chore: Bump Istio version from 1.9.1 to 1.9.2
parent
bc6d5c45a8
commit
1a1f5e7cd6
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio-ingress
|
||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||
type: application
|
||||
version: 0.5.0
|
||||
appVersion: 1.9.1
|
||||
version: 0.5.1
|
||||
appVersion: 1.9.2
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -16,9 +16,9 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: istio-ingress
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
condition: istio-ingress.enabled
|
||||
- name: istio-private-ingress
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
condition: istio-private-ingress.enabled
|
||||
kubeVersion: ">= 1.18.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-ingress
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
|
@ -3,7 +3,7 @@
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
@ -17,7 +17,7 @@ spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
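Review bot: Dropping `| default "istio-ingressgateway"` from `name: {{ $gateway.name }}` in both hunks means an unset or empty `gateways.istio-ingressgateway.name` now renders as `name:` (null) and the HorizontalPodAutoscaler is rejected by the API server instead of falling back to the old default. The same default is removed in the Deployment, PodDisruptionBudget, Role, RoleBinding, Service and ServiceAccount templates of this chart and in the istio-private-ingress copies, so one missing value now breaks every resource at once. Presumably the chart's values.yaml sets `name:` explicitly, but the values.yaml hunk shown here does not include it — worth confirming, or keeping a single `{{- $name := $gateway.name | default "istio-ingressgateway" }}` at the top of each template. The HPA spec continues outside the hunk.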
|
||||
|
@ -1,8 +1,10 @@
|
||||
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if eq $gateway.injectionTemplate "" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
@ -32,7 +34,7 @@ spec:
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
@ -41,14 +43,17 @@ spec:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "false"
|
||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- end}}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
@ -60,7 +65,7 @@ spec:
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
serviceAccountName: {{ $gateway.name }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
@ -123,7 +128,7 @@ spec:
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- {{ $gateway.name }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
@ -201,9 +206,9 @@ spec:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
@ -349,3 +354,4 @@ spec:
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
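Review bot: This Deployment is only rendered inside `{{- if eq $gateway.injectionTemplate "" }}` (first hunk), so the new `sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"` on both the pod label and the pod annotation can only ever evaluate to `"false"`, and the added `{{- if ne $gateway.injectionTemplate "" }} inject.istio.io/templates: … {{- end}}` block can never render. The literal `sidecar.istio.io/inject: "false"` the hunk replaces stated the intent more plainly; if the templated form is kept for parity with upstream, a comment such as `{{/* always "false": this Deployment is rendered only when injectionTemplate is empty; see gateway-injected deployment otherwise */}}` above the label would save the next reader from looking for the case where it becomes true. The same applies to the istio-private-ingress copy of this template. The pod spec between the hunks is outside the view shown.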
|
||||
|
@ -0,0 +1,143 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
{{/* This provides a minimal gateway, ready to be injected.
|
||||
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "true"
|
||||
{{- with .Values.revision }}
|
||||
istio.io/rev: {{ . }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "true"
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
image: auto
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
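Review bot: In the new injected Deployment, `value: {{ $val }}` inside `{{- range $key, $val := $gateway.env }}` emits the environment value unquoted, so a value that looks like a boolean, number or file mode (`true`, `1.10`, `0644`) is retyped by the YAML parser and an empty value becomes null, and the Kubernetes API rejects the Deployment because `env[].value` must be a string. The `mountPath: {{ .mountPath | quote }}` and `secretName: {{ .secretName | quote }}` lines in the same file already use the safe form, so `value: {{ $val | quote }}` keeps the template consistent. The same loop appears in the istio-private-ingress copy of this file. `image: auto` is presumably rewritten by the injector into the real proxy image; a one-line `{{/* replaced by the sidecar injector; not a pullable image */}}` next to it would make that dependency explicit, since a pod created without injection cannot pull it.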
|
@ -3,7 +3,7 @@
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
|
@ -1,78 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
|
@ -2,7 +2,7 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
|
@ -2,7 +2,7 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
@ -12,8 +12,8 @@ metadata:
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
name: {{ $gateway.name }}-service-account
|
||||
---
|
||||
|
@ -3,7 +3,7 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
|
@ -8,7 +8,7 @@ imagePullSecrets:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
name: {{ $gateway.name }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
|
@ -120,6 +120,9 @@ gateways:
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||
injectionTemplate: ""
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
@ -171,7 +174,7 @@ global:
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.9.1
|
||||
tag: 1.9.2
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-private-ingress
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
|
@ -3,7 +3,7 @@
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
@ -17,7 +17,7 @@ spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
|
@ -1,8 +1,10 @@
|
||||
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if eq $gateway.injectionTemplate "" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
@ -32,7 +34,7 @@ spec:
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
@ -41,14 +43,17 @@ spec:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "false"
|
||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- end}}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
@ -60,7 +65,7 @@ spec:
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
serviceAccountName: {{ $gateway.name }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
@ -123,7 +128,7 @@ spec:
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- {{ $gateway.name }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
@ -201,9 +206,9 @@ spec:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
@ -349,3 +354,4 @@ spec:
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,143 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if ne $gateway.injectionTemplate "" }}
|
||||
{{/* This provides a minimal gateway, ready to be injected.
|
||||
Any settings from values.gateways should be here - these are options specific to the gateway.
|
||||
Global settings, like the image, various env vars and volumes, etc will be injected.
|
||||
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
sidecar.istio.io/inject: "true"
|
||||
{{- with .Values.revision }}
|
||||
istio.io/rev: {{ . }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "true"
|
||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
image: auto
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||
value: "true"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -3,7 +3,7 @@
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
|
@ -1,78 +0,0 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
|
@ -2,7 +2,7 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
|
@ -2,7 +2,7 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
@ -12,8 +12,8 @@ metadata:
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
name: {{ $gateway.name }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
name: {{ $gateway.name }}-service-account
|
||||
---
|
||||
|
@ -3,7 +3,7 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
name: {{ $gateway.name }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
|
@ -8,7 +8,7 @@ imagePullSecrets:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
name: {{ $gateway.name }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
|
@ -120,6 +120,9 @@ gateways:
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# The injection template to use for the gateway. If not set, no injection will be performed.
|
||||
injectionTemplate: ""
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
@ -171,7 +174,7 @@ global:
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.9.1
|
||||
tag: 1.9.2
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.5.0
|
||||
appVersion: 1.9.1
|
||||
version: 0.5.1
|
||||
appVersion: 1.9.2
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -16,7 +16,7 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: base
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
- name: istio-discovery
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
kubeVersion: ">= 1.18.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: base
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||
keywords:
|
||||
|
@ -2473,7 +2473,8 @@ spec:
|
||||
format: int32
|
||||
type: integer
|
||||
perTryTimeout:
|
||||
description: Timeout per retry attempt for a given request.
|
||||
description: Timeout per attempt for a given request, including
|
||||
the initial call and any retries.
|
||||
type: string
|
||||
retryOn:
|
||||
description: Specifies the conditions under which retry takes
|
||||
|
@ -2475,7 +2475,8 @@ spec:
|
||||
format: int32
|
||||
type: integer
|
||||
perTryTimeout:
|
||||
description: Timeout per retry attempt for a given request.
|
||||
description: Timeout per attempt for a given request, including
|
||||
the initial call and any retries.
|
||||
type: string
|
||||
retryOn:
|
||||
description: Specifies the conditions under which retry takes
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-discovery
|
||||
version: 1.9.1
|
||||
version: 1.9.2
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for istio control plane
|
||||
keywords:
|
||||
|
@ -0,0 +1,233 @@
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
labels:
|
||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
}
|
||||
spec:
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --serviceCluster
|
||||
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||
{{ else -}}
|
||||
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||
{{ end -}}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{ if .ObjectMeta.Annotations }}
|
||||
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||
value: |
|
||||
{{ toJSON .ObjectMeta.Annotations }}
|
||||
{{ end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# SDS channel between istioagent and Envoy
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-envoy
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- mountPath: /etc/certs/
|
||||
name: istio-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
volumes:
|
||||
# SDS channel between istioagent and Envoy
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-envoy
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
optional: true
|
||||
{{ if eq .Spec.ServiceAccountName "" }}
|
||||
secretName: istio.default
|
||||
{{ else -}}
|
||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
{{- end }}
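Review bot: The injected `istio-proxy` container in this template carries no container-level `securityContext`; the only hardening visible is the pod-level `fsGroup: 1337` behind `ENABLE_LEGACY_FSGROUP_INJECTION`, so unless the gateway Deployment it is injected into sets one itself, the proxy runs with whatever user and capabilities the pod spec or cluster admission defaults provide. This file looks vendored from upstream Istio, so the practical place to tighten it is the `gateway` entry of `sidecarInjectorWebhook.templates` that the injector configmap consults (`hasKey ... "gateway"`) rather than editing here, and the same content is duplicated verbatim in the `gateway: |` block of the `@ -695,6 +695,240 @@ data:` hunk, which inherits the same gap. A container-level context along the lines below is the defender-side default to confirm against the upstream template (the gateway listens on unprivileged ports in this version, so dropping capabilities should be safe, but verify). Separately, the env values rendered bare (`value: {{ .Values.global.jwtPolicy }}`, `value: {{ .Values.global.pilotCertProvider }}`, `value: {{ .Values.global.caAddress }}`) should be quoted like the neighbouring `value:` lines so an empty or boolean-looking setting cannot render as null or bool inside the pod spec.
```yaml
      - name: istio-proxy
        # … unchanged: image, ports, args, lifecycle, env, readinessProbe, volumeMounts …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
```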
|
@ -695,6 +695,240 @@ data:
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
gateway: |
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
labels:
|
||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
}
|
||||
spec:
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --serviceCluster
|
||||
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||
{{ else -}}
|
||||
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||
{{ end -}}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{ if .ObjectMeta.Annotations }}
|
||||
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||
value: |
|
||||
{{ toJSON .ObjectMeta.Annotations }}
|
||||
{{ end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# SDS channel between istioagent and Envoy
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-envoy
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- mountPath: /etc/certs/
|
||||
name: istio-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
volumes:
|
||||
# SDS channel between istioagent and Envoy
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-envoy
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
optional: true
|
||||
{{ if eq .Spec.ServiceAccountName "" }}
|
||||
secretName: istio.default
|
||||
{{ else -}}
|
||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
---
|
||||
# Source: istio-discovery/templates/service.yaml
|
||||
apiVersion: v1
|
||||
|
@ -48,6 +48,10 @@ data:
|
||||
sidecar: |
|
||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
|
||||
gateway: |
|
||||
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.sidecarInjectorWebhook.templates }}
|
||||
{{ toYaml . | trim | indent 6 }}
|
||||
{{- end }}
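Review bot: `.Files.Get` returns an empty string when `files/gateway-injection-template.yaml` is missing from the packaged chart, so the new `gateway: |` entry would silently install an empty injection template instead of failing the render; wrapping the lookup with `required` surfaces the packaging error at install time, e.g. `{{ required "files/gateway-injection-template.yaml is missing" (.Files.Get "files/gateway-injection-template.yaml") | trim | indent 8 }}`. The existing `sidecar` entry above has the same shape and would benefit from the same guard, though that line is not changed by this commit. The enclosing ConfigMap `data:` block starts above the hunk.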
|
||||
|
@ -232,7 +232,7 @@ global:
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: docker.io/istio
|
||||
# Default tag for Istio images.
|
||||
tag: 1.9.1
|
||||
tag: 1.9.2
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
export ISTIO_VERSION=1.9.1
|
||||
export ISTIO_VERSION=1.9.2
|
||||
|
||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||
NAME="istio-$ISTIO_VERSION"
|
||||
|