ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 25 Packages Projects Releases Wiki Activity

feat: Istio version bump, optional support for proxyprotocol for ingress, bugfixes

Browse Source
This commit is contained in:
Stefan Reimer 2021-07-01 16:42:24 +02:00
parent 7fcdbfc2cd
commit 274ab74364
38 changed files with 11926 additions and 6624 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
charts/kubezero-istio-ingress/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.5.6
appVersion: 1.9.3
version: 0.6.0
appVersion: 1.10.2
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -16,9 +16,9 @@ dependencies:
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.9.3
version: 1.10.2
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.9.3
version: 1.10.2
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0"

29
charts/kubezero-istio-ingress/README.md
View File

@ -1,6 +1,6 @@
# kubezero-istio-ingress
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-ingress | 1.9.3 |
| | istio-private-ingress | 1.9.3 |
| | istio-ingress | 1.10.2 |
| | istio-private-ingress | 1.10.2 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0`
|-----|------|---------|-------------|
| global.arch.amd64 | int | `2` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| istio-ingress.dnsNames | list | `[]` | |
| istio-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | |
| istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0`
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-ingress.proxyProtocol | bool | `false` | |
| istio-ingress.telemetry.enabled | bool | `false` | |
| istio-private-ingress.dnsNames | list | `[]` | |
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-private-ingress.proxyProtocol | bool | `false` | |
| istio-private-ingress.telemetry.enabled | bool | `false` | |
## Resources

2
charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-ingress
version: 1.9.3
version: 1.10.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:

18
charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
View File

@ -1,4 +1,3 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
@ -45,17 +44,14 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
sidecar.istio.io/inject: "false"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
@ -219,13 +215,13 @@ spec:
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
{{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
{{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
@ -233,7 +229,7 @@ spec:
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
value: "{{ $val }}"
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}

20
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
View File

@ -24,17 +24,8 @@ gateways:
targetPort: 8443
name: https
protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# Scalability tuning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
@ -174,7 +165,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.3
tag: 1.10.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
@ -310,11 +301,14 @@ global:
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig:
proxyMetadata: {}
tracing:

2
charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-private-ingress
version: 1.9.3
version: 1.10.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:

18
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
View File

@ -1,4 +1,3 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1
@ -45,17 +44,14 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
sidecar.istio.io/inject: "false"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
@ -219,13 +215,13 @@ spec:
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
{{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
{{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }}
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
@ -233,7 +229,7 @@ spec:
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
value: "{{ $val }}"
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}

20
charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
View File

@ -24,17 +24,8 @@ gateways:
targetPort: 8443
name: https
protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# Scalability tuning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
@ -174,7 +165,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.3
tag: 1.10.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
@ -310,11 +301,14 @@ global:
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig:
proxyMetadata: {}
tracing:

2
charts/kubezero-istio-ingress/templates/bootstrap-config.yaml
View File

@ -1,6 +1,6 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
# https://github.com/istio/istio/issues/24715
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: v1
kind: ConfigMap
metadata:

43
charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
View File

@ -1,4 +1,4 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
@ -7,6 +7,47 @@ metadata:
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
# SOL_SOCKET = 1
# SO_KEEPALIVE = 9
- level: 1
name: 9
int_value: 1
state: STATE_LISTENING
# IPPROTO_TCP = 6
# TCP_KEEPIDLE = 4
- level: 6
name: 4
int_value: 120
state: STATE_LISTENING
# TCP_KEEPINTVL = 5
- level: 6
name: 5
int_value: 60
state: STATE_LISTENING
{{- end }}
{{- if index .Values "istio-private-ingress" "enabled" }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:

44
charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml Normal file
View File

@ -0,0 +1,44 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}

34
charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
View File

@ -1,35 +1,39 @@
{{- if index .Values "istio-ingress" "dnsNames" }}
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ingress-cert
namespace: {{ .Release.Namespace }}
name: {{ $cert.name }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
secretName: ingress-cert
secretName: {{ $cert.name }}
issuerRef:
name: letsencrypt-dns-prod
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
{{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }}
{{- if index .Values "istio-private-ingress" "dnsNames" }}
---
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: private-ingress-cert
namespace: {{ .Release.Namespace }}
name: {{ $cert.name }}
namespace: {{ $.Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{ include "kubezero-lib.labels" $ | indent 4 }}
spec:
secretName: private-ingress-cert
issuerRef:
name: letsencrypt-dns-prod
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer
dnsNames:
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
{{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }}

