feat: First draft new Istio 13 helm charts

This commit is contained in:
Stefan Reimer 2022-04-20 15:36:08 +02:00
parent 4c91dc6ca4
commit 09bb5d427e
50 changed files with 19 additions and 18616 deletions

View File

@ -2,8 +2,7 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.7.6 version: 0.8.0
appVersion: 1.11.5
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -17,9 +16,11 @@ dependencies:
version: ">= 0.1.4" version: ">= 0.1.4"
repository: https://cdn.zero-downtime.net/charts/ repository: https://cdn.zero-downtime.net/charts/
- name: base - name: base
version: 1.11.5 version: 1.13.3
- name: istio-discovery repository: https://istio-release.storage.googleapis.com/charts
version: 1.11.5 - name: istiod
version: 1.13.3
repository: https://istio-release.storage.googleapis.com/charts
- name: kiali-server - name: kiali-server
version: 1.38.1 version: 1.38.1
# repository: https://github.com/kiali/helm-charts/tree/master/docs # repository: https://github.com/kiali/helm-charts/tree/master/docs

View File

@ -1,6 +1,6 @@
# kubezero-istio # kubezero-istio
![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) ![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Istio KubeZero Umbrella Chart for Istio
@ -12,18 +12,18 @@ Installs the Istio control plane
| Name | Email | Url | | Name | Email | Url |
| ---- | ------ | --- | | ---- | ------ | --- |
| Quarky9 | | | | Stefan Reimer | stefan@zero-downtime.net | |
## Requirements ## Requirements
Kubernetes: `>= 1.18.0` Kubernetes: `>= 1.20.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | base | 1.11.3 |
| | istio-discovery | 1.11.3 |
| | kiali-server | 1.38.1 | | | kiali-server | 1.38.1 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 |
| https://istio-release.storage.googleapis.com/charts | base | 1.13.3 |
| https://istio-release.storage.googleapis.com/charts | istiod | 1.13.3 |
## Values ## Values
@ -32,12 +32,13 @@ Kubernetes: `>= 1.18.0`
| global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.logAsJson | bool | `true` | | | global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | | | global.priorityClassName | string | `"system-cluster-critical"` | |
| global.tag | string | `"1.11.5-distroless"` | |
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | | | istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | | | istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | | | istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | |
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | | | istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
| istio-discovery.pilot.replicaCount | int | `1` | | | istio-discovery.pilot.replicaCount | int | `1` | |
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | | | istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | | | istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |

View File

@ -1,11 +0,0 @@
apiVersion: v1
name: base
version: 1.11.5
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs
keywords:
- istio
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

View File

@ -1 +0,0 @@
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.

File diff suppressed because it is too large Load Diff

View File

@ -1,48 +0,0 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
name: v1alpha1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---

File diff suppressed because it is too large Load Diff

View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- files/gen-istio-cluster.yaml

View File

@ -1,171 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list"]
{{- if or .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}
---

View File

@ -1,37 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
---

View File

@ -1,4 +0,0 @@
{{- if .Values.base.enableCRDTemplates }}
{{ .Files.Get "crds/crd-all.gen.yaml" }}
{{ .Files.Get "crds/crd-operator.yaml" }}
{{- end }}

View File

@ -1,30 +0,0 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- end }}
---
{{- end }}

View File

@ -1,16 +0,0 @@
# This service account aggregates reader permissions for the revisions in a given cluster
# Should be used for remote secret creation.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}

View File

@ -1,25 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

View File

@ -1,21 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}

View File

@ -1,19 +0,0 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}

View File

@ -1,37 +0,0 @@
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
# when istiod is enabled in remote cluster, we can't use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
clusterIP: None
{{- else }}
# when istiod isn't enabled in remote cluster, we can use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
# if the remotePilotAddress is IP addr, we use clusterIP: None.
# else, we use externalName
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
clusterIP: None
{{- else }}
type: ExternalName
externalName: {{ .Values.global.remotePilotAddress }}
{{- end }}
{{- end }}
---
{{- end }}

View File

@ -1,27 +0,0 @@
global:
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# Used to locate istiod.
istioNamespace: istio-system
istiod:
enableAnalysis: false
configValidation: true
externalIstiod: false
remotePilotAddress: ""
base:
# Used for helm2 to add the CRDs to templates.
enableCRDTemplates: false
# Validation webhook configuration url
# For example: https://$remotePilotAddress:15017/validate
validationURL: ""
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true

View File

@ -1,13 +0,0 @@
apiVersion: v1
name: istio-discovery
version: 1.11.5
tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane
keywords:
- istio
- istiod
- istio-discovery
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

View File

@ -1,8 +0,0 @@
Minimal control plane for Istio. Pilot and mesh config are included.
MCP and injector should optionally be installed in the same namespace. Alternatively remote
address of an MCP server can be set.
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/kWULBRjUv7hHci7T6

