feat: First draft new Istio 13 helm charts
This commit is contained in:
parent
4c91dc6ca4
commit
09bb5d427e
@ -2,8 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.7.6
|
version: 0.8.0
|
||||||
appVersion: 1.11.5
|
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -17,9 +16,11 @@ dependencies:
|
|||||||
version: ">= 0.1.4"
|
version: ">= 0.1.4"
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
- name: base
|
- name: base
|
||||||
version: 1.11.5
|
version: 1.13.3
|
||||||
- name: istio-discovery
|
repository: https://istio-release.storage.googleapis.com/charts
|
||||||
version: 1.11.5
|
- name: istiod
|
||||||
|
version: 1.13.3
|
||||||
|
repository: https://istio-release.storage.googleapis.com/charts
|
||||||
- name: kiali-server
|
- name: kiali-server
|
||||||
version: 1.38.1
|
version: 1.38.1
|
||||||
# repository: https://github.com/kiali/helm-charts/tree/master/docs
|
# repository: https://github.com/kiali/helm-charts/tree/master/docs
|
||||||
|
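Review bot: `appVersion` is dropped from Chart.yaml (old side `appVersion: 1.11.5`, nothing on the new side) while the bundled Istio charts move to 1.13.3, so the umbrella chart no longer states which Istio release it ships and the README below loses its AppVersion badge; consider keeping `appVersion: 1.13.3` next to `version: 0.8.0`. The `base` and `istiod` dependencies now resolve from `https://istio-release.storage.googleapis.com/charts` instead of the vendored `base` / `istio-discovery` charts this commit deletes; unless a Chart.lock with digests is committed alongside (not visible in this view), `helm dependency update` fetches whatever the remote serves for `1.13.3` with no integrity pinning, which is worth stating in the commit description. The `kiali-server` entry keeps its `repository:` commented out, so its source is implicit; a one-line comment on that entry naming where the chart is sourced from would save the next maintainer a search.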
@ -1,6 +1,6 @@
|
|||||||
# kubezero-istio
|
# kubezero-istio
|
||||||
|
|
||||||
![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square)
|
![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for Istio
|
KubeZero Umbrella Chart for Istio
|
||||||
|
|
||||||
@ -12,18 +12,18 @@ Installs the Istio control plane
|
|||||||
|
|
||||||
| Name | Email | Url |
|
| Name | Email | Url |
|
||||||
| ---- | ------ | --- |
|
| ---- | ------ | --- |
|
||||||
| Quarky9 | | |
|
| Stefan Reimer | stefan@zero-downtime.net | |
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Kubernetes: `>= 1.18.0`
|
Kubernetes: `>= 1.20.0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | base | 1.11.3 |
|
|
||||||
| | istio-discovery | 1.11.3 |
|
|
||||||
| | kiali-server | 1.38.1 |
|
| | kiali-server | 1.38.1 |
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
|
||||||
|
| https://istio-release.storage.googleapis.com/charts | base | 1.13.3 |
|
||||||
|
| https://istio-release.storage.googleapis.com/charts | istiod | 1.13.3 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
|
|
||||||
@ -32,12 +32,13 @@ Kubernetes: `>= 1.18.0`
|
|||||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
| global.logAsJson | bool | `true` | |
|
| global.logAsJson | bool | `true` | |
|
||||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
|
| global.tag | string | `"1.11.5-distroless"` | |
|
||||||
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||||
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||||
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
|
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
|
||||||
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | |
|
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | |
|
||||||
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||||
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| istio-discovery.pilot.replicaCount | int | `1` | |
|
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||||
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||||
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
name: base
|
|
||||||
version: 1.11.5
|
|
||||||
tillerVersion: ">=2.7.2"
|
|
||||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
|
||||||
keywords:
|
|
||||||
- istio
|
|
||||||
sources:
|
|
||||||
- http://github.com/istio/istio
|
|
||||||
engine: gotpl
|
|
||||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
|
@ -1 +0,0 @@
|
|||||||
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
|
|
@ -1,48 +0,0 @@
|
|||||||
# SYNC WITH manifests/charts/istio-operator/templates
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
name: istiooperators.install.istio.io
|
|
||||||
labels:
|
|
||||||
release: istio
|
|
||||||
spec:
|
|
||||||
conversion:
|
|
||||||
strategy: None
|
|
||||||
group: install.istio.io
|
|
||||||
names:
|
|
||||||
kind: IstioOperator
|
|
||||||
listKind: IstioOperatorList
|
|
||||||
plural: istiooperators
|
|
||||||
singular: istiooperator
|
|
||||||
shortNames:
|
|
||||||
- iop
|
|
||||||
- io
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- description: Istio control plane revision
|
|
||||||
jsonPath: .spec.revision
|
|
||||||
name: Revision
|
|
||||||
type: string
|
|
||||||
- description: IOP current state
|
|
||||||
jsonPath: .status.status
|
|
||||||
name: Status
|
|
||||||
type: string
|
|
||||||
- description: 'CreationTimestamp is a timestamp representing the server time
|
|
||||||
when this object was created. It is not guaranteed to be set in happens-before
|
|
||||||
order across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
|
||||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
|
||||||
jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
type: object
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
---
|
|
@ -1,5 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- files/gen-istio-cluster.yaml
|
|
@ -1,171 +0,0 @@
|
|||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
# DO NOT EDIT!
|
|
||||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
|
||||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
|
||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
rules:
|
|
||||||
# sidecar injection controller
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update", "patch"]
|
|
||||||
|
|
||||||
# configuration validation webhook controller
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["validatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
|
|
||||||
# istio configuration
|
|
||||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
|
||||||
# please proceed with caution
|
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
resources: ["*"]
|
|
||||||
{{- if .Values.global.istiod.enableAnalysis }}
|
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
|
||||||
verbs: ["update"]
|
|
||||||
# TODO: should be on just */status but wildcard is not supported
|
|
||||||
resources: ["*"]
|
|
||||||
{{- end }}
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
|
||||||
resources: [ "workloadentries" ]
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
|
||||||
resources: [ "workloadentries/status" ]
|
|
||||||
|
|
||||||
# auto-detect installed CRD definitions
|
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
|
||||||
resources: ["customresourcedefinitions"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
|
|
||||||
# discovery and routing
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["discovery.k8s.io"]
|
|
||||||
resources: ["endpointslices"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
|
|
||||||
# ingress controller
|
|
||||||
{{- if .Values.global.istiod.enableAnalysis }}
|
|
||||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
||||||
resources: ["ingresses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
||||||
resources: ["ingresses/status"]
|
|
||||||
verbs: ["*"]
|
|
||||||
{{- end}}
|
|
||||||
- apiGroups: ["networking.k8s.io"]
|
|
||||||
resources: ["ingresses", "ingressclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["networking.k8s.io"]
|
|
||||||
resources: ["ingresses/status"]
|
|
||||||
verbs: ["*"]
|
|
||||||
|
|
||||||
# required for CA's namespace controller
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update"]
|
|
||||||
|
|
||||||
# Istiod and bootstrap.
|
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
|
||||||
resources:
|
|
||||||
- "certificatesigningrequests"
|
|
||||||
- "certificatesigningrequests/approval"
|
|
||||||
- "certificatesigningrequests/status"
|
|
||||||
verbs: ["update", "create", "get", "delete", "watch"]
|
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
|
||||||
resources:
|
|
||||||
- "signers"
|
|
||||||
resourceNames:
|
|
||||||
- "kubernetes.io/legacy-unknown"
|
|
||||||
verbs: ["approve"]
|
|
||||||
|
|
||||||
# Used by Istiod to verify the JWT tokens
|
|
||||||
- apiGroups: ["authentication.k8s.io"]
|
|
||||||
resources: ["tokenreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
|
|
||||||
# Used by Istiod to verify gateway SDS
|
|
||||||
- apiGroups: ["authorization.k8s.io"]
|
|
||||||
resources: ["subjectaccessreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
|
|
||||||
# Use for Kubernetes Service APIs
|
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
|
||||||
resources: ["*"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
|
||||||
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
|
||||||
verbs: ["update"]
|
|
||||||
|
|
||||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
|
|
||||||
# Used for MCS serviceexport management
|
|
||||||
- apiGroups: ["multicluster.x-k8s.io"]
|
|
||||||
resources: ["serviceexports"]
|
|
||||||
verbs: ["get", "watch", "list", "create", "delete"]
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istio-reader
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- "config.istio.io"
|
|
||||||
- "security.istio.io"
|
|
||||||
- "networking.istio.io"
|
|
||||||
- "authentication.istio.io"
|
|
||||||
- "rbac.istio.io"
|
|
||||||
resources: ["*"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: [ "get", "watch", "list" ]
|
|
||||||
resources: [ "workloadentries" ]
|
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
|
||||||
resources: ["customresourcedefinitions"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["discovery.k8s.io"]
|
|
||||||
resources: ["endpointslices"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["replicasets"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["authentication.k8s.io"]
|
|
||||||
resources: ["tokenreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
- apiGroups: ["authorization.k8s.io"]
|
|
||||||
resources: ["subjectaccessreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
- apiGroups: ["multicluster.x-k8s.io"]
|
|
||||||
resources: ["serviceexports"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
{{- if or .Values.global.externalIstiod }}
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update", "patch"]
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["validatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
{{- end}}
|
|
||||||
---
|
|
@ -1,37 +0,0 @@
|
|||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
# DO NOT EDIT!
|
|
||||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
|
||||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
|
||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istio-reader
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: istio-reader-service-account
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: istiod-service-account
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
---
|
|
@ -1,4 +0,0 @@
|
|||||||
{{- if .Values.base.enableCRDTemplates }}
|
|
||||||
{{ .Files.Get "crds/crd-all.gen.yaml" }}
|
|
||||||
{{ .Files.Get "crds/crd-operator.yaml" }}
|
|
||||||
{{- end }}
|
|
@ -1,30 +0,0 @@
|
|||||||
{{- if .Values.global.remotePilotAddress }}
|
|
||||||
{{- if not .Values.global.externalIstiod }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Endpoints
|
|
||||||
metadata:
|
|
||||||
name: istiod-remote
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
subsets:
|
|
||||||
- addresses:
|
|
||||||
- ip: {{ .Values.global.remotePilotAddress }}
|
|
||||||
ports:
|
|
||||||
- port: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Endpoints
|
|
||||||
metadata:
|
|
||||||
name: istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
subsets:
|
|
||||||
- addresses:
|
|
||||||
- ip: {{ .Values.global.remotePilotAddress }}
|
|
||||||
ports:
|
|
||||||
- port: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -1,16 +0,0 @@
|
|||||||
# This service account aggregates reader permissions for the revisions in a given cluster
|
|
||||||
# Should be used for remote secret creation.
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
{{- if .Values.global.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- range .Values.global.imagePullSecrets }}
|
|
||||||
- name: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
metadata:
|
|
||||||
name: istio-reader-service-account
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istio-reader
|
|
||||||
release: {{ .Release.Name }}
|
|
@ -1,25 +0,0 @@
|
|||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
# DO NOT EDIT!
|
|
||||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
|
||||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
|
||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
rules:
|
|
||||||
# permissions to verify the webhook is ready and rejecting
|
|
||||||
# invalid config. We use --server-dry-run so no config is persisted.
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: ["create"]
|
|
||||||
resources: ["gateways"]
|
|
||||||
|
|
||||||
# For storing CA secret
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
|
|
||||||
verbs: ["create", "get", "watch", "list", "update", "delete"]
|
|
@ -1,21 +0,0 @@
|
|||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
# DO NOT EDIT!
|
|
||||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
|
||||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
|
||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: istiod-service-account
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
@ -1,19 +0,0 @@
|
|||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
# DO NOT EDIT!
|
|
||||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
|
||||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
|
||||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
{{- if .Values.global.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- range .Values.global.imagePullSecrets }}
|
|
||||||
- name: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
metadata:
|
|
||||||
name: istiod-service-account
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
@ -1,37 +0,0 @@
|
|||||||
{{- if .Values.global.remotePilotAddress }}
|
|
||||||
{{- if not .Values.global.externalIstiod }}
|
|
||||||
# when istiod is enabled in remote cluster, we can't use istiod service name
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: istiod-remote
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
clusterIP: None
|
|
||||||
{{- else }}
|
|
||||||
# when istiod isn't enabled in remote cluster, we can use istiod service name
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- port: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
# if the remotePilotAddress is IP addr, we use clusterIP: None.
|
|
||||||
# else, we use externalName
|
|
||||||
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
|
||||||
clusterIP: None
|
|
||||||
{{- else }}
|
|
||||||
type: ExternalName
|
|
||||||
externalName: {{ .Values.global.remotePilotAddress }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -1,27 +0,0 @@
|
|||||||
global:
|
|
||||||
|
|
||||||
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
|
|
||||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
|
||||||
# Must be set for any cluster configured with private docker registry.
|
|
||||||
imagePullSecrets: []
|
|
||||||
|
|
||||||
# Used to locate istiod.
|
|
||||||
istioNamespace: istio-system
|
|
||||||
|
|
||||||
istiod:
|
|
||||||
enableAnalysis: false
|
|
||||||
|
|
||||||
configValidation: true
|
|
||||||
externalIstiod: false
|
|
||||||
remotePilotAddress: ""
|
|
||||||
|
|
||||||
base:
|
|
||||||
# Used for helm2 to add the CRDs to templates.
|
|
||||||
enableCRDTemplates: false
|
|
||||||
|
|
||||||
# Validation webhook configuration url
|
|
||||||
# For example: https://$remotePilotAddress:15017/validate
|
|
||||||
validationURL: ""
|
|
||||||
|
|
||||||
# For istioctl usage to disable istio config crds in base
|
|
||||||
enableIstioConfigCRDs: true
|
|
@ -1,13 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
name: istio-discovery
|
|
||||||
version: 1.11.5
|
|
||||||
tillerVersion: ">=2.7.2"
|
|
||||||
description: Helm chart for istio control plane
|
|
||||||
keywords:
|
|
||||||
- istio
|
|
||||||
- istiod
|
|
||||||
- istio-discovery
|
|
||||||
sources:
|
|
||||||
- http://github.com/istio/istio
|
|
||||||
engine: gotpl
|
|
||||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
|
@ -1,8 +0,0 @@
|
|||||||
Minimal control plane for Istio. Pilot and mesh config are included.
|
|
||||||
|
|
||||||
MCP and injector should optionally be installed in the same namespace. Alternatively remote
|
|
||||||
address of an MCP server can be set.
|
|
||||||
|
|
||||||
|
|
||||||
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
|
|
||||||
https://forms.gle/kWULBRjUv7hHci7T6
|
|
@ -1,205 +0,0 @@
|
|||||||
{{- $containers := list }}
|
|
||||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
|
||||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
|
||||||
istio.io/rev: {{ .Revision | default "default" | quote }}
|
|
||||||
annotations: {
|
|
||||||
{{- if eq (len $containers) 1 }}
|
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
|
||||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
|
||||||
{{ end }}
|
|
||||||
}
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: istio-proxy
|
|
||||||
{{- if contains "/" .Values.global.proxy.image }}
|
|
||||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
|
||||||
{{- else }}
|
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: 15090
|
|
||||||
protocol: TCP
|
|
||||||
name: http-envoy-prom
|
|
||||||
args:
|
|
||||||
- proxy
|
|
||||||
- router
|
|
||||||
- --domain
|
|
||||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
|
||||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
|
||||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
|
||||||
{{- if .Values.global.sts.servicePort }}
|
|
||||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.logAsJson }}
|
|
||||||
- --log_as_json
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.proxy.lifecycle }}
|
|
||||||
lifecycle:
|
|
||||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
- name: JWT_POLICY
|
|
||||||
value: {{ .Values.global.jwtPolicy }}
|
|
||||||
- name: PILOT_CERT_PROVIDER
|
|
||||||
value: {{ .Values.global.pilotCertProvider }}
|
|
||||||
- name: CA_ADDR
|
|
||||||
{{- if .Values.global.caAddress }}
|
|
||||||
value: {{ .Values.global.caAddress }}
|
|
||||||
{{- else }}
|
|
||||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
|
||||||
{{- end }}
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: INSTANCE_IP
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: status.podIP
|
|
||||||
- name: SERVICE_ACCOUNT
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.serviceAccountName
|
|
||||||
- name: HOST_IP
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: status.hostIP
|
|
||||||
- name: PROXY_CONFIG
|
|
||||||
value: |
|
|
||||||
{{ protoToJSON .ProxyConfig }}
|
|
||||||
- name: ISTIO_META_POD_PORTS
|
|
||||||
value: |-
|
|
||||||
[
|
|
||||||
{{- $first := true }}
|
|
||||||
{{- range $index1, $c := .Spec.Containers }}
|
|
||||||
{{- range $index2, $p := $c.Ports }}
|
|
||||||
{{- if (structToJSON $p) }}
|
|
||||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
|
||||||
{{- $first = false }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end}}
|
|
||||||
{{- end}}
|
|
||||||
]
|
|
||||||
- name: ISTIO_META_APP_CONTAINERS
|
|
||||||
value: "{{ $containers | join "," }}"
|
|
||||||
- name: ISTIO_META_CLUSTER_ID
|
|
||||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
|
||||||
- name: ISTIO_META_INTERCEPTION_MODE
|
|
||||||
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
|
||||||
{{- if .Values.global.network }}
|
|
||||||
- name: ISTIO_META_NETWORK
|
|
||||||
value: "{{ .Values.global.network }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .DeploymentMeta.Name }}
|
|
||||||
- name: ISTIO_META_WORKLOAD_NAME
|
|
||||||
value: "{{ .DeploymentMeta.Name }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
|
||||||
- name: ISTIO_META_OWNER
|
|
||||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
|
||||||
{{- end}}
|
|
||||||
{{- if .Values.global.meshID }}
|
|
||||||
- name: ISTIO_META_MESH_ID
|
|
||||||
value: "{{ .Values.global.meshID }}"
|
|
||||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
|
||||||
- name: ISTIO_META_MESH_ID
|
|
||||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
|
||||||
- name: TRUST_DOMAIN
|
|
||||||
value: "{{ . }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
|
||||||
- name: {{ $key }}
|
|
||||||
value: "{{ $value }}"
|
|
||||||
{{- end }}
|
|
||||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz/ready
|
|
||||||
port: 15021
|
|
||||||
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
|
||||||
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
|
||||||
timeoutSeconds: 3
|
|
||||||
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
|
||||||
volumeMounts:
|
|
||||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
|
||||||
- mountPath: /var/run/secrets/istio
|
|
||||||
name: istiod-ca-cert
|
|
||||||
{{- end }}
|
|
||||||
- mountPath: /var/lib/istio/data
|
|
||||||
name: istio-data
|
|
||||||
# SDS channel between istioagent and Envoy
|
|
||||||
- mountPath: /etc/istio/proxy
|
|
||||||
name: istio-envoy
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- mountPath: /var/run/secrets/tokens
|
|
||||||
name: istio-token
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
|
||||||
- mountPath: /etc/certs/
|
|
||||||
name: istio-certs
|
|
||||||
readOnly: true
|
|
||||||
{{- end }}
|
|
||||||
- name: istio-podinfo
|
|
||||||
mountPath: /etc/istio/pod
|
|
||||||
volumes:
|
|
||||||
# SDS channel between istioagent and Envoy
|
|
||||||
- emptyDir:
|
|
||||||
medium: Memory
|
|
||||||
name: istio-envoy
|
|
||||||
- name: istio-data
|
|
||||||
emptyDir: {}
|
|
||||||
- name: istio-podinfo
|
|
||||||
downwardAPI:
|
|
||||||
items:
|
|
||||||
- path: "labels"
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.labels
|
|
||||||
- path: "annotations"
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.annotations
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- name: istio-token
|
|
||||||
projected:
|
|
||||||
sources:
|
|
||||||
- serviceAccountToken:
|
|
||||||
path: istio-token
|
|
||||||
expirationSeconds: 43200
|
|
||||||
audience: {{ .Values.global.sds.token.aud }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
|
||||||
- name: istiod-ca-cert
|
|
||||||
configMap:
|
|
||||||
name: istio-ca-root-cert
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
|
||||||
- name: istio-certs
|
|
||||||
secret:
|
|
||||||
optional: true
|
|
||||||
{{ if eq .Spec.ServiceAccountName "" }}
|
|
||||||
secretName: istio.default
|
|
||||||
{{ else -}}
|
|
||||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
|
||||||
{{ end -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- range .Values.global.imagePullSecrets }}
|
|
||||||
- name: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 1337
|
|
||||||
{{- end }}
|
|
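--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,234 +0,0 @@
-{{- $containers := list }}
-{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
-metadata:
-annotations: {
-{{- if eq (len $containers) 1 }}
-kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
-kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
-{{ end }}
-}
-spec:
-containers:
-{{- range $index, $container := .Spec.Containers }}
-{{ if not (eq $container.Name "istio-proxy") }}
-- name: {{ $container.Name }}
-env:
-- name: "GRPC_XDS_BOOTSTRAP"
-value: "/var/lib/istio/data/grpc-bootstrap.json"
-- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
-value: "true"
-volumeMounts:
-- mountPath: /var/lib/istio/data
-name: istio-data
-# UDS channel between istioagent and gRPC client for XDS/SDS
-- mountPath: /etc/istio/proxy
-name: istio-xds
-{{- end }}
-{{- end }}
-- name: istio-proxy
-{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
-image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
-{{- else }}
-image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
-{{- end }}
-args:
-- proxy
-- sidecar
-- --domain
-- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
-- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
-{{- if .Values.global.sts.servicePort }}
-- --stsPort={{ .Values.global.sts.servicePort }}
-{{- end }}
-{{- if .Values.global.logAsJson }}
-- --log_as_json
-{{- end }}
-env:
-- name: "GRPC_XDS_BOOTSTRAP"
-value: "/var/lib/istio/data/grpc-bootstrap.json"
-- name: ISTIO_META_GENERATOR
-value: grpc
-- name: OUTPUT_CERTS
-value: /var/lib/istio/data
-{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
-- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
-value: "true"
-{{- end }}
-- name: JWT_POLICY
-value: {{ .Values.global.jwtPolicy }}
-- name: PILOT_CERT_PROVIDER
-value: {{ .Values.global.pilotCertProvider }}
-- name: CA_ADDR
-{{- if .Values.global.caAddress }}
-value: {{ .Values.global.caAddress }}
-{{- else }}
-value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
-{{- end }}
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-- name: INSTANCE_IP
-valueFrom:
-fieldRef:
-fieldPath: status.podIP
-- name: SERVICE_ACCOUNT
-valueFrom:
-fieldRef:
-fieldPath: spec.serviceAccountName
-- name: HOST_IP
-valueFrom:
-fieldRef:
-fieldPath: status.hostIP
-- name: PROXY_CONFIG
-value: |
-{{ protoToJSON .ProxyConfig }}
-- name: ISTIO_META_POD_PORTS
-value: |-
-[
-{{- $first := true }}
-{{- range $index1, $c := .Spec.Containers }}
-{{- range $index2, $p := $c.Ports }}
-{{- if (structToJSON $p) }}
-{{if not $first}},{{end}}{{ structToJSON $p }}
-{{- $first = false }}
-{{- end }}
-{{- end}}
-{{- end}}
-]
-- name: ISTIO_META_APP_CONTAINERS
-value: "{{ $containers | join "," }}"
-- name: ISTIO_META_CLUSTER_ID
-value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
-- name: ISTIO_META_INTERCEPTION_MODE
-value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
-{{- if .Values.global.network }}
-- name: ISTIO_META_NETWORK
-value: "{{ .Values.global.network }}"
-{{- end }}
-{{- if .DeploymentMeta.Name }}
-- name: ISTIO_META_WORKLOAD_NAME
-value: "{{ .DeploymentMeta.Name }}"
-{{ end }}
-{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
-- name: ISTIO_META_OWNER
-value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
-{{- end}}
-{{- if .Values.global.meshID }}
-- name: ISTIO_META_MESH_ID
-value: "{{ .Values.global.meshID }}"
-{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
-- name: ISTIO_META_MESH_ID
-value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
-{{- end }}
-{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
-- name: TRUST_DOMAIN
-value: "{{ . }}"
-{{- end }}
-{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
-- name: {{ $key }}
-value: "{{ $value }}"
-{{- end }}
-# grpc uses xds:/// to resolve – no need to resolve VIP
-- name: ISTIO_META_DNS_CAPTURE
-value: "false"
-- name: DISABLE_ENVOY
-value: "true"
-{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
-{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
-readinessProbe:
-httpGet:
-path: /healthz/ready
-port: {{ .Values.global.proxy.statusPort }}
-initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
-periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
-timeoutSeconds: 3
-failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
-{{ end -}}
-resources:
-{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
-requests:
-{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
-cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
-{{ end }}
-{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
-memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
-{{ end }}
-{{- end }}
-{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
-limits:
-{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
-cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
-{{ end }}
-{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
-memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
-{{ end }}
-{{- end }}
-{{- else }}
-{{- if .Values.global.proxy.resources }}
-{{ toYaml .Values.global.proxy.resources | indent 6 }}
-{{- end }}
-{{- end }}
-volumeMounts:
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
-- mountPath: /var/run/secrets/istio
-name: istiod-ca-cert
-{{- end }}
-- mountPath: /var/lib/istio/data
-name: istio-data
-# UDS channel between istioagent and gRPC client for XDS/SDS
-- mountPath: /etc/istio/proxy
-name: istio-xds
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-- mountPath: /var/run/secrets/tokens
-name: istio-token
-{{- end }}
-- name: istio-podinfo
-mountPath: /etc/istio/pod
-{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
-{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
-- name: "{{ $index }}"
-{{ toYaml $value | indent 6 }}
-{{ end }}
-{{- end }}
-volumes:
-# UDS channel between istioagent and gRPC client for XDS/SDS
-- emptyDir:
-medium: Memory
-name: istio-xds
-- name: istio-data
-emptyDir: {}
-- name: istio-podinfo
-downwardAPI:
-items:
-- path: "labels"
-fieldRef:
-fieldPath: metadata.labels
-- path: "annotations"
-fieldRef:
-fieldPath: metadata.annotations
-{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
-- name: istio-token
-projected:
-sources:
-- serviceAccountToken:
-path: istio-token
-expirationSeconds: 43200
-audience: {{ .Values.global.sds.token.aud }}
-{{- end }}
-{{- if eq .Values.global.pilotCertProvider "istiod" }}
-- name: istiod-ca-cert
-configMap:
-name: istio-ca-root-cert
-{{- end }}
-{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
-{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
-- name: "{{ $index }}"
-{{ toYaml $value | indent 4 }}
-{{ end }}
-{{ end }}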
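--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,58 +0,0 @@
-spec:
-initContainers:
-- name: grpc-bootstrap-init
-image: busybox:1.28
-volumeMounts:
-- mountPath: /var/lib/grpc/data/
-name: grpc-io-proxyless-bootstrap
-env:
-- name: INSTANCE_IP
-valueFrom:
-fieldRef:
-fieldPath: status.podIP
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-command:
-- sh
-- "-c"
-- |-
-NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
-echo '
-{
-"xds_servers": [
-{
-"server_uri": "dns:///istiod.istio-system.svc:15010",
-"channel_creds": [{"type": "insecure"}],
-"server_features" : ["xds_v3"]
-}
-],
-"node": {
-"id": "'${NODE_ID}'",
-"metadata": {
-"GENERATOR": "grpc"
-}
-}
-}' > /var/lib/grpc/data/bootstrap.json
-containers:
-{{- range $index, $container := .Spec.Containers }}
-- name: {{ $container.Name }}
-env:
-- name: GRPC_XDS_BOOTSTRAP
-value: /var/lib/grpc/data/bootstrap.json
-- name: GRPC_GO_LOG_VERBOSITY_LEVEL
-value: "99"
-- name: GRPC_GO_LOG_SEVERITY_LEVEL
-value: info
-volumeMounts:
-- mountPath: /var/lib/grpc/data/
-name: grpc-io-proxyless-bootstrap
-{{- end }}
-volumes:
-- name: grpc-io-proxyless-bootstrap
-emptyDir: {}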
@ -1,466 +0,0 @@
|
|||||||
{{- $containers := list }}
|
|
||||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
|
|
||||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
|
||||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
|
||||||
annotations: {
|
|
||||||
{{- if eq (len $containers) 1 }}
|
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
|
||||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
|
||||||
{{ end }}
|
|
||||||
{{- if .Values.istio_cni.enabled }}
|
|
||||||
{{- if not .Values.istio_cni.chained }}
|
|
||||||
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
|
|
||||||
{{- end }}
|
|
||||||
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
|
|
||||||
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
|
|
||||||
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
|
|
||||||
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
|
|
||||||
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
|
||||||
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
|
|
||||||
{{- end }}
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
|
||||||
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
|
|
||||||
{{- end }}
|
|
||||||
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
}
|
|
||||||
spec:
|
|
||||||
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
|
||||||
initContainers:
|
|
||||||
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
|
||||||
{{ if .Values.istio_cni.enabled -}}
|
|
||||||
- name: istio-validation
|
|
||||||
{{ else -}}
|
|
||||||
- name: istio-init
|
|
||||||
{{ end -}}
|
|
||||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
|
||||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
|
||||||
{{- else }}
|
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
|
||||||
{{- end }}
|
|
||||||
args:
|
|
||||||
- istio-iptables
|
|
||||||
- "-p"
|
|
||||||
- "15001"
|
|
||||||
- "-z"
|
|
||||||
- "15006"
|
|
||||||
- "-u"
|
|
||||||
- "1337"
|
|
||||||
- "-m"
|
|
||||||
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
|
||||||
- "-i"
|
|
||||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
|
||||||
- "-x"
|
|
||||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
|
||||||
- "-b"
|
|
||||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
|
|
||||||
- "-d"
|
|
||||||
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
|
|
||||||
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
|
||||||
{{- else }}
|
|
||||||
- "15090,15021"
|
|
||||||
{{- end }}
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
|
|
||||||
- "-q"
|
|
||||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
|
||||||
{{ end -}}
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
|
|
||||||
- "-o"
|
|
||||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
|
||||||
{{ end -}}
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
|
|
||||||
- "-k"
|
|
||||||
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
|
||||||
{{ end -}}
|
|
||||||
{{ if .Values.istio_cni.enabled -}}
|
|
||||||
- "--run-validation"
|
|
||||||
- "--skip-rule-apply"
|
|
||||||
{{ end -}}
|
|
||||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
|
||||||
{{- if .ProxyConfig.ProxyMetadata }}
|
|
||||||
env:
|
|
||||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
|
||||||
- name: {{ $key }}
|
|
||||||
value: "{{ $value }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
|
||||||
requests:
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
|
||||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
|
||||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
|
||||||
limits:
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
|
||||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
|
||||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
{{- if .Values.global.proxy.resources }}
|
|
||||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
|
||||||
privileged: {{ .Values.global.proxy.privileged }}
|
|
||||||
capabilities:
|
|
||||||
{{- if not .Values.istio_cni.enabled }}
|
|
||||||
add:
|
|
||||||
- NET_ADMIN
|
|
||||||
- NET_RAW
|
|
||||||
{{- end }}
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
{{- if not .Values.istio_cni.enabled }}
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
runAsGroup: 0
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
{{- else }}
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
runAsGroup: 1337
|
|
||||||
runAsUser: 1337
|
|
||||||
runAsNonRoot: true
|
|
||||||
{{- end }}
|
|
||||||
restartPolicy: Always
|
|
||||||
{{ end -}}
|
|
||||||
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
|
||||||
- name: enable-core-dump
|
|
||||||
args:
|
|
||||||
- -c
|
|
||||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
|
||||||
command:
|
|
||||||
- /bin/sh
|
|
||||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
|
||||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
|
||||||
{{- else }}
|
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
|
||||||
{{- end }}
|
|
||||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
|
||||||
resources: {}
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- SYS_ADMIN
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
privileged: true
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
runAsGroup: 0
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
{{ end }}
|
|
||||||
containers:
|
|
||||||
- name: istio-proxy
|
|
||||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
|
||||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
|
||||||
{{- else }}
|
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- containerPort: 15090
|
|
||||||
protocol: TCP
|
|
||||||
name: http-envoy-prom
|
|
||||||
args:
|
|
||||||
- proxy
|
|
||||||
- sidecar
|
|
||||||
- --domain
|
|
||||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
|
||||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
|
||||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
|
||||||
{{- if .Values.global.sts.servicePort }}
|
|
||||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.logAsJson }}
|
|
||||||
- --log_as_json
|
|
||||||
{{- end }}
|
|
||||||
{{- if gt .EstimatedConcurrency 0 }}
|
|
||||||
- --concurrency
|
|
||||||
- "{{ .EstimatedConcurrency }}"
|
|
||||||
{{- end -}}
|
|
||||||
{{- if .Values.global.proxy.lifecycle }}
|
|
||||||
lifecycle:
|
|
||||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
|
||||||
{{- else if $holdProxy }}
|
|
||||||
lifecycle:
|
|
||||||
postStart:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- pilot-agent
|
|
||||||
- wait
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
|
||||||
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
|
||||||
value: "true"
|
|
||||||
{{- end }}
|
|
||||||
- name: JWT_POLICY
|
|
||||||
value: {{ .Values.global.jwtPolicy }}
|
|
||||||
- name: PILOT_CERT_PROVIDER
|
|
||||||
value: {{ .Values.global.pilotCertProvider }}
|
|
||||||
- name: CA_ADDR
|
|
||||||
{{- if .Values.global.caAddress }}
|
|
||||||
value: {{ .Values.global.caAddress }}
|
|
||||||
{{- else }}
|
|
||||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
|
||||||
{{- end }}
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: INSTANCE_IP
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: status.podIP
|
|
||||||
- name: SERVICE_ACCOUNT
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.serviceAccountName
|
|
||||||
- name: HOST_IP
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: status.hostIP
|
|
||||||
- name: PROXY_CONFIG
|
|
||||||
value: |
|
|
||||||
{{ protoToJSON .ProxyConfig }}
|
|
||||||
- name: ISTIO_META_POD_PORTS
|
|
||||||
value: |-
|
|
||||||
[
|
|
||||||
{{- $first := true }}
|
|
||||||
{{- range $index1, $c := .Spec.Containers }}
|
|
||||||
{{- range $index2, $p := $c.Ports }}
|
|
||||||
{{- if (structToJSON $p) }}
|
|
||||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
|
||||||
{{- $first = false }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end}}
|
|
||||||
{{- end}}
|
|
||||||
]
|
|
||||||
- name: ISTIO_META_APP_CONTAINERS
|
|
||||||
value: "{{ $containers | join "," }}"
|
|
||||||
- name: ISTIO_META_CLUSTER_ID
|
|
||||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
|
||||||
- name: ISTIO_META_INTERCEPTION_MODE
|
|
||||||
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
|
||||||
{{- if .Values.global.network }}
|
|
||||||
- name: ISTIO_META_NETWORK
|
|
||||||
value: "{{ .Values.global.network }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .DeploymentMeta.Name }}
|
|
||||||
- name: ISTIO_META_WORKLOAD_NAME
|
|
||||||
value: "{{ .DeploymentMeta.Name }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
|
||||||
- name: ISTIO_META_OWNER
|
|
||||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
|
||||||
{{- end}}
|
|
||||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
|
||||||
- name: ISTIO_BOOTSTRAP_OVERRIDE
|
|
||||||
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.meshID }}
|
|
||||||
- name: ISTIO_META_MESH_ID
|
|
||||||
value: "{{ .Values.global.meshID }}"
|
|
||||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
|
||||||
- name: ISTIO_META_MESH_ID
|
|
||||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
|
||||||
- name: TRUST_DOMAIN
|
|
||||||
value: "{{ . }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
|
||||||
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
|
||||||
- name: {{ $key }}
|
|
||||||
value: "{{ $value }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
|
||||||
- name: {{ $key }}
|
|
||||||
value: "{{ $value }}"
|
|
||||||
{{- end }}
|
|
||||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
|
||||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz/ready
|
|
||||||
port: 15021
|
|
||||||
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
|
||||||
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
|
||||||
timeoutSeconds: 3
|
|
||||||
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
|
||||||
{{ end -}}
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
|
||||||
capabilities:
|
|
||||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
|
||||||
add:
|
|
||||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
|
|
||||||
- NET_ADMIN
|
|
||||||
{{- end }}
|
|
||||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
|
|
||||||
- NET_BIND_SERVICE
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
privileged: {{ .Values.global.proxy.privileged }}
|
|
||||||
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
|
||||||
runAsGroup: 1337
|
|
||||||
fsGroup: 1337
|
|
||||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
{{- else -}}
|
|
||||||
runAsNonRoot: true
|
|
||||||
runAsUser: 1337
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
|
||||||
requests:
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
|
||||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
|
||||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
|
||||||
limits:
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
|
||||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
|
||||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
|
||||||
{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
{{- if .Values.global.proxy.resources }}
|
|
||||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
volumeMounts:
|
|
||||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
|
||||||
- mountPath: /var/run/secrets/istio
|
|
||||||
name: istiod-ca-cert
|
|
||||||
{{- end }}
|
|
||||||
- mountPath: /var/lib/istio/data
|
|
||||||
name: istio-data
|
|
||||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
|
||||||
- mountPath: /etc/istio/custom-bootstrap
|
|
||||||
name: custom-bootstrap-volume
|
|
||||||
{{- end }}
|
|
||||||
# SDS channel between istioagent and Envoy
|
|
||||||
- mountPath: /etc/istio/proxy
|
|
||||||
name: istio-envoy
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- mountPath: /var/run/secrets/tokens
|
|
||||||
name: istio-token
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
|
||||||
- mountPath: /etc/certs/
|
|
||||||
name: istio-certs
|
|
||||||
readOnly: true
|
|
||||||
{{- end }}
|
|
||||||
- name: istio-podinfo
|
|
||||||
mountPath: /etc/istio/pod
|
|
||||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
|
||||||
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
|
|
||||||
name: lightstep-certs
|
|
||||||
readOnly: true
|
|
||||||
{{- end }}
|
|
||||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
|
||||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
|
||||||
- name: "{{ $index }}"
|
|
||||||
{{ toYaml $value | indent 6 }}
|
|
||||||
{{ end }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
|
||||||
- name: custom-bootstrap-volume
|
|
||||||
configMap:
|
|
||||||
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
|
|
||||||
{{- end }}
|
|
||||||
# SDS channel between istioagent and Envoy
|
|
||||||
- emptyDir:
|
|
||||||
medium: Memory
|
|
||||||
name: istio-envoy
|
|
||||||
- name: istio-data
|
|
||||||
emptyDir: {}
|
|
||||||
- name: istio-podinfo
|
|
||||||
downwardAPI:
|
|
||||||
items:
|
|
||||||
- path: "labels"
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.labels
|
|
||||||
- path: "annotations"
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.annotations
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- name: istio-token
|
|
||||||
projected:
|
|
||||||
sources:
|
|
||||||
- serviceAccountToken:
|
|
||||||
path: istio-token
|
|
||||||
expirationSeconds: 43200
|
|
||||||
audience: {{ .Values.global.sds.token.aud }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
|
||||||
- name: istiod-ca-cert
|
|
||||||
configMap:
|
|
||||||
name: istio-ca-root-cert
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
|
||||||
- name: istio-certs
|
|
||||||
secret:
|
|
||||||
optional: true
|
|
||||||
{{ if eq .Spec.ServiceAccountName "" }}
|
|
||||||
secretName: istio.default
|
|
||||||
{{ else -}}
|
|
||||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
|
||||||
{{ end -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
|
||||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
|
||||||
- name: "{{ $index }}"
|
|
||||||
{{ toYaml $value | indent 4 }}
|
|
||||||
{{ end }}
|
|
||||||
{{ end }}
|
|
||||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
|
||||||
- name: lightstep-certs
|
|
||||||
secret:
|
|
||||||
optional: true
|
|
||||||
secretName: lightstep.cacert
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- range .Values.global.imagePullSecrets }}
|
|
||||||
- name: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 1337
|
|
||||||
{{- end }}
|
|
@ -1,5 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- files/gen-istio.yaml
|
|
@ -1,26 +0,0 @@
|
|||||||
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
|
|
||||||
apiVersion: autoscaling/v2beta1
|
|
||||||
kind: HorizontalPodAutoscaler
|
|
||||||
metadata:
|
|
||||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
spec:
|
|
||||||
maxReplicas: {{ .Values.pilot.autoscaleMax }}
|
|
||||||
minReplicas: {{ .Values.pilot.autoscaleMin }}
|
|
||||||
scaleTargetRef:
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
metrics:
|
|
||||||
- type: Resource
|
|
||||||
resource:
|
|
||||||
name: cpu
|
|
||||||
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -1,112 +0,0 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
rules:
|
|
||||||
# sidecar injection controller
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update", "patch"]
|
|
||||||
|
|
||||||
# configuration validation webhook controller
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["validatingwebhookconfigurations"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
|
|
||||||
# istio configuration
|
|
||||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
|
||||||
# please proceed with caution
|
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
resources: ["*"]
|
|
||||||
{{- if .Values.global.istiod.enableAnalysis }}
|
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
|
||||||
verbs: ["update"]
|
|
||||||
# TODO: should be on just */status but wildcard is not supported
|
|
||||||
resources: ["*"]
|
|
||||||
{{- end }}
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
|
||||||
resources: [ "workloadentries" ]
|
|
||||||
- apiGroups: ["networking.istio.io"]
|
|
||||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
|
||||||
resources: [ "workloadentries/status" ]
|
|
||||||
|
|
||||||
# auto-detect installed CRD definitions
|
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
|
||||||
resources: ["customresourcedefinitions"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
|
|
||||||
# discovery and routing
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["discovery.k8s.io"]
|
|
||||||
resources: ["endpointslices"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
|
|
||||||
# ingress controller
|
|
||||||
{{- if .Values.global.istiod.enableAnalysis }}
|
|
||||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
||||||
resources: ["ingresses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
||||||
resources: ["ingresses/status"]
|
|
||||||
verbs: ["*"]
|
|
||||||
{{- end}}
|
|
||||||
- apiGroups: ["networking.k8s.io"]
|
|
||||||
resources: ["ingresses", "ingressclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["networking.k8s.io"]
|
|
||||||
resources: ["ingresses/status"]
|
|
||||||
verbs: ["*"]
|
|
||||||
|
|
||||||
# required for CA's namespace controller
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["configmaps"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update"]
|
|
||||||
|
|
||||||
# Istiod and bootstrap.
|
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
|
||||||
resources:
|
|
||||||
- "certificatesigningrequests"
|
|
||||||
- "certificatesigningrequests/approval"
|
|
||||||
- "certificatesigningrequests/status"
|
|
||||||
verbs: ["update", "create", "get", "delete", "watch"]
|
|
||||||
- apiGroups: ["certificates.k8s.io"]
|
|
||||||
resources:
|
|
||||||
- "signers"
|
|
||||||
resourceNames:
|
|
||||||
- "kubernetes.io/legacy-unknown"
|
|
||||||
verbs: ["approve"]
|
|
||||||
|
|
||||||
# Used by Istiod to verify the JWT tokens
|
|
||||||
- apiGroups: ["authentication.k8s.io"]
|
|
||||||
resources: ["tokenreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
|
|
||||||
# Used by Istiod to verify gateway SDS
|
|
||||||
- apiGroups: ["authorization.k8s.io"]
|
|
||||||
resources: ["subjectaccessreviews"]
|
|
||||||
verbs: ["create"]
|
|
||||||
|
|
||||||
# Use for Kubernetes Service APIs
|
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
|
||||||
resources: ["*"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
- apiGroups: ["networking.x-k8s.io"]
|
|
||||||
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
|
||||||
verbs: ["update"]
|
|
||||||
|
|
||||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
verbs: ["get", "watch", "list"]
|
|
||||||
|
|
||||||
# Used for MCS serviceexport management
|
|
||||||
- apiGroups: ["multicluster.x-k8s.io"]
|
|
||||||
resources: ["serviceexports"]
|
|
||||||
verbs: ["get", "watch", "list", "create", "delete"]
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Values.global.istioNamespace }}
|
|
@ -1,14 +0,0 @@
|
|||||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
data:
|
|
||||||
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
|
|
||||||
{{- end }}
|
|
@ -1,100 +0,0 @@
|
|||||||
{{- define "mesh" }}
|
|
||||||
# The trust domain corresponds to the trust root of a system.
|
|
||||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
|
||||||
trustDomain: "cluster.local"
|
|
||||||
|
|
||||||
# The namespace to treat as the administrative root namespace for Istio configuration.
|
|
||||||
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
|
||||||
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
|
||||||
# is processed as if it were declared in the leaf namespace.
|
|
||||||
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
|
|
||||||
|
|
||||||
defaultConfig:
|
|
||||||
{{- if .Values.global.meshID }}
|
|
||||||
meshId: {{ .Values.global.meshID }}
|
|
||||||
{{- end }}
|
|
||||||
tracing:
|
|
||||||
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
|
||||||
lightstep:
|
|
||||||
# Address of the LightStep Satellite pool
|
|
||||||
address: {{ .Values.global.tracer.lightstep.address }}
|
|
||||||
# Access Token used to communicate with the Satellite pool
|
|
||||||
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
|
|
||||||
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
|
|
||||||
zipkin:
|
|
||||||
# Address of the Zipkin collector
|
|
||||||
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
|
|
||||||
{{- else if eq .Values.global.proxy.tracer "datadog" }}
|
|
||||||
datadog:
|
|
||||||
# Address of the Datadog Agent
|
|
||||||
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
|
|
||||||
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
|
|
||||||
stackdriver:
|
|
||||||
# enables trace output to stdout.
|
|
||||||
{{- if $.Values.global.tracer.stackdriver.debug }}
|
|
||||||
debug: {{ $.Values.global.tracer.stackdriver.debug }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
|
|
||||||
# The global default max number of attributes per span.
|
|
||||||
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
|
|
||||||
# The global default max number of annotation events per span.
|
|
||||||
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
|
|
||||||
# The global default max number of message events per span.
|
|
||||||
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
|
||||||
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
|
|
||||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
|
|
||||||
{{- else }}
|
|
||||||
{}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.remotePilotAddress }}
|
|
||||||
{{- if not .Values.global.externalIstiod }}
|
|
||||||
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
|
||||||
{{- else }}
|
|
||||||
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
|
|
||||||
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
|
|
||||||
{{- $originalMesh := include "mesh" . | fromYaml }}
|
|
||||||
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
|
|
||||||
|
|
||||||
{{- if .Values.pilot.configMap }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
data:
|
|
||||||
|
|
||||||
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
|
|
||||||
meshNetworks: |-
|
|
||||||
{{- if .Values.global.meshNetworks }}
|
|
||||||
networks:
|
|
||||||
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
|
|
||||||
{{- else }}
|
|
||||||
networks: {}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
mesh: |-
|
|
||||||
{{- if .Values.meshConfig }}
|
|
||||||
{{ $mesh | toYaml | indent 4 }}
|
|
||||||
{{- else }}
|
|
||||||
{{- include "mesh" . }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -1,222 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
istio: pilot
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
{{- range $key, $val := .Values.pilot.deploymentLabels }}
|
|
||||||
{{ $key }}: "{{ $val }}"
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if not .Values.pilot.autoscaleEnabled }}
|
|
||||||
{{- if .Values.pilot.replicaCount }}
|
|
||||||
replicas: {{ .Values.pilot.replicaCount }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
strategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
|
|
||||||
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- if ne .Values.revision "" }}
|
|
||||||
app: istiod
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
{{- else }}
|
|
||||||
istio: pilot
|
|
||||||
{{- end }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: istiod
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
sidecar.istio.io/inject: "false"
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
{{- if ne .Values.revision "" }}
|
|
||||||
istio: istiod
|
|
||||||
{{- else }}
|
|
||||||
istio: pilot
|
|
||||||
{{- end }}
|
|
||||||
annotations:
|
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
|
||||||
prometheus.io/port: "15014"
|
|
||||||
prometheus.io/scrape: "true"
|
|
||||||
{{- end }}
|
|
||||||
sidecar.istio.io/inject: "false"
|
|
||||||
{{- if .Values.pilot.podAnnotations }}
|
|
||||||
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if .Values.pilot.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.global.priorityClassName }}
|
|
||||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 1337
|
|
||||||
tolerations:
|
|
||||||
- effect: NoSchedule
|
|
||||||
key: node-role.kubernetes.io/master
|
|
||||||
containers:
|
|
||||||
- name: discovery
|
|
||||||
{{- if contains "/" .Values.pilot.image }}
|
|
||||||
image: "{{ .Values.pilot.image }}"
|
|
||||||
{{- else }}
|
|
||||||
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.imagePullPolicy }}
|
|
||||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
|
||||||
{{- end }}
|
|
||||||
args:
|
|
||||||
- "discovery"
|
|
||||||
- --monitoringAddr=:15014
|
|
||||||
{{- if .Values.global.logging.level }}
|
|
||||||
- --log_output_level={{ .Values.global.logging.level }}
|
|
||||||
{{- end}}
|
|
||||||
{{- if .Values.global.logAsJson }}
|
|
||||||
- --log_as_json
|
|
||||||
{{- end }}
|
|
||||||
- --domain
|
|
||||||
- {{ .Values.global.proxy.clusterDomain }}
|
|
||||||
{{- if .Values.global.oneNamespace }}
|
|
||||||
- "-a"
|
|
||||||
- {{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.pilot.plugins }}
|
|
||||||
- --plugins={{ .Values.pilot.plugins }}
|
|
||||||
{{- end }}
|
|
||||||
- --keepaliveMaxServerConnectionAge
|
|
||||||
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
|
|
||||||
ports:
|
|
||||||
- containerPort: 8080
|
|
||||||
protocol: TCP
|
|
||||||
- containerPort: 15010
|
|
||||||
protocol: TCP
|
|
||||||
- containerPort: 15017
|
|
||||||
protocol: TCP
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /ready
|
|
||||||
port: 8080
|
|
||||||
initialDelaySeconds: 1
|
|
||||||
periodSeconds: 3
|
|
||||||
timeoutSeconds: 5
|
|
||||||
env:
|
|
||||||
- name: REVISION
|
|
||||||
value: "{{ .Values.revision | default `default` }}"
|
|
||||||
- name: JWT_POLICY
|
|
||||||
value: {{ .Values.global.jwtPolicy }}
|
|
||||||
- name: PILOT_CERT_PROVIDER
|
|
||||||
value: {{ .Values.global.pilotCertProvider }}
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
apiVersion: v1
|
|
||||||
fieldPath: metadata.name
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
apiVersion: v1
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: SERVICE_ACCOUNT
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
apiVersion: v1
|
|
||||||
fieldPath: spec.serviceAccountName
|
|
||||||
- name: KUBECONFIG
|
|
||||||
value: /var/run/secrets/remote/config
|
|
||||||
{{- if .Values.pilot.env }}
|
|
||||||
{{- range $key, $val := .Values.pilot.env }}
|
|
||||||
- name: {{ $key }}
|
|
||||||
value: "{{ $val }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.pilot.traceSampling }}
|
|
||||||
- name: PILOT_TRACE_SAMPLING
|
|
||||||
value: "{{ .Values.pilot.traceSampling }}"
|
|
||||||
{{- end }}
|
|
||||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
|
|
||||||
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
|
||||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
|
||||||
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
|
||||||
- name: ISTIOD_ADDR
|
|
||||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
|
||||||
- name: PILOT_ENABLE_ANALYSIS
|
|
||||||
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
|
||||||
- name: CLUSTER_ID
|
|
||||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
|
||||||
{{- if not .Values.telemetry.v2.enabled }}
|
|
||||||
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
|
||||||
value: "false"
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
{{- if .Values.pilot.resources }}
|
|
||||||
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
|
|
||||||
{{- else }}
|
|
||||||
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 1337
|
|
||||||
runAsGroup: 1337
|
|
||||||
runAsNonRoot: true
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
volumeMounts:
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- name: istio-token
|
|
||||||
mountPath: /var/run/secrets/tokens
|
|
||||||
readOnly: true
|
|
||||||
{{- end }}
|
|
||||||
- name: local-certs
|
|
||||||
mountPath: /var/run/secrets/istio-dns
|
|
||||||
- name: cacerts
|
|
||||||
mountPath: /etc/cacerts
|
|
||||||
readOnly: true
|
|
||||||
- name: istio-kubeconfig
|
|
||||||
mountPath: /var/run/secrets/remote
|
|
||||||
readOnly: true
|
|
||||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
|
||||||
- name: extracacerts
|
|
||||||
mountPath: /cacerts
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
# Technically not needed on this pod - but it helps debugging/testing SDS
|
|
||||||
# Should be removed after everything works.
|
|
||||||
- emptyDir:
|
|
||||||
medium: Memory
|
|
||||||
name: local-certs
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
|
||||||
- name: istio-token
|
|
||||||
projected:
|
|
||||||
sources:
|
|
||||||
- serviceAccountToken:
|
|
||||||
audience: {{ .Values.global.sds.token.aud }}
|
|
||||||
expirationSeconds: 43200
|
|
||||||
path: istio-token
|
|
||||||
{{- end }}
|
|
||||||
# Optional: user-generated root
|
|
||||||
- name: cacerts
|
|
||||||
secret:
|
|
||||||
secretName: cacerts
|
|
||||||
optional: true
|
|
||||||
- name: istio-kubeconfig
|
|
||||||
secret:
|
|
||||||
secretName: istio-kubeconfig
|
|
||||||
optional: true
|
|
||||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
|
||||||
- name: extracacerts
|
|
||||||
configMap:
|
|
||||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
@ -1,67 +0,0 @@
|
|||||||
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
data:
|
|
||||||
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
|
|
||||||
values: |-
|
|
||||||
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
|
|
||||||
|
|
||||||
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
|
|
||||||
# and istiod webhook functionality.
|
|
||||||
#
|
|
||||||
# New fields should not use Values - it is a 'primary' config object, users should be able
|
|
||||||
# to fine tune it or use it with kube-inject.
|
|
||||||
config: |-
|
|
||||||
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
|
|
||||||
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
|
|
||||||
defaultTemplates:
|
|
||||||
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
|
|
||||||
- {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
defaultTemplates: [sidecar]
|
|
||||||
{{- end }}
|
|
||||||
policy: {{ .Values.global.proxy.autoInject }}
|
|
||||||
alwaysInjectSelector:
|
|
||||||
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
|
||||||
neverInjectSelector:
|
|
||||||
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
|
|
||||||
injectedAnnotations:
|
|
||||||
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
|
||||||
"{{ $key }}": "{{ $val }}"
|
|
||||||
{{- end }}
|
|
||||||
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
|
|
||||||
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
|
|
||||||
This should make it obvious that their installation is broken.
|
|
||||||
*/}}
|
|
||||||
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
|
|
||||||
templates:
|
|
||||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
|
|
||||||
sidecar: |
|
|
||||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
|
|
||||||
gateway: |
|
|
||||||
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
|
|
||||||
grpc-simple: |
|
|
||||||
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
|
|
||||||
grpc-agent: |
|
|
||||||
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.sidecarInjectorWebhook.templates }}
|
|
||||||
{{ toYaml . | trim | indent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- end }}
|
|
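--- a/PATH_NOT_SHOWN_1.yaml
+++ /dev/null
@@ -1,144 +0,0 @@
-{{- /* Core defines the common configuration used by all webhook segments */}}
-{{- define "core" }}
-{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
-a unique prefix to each. */}}
-- name: {{.Prefix}}sidecar-injector.istio.io
-clientConfig:
-{{- if .Values.istiodRemote.injectionURL }}
-url: "{{ .Values.istiodRemote.injectionURL }}"
-{{- else }}
-service:
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Release.Namespace }}
-path: "{{ .Values.istiodRemote.injectionPath }}"
-port: 443
-{{- end }}
-caBundle: ""
-sideEffects: None
-rules:
-- operations: [ "CREATE" ]
-apiGroups: [""]
-apiVersions: ["v1"]
-resources: ["pods"]
-failurePolicy: Fail
-admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
-{{- if not .Values.global.operatorManageWebhooks }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq .Release.Namespace "istio-system"}}
-name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-{{- else }}
-name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-{{- end }}
-labels:
-istio.io/rev: {{ .Values.revision | default "default" }}
-install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-operator.istio.io/component: "Pilot"
-app: sidecar-injector
-release: {{ .Release.Name }}
-webhooks:
-{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
-
-{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
-{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio.io/rev
-operator: In
-values:
-{{- if (eq .Values.revision "") }}
-- "default"
-{{- else }}
-- "{{ .Values.revision }}"
-{{- end }}
-- key: istio-injection
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-
-{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio.io/rev
-operator: DoesNotExist
-- key: istio-injection
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-- key: istio.io/rev
-operator: In
-values:
-{{- if (eq .Values.revision "") }}
-- "default"
-{{- else }}
-- "{{ .Values.revision }}"
-{{- end }}
-
-
-{{- /* Webhooks for default revision */}}
-{{- if (eq .Values.revision "") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio-injection
-operator: In
-values:
-- enabled
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio-injection
-operator: DoesNotExist
-- key: istio.io/rev
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: In
-values:
-- "true"
-- key: istio.io/rev
-operator: DoesNotExist
-
-{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
-{{- /* Special case 3: no labels at all */}}
-{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio-injection
-operator: DoesNotExist
-- key: istio.io/rev
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: DoesNotExist
-- key: istio.io/rev
-operator: DoesNotExist
-{{- end }}
-
-{{- end }}
-{{- end }}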
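--- a/PATH_NOT_SHOWN_2.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Release.Namespace }}
-labels:
-app: istiod
-istio.io/rev: {{ .Values.revision | default "default" }}
-install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-operator.istio.io/component: "Pilot"
-release: {{ .Release.Name }}
-istio: pilot
-spec:
-minAvailable: 1
-selector:
-matchLabels:
-app: istiod
-{{- if ne .Values.revision "" }}
-istio.io/rev: {{ .Values.revision }}
-{{- else }}
-istio: pilot
-{{- end }}
----
-{{- end }}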
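--- a/PATH_NOT_SHOWN_3.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-labels:
-app: istio-reader
-release: {{ .Release.Name }}
-rules:
-- apiGroups:
-- "config.istio.io"
-- "security.istio.io"
-- "networking.istio.io"
-- "authentication.istio.io"
-- "rbac.istio.io"
-resources: ["*"]
-verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
-verbs: ["get", "list", "watch"]
-- apiGroups: ["networking.istio.io"]
-verbs: [ "get", "watch", "list" ]
-resources: [ "workloadentries" ]
-- apiGroups: ["apiextensions.k8s.io"]
-resources: ["customresourcedefinitions"]
-verbs: ["get", "list", "watch"]
-- apiGroups: ["discovery.k8s.io"]
-resources: ["endpointslices"]
-verbs: ["get", "list", "watch"]
-- apiGroups: ["apps"]
-resources: ["replicasets"]
-verbs: ["get", "list", "watch"]
-- apiGroups: ["authentication.k8s.io"]
-resources: ["tokenreviews"]
-verbs: ["create"]
-- apiGroups: ["authorization.k8s.io"]
-resources: ["subjectaccessreviews"]
-verbs: ["create"]
-{{- if .Values.global.externalIstiod }}
-- apiGroups: [""]
-resources: ["configmaps"]
-verbs: ["create", "get", "list", "watch", "update"]
-- apiGroups: ["admissionregistration.k8s.io"]
-resources: ["mutatingwebhookconfigurations"]
-verbs: ["get", "list", "watch", "update", "patch"]
-- apiGroups: ["admissionregistration.k8s.io"]
-resources: ["validatingwebhookconfigurations"]
-verbs: ["get", "list", "watch", "update"]
-{{- end}}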
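--- a/PATH_NOT_SHOWN_4.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-labels:
-app: istio-reader
-release: {{ .Release.Name }}
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
-name: istio-reader-service-account
-namespace: {{ .Values.global.istioNamespace }}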
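--- a/PATH_NOT_SHOWN_5.yaml
+++ /dev/null
@@ -1,113 +0,0 @@
-# Adapted from istio-discovery/templates/mutatingwebhook.yaml
-# Removed paths for legacy and default selectors since a revision tag
-# is inherently created from a specific revision
-{{- define "core" }}
-- name: {{.Prefix}}sidecar-injector.istio.io
-clientConfig:
-{{- if .Values.istiodRemote.injectionURL }}
-url: "{{ .Values.istiodRemote.injectionURL }}"
-{{- else }}
-service:
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Release.Namespace }}
-path: "{{ .Values.istiodRemote.injectionPath }}"
-{{- end }}
-caBundle: ""
-sideEffects: None
-rules:
-- operations: [ "CREATE" ]
-apiGroups: [""]
-apiVersions: ["v1"]
-resources: ["pods"]
-failurePolicy: Fail
-admissionReviewVersions: ["v1beta1", "v1"]
-{{- end }}
-
-{{- range $tagName := $.Values.revisionTags }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-{{- if eq $.Release.Namespace "istio-system"}}
-name: istio-revision-tag-{{ $tagName }}
-{{- else }}
-name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
-{{- end }}
-labels:
-istio.io/tag: {{ $tagName }}
-istio.io/rev: {{ $.Values.revision | default "default" }}
-install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
-operator.istio.io/component: "Pilot"
-app: sidecar-injector
-release: {{ $.Release.Name }}
-webhooks:
-{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio.io/rev
-operator: In
-values:
-- "{{ $tagName }}"
-- key: istio-injection
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio.io/rev
-operator: DoesNotExist
-- key: istio-injection
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-- key: istio.io/rev
-operator: In
-values:
-- "{{ $tagName }}"
-
-{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
-{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
-{{- if (eq $tagName "default") }}
-
-{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
-{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio-injection
-operator: In
-values:
-- enabled
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: NotIn
-values:
-- "false"
-
-{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
-{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
-namespaceSelector:
-matchExpressions:
-- key: istio-injection
-operator: DoesNotExist
-- key: istio.io/rev
-operator: DoesNotExist
-objectSelector:
-matchExpressions:
-- key: sidecar.istio.io/inject
-operator: In
-values:
-- "true"
-- key: istio.io/rev
-operator: DoesNotExist
-
-{{- end }}
-{{- end }}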
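--- a/PATH_NOT_SHOWN_6.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Values.global.istioNamespace }}
-labels:
-app: istiod
-release: {{ .Release.Name }}
-rules:
-# permissions to verify the webhook is ready and rejecting
-# invalid config. We use --server-dry-run so no config is persisted.
-- apiGroups: ["networking.istio.io"]
-verbs: ["create"]
-resources: ["gateways"]
-
-# For storing CA secret
-- apiGroups: [""]
-resources: ["secrets"]
-# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
-verbs: ["create", "get", "watch", "list", "update", "delete"]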
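--- a/PATH_NOT_SHOWN_7.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Values.global.istioNamespace }}
-labels:
-app: istiod
-release: {{ .Release.Name }}
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: Role
-name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
-subjects:
-- kind: ServiceAccount
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Values.global.istioNamespace }}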
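--- a/PATH_NOT_SHOWN_8.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Release.Namespace }}
-labels:
-istio.io/rev: {{ .Values.revision | default "default" }}
-install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
-operator.istio.io/component: "Pilot"
-app: istiod
-istio: pilot
-release: {{ .Release.Name }}
-spec:
-ports:
-- port: 15010
-name: grpc-xds # plaintext
-protocol: TCP
-- port: 15012
-name: https-dns # mTLS with k8s-signed cert
-protocol: TCP
-- port: 443
-name: https-webhook # validation and injection
-targetPort: 15017
-protocol: TCP
-- port: 15014
-name: http-monitoring # prometheus stats
-protocol: TCP
-selector:
-app: istiod
-{{- if ne .Values.revision "" }}
-istio.io/rev: {{ .Values.revision }}
-{{- else }}
-# Label used by the 'default' service. For versioned deployments we match with app and version.
-# This avoids default deployment picking the canary
-istio: pilot
-{{- end }}
----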
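--- a/PATH_NOT_SHOWN_9.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-{{- if .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-- name: {{ . }}
-{{- end }}
-{{- end }}
-metadata:
-name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
-namespace: {{ .Values.global.istioNamespace }}
-labels:
-app: istiod
-release: {{ .Release.Name }}
----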
@ -1,783 +0,0 @@
|
|||||||
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
|
|
||||||
# Note: metadata exchange filter is wasm enabled only in sidecars.
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
|
||||||
{{- else }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
spec:
|
|
||||||
configPatches:
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_INBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{}
|
|
||||||
vm_config:
|
|
||||||
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.metadata_exchange
|
|
||||||
{{- end }}
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_OUTBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{}
|
|
||||||
vm_config:
|
|
||||||
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.metadata_exchange
|
|
||||||
{{- end }}
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: GATEWAY
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{}
|
|
||||||
vm_config:
|
|
||||||
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.metadata_exchange
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
|
||||||
{{- else }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
spec:
|
|
||||||
configPatches:
|
|
||||||
- applyTo: NETWORK_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_INBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener: {}
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
|
||||||
value:
|
|
||||||
protocol: istio-peer-exchange
|
|
||||||
- applyTo: CLUSTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_OUTBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
cluster: {}
|
|
||||||
patch:
|
|
||||||
operation: MERGE
|
|
||||||
value:
|
|
||||||
filters:
|
|
||||||
- name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
|
||||||
value:
|
|
||||||
protocol: istio-peer-exchange
|
|
||||||
- applyTo: CLUSTER
|
|
||||||
match:
|
|
||||||
context: GATEWAY
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
cluster: {}
|
|
||||||
patch:
|
|
||||||
operation: MERGE
|
|
||||||
value:
|
|
||||||
filters:
|
|
||||||
- name: istio.metadata_exchange
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
|
||||||
value:
|
|
||||||
protocol: istio-peer-exchange
|
|
||||||
---
|
|
||||||
# Note: http stats filter is wasm enabled only in sidecars.
|
|
||||||
{{- if .Values.telemetry.v2.prometheus.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
|
||||||
{{- else }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
spec:
|
|
||||||
configPatches:
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_OUTBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
subFilter:
|
|
||||||
name: "envoy.filters.http.router"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.stats
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
root_id: stats_outbound
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
|
||||||
{
|
|
||||||
"debug": "false",
|
|
||||||
"stat_prefix": "istio"
|
|
||||||
}
|
|
||||||
{{- else }}
|
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
|
||||||
{{- end }}
|
|
||||||
vm_config:
|
|
||||||
vm_id: stats_outbound
|
|
||||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.stats
|
|
||||||
{{- end }}
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_INBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
subFilter:
|
|
||||||
name: "envoy.filters.http.router"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.stats
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
root_id: stats_inbound
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
|
||||||
{
|
|
||||||
"debug": "false",
|
|
||||||
"stat_prefix": "istio",
|
|
||||||
"disable_host_header_fallback": true,
|
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"source_cluster": "downstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
{{- else }}
|
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
|
||||||
{{- end }}
|
|
||||||
vm_config:
|
|
||||||
vm_id: stats_inbound
|
|
||||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.stats
|
|
||||||
{{- end }}
|
|
||||||
- applyTo: HTTP_FILTER
|
|
||||||
match:
|
|
||||||
context: GATEWAY
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.http_connection_manager"
|
|
||||||
subFilter:
|
|
||||||
name: "envoy.filters.http.router"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.stats
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
root_id: stats_outbound
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
|
||||||
{
|
|
||||||
"debug": "false",
|
|
||||||
"stat_prefix": "istio",
|
|
||||||
"disable_host_header_fallback": true
|
|
||||||
}
|
|
||||||
{{- else }}
|
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
|
||||||
{{- end }}
|
|
||||||
vm_config:
|
|
||||||
vm_id: stats_outbound
|
|
||||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
|
|
||||||
allow_precompiled: true
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
|
||||||
{{- else }}
|
|
||||||
runtime: envoy.wasm.runtime.null
|
|
||||||
code:
|
|
||||||
local:
|
|
||||||
inline_string: envoy.wasm.stats
|
|
||||||
{{- end }}
|
|
||||||
---
|
|
||||||
# Note: tcp stats filter is wasm enabled only in sidecars.
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
|
||||||
{{- else }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
spec:
|
|
||||||
configPatches:
|
|
||||||
- applyTo: NETWORK_FILTER
|
|
||||||
match:
|
|
||||||
context: SIDECAR_INBOUND
|
|
||||||
proxy:
|
|
||||||
proxyVersion: '^1\.11.*'
|
|
||||||
listener:
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.tcp_proxy"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_BEFORE
|
|
||||||
value:
|
|
||||||
name: istio.stats
|
|
||||||
typed_config:
|
|
||||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
|
||||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
|
||||||
value:
|
|
||||||
config:
|
|
||||||
root_id: stats_inbound
|
|
||||||
configuration:
|
|
||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
|
||||||
value: |
|
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
|
||||||
{
|
|
||||||
"debug": "false",
|
|
||||||
"stat_prefix": "istio",
|
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"source_cluster": "downstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
{{- else }}
|
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
|
||||||
{{- end }}
|
|
||||||
vm_config:
|
|
||||||
vm_id: tcp_stats_inbound
|
|
||||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
|
||||||
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}
@ -1,86 +0,0 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
# Webhook handling default validation
- name: validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
apiVersions:
- "*"
resources:
- "*"
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
---
{{- end }}
@ -1,525 +0,0 @@
#.Values.pilot for discovery and mesh wide config
## Discovery Settings
pilot:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: ""
tag: ""
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env: {}
cpu:
targetAverageUtilization: 80
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: true
nodeSelector: {}
podAnnotations: {}
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed.
configSource:
subscribedResources: []
plugins: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
# It is enabled by default as the minimum supported Kubernetes version is 1.15+
objectSelector:
enabled: true
autoInject: true
rewriteAppHTTPProbe: true
# Templates defines a set of custom injection templates that can be used. For example, defining:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
# being injected with the hello=world labels.
# This is intended for advanced configuration only; most users should use the built in template
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject"
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
metadataExchange:
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
wasmEnabled: false
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# Indicates whether to enable WebAssembly runtime for stats filter.
wasmEnabled: false
# overrides stats EnvoyFilter configuration.
configOverride:
gateway: {}
inboundSidecar: {}
outboundSidecar: {}
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# disable_server_access_logging: false
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
enabled: false
# To reduce the number of successful logs, default log window duration is
# set to 12 hours.
logWindowDuration: "43200s"
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
enablePrometheusMerge: true
# Config for the default ProxyConfig.
# Initially using directly the proxy metadata - can also be activated using annotations
# on the pod. This is an unsupported low-level API, pending review and decisions on
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
# and gradual adoption by setting capture only on specific workloads. It also allows
# VMs to use other DNS options, like dnsmasq or unbound.
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
# stable API.
# What we may configure in mesh config is the ".global" - and use of other suffixes.
# No hurry to do this in 1.6, we're trying to prove the code.
global:
# Used to locate istiod.
istioNamespace: istio-system
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.11.5
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
|
|
||||||
#- global
|
|
||||||
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
|
|
||||||
|
|
||||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
|
||||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
|
||||||
# will not be killed because of low priority class.
|
|
||||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
|
||||||
# for more detail.
|
|
||||||
priorityClassName: ""
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
image: proxyv2
|
|
||||||
|
|
||||||
# This controls the 'policy' in the sidecar injector.
|
|
||||||
autoInject: enabled
|
|
||||||
|
|
||||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
|
||||||
# cluster domain. Default value is "cluster.local".
|
|
||||||
clusterDomain: "cluster.local"
|
|
||||||
|
|
||||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
|
||||||
# not set, then the global "logLevel" will be used.
|
|
||||||
componentLogLevel: "misc:error"
|
|
||||||
|
|
||||||
# If set, newly injected sidecars will have core dumps enabled.
|
|
||||||
enableCoreDump: false
|
|
||||||
|
|
||||||
# istio ingress capture allowlist
|
|
||||||
# examples:
|
|
||||||
# Redirect only selected ports: --includeInboundPorts="80,8080"
|
|
||||||
excludeInboundPorts: ""
|
|
||||||
|
|
||||||
# istio egress capture allowlist
|
|
||||||
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
|
|
||||||
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
|
|
||||||
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
|
|
||||||
# be allowed by the sidecar
|
|
||||||
includeIPRanges: "*"
|
|
||||||
excludeIPRanges: ""
|
|
||||||
excludeOutboundPorts: ""
|
|
||||||
|
|
||||||
# Log level for proxy, applies to gateways and sidecars.
|
|
||||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
|
||||||
logLevel: warning
|
|
||||||
|
|
||||||
#If set to true, istio-proxy container will have privileged securityContext
|
|
||||||
privileged: false
|
|
||||||
|
|
||||||
# The number of successive failed probes before indicating readiness failure.
|
|
||||||
readinessFailureThreshold: 30
|
|
||||||
|
|
||||||
# The initial delay for readiness probes in seconds.
|
|
||||||
readinessInitialDelaySeconds: 1
|
|
||||||
|
|
||||||
# The period between readiness probes.
|
|
||||||
readinessPeriodSeconds: 2
|
|
||||||
|
|
||||||
# Resources for the sidecar.
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 128Mi
|
|
||||||
limits:
|
|
||||||
cpu: 2000m
|
|
||||||
memory: 1024Mi
|
|
||||||
|
|
||||||
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
|
|
||||||
statusPort: 15020
|
|
||||||
|
|
||||||
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
|
|
||||||
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
|
|
||||||
tracer: "zipkin"
|
|
||||||
|
|
||||||
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
|
|
||||||
holdApplicationUntilProxyStarts: false
|
|
||||||
|
|
||||||
proxy_init:
|
|
||||||
# Base name for the proxy_init container, used to configure iptables.
|
|
||||||
image: proxyv2
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 2000m
|
|
||||||
memory: 1024Mi
|
|
||||||
requests:
|
|
||||||
cpu: 10m
|
|
||||||
memory: 10Mi
|
|
||||||
|
|
||||||
# configure remote pilot and istiod service and endpoint
|
|
||||||
remotePilotAddress: ""
|
|
||||||
|
|
||||||
##############################################################################################
|
|
||||||
# The following values are found in other charts. To effectively modify these values, make #
|
|
||||||
# make sure they are consistent across your Istio helm charts #
|
|
||||||
##############################################################################################
|
|
||||||
|
|
||||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
|
||||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
|
||||||
# If not set explicitly, default to the Istio discovery address.
|
|
||||||
caAddress: ""
|
|
||||||
|
|
||||||
# Configure a remote cluster data plane controlled by an external istiod.
|
|
||||||
# When set to true, istiod is not deployed locally and only a subset of the other
|
|
||||||
# discovery charts are enabled.
|
|
||||||
externalIstiod: false
|
|
||||||
|
|
||||||
# Configure a remote cluster as the config cluster for an external istiod.
|
|
||||||
configCluster: false
|
|
||||||
|
|
||||||
# Configure the policy for validating JWT.
|
|
||||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
|
||||||
jwtPolicy: "third-party-jwt"
|
|
||||||
|
|
||||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
|
||||||
# meshes will interact with each other, but it is not required to be
|
|
||||||
# globally/universally unique. For example, if any of the following are true,
|
|
||||||
# then two meshes must have different Mesh IDs:
|
|
||||||
# - Meshes will have their telemetry aggregated in one place
|
|
||||||
# - Meshes will be federated together
|
|
||||||
# - Policy will be written referencing one mesh from the other
|
|
||||||
#
|
|
||||||
# If an administrator expects that any of these conditions may become true in
|
|
||||||
# the future, they should ensure their meshes have different Mesh IDs
|
|
||||||
# assigned.
|
|
||||||
#
|
|
||||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
|
||||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
|
||||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
|
||||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
|
||||||
# ID post-install.
|
|
||||||
#
|
|
||||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
|
||||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
|
||||||
# value.
|
|
||||||
meshID: ""
|
|
||||||
|
|
||||||
# Configure the mesh networks to be used by the Split Horizon EDS.
|
|
||||||
#
|
|
||||||
# The following example defines two networks with different endpoints association methods.
|
|
||||||
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
|
|
||||||
# mapped to network1. The gateway for this network example is specified by its public IP
|
|
||||||
# address and port.
|
|
||||||
# The second network, `network2`, in this example is defined differently with all endpoints
|
|
||||||
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
|
|
||||||
# gateway is also defined differently with the name of the gateway service on the remote
|
|
||||||
# cluster. The public IP for the gateway will be determined from that remote service (only
|
|
||||||
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
|
|
||||||
# it still need to be configured manually).
|
|
||||||
#
|
|
||||||
# meshNetworks:
|
|
||||||
# network1:
|
|
||||||
# endpoints:
|
|
||||||
# - fromCidr: "192.168.0.1/24"
|
|
||||||
# gateways:
|
|
||||||
# - address: 1.1.1.1
|
|
||||||
# port: 80
|
|
||||||
# network2:
|
|
||||||
# endpoints:
|
|
||||||
# - fromRegistry: reg1
|
|
||||||
# gateways:
|
|
||||||
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
|
|
||||||
# port: 443
|
|
||||||
#
|
|
||||||
meshNetworks: {}
|
|
||||||
|
|
||||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
|
||||||
mountMtlsCerts: false
|
|
||||||
|
|
||||||
multiCluster:
|
|
||||||
# Set to true to connect two kubernetes clusters via their respective
|
|
||||||
# ingressgateway services when pods in each cluster cannot directly
|
|
||||||
# talk to one another. All clusters should be using Istio mTLS and must
|
|
||||||
# have a shared root CA for this model to work.
|
|
||||||
enabled: false
|
|
||||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
|
||||||
# to properly label proxies
|
|
||||||
clusterName: ""
|
|
||||||
|
|
||||||
# Network defines the network this cluster belong to. This name
|
|
||||||
# corresponds to the networks in the map of mesh networks.
|
|
||||||
network: ""
|
|
||||||
|
|
||||||
# Configure the certificate provider for control plane communication.
|
|
||||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
|
||||||
# As some platforms may not have kubernetes signing APIs,
|
|
||||||
# Istiod is the default
|
|
||||||
pilotCertProvider: istiod
|
|
||||||
|
|
||||||
sds:
|
|
||||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
|
||||||
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
|
|
||||||
# JWT is intended for the CA.
|
|
||||||
token:
|
|
||||||
aud: istio-ca
|
|
||||||
|
|
||||||
sts:
|
|
||||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
|
||||||
# Setting this port to a non-zero value enables STS server.
|
|
||||||
servicePort: 0
|
|
||||||
|
|
||||||
# Configuration for each of the supported tracers
|
|
||||||
tracer:
|
|
||||||
# Configuration for envoy to send trace data to LightStep.
|
|
||||||
# Disabled by default.
|
|
||||||
# address: the <host>:<port> of the satellite pool
|
|
||||||
# accessToken: required for sending data to the pool
|
|
||||||
#
|
|
||||||
datadog:
|
|
||||||
# Host:Port for submitting traces to the Datadog agent.
|
|
||||||
address: "$(HOST_IP):8126"
|
|
||||||
lightstep:
|
|
||||||
address: "" # example: lightstep-satellite:443
|
|
||||||
accessToken: "" # example: abcdefg1234567
|
|
||||||
stackdriver:
|
|
||||||
# enables trace output to stdout.
|
|
||||||
debug: false
|
|
||||||
# The global default max number of message events per span.
|
|
||||||
maxNumberOfMessageEvents: 200
|
|
||||||
# The global default max number of annotation events per span.
|
|
||||||
maxNumberOfAnnotations: 200
|
|
||||||
# The global default max number of attributes per span.
|
|
||||||
maxNumberOfAttributes: 200
|
|
||||||
zipkin:
|
|
||||||
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
|
|
||||||
# zipkin service (port 9411) in the same namespace as the other istio components.
|
|
||||||
address: ""
|
|
||||||
|
|
||||||
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
|
|
||||||
useMCP: false
|
|
||||||
|
|
||||||
# Determines whether this istiod performs resource validation.
|
|
||||||
configValidation: true
|
|
||||||
|
|
||||||
base:
|
|
||||||
# For istioctl usage to disable istio config crds in base
|
|
||||||
enableIstioConfigCRDs: true
|
|
@ -1,4 +1,4 @@
|
|||||||
{{- if index .Values "istio-discovery" "telemetry" "enabled" }}
|
{{- if .Values.istiod.telemetry.enabled }}
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }}
|
{{- if and .Values.istiod.telemetry.enabled .Values.rateLimiting.enabled }}
|
||||||
apiVersion: monitoring.coreos.com/v1
|
apiVersion: monitoring.coreos.com/v1
|
||||||
kind: ServiceMonitor
|
kind: ServiceMonitor
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{{- if index .Values "istio-discovery" "telemetry" "enabled" }}
|
{{- if .Values.istiod.telemetry.enabled }}
|
||||||
apiVersion: monitoring.coreos.com/v1
|
apiVersion: monitoring.coreos.com/v1
|
||||||
kind: ServiceMonitor
|
kind: ServiceMonitor
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -7,13 +7,9 @@ set -ex
|
|||||||
export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="base") | .version' Chart.yaml)
|
export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="base") | .version' Chart.yaml)
|
||||||
export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") | .version' Chart.yaml)
|
export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") | .version' Chart.yaml)
|
||||||
|
|
||||||
rm -rf istio
|
helm dep update
|
||||||
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
|
|
||||||
mv istio-${ISTIO_VERSION} istio
|
|
||||||
|
|
||||||
# remove unused old telemetry filters
|
exit 0
|
||||||
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
|
|
||||||
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
|
|
||||||
|
|
||||||
# Patch
|
# Patch
|
||||||
#exit 0
|
#exit 0
|
||||||
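Review bot: The unconditional `exit 0` added after `helm dep update` makes the `# Patch` section and every command below it unreachable, so any patching of the fetched charts silently never runs. If that is intentional for the draft, say so on the line, e.g. `exit 0  # TODO: patch step below not yet ported to the upstream 1.13 charts`; otherwise remove it. `helm dep update` also re-resolves each dependency from its repository on every run, so consider committing the generated Chart.lock and running `helm dependency build` instead, which verifies the downloaded chart archives against the digests recorded in the lock file rather than trusting whatever the repository currently serves for that version. The remainder of the script, including the patch commands, lies outside this hunk.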
|
@ -9,7 +9,7 @@ global:
|
|||||||
|
|
||||||
priorityClassName: "system-cluster-critical"
|
priorityClassName: "system-cluster-critical"
|
||||||
|
|
||||||
istio-discovery:
|
istiod:
|
||||||
pilot:
|
pilot:
|
||||||
autoscaleEnabled: false
|
autoscaleEnabled: false
|
||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
|