chore: Bump Istio version from 1.9.1 to 1.9.2
parent
bc6d5c45a8
commit
1a1f5e7cd6
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio-ingress
|
name: kubezero-istio-ingress
|
||||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||||
type: application
|
type: application
|
||||||
version: 0.5.0
|
version: 0.5.1
|
||||||
appVersion: 1.9.1
|
appVersion: 1.9.2
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,9 +16,9 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-ingress
|
- name: istio-ingress
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
condition: istio-ingress.enabled
|
condition: istio-ingress.enabled
|
||||||
- name: istio-private-ingress
|
- name: istio-private-ingress
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
condition: istio-private-ingress.enabled
|
condition: istio-private-ingress.enabled
|
||||||
kubeVersion: ">= 1.18.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-ingress
|
name: istio-ingress
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: autoscaling/v2beta1
|
apiVersion: autoscaling/v2beta1
|
||||||
kind: HorizontalPodAutoscaler
|
kind: HorizontalPodAutoscaler
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
@ -17,7 +17,7 @@ spec:
|
|||||||
scaleTargetRef:
|
scaleTargetRef:
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
metrics:
|
metrics:
|
||||||
- type: Resource
|
- type: Resource
|
||||||
resource:
|
resource:
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
|
|
||||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if eq $gateway.injectionTemplate "" }}
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
@ -32,7 +34,7 @@ spec:
|
|||||||
release: istio
|
release: istio
|
||||||
chart: gateways
|
chart: gateways
|
||||||
{{- end }}
|
{{- end }}
|
||||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||||
{{- if not (eq .Values.revision "") }}
|
{{- if not (eq .Values.revision "") }}
|
||||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
{{- else}}
|
{{- else}}
|
||||||
@ -41,14 +43,17 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
sidecar.istio.io/inject: "false"
|
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
prometheus.io/path: "/stats/prometheus"
|
prometheus.io/path: "/stats/prometheus"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
sidecar.istio.io/inject: "false"
|
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||||
|
{{- if ne $gateway.injectionTemplate "" }}
|
||||||
|
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||||
|
{{- end}}
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
{{ end }}
|
{{ end }}
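Review bot: The new `sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"` label and annotation, and the `{{- if ne $gateway.injectionTemplate "" }}` block that emits `inject.istio.io/templates`, live inside a Deployment that this commit wraps in `{{- if eq $gateway.injectionTemplate "" }}` at the top of the file, so `ne` can only evaluate to false here and the templates annotation is never rendered. Keeping the literal `sidecar.istio.io/inject: "false"` on both lines and dropping the unreachable block states the invariant plainly and stops a reader from assuming this legacy Deployment can be injected. If the outer guard is ever relaxed, the injected variant added in this commit (image `auto`, pod-level `istio.io/rev`) is the path to use rather than flipping this annotation. The pod spec of this Deployment continues outside the hunk.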
|
||||||
@ -60,7 +65,7 @@ spec:
|
|||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
fsGroup: 1337
|
fsGroup: 1337
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
serviceAccountName: {{ $gateway.name }}-service-account
|
||||||
{{- if .Values.global.priorityClassName }}
|
{{- if .Values.global.priorityClassName }}
|
||||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -123,7 +128,7 @@ spec:
|
|||||||
- --log_as_json
|
- --log_as_json
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- --serviceCluster
|
- --serviceCluster
|
||||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
- {{ $gateway.name }}
|
||||||
{{- if .Values.global.sts.servicePort }}
|
{{- if .Values.global.sts.servicePort }}
|
||||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -201,9 +206,9 @@ spec:
|
|||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
- name: ISTIO_META_WORKLOAD_NAME
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
value: {{ $gateway.name }}
|
||||||
- name: ISTIO_META_OWNER
|
- name: ISTIO_META_OWNER
|
||||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||||
{{- if $.Values.global.meshID }}
|
{{- if $.Values.global.meshID }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.meshID }}"
|
value: "{{ $.Values.global.meshID }}"
|
||||||
@ -349,3 +354,4 @@ spec:
|
|||||||
tolerations:
|
tolerations:
|
||||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
@ -0,0 +1,143 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if ne $gateway.injectionTemplate "" }}
|
||||||
|
{{/* This provides a minimal gateway, ready to be injected.
|
||||||
|
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||||
|
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||||
|
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
sidecar.istio.io/inject: "true"
|
||||||
|
{{- with .Values.revision }}
|
||||||
|
istio.io/rev: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "true"
|
||||||
|
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
image: auto
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
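Review bot: In the `gateways.istio-ingressgateway.env` loop, `value: {{ $val }}` renders the value unquoted, so an env value such as `true`, `1337` or `""` becomes a YAML bool, int or null and the API server rejects the EnvVar, whose `value` must be a string; `value: {{ $val | quote }}` (and `- name: {{ $key | quote }}`) is the safe form. Every `secretVolumes` entry is mounted with `optional: true`, so a misspelled `secretName` for gateway TLS material produces a silently empty mount instead of a Pod that fails to start; that is presumably carried over from the upstream chart, but it deserves a comment in values.yaml since it weakens fail-closed behaviour for certificates. Finally, `image: auto` makes this Deployment usable only when the injector webhook rewrites it; if the webhook does not cover this namespace/revision the pod is created with an unresolvable image and never serves, which is worth stating in the file comment so operators know what to check first.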
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodDisruptionBudget
|
kind: PodDisruptionBudget
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
@ -1,78 +0,0 @@
|
|||||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
|
||||||
{{- if .Values.global.multiCluster.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "IngressGateways"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
istio: ingressgateway
|
|
||||||
servers:
|
|
||||||
- hosts:
|
|
||||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
|
||||||
port:
|
|
||||||
name: tls
|
|
||||||
number: 15443
|
|
||||||
protocol: TLS
|
|
||||||
tls:
|
|
||||||
mode: AUTO_PASSTHROUGH
|
|
||||||
---
|
|
||||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
workloadSelector:
|
|
||||||
labels:
|
|
||||||
istio: ingressgateway
|
|
||||||
configPatches:
|
|
||||||
- applyTo: NETWORK_FILTER
|
|
||||||
match:
|
|
||||||
context: GATEWAY
|
|
||||||
listener:
|
|
||||||
portNumber: 15443
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.sni_cluster"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_AFTER
|
|
||||||
value:
|
|
||||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
|
||||||
typed_config:
|
|
||||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
|
||||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
|
||||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
||||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: DestinationRule
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
|
||||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
|
||||||
exportTo:
|
|
||||||
- '*'
|
|
||||||
{{- end }}
|
|
||||||
trafficPolicy:
|
|
||||||
tls:
|
|
||||||
mode: ISTIO_MUTUAL
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -2,7 +2,7 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
@ -12,8 +12,8 @@ metadata:
|
|||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: Role
|
kind: Role
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
name: {{ $gateway.name }}-service-account
|
||||||
---
|
---
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
annotations:
|
annotations:
|
||||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
@ -8,7 +8,7 @@ imagePullSecrets:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
name: {{ $gateway.name }}-service-account
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
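Review bot: `name: {{ $gateway.name }}-service-account` no longer falls back to `istio-ingressgateway`, but the injected-deployment.yaml added in this same commit still renders `serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account`. If `gateways.istio-ingressgateway.name` is ever empty, the ServiceAccount, and the `-sds` Role/RoleBinding changed the same way, are created under a bare `-service-account`/`-sds` name while the injected gateway pod references `istio-ingressgateway-service-account`, so the pod either cannot be admitted or runs without the SDS RoleBinding. Either restore the `default` here or remove it in injected-deployment.yaml so the two names cannot diverge; the values file's `name` key is not in this diff, so I cannot confirm it is always populated.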
|
||||||
|
@ -120,6 +120,9 @@ gateways:
|
|||||||
# whether to run the gateway in a privileged container
|
# whether to run the gateway in a privileged container
|
||||||
runAsRoot: false
|
runAsRoot: false
|
||||||
|
|
||||||
|
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||||
|
injectionTemplate: ""
|
||||||
|
|
||||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
revision: ""
|
revision: ""
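Review bot: The comment on `injectionTemplate` explains only the empty default, not what a non-empty value changes, which is exactly what someone hardening the gateway needs to know. I would extend it to: `# The injection template to use for the gateway (e.g. "gateway"). If not set, no injection will be performed. If set, the Deployment is rendered with image "auto" and the istio-proxy image, env, volumes and proxy config are supplied by the injector webhook for this revision, so the webhook must cover this namespace.` The "auto" image and webhook dependency are taken from injected-deployment.yaml in this commit; the revision matching is my reading of its `istio.io/rev` pod label and should be confirmed against the injector configuration.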
|
||||||
|
|
||||||
@ -171,7 +174,7 @@ global:
|
|||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.1
|
tag: 1.9.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-private-ingress
|
name: istio-private-ingress
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: autoscaling/v2beta1
|
apiVersion: autoscaling/v2beta1
|
||||||
kind: HorizontalPodAutoscaler
|
kind: HorizontalPodAutoscaler
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
@ -17,7 +17,7 @@ spec:
|
|||||||
scaleTargetRef:
|
scaleTargetRef:
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
metrics:
|
metrics:
|
||||||
- type: Resource
|
- type: Resource
|
||||||
resource:
|
resource:
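Review bot: `scaleTargetRef.name: {{ $gateway.name }}` must match the Deployment it scales, but when `injectionTemplate` is set the Deployment is produced by injected-deployment.yaml, which still names it `{{ $gateway.name | default "istio-ingressgateway" }}`. With `gateways.istio-ingressgateway.name` empty the HPA would target a non-existent Deployment and silently never scale the private gateway, while with `name` set both forms agree. Dropping the `default` in the injected template as well, or keeping it here, removes the mismatch; whether `name` can actually be empty depends on the values file, which this diff does not show.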
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
|
|
||||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if eq $gateway.injectionTemplate "" }}
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
@ -32,7 +34,7 @@ spec:
|
|||||||
release: istio
|
release: istio
|
||||||
chart: gateways
|
chart: gateways
|
||||||
{{- end }}
|
{{- end }}
|
||||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||||
{{- if not (eq .Values.revision "") }}
|
{{- if not (eq .Values.revision "") }}
|
||||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
{{- else}}
|
{{- else}}
|
||||||
@ -41,14 +43,17 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
sidecar.istio.io/inject: "false"
|
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
prometheus.io/path: "/stats/prometheus"
|
prometheus.io/path: "/stats/prometheus"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
sidecar.istio.io/inject: "false"
|
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||||
|
{{- if ne $gateway.injectionTemplate "" }}
|
||||||
|
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||||
|
{{- end}}
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
{{ end }}
|
{{ end }}
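Review bot: `ne $gateway.injectionTemplate ""` on the label and annotation lines, and `{{- if eq $gateway.injectionTemplate "" }}` at the top of this file, compare against a value that can be absent: if an override sets `injectionTemplate: null` Helm drops the key, the variable is nil, and on older Helm/Go builds (this chart still declares `tillerVersion: ">=2.7.2"`) `eq`/`ne` abort rendering with an incompatible-types error instead of treating nil as empty. The nil-safe spellings are `{{- if empty $gateway.injectionTemplate }}` for the guard and `sidecar.istio.io/inject: "{{ not (empty $gateway.injectionTemplate) }}"` for the two annotation lines. Newer Go versions return false for such comparisons, so whether this bites depends on the Helm binary in use; the comment-free template gives no hint either way. The Deployment's pod spec continues outside the hunk.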
|
||||||
@ -60,7 +65,7 @@ spec:
|
|||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
fsGroup: 1337
|
fsGroup: 1337
|
||||||
{{- end }}
|
{{- end }}
|
||||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
serviceAccountName: {{ $gateway.name }}-service-account
|
||||||
{{- if .Values.global.priorityClassName }}
|
{{- if .Values.global.priorityClassName }}
|
||||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -123,7 +128,7 @@ spec:
|
|||||||
- --log_as_json
|
- --log_as_json
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- --serviceCluster
|
- --serviceCluster
|
||||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
- {{ $gateway.name }}
|
||||||
{{- if .Values.global.sts.servicePort }}
|
{{- if .Values.global.sts.servicePort }}
|
||||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -201,9 +206,9 @@ spec:
|
|||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
- name: ISTIO_META_WORKLOAD_NAME
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
value: {{ $gateway.name }}
|
||||||
- name: ISTIO_META_OWNER
|
- name: ISTIO_META_OWNER
|
||||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||||
{{- if $.Values.global.meshID }}
|
{{- if $.Values.global.meshID }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.meshID }}"
|
value: "{{ $.Values.global.meshID }}"
|
||||||
@ -349,3 +354,4 @@ spec:
|
|||||||
tolerations:
|
tolerations:
|
||||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
@ -0,0 +1,143 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if ne $gateway.injectionTemplate "" }}
|
||||||
|
{{/* This provides a minimal gateway, ready to be injected.
|
||||||
|
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||||
|
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||||
|
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
sidecar.istio.io/inject: "true"
|
||||||
|
{{- with .Values.revision }}
|
||||||
|
istio.io/rev: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "true"
|
||||||
|
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
image: auto
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
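Review bot: When `runAsRoot` is true the whole container `securityContext` is omitted, so the gateway then runs as root with the runtime's default capability set, `allowPrivilegeEscalation` unset and a writable root filesystem, even though the only thing root is normally needed for is binding ports below 1024. The unprivileged branch already shows the baseline worth keeping in both cases; I would emit it unconditionally and only widen it with `NET_BIND_SERVICE` in the root case, with `readOnlyRootFilesystem: true` verified against the injector template's writable mounts before applying it to the root path. The pod-level `securityContext` and `ISTIO_META_UNPRIVILEGED_POD` remain tied to `runAsRoot` as they are.

```yaml
      - name: istio-proxy
        # … unchanged: image, ports …
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
            {{- if $gateway.runAsRoot }}
            add:
            - NET_BIND_SERVICE
            {{- end }}
        # … unchanged: resources, env, volumeMounts …
```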
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: policy/v1beta1
|
apiVersion: policy/v1beta1
|
||||||
kind: PodDisruptionBudget
|
kind: PodDisruptionBudget
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
@ -1,78 +0,0 @@
|
|||||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
|
||||||
{{- if .Values.global.multiCluster.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "IngressGateways"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
istio: ingressgateway
|
|
||||||
servers:
|
|
||||||
- hosts:
|
|
||||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
|
||||||
port:
|
|
||||||
name: tls
|
|
||||||
number: 15443
|
|
||||||
protocol: TLS
|
|
||||||
tls:
|
|
||||||
mode: AUTO_PASSTHROUGH
|
|
||||||
---
|
|
||||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: EnvoyFilter
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
workloadSelector:
|
|
||||||
labels:
|
|
||||||
istio: ingressgateway
|
|
||||||
configPatches:
|
|
||||||
- applyTo: NETWORK_FILTER
|
|
||||||
match:
|
|
||||||
context: GATEWAY
|
|
||||||
listener:
|
|
||||||
portNumber: 15443
|
|
||||||
filterChain:
|
|
||||||
filter:
|
|
||||||
name: "envoy.filters.network.sni_cluster"
|
|
||||||
patch:
|
|
||||||
operation: INSERT_AFTER
|
|
||||||
value:
|
|
||||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
|
||||||
typed_config:
|
|
||||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
|
||||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
|
||||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
||||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: DestinationRule
|
|
||||||
metadata:
|
|
||||||
name: istio-multicluster-ingressgateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{ $gateway.labels | toYaml | indent 4 }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
|
||||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
|
||||||
exportTo:
|
|
||||||
- '*'
|
|
||||||
{{- end }}
|
|
||||||
trafficPolicy:
|
|
||||||
tls:
|
|
||||||
mode: ISTIO_MUTUAL
|
|
||||||
---
|
|
||||||
{{- end }}
|
|
@ -2,7 +2,7 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
@ -12,8 +12,8 @@ metadata:
|
|||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: Role
|
kind: Role
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
name: {{ $gateway.name }}-sds
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
name: {{ $gateway.name }}-service-account
|
||||||
---
|
---
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
name: {{ $gateway.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
annotations:
|
annotations:
|
||||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
@ -8,7 +8,7 @@ imagePullSecrets:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
name: {{ $gateway.name }}-service-account
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
@ -120,6 +120,9 @@ gateways:
|
|||||||
# whether to run the gateway in a privileged container
|
# whether to run the gateway in a privileged container
|
||||||
runAsRoot: false
|
runAsRoot: false
|
||||||
|
|
||||||
|
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||||
|
injectionTemplate: ""
|
||||||
|
|
||||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
revision: ""
|
revision: ""
|
||||||
|
|
||||||
@ -171,7 +174,7 @@ global:
|
|||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.1
|
tag: 1.9.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.5.0
|
version: 0.5.1
|
||||||
appVersion: 1.9.1
|
appVersion: 1.9.2
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,7 +16,7 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: base
|
- name: base
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
- name: istio-discovery
|
- name: istio-discovery
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
kubeVersion: ">= 1.18.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: base
|
name: base
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -2473,7 +2473,8 @@ spec:
|
|||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
perTryTimeout:
|
perTryTimeout:
|
||||||
description: Timeout per retry attempt for a given request.
|
description: Timeout per attempt for a given request, including
|
||||||
|
the initial call and any retries.
|
||||||
type: string
|
type: string
|
||||||
retryOn:
|
retryOn:
|
||||||
description: Specifies the conditions under which retry takes
|
description: Specifies the conditions under which retry takes
|
||||||
|
@ -2475,7 +2475,8 @@ spec:
|
|||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
perTryTimeout:
|
perTryTimeout:
|
||||||
description: Timeout per retry attempt for a given request.
|
description: Timeout per attempt for a given request, including
|
||||||
|
the initial call and any retries.
|
||||||
type: string
|
type: string
|
||||||
retryOn:
|
retryOn:
|
||||||
description: Specifies the conditions under which retry takes
|
description: Specifies the conditions under which retry takes
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-discovery
|
name: istio-discovery
|
||||||
version: 1.9.1
|
version: 1.9.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for istio control plane
|
description: Helm chart for istio control plane
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -0,0 +1,233 @@
|
|||||||
|
{{- $containers := list }}
|
||||||
|
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||||
|
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||||
|
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||||
|
annotations: {
|
||||||
|
{{- if eq (len $containers) 1 }}
|
||||||
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
- --serviceCluster
|
||||||
|
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||||
|
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||||
|
{{ else -}}
|
||||||
|
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||||
|
{{ end -}}
|
||||||
|
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.proxy.lifecycle }}
|
||||||
|
lifecycle:
|
||||||
|
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: PROXY_CONFIG
|
||||||
|
value: |
|
||||||
|
{{ protoToJSON .ProxyConfig }}
|
||||||
|
- name: ISTIO_META_POD_PORTS
|
||||||
|
value: |-
|
||||||
|
[
|
||||||
|
{{- $first := true }}
|
||||||
|
{{- range $index1, $c := .Spec.Containers }}
|
||||||
|
{{- range $index2, $p := $c.Ports }}
|
||||||
|
{{- if (structToJSON $p) }}
|
||||||
|
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||||
|
{{- $first = false }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end}}
|
||||||
|
{{- end}}
|
||||||
|
]
|
||||||
|
- name: ISTIO_META_APP_CONTAINERS
|
||||||
|
value: "{{ $containers | join "," }}"
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||||
|
- name: ISTIO_META_INTERCEPTION_MODE
|
||||||
|
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
||||||
|
{{- if .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: "{{ .Values.global.network }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ if .ObjectMeta.Annotations }}
|
||||||
|
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||||
|
value: |
|
||||||
|
{{ toJSON .ObjectMeta.Annotations }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: "{{ .DeploymentMeta.Name }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ .Values.global.meshID }}"
|
||||||
|
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ . }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
||||||
|
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
||||||
|
timeoutSeconds: 3
|
||||||
|
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- mountPath: /etc/istio/proxy
|
||||||
|
name: istio-envoy
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- mountPath: /var/run/secrets/tokens
|
||||||
|
name: istio-token
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- mountPath: /etc/certs/
|
||||||
|
name: istio-certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: istio-podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
volumes:
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
name: istio-envoy
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- path: "cpu-limit"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: limits.cpu
|
||||||
|
divisor: 1m
|
||||||
|
- path: "cpu-request"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: requests.cpu
|
||||||
|
divisor: 1m
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
optional: true
|
||||||
|
{{ if eq .Spec.ServiceAccountName "" }}
|
||||||
|
secretName: istio.default
|
||||||
|
{{ else -}}
|
||||||
|
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||||
|
{{ end -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
@ -695,6 +695,240 @@ data:
|
|||||||
securityContext:
|
securityContext:
|
||||||
fsGroup: 1337
|
fsGroup: 1337
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
gateway: |
|
||||||
|
{{- $containers := list }}
|
||||||
|
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||||
|
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||||
|
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||||
|
annotations: {
|
||||||
|
{{- if eq (len $containers) 1 }}
|
||||||
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
{{ end }}
|
||||||
|
}
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
- --serviceCluster
|
||||||
|
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||||
|
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||||
|
{{ else -}}
|
||||||
|
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||||
|
{{ end -}}
|
||||||
|
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.proxy.lifecycle }}
|
||||||
|
lifecycle:
|
||||||
|
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: PROXY_CONFIG
|
||||||
|
value: |
|
||||||
|
{{ protoToJSON .ProxyConfig }}
|
||||||
|
- name: ISTIO_META_POD_PORTS
|
||||||
|
value: |-
|
||||||
|
[
|
||||||
|
{{- $first := true }}
|
||||||
|
{{- range $index1, $c := .Spec.Containers }}
|
||||||
|
{{- range $index2, $p := $c.Ports }}
|
||||||
|
{{- if (structToJSON $p) }}
|
||||||
|
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||||
|
{{- $first = false }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end}}
|
||||||
|
{{- end}}
|
||||||
|
]
|
||||||
|
- name: ISTIO_META_APP_CONTAINERS
|
||||||
|
value: "{{ $containers | join "," }}"
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||||
|
- name: ISTIO_META_INTERCEPTION_MODE
|
||||||
|
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
||||||
|
{{- if .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: "{{ .Values.global.network }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ if .ObjectMeta.Annotations }}
|
||||||
|
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||||
|
value: |
|
||||||
|
{{ toJSON .ObjectMeta.Annotations }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: "{{ .DeploymentMeta.Name }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ .Values.global.meshID }}"
|
||||||
|
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ . }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
||||||
|
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
||||||
|
timeoutSeconds: 3
|
||||||
|
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- mountPath: /etc/istio/proxy
|
||||||
|
name: istio-envoy
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- mountPath: /var/run/secrets/tokens
|
||||||
|
name: istio-token
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- mountPath: /etc/certs/
|
||||||
|
name: istio-certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: istio-podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
volumes:
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
name: istio-envoy
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- path: "cpu-limit"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: limits.cpu
|
||||||
|
divisor: 1m
|
||||||
|
- path: "cpu-request"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: requests.cpu
|
||||||
|
divisor: 1m
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
optional: true
|
||||||
|
{{ if eq .Spec.ServiceAccountName "" }}
|
||||||
|
secretName: istio.default
|
||||||
|
{{ else -}}
|
||||||
|
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||||
|
{{ end -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/service.yaml
|
# Source: istio-discovery/templates/service.yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -48,6 +48,10 @@ data:
|
|||||||
sidecar: |
|
sidecar: |
|
||||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
|
||||||
|
gateway: |
|
||||||
|
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- with .Values.sidecarInjectorWebhook.templates }}
|
{{- with .Values.sidecarInjectorWebhook.templates }}
|
||||||
{{ toYaml . | trim | indent 6 }}
|
{{ toYaml . | trim | indent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -232,7 +232,7 @@ global:
|
|||||||
# Dev builds from prow are on gcr.io
|
# Dev builds from prow are on gcr.io
|
||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.1
|
tag: 1.9.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
export ISTIO_VERSION=1.9.1
|
export ISTIO_VERSION=1.9.2
|
||||||
|
|
||||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||||
NAME="istio-$ISTIO_VERSION"
|
NAME="istio-$ISTIO_VERSION"
|
||||||
|