chore: Bump Istio version from 1.9.1 to 1.9.2

This commit is contained in:
Stefan Reimer 2021-03-26 17:34:43 +01:00
parent bc6d5c45a8
commit 1a1f5e7cd6
34 changed files with 830 additions and 209 deletions

View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.5.0
appVersion: 1.9.1
version: 0.5.1
appVersion: 1.9.2
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -16,9 +16,9 @@ dependencies:
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.9.1
version: 1.9.2
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.9.1
version: 1.9.2
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0"

View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-ingress
version: 1.9.1
version: 1.9.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:

View File

@ -3,7 +3,7 @@
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
@ -17,7 +17,7 @@ spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
metrics:
- type: Resource
resource:

View File

@ -1,8 +1,10 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
@ -32,7 +34,7 @@ spec:
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
@ -41,14 +43,17 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
@ -60,7 +65,7 @@ spec:
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
@ -123,7 +128,7 @@ spec:
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
- {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
@ -201,9 +206,9 @@ spec:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
@ -349,3 +354,4 @@ spec:
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,143 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

View File

@ -3,7 +3,7 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}

View File

@ -1,78 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

View File

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}

View File

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
@ -12,8 +12,8 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
name: {{ $gateway.name }}-service-account
---

View File

@ -3,7 +3,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}

View File

@ -8,7 +8,7 @@ imagePullSecrets:
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}

View File

@ -120,6 +120,9 @@ gateways:
# whether to run the gateway in a privileged container
runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
@ -171,7 +174,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.1
tag: 1.9.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.

View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-private-ingress
version: 1.9.1
version: 1.9.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:

View File

@ -3,7 +3,7 @@
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
@ -17,7 +17,7 @@ spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
metrics:
- type: Resource
resource:

View File

@ -1,8 +1,10 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
@ -32,7 +34,7 @@ spec:
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
@ -41,14 +43,17 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
@ -60,7 +65,7 @@ spec:
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
@ -123,7 +128,7 @@ spec:
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
- {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
@ -201,9 +206,9 @@ spec:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
@ -349,3 +354,4 @@ spec:
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,143 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}

View File

@ -3,7 +3,7 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}

View File

@ -1,78 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

View File

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}

View File

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
@ -12,8 +12,8 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
name: {{ $gateway.name }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
name: {{ $gateway.name }}-service-account
---

View File

@ -3,7 +3,7 @@
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}

View File

@ -8,7 +8,7 @@ imagePullSecrets:
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}

View File

@ -120,6 +120,9 @@ gateways:
# whether to run the gateway in a privileged container
runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
@ -171,7 +174,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.1
tag: 1.9.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.

View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio
description: KubeZero Umbrella Chart for Istio
type: application
version: 0.5.0
appVersion: 1.9.1
version: 0.5.1
appVersion: 1.9.2
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: base
version: 1.9.1
version: 1.9.2
- name: istio-discovery
version: 1.9.1
version: 1.9.2
kubeVersion: ">= 1.18.0"

View File

@ -1,6 +1,6 @@
apiVersion: v1
name: base
version: 1.9.1
version: 1.9.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs
keywords:

View File

@ -2473,7 +2473,8 @@ spec:
format: int32
type: integer
perTryTimeout:
description: Timeout per retry attempt for a given request.
description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string
retryOn:
description: Specifies the conditions under which retry takes

View File

@ -2475,7 +2475,8 @@ spec:
format: int32
type: integer
perTryTimeout:
description: Timeout per retry attempt for a given request.
description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string
retryOn:
description: Specifies the conditions under which retry takes

View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-discovery
version: 1.9.1
version: 1.9.2
tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane
keywords:

View File

@ -0,0 +1,233 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}

View File

@ -695,6 +695,240 @@ data:
securityContext:
fsGroup: 1337
{{- end }}
gateway: |
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
---
# Source: istio-discovery/templates/service.yaml
apiVersion: v1

View File

@ -1,4 +1,4 @@
{{- $containers := list }}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:

View File

@ -48,6 +48,10 @@ data:
sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}

View File

@ -232,7 +232,7 @@ global:
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.1
tag: 1.9.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.

View File

@ -1,7 +1,7 @@
#!/bin/bash
set -ex
export ISTIO_VERSION=1.9.1
export ISTIO_VERSION=1.9.2
if [ ! -d istio-$ISTIO_VERSION ]; then
NAME="istio-$ISTIO_VERSION"