View File

@ -1,205 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}

View File

@ -1,234 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
{{- range $index, $container := .Spec.Containers }}
{{ if not (eq $container.Name "istio-proxy") }}
- name: {{ $container.Name }}
env:
- name: "GRPC_XDS_BOOTSTRAP"
value: "/var/lib/istio/data/grpc-bootstrap.json"
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
value: "true"
volumeMounts:
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- end }}
{{- end }}
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
env:
- name: "GRPC_XDS_BOOTSTRAP"
value: "/var/lib/istio/data/grpc-bootstrap.json"
- name: ISTIO_META_GENERATOR
value: grpc
- name: OUTPUT_CERTS
value: /var/lib/istio/data
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
# grpc uses xds:/// to resolve no need to resolve VIP
- name: ISTIO_META_DNS_CAPTURE
value: "false"
- name: DISABLE_ENVOY
value: "true"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
# UDS channel between istioagent and gRPC client for XDS/SDS
- emptyDir:
medium: Memory
name: istio-xds
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}

View File

@ -1,58 +0,0 @@
spec:
initContainers:
- name: grpc-bootstrap-init
image: busybox:1.28
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
env:
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
command:
- sh
- "-c"
- |-
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
echo '
{
"xds_servers": [
{
"server_uri": "dns:///istiod.istio-system.svc:15010",
"channel_creds": [{"type": "insecure"}],
"server_features" : ["xds_v3"]
}
],
"node": {
"id": "'${NODE_ID}'",
"metadata": {
"GENERATOR": "grpc"
}
}
}' > /var/lib/grpc/data/bootstrap.json
containers:
{{- range $index, $container := .Spec.Containers }}
- name: {{ $container.Name }}
env:
- name: GRPC_XDS_BOOTSTRAP
value: /var/lib/grpc/data/bootstrap.json
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
value: "99"
- name: GRPC_GO_LOG_SEVERITY_LEVEL
value: info
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
{{- end }}
volumes:
- name: grpc-io-proxyless-bootstrap
emptyDir: {}

View File

@ -1,466 +0,0 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
{{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
{{- end }}
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
{{- end }}
}
spec:
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{ if .Values.istio_cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
{{ end -}}
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- istio-iptables
- "-p"
- "15001"
- "-z"
- "15006"
- "-u"
- "1337"
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else }}
- "15090,15021"
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- "-q"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
{{ end -}}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
{{ if .Values.istio_cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
{{- if not .Values.istio_cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
{{- if not .Values.istio_cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{- else }}
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
{{- end }}
restartPolicy: Always
{{ end -}}
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if gt .EstimatedConcurrency 0 }}
- --concurrency
- "{{ .EstimatedConcurrency }}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- else if $holdProxy }}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
{{- end }}
env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
add:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- NET_ADMIN
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- NET_BIND_SERVICE
{{- end }}
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}

View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- files/gen-istio.yaml

View File

@ -1,26 +0,0 @@
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
---
{{- end }}

View File

@ -1,112 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]

View File

@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}

View File

@ -1,14 +0,0 @@
{{- if .Values.pilot.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
data:
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
{{- end }}

View File

@ -1,100 +0,0 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
{{- if $.Values.global.tracer.stackdriver.debug }}
debug: {{ $.Values.global.tracer.stackdriver.debug }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- else }}
{}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if not .Values.global.externalIstiod }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
{{- end }}
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.pilot.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

View File

@ -1,222 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
{{- range $key, $val := .Values.pilot.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.pilot.autoscaleEnabled }}
{{- if .Values.pilot.replicaCount }}
replicas: {{ .Values.pilot.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.pilot.nodeSelector }}
nodeSelector:
{{ toYaml .Values.pilot.nodeSelector | indent 8 }}
{{- end }}
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
securityContext:
fsGroup: 1337
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if .Values.pilot.plugins }}
- --plugins={{ .Values.pilot.plugins }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
- name: ISTIOD_ADDR
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
{{- if not .Values.telemetry.v2.enabled }}
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
value: "false"
{{- end }}
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
{{- end }}
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
---

View File

@ -1,67 +0,0 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
defaultTemplates:
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
- {{ . }}
{{- end }}
{{- else }}
defaultTemplates: [sidecar]
{{- end }}
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": "{{ $val }}"
{{- end }}
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
This should make it obvious that their installation is broken.
*/}}
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
templates:
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}
{{- end }}

View File

@ -1,144 +0,0 @@
{{- /* Core defines the common configuration used by all webhook segments */}}
{{- define "core" }}
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
port: 443
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
{{- /* Special case 3: no labels at all */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,25 +0,0 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}

View File

@ -1,48 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}

View File

@ -1,15 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}

View File

@ -1,113 +0,0 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- define "core" }}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "{{ .Values.istiodRemote.injectionPath }}"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}

