service.type }}
|
||||
ports:
|
||||
{{- if .Values.networkGateway }}
|
||||
- name: status-port
|
||||
port: 15021
|
||||
targetPort: 15021
|
||||
- name: tls
|
||||
port: 15443
|
||||
targetPort: 15443
|
||||
- name: tls-istiod
|
||||
port: 15012
|
||||
targetPort: 15012
|
||||
- name: tls-webhook
|
||||
port: 15017
|
||||
targetPort: 15017
|
||||
{{- else }}
|
||||
{{- range $key, $val := .Values.service.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "gateway.selectorLabels" . | nindent 4 }}
|
||||
{{- end }}
|
@ -0,0 +1,13 @@
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "gateway.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "gateway.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
199
charts/kubezero-istio-gateway/charts/gateway/values.schema.json
Normal file
@ -0,0 +1,199 @@
|
||||
{
|
||||
"$schema": "http://json-schema.org/schema#",
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"properties": {
|
||||
"global": {
|
||||
"type": "object"
|
||||
},
|
||||
"affinity": {
|
||||
"type": "object"
|
||||
},
|
||||
"securityContext": {
|
||||
"type": ["object", "null"]
|
||||
},
|
||||
"containerSecurityContext": {
|
||||
"type": ["object", "null"]
|
||||
},
|
||||
"annotations": {
|
||||
"additionalProperties": {
|
||||
"type": [
|
||||
"string",
|
||||
"integer"
|
||||
]
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"autoscaling": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"maxReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"minReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"targetCPUUtilizationPercentage": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
},
|
||||
"env": {
|
||||
"type": "object"
|
||||
},
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
"volumes": {
|
||||
"type": "array"
|
||||
},
|
||||
"volumeMounts": {
|
||||
"type": "array"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"nodeSelector": {
|
||||
"type": "object"
|
||||
},
|
||||
"podAnnotations": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inject.istio.io/templates": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/path": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/port": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/scrape": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"replicaCount": {
|
||||
"type": "integer"
|
||||
},
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"limits": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"revision": {
|
||||
"type": "string"
|
||||
},
|
||||
"runAsRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"unprivilegedPort": {
|
||||
"type": ["string", "boolean"],
|
||||
"enum": [true, false, "auto"]
|
||||
},
|
||||
"service": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"externalTrafficPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerIP": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerSourceRanges": {
|
||||
"type": "array"
|
||||
},
|
||||
"ports": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
},
|
||||
"protocol": {
|
||||
"type": "string"
|
||||
},
|
||||
"targetPort": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"serviceAccount": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rbac": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
},
|
||||
"networkGateway": {
|
||||
"type": "string"
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
88
charts/kubezero-istio-gateway/charts/gateway/values.yaml
Normal file
@ -0,0 +1,88 @@
|
||||
# Name allows overriding the release name. Generally this should not be set
|
||||
name: ""
|
||||
# revision declares which revision this gateway is a part of
|
||||
revision: ""
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
rbac:
|
||||
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
|
||||
# when using http://gateway-api.org/.
|
||||
enabled: true
|
||||
|
||||
serviceAccount:
|
||||
# If set, a service account will be created. Otherwise, the default is used
|
||||
create: true
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set, the release name is used
|
||||
name: ""
|
||||
|
||||
podAnnotations:
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
inject.istio.io/templates: "gateway"
|
||||
sidecar.istio.io/inject: "true"
|
||||
|
||||
# Define the security context for the pod.
|
||||
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
|
||||
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
|
||||
securityContext: ~
|
||||
containerSecurityContext: ~
|
||||
|
||||
service:
|
||||
# Type of service. Set to "None" to disable the service entirely
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
protocol: TCP
|
||||
targetPort: 15021
|
||||
- name: http2
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: 443
|
||||
annotations: {}
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 1
|
||||
maxReplicas: 5
|
||||
targetCPUUtilizationPercentage: 80
|
||||
|
||||
# Pod environment variables
|
||||
env: {}
|
||||
|
||||
# Labels to apply to all resources
|
||||
labels: {}
|
||||
|
||||
# Annotations to apply to all resources
|
||||
annotations: {}
|
||||
|
||||
nodeSelector: {}
|
||||
|
||||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If specified, the gateway will act as a network gateway for the given network.
|
||||
networkGateway: ""
|
||||
|
||||
imagePullSecrets: []
|
@ -40,3 +40,14 @@
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- define "gatewayName" -}}
|
||||
{{ .Values.gateway.name | default .Release.Name | default "istio-ingressgateway" }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- define "gatewaySelectorLabels" -}}
|
||||
app: {{ include "gatewayName" . }}
|
||||
istio: {{ include "gatewayName" . | trimPrefix "istio-" }}
|
||||
{{- end }}
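Review bot: `gatewaySelectorLabels` derives `app`/`istio` purely from `gatewayName`, whereas the subchart's `gateway.selectorLabels` honours `labels.app` / `labels.istio` when set — so as soon as someone overrides those labels (the migration procedure in the subchart README above does exactly that), the Gateway, EnvoyFilter and PodMonitor selectors rendered by this chart silently stop matching the gateway pods. Mirroring the override keeps both in sync: `app: {{ .Values.gateway.labels.app | default (include "gatewayName" .) }}` and `istio: {{ .Values.gateway.labels.istio | default (include "gatewayName" . | trimPrefix "istio-") }}`. `gatewayName` also lacks the subchart's `RELEASE-NAME` special case, so a plain `helm template` with the default release name renders the subchart as `istio-ingressgateway` but these resources as `RELEASE-NAME`; worth mirroring that branch or documenting the difference.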
|
@ -1,10 +1,9 @@
|
||||
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
||||
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
|
||||
# https://github.com/istio/istio/issues/24715
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: istio-gateway-bootstrap-config
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-bootstrap-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
@ -41,7 +40,7 @@ data:
|
||||
{
|
||||
"name": "envoy.resource_monitors.fixed_heap",
|
||||
"typed_config": {
|
||||
"@type": "type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig",
|
||||
"@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig",
|
||||
"max_heap_size_bytes": 536870912
|
||||
}
|
||||
}
|
||||
@ -58,4 +57,3 @@ data:
|
||||
]
|
||||
}
|
||||
}
|
||||
{{- end }}
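Review bot: Nothing in this commit appears to mount the renamed bootstrap ConfigMap any more: the removed chart injected it through `configVolumes` at `/etc/istio/custom-bootstrap` (visible in the deleted README further down), while the new umbrella values carry no `gateway.volumes`/`gateway.volumeMounts` and no bootstrap-override annotation, so the Envoy overload-manager hardening (the `fixed_heap` monitor) is rendered but, unless wired somewhere outside this diff, not applied. If it is meant to stay active, the umbrella values should add the volume/volumeMount plus the bootstrap-override annotation this Istio version expects (presumably `sidecar.istio.io/bootstrapOverride` — confirm); if not, dropping the ConfigMap avoids a misleading artefact. Also `max_heap_size_bytes: 536870912` equals the 512Mi memory limit set in the umbrella values, so the heap monitor would likely not trip before the kernel OOM-kills the container; the heap cap should sit clearly below the limit, with a comment tying the two numbers together.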
|
@ -1,12 +1,14 @@
|
||||
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-hardening
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
{{ include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
{{- include "gatewaySelectorLabels" . | nindent 6 }}
|
||||
configPatches:
|
||||
- applyTo: CLUSTER
|
||||
patch:
|
||||
@ -35,4 +37,3 @@ spec:
|
||||
initial_connection_window_size: 1048576 # 1 MiB
|
||||
#stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
|
||||
#request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests
|
||||
{{- end }}
|
@ -0,0 +1,29 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-listener-tcp-keepalive
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
{{- include "gatewaySelectorLabels" . | nindent 6 }}
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
socket_options:
|
||||
- level: 1 # SOL_SOCKET = 1
|
||||
name: 9 # SO_KEEPALIVE = 9
|
||||
int_value: 1
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 4 # TCP_KEEPIDLE = 4
|
||||
int_value: 120
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 5 # TCP_KEEPINTVL = 5
|
||||
int_value: 60
|
||||
state: STATE_PREBIND
|
@ -0,0 +1,21 @@
|
||||
{{- if .Values.proxyProtocol }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-proxy-protocol
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
{{- include "gatewaySelectorLabels" . | nindent 6 }}
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
listener_filters:
|
||||
- name: envoy.filters.listener.proxy_protocol
|
||||
- name: envoy.filters.listener.tls_inspector
|
||||
{{- end }}
|
@ -0,0 +1,19 @@
|
||||
{{- range $cert := .Values.certificates }}
|
||||
{{- if $cert.dnsNames }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ $cert.name }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" $ | indent 4 }}
|
||||
spec:
|
||||
secretName: {{ $cert.name }}
|
||||
issuerRef:
|
||||
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml $cert.dnsNames | indent 4 }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,19 +1,15 @@
|
||||
# Public Ingress Gateway
|
||||
{{- $gateway := index .Values "istio-ingress" }}
|
||||
|
||||
{{- if and $gateway.enabled $gateway.certificates }}
|
||||
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
||||
|
||||
{{- if .Values.certificates }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
{{- include "gatewaySelectorLabels" . | nindent 4 }}
|
||||
servers:
|
||||
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
|
||||
{{- include "gatewayServers" (dict "certificates" .Values.certificates "ports" .Values.gateway.service.ports ) | nindent 2 }}
|
||||
{{- end }}
|
@ -1,8 +1,8 @@
|
||||
{{- if or ( index .Values "istio-ingress" "telemetry" "enabled" ) ( index .Values "istio-private-ingress" "telemetry" "enabled" )}}
|
||||
{{- if .Values.telemetry.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: envoy-stats-monitor
|
||||
name: {{ include "gatewayName" . | trimPrefix "istio-" }}-envoy-stats-monitor
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
@ -10,6 +10,8 @@ spec:
|
||||
selector:
|
||||
matchExpressions:
|
||||
- {key: istio-prometheus-ignore, operator: DoesNotExist}
|
||||
matchLabels:
|
||||
{{- include "gatewaySelectorLabels" . | nindent 6 }}
|
||||
jobLabel: envoy-stats
|
||||
podMetricsEndpoints:
|
||||
- path: /stats/prometheus
|
11
charts/kubezero-istio-gateway/update.sh
Executable file
@ -0,0 +1,11 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="gateway") | .version' Chart.yaml)
|
||||
|
||||
helm dep update
|
||||
|
||||
# Patch
|
||||
tar xf charts/gateway-$ISTIO_VERSION.tgz -C charts && rm -f charts/gateway-$ISTIO_VERSION.tgz
|
||||
#diff -tubr charts/gateway.orig charts/gateway
|
||||
patch -p0 -i zdt.patch --no-backup-if-mismatch
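Review bot: `helm dep update` re-resolves the `gateway` dependency and downloads the archive without anything checking its digest — `charts/gateway-$ISTIO_VERSION.tgz` is extracted and patched straight away — so a replaced or compromised chart repository would land in the vendored tree unnoticed. Prefer `helm dep build` against a committed `Chart.lock` (which pins the dependency digest), or verify a pinned `sha256sum` of the archive before `tar xf`; `helm dep update` is only needed when bumping the version. `patch -p0 -i zdt.patch --no-backup-if-mismatch` still applies hunks with fuzz or offset silently, so `--fuzz=0` makes a drifted upstream template fail loudly instead of yielding a subtly wrong chart. Quoting `"${ISTIO_VERSION}"` is cheap insurance given `set -e`.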
|
38
charts/kubezero-istio-gateway/values.yaml
Normal file
@ -0,0 +1,38 @@
|
||||
gateway:
|
||||
autoscaling:
|
||||
enabled: false
|
||||
minReplicas: 1
|
||||
maxReplicas: 4
|
||||
targetCPUUtilizationPercentage: 80
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 512Mi
|
||||
|
||||
service:
|
||||
type: NodePort
|
||||
externalTrafficPolicy: Local
|
||||
# Map port 80/443 to 8080/8443 so we don't need to root
|
||||
|
||||
# ports is extended as follows:
|
||||
# noGateway: true -> this port does NOT get mapped to a Gateway port
|
||||
# tls: optional gateway port setting
|
||||
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
|
||||
|
||||
podAnnotations:
|
||||
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
||||
|
||||
certificates: []
|
||||
#- name: ingress-cert
|
||||
# dnsNames: []
|
||||
|
||||
telemetry:
|
||||
enabled: falser
|
||||
|
||||
proxyProtocol: true
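Review bot: `telemetry.enabled: falser` is a typo that YAML parses as the string `"falser"`, which is truthy in a Helm `if`, so the PodMonitor template further up is rendered despite the evident intent to disable it; it should read `enabled: false`. The comment `# Map port 80/443 to 8080/8443 so we don't need to root` is not backed by any `ports:` override under `service:`, so the subchart defaults (`targetPort: 80`/`443`) remain and the gateway still relies on the `ip_unprivileged_port_start` sysctl or the root fallback — either add the remapped ports here or drop the comment so it does not suggest a hardening that is not in place. `proxyProtocol: true` as a chart default also deserves a comment that it is only safe when the NodePorts are reachable exclusively from the load balancer.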
|
75
charts/kubezero-istio-gateway/zdt.patch
Normal file
@ -0,0 +1,75 @@
|
||||
diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml
|
||||
--- charts/gateway.orig/templates/deployment.yaml 2022-04-21 17:33:30.042035869 +0200
|
||||
+++ charts/gateway/templates/deployment.yaml 2022-04-21 18:17:15.130605952 +0200
|
||||
@@ -11,6 +11,9 @@
|
||||
{{- if not .Values.autoscaling.enabled }}
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- end }}
|
||||
+ # Give the LB 120s to detect and take into service
|
||||
+ # should only be 40s by we are on AWS so ...
|
||||
+ minReadySeconds: 120
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "gateway.selectorLabels" . | nindent 6 }}
|
||||
@@ -31,6 +34,7 @@
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
+ terminationGracePeriodSeconds: 120
|
||||
serviceAccountName: {{ include "gateway.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- if .Values.securityContext }}
|
||||
@@ -86,6 +90,10 @@
|
||||
name: http-envoy-prom
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
+ {{- if .Values.volumeMounts }}
|
||||
+ volumeMounts:
|
||||
+ {{- toYaml .Values.volumeMounts | nindent 12 }}
|
||||
+ {{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@@ -98,3 +106,7 @@
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
+ {{- with .Values.volumes }}
|
||||
+ volumes:
|
||||
+ {{- toYaml . | nindent 8 }}
|
||||
+ {{- end }}
|
||||
diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
|
||||
--- charts/gateway.orig/templates/service.yaml 2022-04-21 17:33:30.042035869 +0200
|
||||
+++ charts/gateway/templates/service.yaml 2022-04-21 17:33:41.801806959 +0200
|
||||
@@ -38,7 +38,14 @@
|
||||
port: 15017
|
||||
targetPort: 15017
|
||||
{{- else }}
|
||||
-{{ .Values.service.ports | toYaml | indent 4 }}
|
||||
+ {{- range $key, $val := .Values.service.ports }}
|
||||
+ -
|
||||
+ {{- range $pkey, $pval := $val }}
|
||||
+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
+ {{ $pkey}}: {{ $pval }}
|
||||
+ {{- end }}
|
||||
+ {{- end }}
|
||||
+ {{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "gateway.selectorLabels" . | nindent 4 }}
|
||||
diff -tubr charts/gateway.orig/values.schema.json charts/gateway/values.schema.json
|
||||
--- charts/gateway.orig/values.schema.json 2022-04-21 17:33:30.042035869 +0200
|
||||
+++ charts/gateway/values.schema.json 2022-04-21 17:52:51.007536238 +0200
|
||||
@@ -47,6 +47,12 @@
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
+ "volumes": {
|
||||
+ "type": "array"
|
||||
+ },
|
||||
+ "volumeMounts": {
|
||||
+ "type": "array"
|
||||
+ },
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
@ -1 +0,0 @@
|
||||
../kubezero-istio/.helmignore
|
@ -1,125 +0,0 @@
|
||||
# kubezero-istio-ingress
|
||||
|
||||
![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio based Ingress
|
||||
|
||||
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
## Maintainers
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Quarky9 | | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.18.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-ingress | 1.11.3 |
|
||||
| | istio-private-ingress | 1.11.3 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| global.arch.amd64 | int | `2` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| istio-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | |
|
||||
| istio-ingress.enabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-ingress.telemetry.enabled | bool | `false` | |
|
||||
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
|
||||
| istio-private-ingress.enabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-private-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-private-ingress.telemetry.enabled | bool | `false` | |
|
||||
|
||||
## Resources
|
||||
|
||||
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
|
||||
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
|
||||
- https://istio.io/latest/docs/setup/install/standalone-operator/
|
@ -1,13 +0,0 @@
|
||||
apiVersion: v1
|
||||
name: istio-ingress
|
||||
version: 1.11.5
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -1,43 +0,0 @@
|
||||
|
||||
Changes:
|
||||
- separate namespace allows:
|
||||
-- easier reconfig of just the gateway
|
||||
-- TLS secrets and domain name management is isolated, for better security
|
||||
-- simplified configuration
|
||||
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||
|
||||
- the new chart uses the default namespace service account, and doesn't require
|
||||
additional RBAC permissions.
|
||||
|
||||
- simplified label and chart structure.
|
||||
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||
and allows a bit more flexibility.
|
||||
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||
|
||||
# Port and basic host configuration
|
||||
|
||||
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||
both in upgrade, Gateway and VirtualService.
|
||||
|
||||
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||
config for the rest.
|
||||
|
||||
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||
|
||||
# Migration from istio-system
|
||||
|
||||
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||
with the Service and bound to the namespace, it is recommended to:
|
||||
|
||||
1. Install the new gateway in a new namespace.
|
||||
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||
4. Modify the DNS server to add the A record of the new namespace
|
||||
5. Check traffic
|
||||
6. Delete the A record corresponding to the gateway in istio-system
|
||||
7. Upgrade istio-system, disabling the ingressgateway
|
||||
8. Delete the domain TLS certs from istio-system.
|
||||
|
||||
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -1,105 +0,0 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{ define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
{{- if eq $val "Exists" }}
|
||||
- key: {{ $key }}
|
||||
operator: Exists
|
||||
{{- else }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- if $item.namespaces }}
|
||||
namespaces:
|
||||
{{- $ns := split "," $item.namespaces }}
|
||||
{{- range $i, $n := $ns }}
|
||||
- {{ $n | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,27 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
|
@ -1,335 +0,0 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if eq $gateway.injectionTemplate "" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
# Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
|
||||
minReadySeconds: 120
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "false"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
#This needs kube-proxy support coming with 1.22 hopefully, cilium ?
|
||||
#lifecycle:
|
||||
# preStop:
|
||||
# exec:
|
||||
# command: ["/bin/sh","-c","sleep 30"]
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if .Values.meshConfig.trustDomain }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||
{{- end }}
|
||||
{{- if .Values.meshConfig.trustDomain }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $val }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,143 +0,0 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
{{/* This provides a minimal gateway, ready to be injected.
|
||||
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "true"
|
||||
{{- with .Values.revision }}
|
||||
istio.io/rev: {{ . }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "true"
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
image: auto
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,19 +0,0 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
|
@ -1,16 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
@ -1,19 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name }}-service-account
|
||||
---
|
@ -1,49 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
|
@ -1,22 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
{{- with $gateway.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
@ -1,326 +0,0 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tuning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
serviceAccount:
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "standard"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||
injectionTemplate: ""
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# Default node selector to be applied to all deployments so that all pods can be
|
||||
# constrained to run a particular nodes. Each component can overwrite these default
|
||||
# values by adding its node selector block in the relevant section below and setting
|
||||
# the desired values.
|
||||
defaultNodeSelector: {}
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.11.5
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
|
||||
# The trust domain corresponds to the trust root of a system
|
||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||
trustDomain: "cluster.local"
|
||||
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
|
@ -1,13 +0,0 @@
|
||||
apiVersion: v1
|
||||
name: istio-private-ingress
|
||||
version: 1.11.5
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -1,43 +0,0 @@
|
||||
|
||||
Changes:
|
||||
- separate namespace allows:
|
||||
-- easier reconfig of just the gateway
|
||||
-- TLS secrets and domain name management is isolated, for better security
|
||||
-- simplified configuration
|
||||
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||
|
||||
- the new chart uses the default namespace service account, and doesn't require
|
||||
additional RBAC permissions.
|
||||
|
||||
- simplified label and chart structure.
|
||||
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||
and allows a bit more flexibility.
|
||||
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||
|
||||
# Port and basic host configuration
|
||||
|
||||
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||
both in upgrade, Gateway and VirtualService.
|
||||
|
||||
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||
config for the rest.
|
||||
|
||||
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||
|
||||
# Migration from istio-system
|
||||
|
||||
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||
with the Service and bound to the namespace, it is recommended to:
|
||||
|
||||
1. Install the new gateway in a new namespace.
|
||||
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||
4. Modify the DNS server to add the A record of the new namespace
|
||||
5. Check traffic
|
||||
6. Delete the A record corresponding to the gateway in istio-system
|
||||
7. Upgrade istio-system, disabling the ingressgateway
|
||||
8. Delete the domain TLS certs from istio-system.
|
||||
|
||||
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -1,105 +0,0 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{ define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
{{- if eq $val "Exists" }}
|
||||
- key: {{ $key }}
|
||||
operator: Exists
|
||||
{{- else }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- if $item.namespaces }}
|
||||
namespaces:
|
||||
{{- $ns := split "," $item.namespaces }}
|
||||
{{- range $i, $n := $ns }}
|
||||
- {{ $n | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,27 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
|
@ -1,335 +0,0 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if eq $gateway.injectionTemplate "" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
# Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ??
|
||||
minReadySeconds: 120
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "false"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
terminationGracePeriodSeconds: 120
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
#This needs kube-proxy support coming with 1.22 hopefully, cilium ?
|
||||
#lifecycle:
|
||||
# preStop:
|
||||
# exec:
|
||||
# command: ["/bin/sh","-c","sleep 30"]
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if .Values.meshConfig.trustDomain }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||
{{- end }}
|
||||
{{- if .Values.meshConfig.trustDomain }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $val }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,143 +0,0 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
{{/* This provides a minimal gateway, ready to be injected.
|
||||
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "true"
|
||||
{{- with .Values.revision }}
|
||||
istio.io/rev: {{ . }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "true"
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
image: auto
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,19 +0,0 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
|
@ -1,16 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
@ -1,19 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name }}-service-account
|
||||
---
|
@ -1,49 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
|
@ -1,22 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
{{- with $gateway.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
@ -1,326 +0,0 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tuning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
serviceAccount:
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "standard"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||
injectionTemplate: ""
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# Default node selector to be applied to all deployments so that all pods can be
|
||||
# constrained to run a particular nodes. Each component can overwrite these default
|
||||
# values by adding its node selector block in the relevant section below and setting
|
||||
# the desired values.
|
||||
defaultNodeSelector: {}
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.11.5
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
|
||||
# The trust domain corresponds to the trust root of a system
|
||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||
trustDomain: "cluster.local"
|
||||
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
|
@ -1,64 +0,0 @@
|
||||
{{- if index .Values "istio-ingress" "enabled" }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-listener-tcp-keepalive
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
socket_options:
|
||||
- level: 1 # SOL_SOCKET = 1
|
||||
name: 9 # SO_KEEPALIVE = 9
|
||||
int_value: 1
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 4 # TCP_KEEPIDLE = 4
|
||||
int_value: 120
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 5 # TCP_KEEPINTVL = 5
|
||||
int_value: 60
|
||||
state: STATE_PREBIND
|
||||
{{- end }}
|
||||
|
||||
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: private-ingressgateway-listener-tcp-keepalive
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: private-ingressgateway
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
socket_options:
|
||||
- level: 1 # SOL_SOCKET = 1
|
||||
name: 9 # SO_KEEPALIVE = 9
|
||||
int_value: 1
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 4 # TCP_KEEPIDLE = 4
|
||||
int_value: 120
|
||||
state: STATE_PREBIND
|
||||
- level: 6 # IPPROTO_TCP = 6
|
||||
name: 5 # TCP_KEEPINTVL = 5
|
||||
int_value: 60
|
||||
state: STATE_PREBIND
|
||||
{{- end }}
|
@ -1,44 +0,0 @@
|
||||
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-proxy-protocol
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
listener_filters:
|
||||
- name: envoy.listener.proxy_protocol
|
||||
- name: envoy.listener.tls_inspector
|
||||
{{- end }}
|
||||
|
||||
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: private-ingressgateway-proxy-protocol
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: private-ingressgateway
|
||||
configPatches:
|
||||
- applyTo: LISTENER
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
listener_filters:
|
||||
- name: envoy.listener.proxy_protocol
|
||||
- name: envoy.listener.tls_inspector
|
||||
{{- end }}
|
@ -1,39 +0,0 @@
|
||||
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||
{{- if $cert.dnsNames }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ $cert.name }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" $ | indent 4 }}
|
||||
spec:
|
||||
secretName: {{ $cert.name }}
|
||||
issuerRef:
|
||||
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml $cert.dnsNames | indent 4 }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- if $cert.dnsNames }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ $cert.name }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" $ | indent 4 }}
|
||||
spec:
|
||||
secretName: private-ingress-cert
|
||||
issuerRef:
|
||||
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml $cert.dnsNames | indent 4 }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,19 +0,0 @@
|
||||
# Private Ingress Gateway
|
||||
{{- $gateway := index .Values "istio-private-ingress" }}
|
||||
|
||||
{{- if and $gateway.enabled $gateway.certificates }}
|
||||
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
||||
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
istio: private-ingressgateway
|
||||
servers:
|
||||
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
|
||||
{{- end }}
|
@ -1,203 +0,0 @@
|
||||
# Make sure these values match kuberzero-istio !!!
|
||||
global:
|
||||
#hub: docker.io/istio
|
||||
tag: 1.11.5-distroless
|
||||
|
||||
logAsJson: true
|
||||
|
||||
priorityClassName: "system-cluster-critical"
|
||||
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
arch:
|
||||
amd64: 2
|
||||
|
||||
istio-ingress:
|
||||
enabled: false
|
||||
|
||||
telemetry:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
rollingMaxSurge: 1
|
||||
rollingMaxUnavailable: 0
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 512Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
type: NodePort
|
||||
podAnnotations:
|
||||
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
||||
|
||||
# custom hardened bootstrap config
|
||||
env:
|
||||
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
|
||||
configVolumes:
|
||||
- name: custom-bootstrap-volume
|
||||
mountPath: /etc/istio/custom-bootstrap
|
||||
configMapName: istio-gateway-bootstrap-config
|
||||
|
||||
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "Exists"
|
||||
# Only nodes who are fronted with matching NLB
|
||||
#affintiy:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: node.kubernetes.io/ingress.public
|
||||
# operator: Exists
|
||||
|
||||
# Map port 80/443 to 8080/8443 so we don't need to root
|
||||
|
||||
# ports is extended as follows:
|
||||
# noGateway: true -> this port does NOT get mapped to a Gateway port
|
||||
# tls: optional gateway port setting
|
||||
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
nodePort: 30021
|
||||
noGateway: true
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 30080
|
||||
gatewayProtocol: HTTP2
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 30443
|
||||
gatewayProtocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
|
||||
certificates:
|
||||
- name: ingress-cert
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
||||
proxyProtocol: true
|
||||
|
||||
meshConfig:
|
||||
defaultConfig:
|
||||
proxyMetadata:
|
||||
# ISTIO_META_HTTP10: 1
|
||||
|
||||
istio-private-ingress:
|
||||
enabled: false
|
||||
|
||||
telemetry:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
# name and labels make the ingress private
|
||||
name: istio-private-ingressgateway
|
||||
labels:
|
||||
app: istio-private-ingressgateway
|
||||
istio: private-ingressgateway
|
||||
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
rollingMaxSurge: 1
|
||||
rollingMaxUnavailable: 0
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 512Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-private-ingressgateway
|
||||
type: NodePort
|
||||
podAnnotations:
|
||||
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
||||
|
||||
# custom hardened bootstrap config
|
||||
env:
|
||||
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
|
||||
configVolumes:
|
||||
- name: custom-bootstrap-volume
|
||||
mountPath: /etc/istio/custom-bootstrap
|
||||
configMapName: istio-gateway-bootstrap-config
|
||||
|
||||
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "Exists"
|
||||
# Only nodes who are fronted with matching NLB
|
||||
#affintiy:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: node.kubernetes.io/ingress.private
|
||||
# operator: Exists
|
||||
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
nodePort: 31021
|
||||
noGateway: true
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 31080
|
||||
gatewayProtocol: HTTP2
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 31443
|
||||
gatewayProtocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
#- name: fluentd-forward
|
||||
# port: 24224
|
||||
# nodePort: 31224
|
||||
# gatewayProtocol: TLS
|
||||
# tls:
|
||||
# mode: SIMPLE
|
||||
#- name: amqps
|
||||
# port: 5671
|
||||
# nodePort: 31671
|
||||
#- name: amqp
|
||||
# port: 5672
|
||||
# nodePort: 31672
|
||||
#- name: redis
|
||||
# port: 6379
|
||||
# nodePort: 31379
|
||||
|
||||
certificates:
|
||||
- name: private-ingress-cert
|
||||
dnsNames: []
|
||||
#- '*.example.com'
|
||||
|
||||
proxyProtocol: true
|
||||
|
||||
meshConfig:
|
||||
defaultConfig:
|
||||
proxyMetadata:
|
||||
# ISTIO_META_HTTP10: 1
|
@ -2,8 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.7.6
|
||||
appVersion: 1.11.5
|
||||
version: 0.8.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -17,9 +16,11 @@ dependencies:
|
||||
version: ">= 0.1.4"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: base
|
||||
version: 1.11.5
|
||||
- name: istio-discovery
|
||||
version: 1.11.5
|
||||
version: 1.13.3
|
||||
repository: https://istio-release.storage.googleapis.com/charts
|
||||
- name: istiod
|
||||
version: 1.13.3
|
||||
repository: https://istio-release.storage.googleapis.com/charts
|
||||
- name: kiali-server
|
||||
version: 1.38.1
|
||||
# repository: https://github.com/kiali/helm-charts/tree/master/docs
|
||||
|
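Review bot: The `appVersion: 1.11.5` line is dropped from this Chart.yaml without a replacement, so the chart no longer records which Istio release it ships; add `appVersion: "1.13.3"` next to `version: 0.8.0` so the README badge and `helm show chart` reflect it again. The supply-chain point is that `base` and `istiod` are now resolved from `https://istio-release.storage.googleapis.com/charts` instead of the in-tree copies this commit deletes, so what `helm dependency build` fetches for `1.13.3` is only pinned if a regenerated `Chart.lock` (with its `digest`) is committed alongside; that file is not visible in this chunk, so please confirm it was updated in the same change. `kiali-server` keeps its repository commented out and is presumably still vendored in-tree; a one-line comment stating that would save the next reader from wondering why only two of the three dependencies are remote.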
@ -1,6 +1,6 @@
|
||||
# kubezero-istio
|
||||
|
||||
![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square)
|
||||
![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
@ -12,18 +12,18 @@ Installs the Istio control plane
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Quarky9 | | |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.18.0`
|
||||
Kubernetes: `>= 1.20.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | base | 1.11.3 |
|
||||
| | istio-discovery | 1.11.3 |
|
||||
| | kiali-server | 1.38.1 |
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||
| https://istio-release.storage.googleapis.com/charts | base | 1.13.3 |
|
||||
| https://istio-release.storage.googleapis.com/charts | istiod | 1.13.3 |
|
||||
|
||||
## Values
|
||||
|
||||
@ -32,18 +32,19 @@ Kubernetes: `>= 1.18.0`
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | |
|
||||
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||
| global.tag | string | `"1.13.3-distroless"` | |
|
||||
| istiod.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||
| istiod.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||
| istiod.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
|
||||
| istiod.meshConfig.tcpKeepalive.time | string | `"120s"` | |
|
||||
| istiod.pilot.autoscaleEnabled | bool | `false` | |
|
||||
| istiod.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||
| istiod.pilot.replicaCount | int | `1` | |
|
||||
| istiod.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||
| istiod.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||
| istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| istiod.telemetry.enabled | bool | `false` | |
|
||||
| kiali-server.auth.strategy | string | `"anonymous"` | |
|
||||
| kiali-server.deployment.ingress_enabled | bool | `false` | |
|
||||
| kiali-server.deployment.view_only_mode | bool | `true` | |
|
||||
|
@ -1,11 +0,0 @@
|
||||
apiVersion: v1
|
||||
name: base
|
||||
version: 1.11.5
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||
keywords:
|
||||
- istio
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -1 +0,0 @@
|
||||
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
|
@ -1,48 +0,0 @@
|
||||
# SYNC WITH manifests/charts/istio-operator/templates
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: istiooperators.install.istio.io
|
||||
labels:
|
||||
release: istio
|
||||
spec:
|
||||
conversion:
|
||||
strategy: None
|
||||
group: install.istio.io
|
||||
names:
|
||||
kind: IstioOperator
|
||||
listKind: IstioOperatorList
|
||||
plural: istiooperators
|
||||
singular: istiooperator
|
||||
shortNames:
|
||||
- iop
|
||||
- io
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Istio control plane revision
|
||||
jsonPath: .spec.revision
|
||||
name: Revision
|
||||
type: string
|
||||
- description: IOP current state
|
||||
jsonPath: .status.status
|
||||
name: Status
|
||||
type: string
|
||||
- description: 'CreationTimestamp is a timestamp representing the server time
|
||||
when this object was created. It is not guaranteed to be set in happens-before
|
||||
order across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||
jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
subresources:
|
||||
status: {}
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
served: true
|
||||
storage: true
|
||||
---
|
@ -1,5 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- files/gen-istio-cluster.yaml
|
@ -1,171 +0,0 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# sidecar injection controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
|
||||
# configuration validation webhook controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
|
||||
# istio configuration
|
||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
||||
# please proceed with caution
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
resources: ["*"]
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["update"]
|
||||
# TODO: should be on just */status but wildcard is not supported
|
||||
resources: ["*"]
|
||||
{{- end }}
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries/status" ]
|
||||
|
||||
# auto-detect installed CRD definitions
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# discovery and routing
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# ingress controller
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
{{- end}}
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses", "ingressclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
|
||||
# required for CA's namespace controller
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
|
||||
# Istiod and bootstrap.
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "certificatesigningrequests"
|
||||
- "certificatesigningrequests/approval"
|
||||
- "certificatesigningrequests/status"
|
||||
verbs: ["update", "create", "get", "delete", "watch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "signers"
|
||||
resourceNames:
|
||||
- "kubernetes.io/legacy-unknown"
|
||||
verbs: ["approve"]
|
||||
|
||||
# Used by Istiod to verify the JWT tokens
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Used by Istiod to verify gateway SDS
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Use for Kubernetes Service APIs
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
||||
verbs: ["update"]
|
||||
|
||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
# Used for MCS serviceexport management
|
||||
- apiGroups: ["multicluster.x-k8s.io"]
|
||||
resources: ["serviceexports"]
|
||||
verbs: ["get", "watch", "list", "create", "delete"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "config.istio.io"
|
||||
- "security.istio.io"
|
||||
- "networking.istio.io"
|
||||
- "authentication.istio.io"
|
||||
- "rbac.istio.io"
|
||||
resources: ["*"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["replicasets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["multicluster.x-k8s.io"]
|
||||
resources: ["serviceexports"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
{{- if or .Values.global.externalIstiod }}
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
{{- end}}
|
||||
---
|
@ -1,37 +0,0 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
---
|
@ -1,4 +0,0 @@
|
||||
{{- if .Values.base.enableCRDTemplates }}
|
||||
{{ .Files.Get "crds/crd-all.gen.yaml" }}
|
||||
{{ .Files.Get "crds/crd-operator.yaml" }}
|
||||
{{- end }}
|
@ -1,30 +0,0 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
apiVersion: v1
|
||||
kind: Endpoints
|
||||
metadata:
|
||||
name: istiod-remote
|
||||
namespace: {{ .Release.Namespace }}
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: {{ .Values.global.remotePilotAddress }}
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
||||
apiVersion: v1
|
||||
kind: Endpoints
|
||||
metadata:
|
||||
name: istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: {{ .Values.global.remotePilotAddress }}
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
@ -1,16 +0,0 @@
|
||||
# This service account aggregates reader permissions for the revisions in a given cluster
|
||||
# Should be used for remote secret creation.
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
@ -1,25 +0,0 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# permissions to verify the webhook is ready and rejecting
|
||||
# invalid config. We use --server-dry-run so no config is persisted.
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: ["create"]
|
||||
resources: ["gateways"]
|
||||
|
||||
# For storing CA secret
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
|
||||
verbs: ["create", "get", "watch", "list", "update", "delete"]
|
@ -1,21 +0,0 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
@ -1,19 +0,0 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
@ -1,37 +0,0 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
# when istiod is enabled in remote cluster, we can't use istiod service name
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: istiod-remote
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
clusterIP: None
|
||||
{{- else }}
|
||||
# when istiod isn't enabled in remote cluster, we can use istiod service name
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
# if the remotePilotAddress is IP addr, we use clusterIP: None.
|
||||
# else, we use externalName
|
||||
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
||||
clusterIP: None
|
||||
{{- else }}
|
||||
type: ExternalName
|
||||
externalName: {{ .Values.global.remotePilotAddress }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
@ -1,27 +0,0 @@
|
||||
global:
|
||||
|
||||
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
istiod:
|
||||
enableAnalysis: false
|
||||
|
||||
configValidation: true
|
||||
externalIstiod: false
|
||||
remotePilotAddress: ""
|
||||
|
||||
base:
|
||||
# Used for helm2 to add the CRDs to templates.
|
||||
enableCRDTemplates: false
|
||||
|
||||
# Validation webhook configuration url
|
||||
# For example: https://$remotePilotAddress:15017/validate
|
||||
validationURL: ""
|
||||
|
||||
# For istioctl usage to disable istio config crds in base
|
||||
enableIstioConfigCRDs: true
|
@ -1,13 +0,0 @@
|
||||
apiVersion: v1
|
||||
name: istio-discovery
|
||||
version: 1.11.5
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for istio control plane
|
||||
keywords:
|
||||
- istio
|
||||
- istiod
|
||||
- istio-discovery
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -1,8 +0,0 @@
|
||||
Minimal control plane for Istio. Pilot and mesh config are included.
|
||||
|
||||
MCP and injector should optionally be installed in the same namespace. Alternatively remote
|
||||
address of an MCP server can be set.
|
||||
|
||||
|
||||
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
|
||||
https://forms.gle/kWULBRjUv7hHci7T6
|
@ -1,205 +0,0 @@
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
labels:
|
||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
}
|
||||
spec:
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# SDS channel between istioagent and Envoy
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-envoy
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- mountPath: /etc/certs/
|
||||
name: istio-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
volumes:
|
||||
# SDS channel between istioagent and Envoy
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-envoy
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
optional: true
|
||||
{{ if eq .Spec.ServiceAccountName "" }}
|
||||
secretName: istio.default
|
||||
{{ else -}}
|
||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
@ -1,234 +0,0 @@
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
}
|
||||
spec:
|
||||
containers:
|
||||
{{- range $index, $container := .Spec.Containers }}
|
||||
{{ if not (eq $container.Name "istio-proxy") }}
|
||||
- name: {{ $container.Name }}
|
||||
env:
|
||||
- name: "GRPC_XDS_BOOTSTRAP"
|
||||
value: "/var/lib/istio/data/grpc-bootstrap.json"
|
||||
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
|
||||
value: "true"
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-xds
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
args:
|
||||
- proxy
|
||||
- sidecar
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
env:
|
||||
- name: "GRPC_XDS_BOOTSTRAP"
|
||||
value: "/var/lib/istio/data/grpc-bootstrap.json"
|
||||
- name: ISTIO_META_GENERATOR
|
||||
value: grpc
|
||||
- name: OUTPUT_CERTS
|
||||
value: /var/lib/istio/data
|
||||
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
||||
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
||||
value: "true"
|
||||
{{- end }}
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
# grpc uses xds:/// to resolve – no need to resolve VIP
|
||||
- name: ISTIO_META_DNS_CAPTURE
|
||||
value: "false"
|
||||
- name: DISABLE_ENVOY
|
||||
value: "true"
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: {{ .Values.global.proxy.statusPort }}
|
||||
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
||||
{{ end -}}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-xds
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 6 }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-xds
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 4 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
@ -1,58 +0,0 @@
|
||||
spec:
|
||||
initContainers:
|
||||
- name: grpc-bootstrap-init
|
||||
image: busybox:1.28
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/grpc/data/
|
||||
name: grpc-io-proxyless-bootstrap
|
||||
env:
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
command:
|
||||
- sh
|
||||
- "-c"
|
||||
- |-
|
||||
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
|
||||
echo '
|
||||
{
|
||||
"xds_servers": [
|
||||
{
|
||||
"server_uri": "dns:///istiod.istio-system.svc:15010",
|
||||
"channel_creds": [{"type": "insecure"}],
|
||||
"server_features" : ["xds_v3"]
|
||||
}
|
||||
],
|
||||
"node": {
|
||||
"id": "'${NODE_ID}'",
|
||||
"metadata": {
|
||||
"GENERATOR": "grpc"
|
||||
}
|
||||
}
|
||||
}' > /var/lib/grpc/data/bootstrap.json
|
||||
containers:
|
||||
{{- range $index, $container := .Spec.Containers }}
|
||||
- name: {{ $container.Name }}
|
||||
env:
|
||||
- name: GRPC_XDS_BOOTSTRAP
|
||||
value: /var/lib/grpc/data/bootstrap.json
|
||||
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
|
||||
value: "99"
|
||||
- name: GRPC_GO_LOG_SEVERITY_LEVEL
|
||||
value: info
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/grpc/data/
|
||||
name: grpc-io-proxyless-bootstrap
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: grpc-io-proxyless-bootstrap
|
||||
emptyDir: {}
|
@ -1,466 +0,0 @@
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
labels:
|
||||
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
|
||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
{{- if .Values.istio_cni.enabled }}
|
||||
{{- if not .Values.istio_cni.chained }}
|
||||
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
|
||||
{{- end }}
|
||||
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
|
||||
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
|
||||
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
|
||||
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
|
||||
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
||||
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
|
||||
{{- end }}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
||||
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
|
||||
{{- end }}
|
||||
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
|
||||
{{- end }}
|
||||
}
|
||||
spec:
|
||||
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
||||
initContainers:
|
||||
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
||||
{{ if .Values.istio_cni.enabled -}}
|
||||
- name: istio-validation
|
||||
{{ else -}}
|
||||
- name: istio-init
|
||||
{{ end -}}
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
args:
|
||||
- istio-iptables
|
||||
- "-p"
|
||||
- "15001"
|
||||
- "-z"
|
||||
- "15006"
|
||||
- "-u"
|
||||
- "1337"
|
||||
- "-m"
|
||||
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
||||
- "-i"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
||||
- "-x"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
||||
- "-b"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
|
||||
- "-d"
|
||||
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
|
||||
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
||||
{{- else }}
|
||||
- "15090,15021"
|
||||
{{- end }}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
|
||||
- "-q"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
||||
{{ end -}}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
|
||||
- "-o"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
||||
{{ end -}}
|
||||
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
|
||||
- "-k"
|
||||
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
||||
{{ end -}}
|
||||
{{ if .Values.istio_cni.enabled -}}
|
||||
- "--run-validation"
|
||||
- "--skip-rule-apply"
|
||||
{{ end -}}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
{{- if .ProxyConfig.ProxyMetadata }}
|
||||
env:
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||
privileged: {{ .Values.global.proxy.privileged }}
|
||||
capabilities:
|
||||
{{- if not .Values.istio_cni.enabled }}
|
||||
add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
{{- end }}
|
||||
drop:
|
||||
- ALL
|
||||
{{- if not .Values.istio_cni.enabled }}
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{- else }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1337
|
||||
runAsUser: 1337
|
||||
runAsNonRoot: true
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
{{ end -}}
|
||||
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
||||
- name: enable-core-dump
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
command:
|
||||
- /bin/sh
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
add:
|
||||
- SYS_ADMIN
|
||||
drop:
|
||||
- ALL
|
||||
privileged: true
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- sidecar
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if gt .EstimatedConcurrency 0 }}
|
||||
- --concurrency
|
||||
- "{{ .EstimatedConcurrency }}"
|
||||
{{- end -}}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||
{{- else if $holdProxy }}
|
||||
lifecycle:
|
||||
postStart:
|
||||
exec:
|
||||
command:
|
||||
- pilot-agent
|
||||
- wait
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
||||
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
||||
value: "true"
|
||||
{{- end }}
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- name: ISTIO_BOOTSTRAP_OVERRIDE
|
||||
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
|
||||
{{- end }}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
||||
{{ end -}}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||
capabilities:
|
||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||
add:
|
||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
|
||||
- NET_ADMIN
|
||||
{{- end }}
|
||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
|
||||
- NET_BIND_SERVICE
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
drop:
|
||||
- ALL
|
||||
privileged: {{ .Values.global.proxy.privileged }}
|
||||
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
||||
runAsGroup: 1337
|
||||
fsGroup: 1337
|
||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{- else -}}
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1337
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- mountPath: /etc/istio/custom-bootstrap
|
||||
name: custom-bootstrap-volume
|
||||
{{- end }}
|
||||
# SDS channel between istioagent and Envoy
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-envoy
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- mountPath: /etc/certs/
|
||||
name: istio-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
|
||||
name: lightstep-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 6 }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- name: custom-bootstrap-volume
|
||||
configMap:
|
||||
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
|
||||
{{- end }}
|
||||
# SDS channel between istioagent and Envoy
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-envoy
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
optional: true
|
||||
{{ if eq .Spec.ServiceAccountName "" }}
|
||||
secretName: istio.default
|
||||
{{ else -}}
|
||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 4 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||
- name: lightstep-certs
|
||||
secret:
|
||||
optional: true
|
||||
secretName: lightstep.cacert
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
@ -1,5 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- files/gen-istio.yaml
|
@ -1,26 +0,0 @@
|
||||
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
spec:
|
||||
maxReplicas: {{ .Values.pilot.autoscaleMax }}
|
||||
minReplicas: {{ .Values.pilot.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
|
@ -1,112 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# sidecar injection controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
|
||||
# configuration validation webhook controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
|
||||
# istio configuration
|
||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
||||
# please proceed with caution
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
resources: ["*"]
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["update"]
|
||||
# TODO: should be on just */status but wildcard is not supported
|
||||
resources: ["*"]
|
||||
{{- end }}
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries/status" ]
|
||||
|
||||
# auto-detect installed CRD definitions
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# discovery and routing
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# ingress controller
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
{{- end}}
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses", "ingressclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
|
||||
# required for CA's namespace controller
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
|
||||
# Istiod and bootstrap.
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "certificatesigningrequests"
|
||||
- "certificatesigningrequests/approval"
|
||||
- "certificatesigningrequests/status"
|
||||
verbs: ["update", "create", "get", "delete", "watch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "signers"
|
||||
resourceNames:
|
||||
- "kubernetes.io/legacy-unknown"
|
||||
verbs: ["approve"]
|
||||
|
||||
# Used by Istiod to verify the JWT tokens
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Used by Istiod to verify gateway SDS
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Use for Kubernetes Service APIs
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
||||
verbs: ["update"]
|
||||
|
||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
# Used for MCS serviceexport management
|
||||
- apiGroups: ["multicluster.x-k8s.io"]
|
||||
resources: ["serviceexports"]
|
||||
verbs: ["get", "watch", "list", "create", "delete"]
|
@ -1,15 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
@ -1,14 +0,0 @@
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
data:
|
||||
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
|
||||
{{- end }}
|
@ -1,100 +0,0 @@
|
||||
{{- define "mesh" }}
|
||||
# The trust domain corresponds to the trust root of a system.
|
||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||
trustDomain: "cluster.local"
|
||||
|
||||
# The namespace to treat as the administrative root namespace for Istio configuration.
|
||||
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
||||
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
||||
# is processed as if it were declared in the leaf namespace.
|
||||
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
|
||||
|
||||
defaultConfig:
|
||||
{{- if .Values.global.meshID }}
|
||||
meshId: {{ .Values.global.meshID }}
|
||||
{{- end }}
|
||||
tracing:
|
||||
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
||||
lightstep:
|
||||
# Address of the LightStep Satellite pool
|
||||
address: {{ .Values.global.tracer.lightstep.address }}
|
||||
# Access Token used to communicate with the Satellite pool
|
||||
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
|
||||
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
|
||||
zipkin:
|
||||
# Address of the Zipkin collector
|
||||
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
|
||||
{{- else if eq .Values.global.proxy.tracer "datadog" }}
|
||||
datadog:
|
||||
# Address of the Datadog Agent
|
||||
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
|
||||
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
|
||||
stackdriver:
|
||||
# enables trace output to stdout.
|
||||
{{- if $.Values.global.tracer.stackdriver.debug }}
|
||||
debug: {{ $.Values.global.tracer.stackdriver.debug }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
|
||||
# The global default max number of attributes per span.
|
||||
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
|
||||
# The global default max number of annotation events per span.
|
||||
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
|
||||
# The global default max number of message events per span.
|
||||
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
||||
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
|
||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
|
||||
{{- else }}
|
||||
{}
|
||||
{{- end }}
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
||||
{{- else }}
|
||||
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
|
||||
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
|
||||
{{- $originalMesh := include "mesh" . | fromYaml }}
|
||||
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
|
||||
|
||||
{{- if .Values.pilot.configMap }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
release: {{ .Release.Name }}
|
||||
data:
|
||||
|
||||
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
|
||||
meshNetworks: |-
|
||||
{{- if .Values.global.meshNetworks }}
|
||||
networks:
|
||||
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
|
||||
{{- else }}
|
||||
networks: {}
|
||||
{{- end }}
|
||||
|
||||
mesh: |-
|
||||
{{- if .Values.meshConfig }}
|
||||
{{ $mesh | toYaml | indent 4 }}
|
||||
{{- else }}
|
||||
{{- include "mesh" . }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
@ -1,222 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
istio: pilot
|
||||
release: {{ .Release.Name }}
|
||||
{{- range $key, $val := .Values.pilot.deploymentLabels }}
|
||||
{{ $key }}: "{{ $val }}"
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.pilot.autoscaleEnabled }}
|
||||
{{- if .Values.pilot.replicaCount }}
|
||||
replicas: {{ .Values.pilot.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
|
||||
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- if ne .Values.revision "" }}
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
{{- else }}
|
||||
istio: pilot
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
operator.istio.io/component: "Pilot"
|
||||
{{- if ne .Values.revision "" }}
|
||||
istio: istiod
|
||||
{{- else }}
|
||||
istio: pilot
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15014"
|
||||
prometheus.io/scrape: "true"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if .Values.pilot.podAnnotations }}
|
||||
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.pilot.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
containers:
|
||||
- name: discovery
|
||||
{{- if contains "/" .Values.pilot.image }}
|
||||
image: "{{ .Values.pilot.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
args:
|
||||
- "discovery"
|
||||
- --monitoringAddr=:15014
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --domain
|
||||
- {{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.oneNamespace }}
|
||||
- "-a"
|
||||
- {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- if .Values.pilot.plugins }}
|
||||
- --plugins={{ .Values.pilot.plugins }}
|
||||
{{- end }}
|
||||
- --keepaliveMaxServerConnectionAge
|
||||
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
- containerPort: 15010
|
||||
protocol: TCP
|
||||
- containerPort: 15017
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: 8080
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 3
|
||||
timeoutSeconds: 5
|
||||
env:
|
||||
- name: REVISION
|
||||
value: "{{ .Values.revision | default `default` }}"
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: KUBECONFIG
|
||||
value: /var/run/secrets/remote/config
|
||||
{{- if .Values.pilot.env }}
|
||||
{{- range $key, $val := .Values.pilot.env }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $val }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.pilot.traceSampling }}
|
||||
- name: PILOT_TRACE_SAMPLING
|
||||
value: "{{ .Values.pilot.traceSampling }}"
|
||||
{{- end }}
|
||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
|
||||
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
||||
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
||||
- name: ISTIOD_ADDR
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
||||
- name: PILOT_ENABLE_ANALYSIS
|
||||
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
||||
- name: CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
{{- if not .Values.telemetry.v2.enabled }}
|
||||
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
||||
value: "false"
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if .Values.pilot.resources }}
|
||||
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: local-certs
|
||||
mountPath: /var/run/secrets/istio-dns
|
||||
- name: cacerts
|
||||
mountPath: /etc/cacerts
|
||||
readOnly: true
|
||||
- name: istio-kubeconfig
|
||||
mountPath: /var/run/secrets/remote
|
||||
readOnly: true
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
- name: extracacerts
|
||||
mountPath: /cacerts
|
||||
{{- end }}
|
||||
volumes:
|
||||
# Technically not needed on this pod - but it helps debugging/testing SDS
|
||||
# Should be removed after everything works.
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: local-certs
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
expirationSeconds: 43200
|
||||
path: istio-token
|
||||
{{- end }}
|
||||
# Optional: user-generated root
|
||||
- name: cacerts
|
||||
secret:
|
||||
secretName: cacerts
|
||||
optional: true
|
||||
- name: istio-kubeconfig
|
||||
secret:
|
||||
secretName: istio-kubeconfig
|
||||
optional: true
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
- name: extracacerts
|
||||
configMap:
|
||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- end }}
|
||||
---
|
@ -1,67 +0,0 @@
|
||||
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
release: {{ .Release.Name }}
|
||||
data:
|
||||
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
|
||||
values: |-
|
||||
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
|
||||
|
||||
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
|
||||
# and istiod webhook functionality.
|
||||
#
|
||||
# New fields should not use Values - it is a 'primary' config object, users should be able
|
||||
# to fine tune it or use it with kube-inject.
|
||||
config: |-
|
||||
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
|
||||
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
|
||||
defaultTemplates:
|
||||
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
defaultTemplates: [sidecar]
|
||||
{{- end }}
|
||||
policy: {{ .Values.global.proxy.autoInject }}
|
||||
alwaysInjectSelector:
|
||||
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
||||
neverInjectSelector:
|
||||
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
|
||||
injectedAnnotations:
|
||||
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
||||
"{{ $key }}": "{{ $val }}"
|
||||
{{- end }}
|
||||
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
|
||||
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
|
||||
This should make it obvious that their installation is broken.
|
||||
*/}}
|
||||
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
|
||||
templates:
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
|
||||
sidecar: |
|
||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
|
||||
gateway: |
|
||||
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
|
||||
grpc-simple: |
|
||||
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
|
||||
grpc-agent: |
|
||||
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.sidecarInjectorWebhook.templates }}
|
||||
{{ toYaml . | trim | indent 6 }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|