View File

@ -1,20 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

View File

@ -1,16 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}

View File

@ -1,37 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
---

View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---

View File

@ -1,783 +0,0 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
# Note: metadata exchange filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
{{- end }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener: {}
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
- applyTo: CLUSTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
cluster: {}
patch:
operation: MERGE
value:
filters:
- name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
- applyTo: CLUSTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
cluster: {}
patch:
operation: MERGE
value:
filters:
- name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.11.*'
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,86 +0,0 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
# Webhook handling default validation
- name: validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
apiVersions:
- "*"
resources:
- "*"
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
---
{{- end }}

View File

@ -1,525 +0,0 @@
#.Values.pilot for discovery and mesh wide config
## Discovery Settings
pilot:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: ""
tag: ""
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env: {}
cpu:
targetAverageUtilization: 80
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: true
nodeSelector: {}
podAnnotations: {}
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed.
configSource:
subscribedResources: []
plugins: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
# It is enabled by default as the minimum supported Kubernetes version is 1.15+
objectSelector:
enabled: true
autoInject: true
rewriteAppHTTPProbe: true
# Templates defines a set of custom injection templates that can be used. For example, defining:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
# being injected with the hello=world labels.
# This is intended for advanced configuration only; most users should use the built in template
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject"
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
metadataExchange:
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
wasmEnabled: false
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# Indicates whether to enable WebAssembly runtime for stats filter.
wasmEnabled: false
# overrides stats EnvoyFilter configuration.
configOverride:
gateway: {}
inboundSidecar: {}
outboundSidecar: {}
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# disable_server_access_logging: false
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
enabled: false
# To reduce the number of successful logs, default log window duration is
# set to 12 hours.
logWindowDuration: "43200s"
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
enablePrometheusMerge: true
# Config for the default ProxyConfig.
# Initially using directly the proxy metadata - can also be activated using annotations
# on the pod. This is an unsupported low-level API, pending review and decisions on
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
# and gradual adoption by setting capture only on specific workloads. It also allows
# VMs to use other DNS options, like dnsmasq or unbound.
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
# stable API.
# What we may configure in mesh config is the ".global" - and use of other suffixes.
# No hurry to do this in 1.6, we're trying to prove the code.
global:
# Used to locate istiod.
istioNamespace: istio-system
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.11.5
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
#- global
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio ingress capture allowlist
# examples:
# Redirect only selected ports: --includeInboundPorts="80,8080"
excludeInboundPorts: ""
# istio egress capture allowlist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
excludeOutboundPorts: ""
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
holdApplicationUntilProxyStarts: false
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxyv2
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 10m
memory: 10Mi
# configure remote pilot and istiod service and endpoint
remotePilotAddress: ""
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
# If not set explicitly, default to the Istio discovery address.
caAddress: ""
# Configure a remote cluster data plane controlled by an external istiod.
# When set to true, istiod is not deployed locally and only a subset of the other
# discovery charts are enabled.
externalIstiod: false
# Configure a remote cluster as the config cluster for an external istiod.
configCluster: false
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Configuration for each of the supported tracers
tracer:
# Configuration for envoy to send trace data to LightStep.
# Disabled by default.
# address: the <host>:<port> of the satellite pool
# accessToken: required for sending data to the pool
#
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
stackdriver:
# enables trace output to stdout.
debug: false
# The global default max number of message events per span.
maxNumberOfMessageEvents: 200
# The global default max number of annotation events per span.
maxNumberOfAnnotations: 200
# The global default max number of attributes per span.
maxNumberOfAttributes: 200
zipkin:
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
# zipkin service (port 9411) in the same namespace as the other istio components.
address: ""
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# Determines whether this istiod performs resource validation.
configValidation: true
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true

View File

@ -1,4 +1,4 @@
{{- if index .Values "istio-discovery" "telemetry" "enabled" }} {{- if .Values.istiod.telemetry.enabled }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:

View File

@ -1,4 +1,4 @@
{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }} {{- if and .Values.istiod.telemetry.enabled .Values.rateLimiting.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:

View File

@ -1,4 +1,4 @@
{{- if index .Values "istio-discovery" "telemetry" "enabled" }} {{- if .Values.istiod.telemetry.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:

View File

@ -7,13 +7,9 @@ set -ex
export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="base") | .version' Chart.yaml) export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="base") | .version' Chart.yaml)
export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") | .version' Chart.yaml) export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") | .version' Chart.yaml)
rm -rf istio helm dep update
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
mv istio-${ISTIO_VERSION} istio
# remove unused old telemetry filters exit 0
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
# Patch # Patch
#exit 0 #exit 0

View File

@ -9,7 +9,7 @@ global:
priorityClassName: "system-cluster-critical" priorityClassName: "system-cluster-critical"
istio-discovery: istiod:
pilot: pilot:
autoscaleEnabled: false autoscaleEnabled: false
replicaCount: 1 replicaCount: 1