71
charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
View File

@ -1,6 +1,6 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
@ -17,23 +17,25 @@ spec:
name: http
protocol: HTTP2
hosts:
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
tls:
httpsRedirect: true
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
- port:
number: 443
name: https
protocol: HTTPS
hosts:
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: ingress-cert
credentialName: {{ $cert.name }}
{{- end }}
{{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
@ -51,53 +53,62 @@ spec:
name: http
protocol: HTTP2
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
tls:
httpsRedirect: true
# All SSL hosts one entry per ingress-certificate
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
- port:
number: 443
name: https
protocol: HTTPS
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: private-ingress-cert
- port:
number: 5672
name: amqp
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
credentialName: {{ $cert.name }}
- port:
number: 24224
name: fluentd-forward
protocol: TLS
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: private-ingress-cert
credentialName: {{ $cert.name }}
{{- end }}
- port:
number: 5672
name: amqp
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 6379
name: redis
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 6380
name: redis-1
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
{{- end }}

53
charts/kubezero-istio-ingress/values.yaml
View File

@ -1,10 +1,9 @@
# Make sure these values match kuberzero-istio !!!
global:
#hub: docker.io/istio
#tag: 1.9.3
#tag: 1.10.2
logAsJson: true
jwtPolicy: first-party-jwt
priorityClassName: "system-cluster-critical"
@ -69,21 +68,13 @@ istio-ingress:
targetPort: 8443
nodePort: 30443
protocol: TCP
## multi-cluster - disabled on public LBs
#- name: tcp-istiod
# port: 15012
# targetPort: 15012
# nodePort: 30012
# protocol: TCP
## multi-cluster sni east-west
#- name: tls
# port: 15443
# targetPort: 15443
# nodePort: 30044
# protocol: TCP
dnsNames: []
# - '*.example.com'
certificates:
- name: ingress-cert
dnsNames: []
# - '*.example.com'
proxyProtocol: false
meshConfig:
defaultConfig:
@ -123,8 +114,16 @@ istio-private-ingress:
values: istio-private-ingressgateway
type: NodePort
podAnnotations:
# sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
- name: custom-bootstrap-volume
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
@ -143,18 +142,6 @@ istio-private-ingress:
targetPort: 8443
nodePort: 31443
protocol: TCP
# multi-cluster
- name: tcp-istiod
port: 15012
targetPort: 15012
nodePort: 31012
protocol: TCP
# multi-cluster sni east-west
- name: tls
port: 15443
targetPort: 15443
nodePort: 31044
protocol: TCP
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
@ -168,8 +155,12 @@ istio-private-ingress:
# port: 6379
# nodePort: 31379
dnsNames: []
# - '*.example.com'
certificates:
- name: private-ingress-cert
dnsNames: []
#- '*.example.com'
proxyProtocol: false
meshConfig:
defaultConfig:

8
charts/kubezero-istio/Chart.yaml
View File

@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio
description: KubeZero Umbrella Chart for Istio
type: application
version: 0.5.6
appVersion: 1.9.3
version: 0.6.0
appVersion: 1.10.2
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: base
version: 1.9.3
version: 1.10.2
- name: istio-discovery
version: 1.9.3
version: 1.10.2
kubeVersion: ">= 1.18.0"

7
charts/kubezero-istio/README.md
View File

@ -1,6 +1,6 @@
# kubezero-istio
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
KubeZero Umbrella Chart for Istio
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version |
|------------|------|---------|
| | base | 1.9.3 |
| | istio-discovery | 1.9.3 |
| | base | 1.10.2 |
| | istio-discovery | 1.10.2 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |

2
charts/kubezero-istio/charts/base/Chart.yaml
View File

@ -1,6 +1,6 @@
apiVersion: v1
name: base
version: 1.9.3
version: 1.10.2
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs
keywords:

8733
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
View File

File diff suppressed because it is too large Load Diff

74
charts/kubezero-istio/charts/base/crds/crd-operator.yaml
View File

@ -1,66 +1,48 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
additionalPrinterColumns:
- JSONPath: .spec.revision
description: Istio control plane revision
name: Revision
type: string
- JSONPath: .status.status
description: IOP current state
type: string
name: Status
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
description: 'Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
status:
description: 'Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
versions:
- name: v1alpha1
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
name: v1alpha1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---

8819
charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
View File

File diff suppressed because it is too large Load Diff

12
charts/kubezero-istio/charts/base/templates/clusterrole.yaml
View File

@ -19,11 +19,11 @@ rules:
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
@ -97,12 +97,20 @@ rules:
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

2
charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml
View File

@ -1,5 +1,5 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1beta1
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-{{ .Values.global.istioNamespace }}

2
charts/kubezero-istio/charts/istio-discovery/Chart.yaml
View File

@ -1,6 +1,6 @@
apiVersion: v1
name: istio-discovery
version: 1.9.3
version: 1.10.2
tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane
keywords:

4
charts/kubezero-istio/charts/istio-discovery/NOTES.txt
View File

@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included.
MCP and injector should optionally be installed in the same namespace. Alternatively remote
address of an MCP server can be set.
Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/KjkrDnMPByq7akrYA"

1
charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml
View File

@ -8,6 +8,7 @@ metadata:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:

208
charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
View File

@ -167,7 +167,6 @@ data:
"address": ""
}
},
"trustDomain": "",
"useMCP": false
},
"revision": "",
@ -183,7 +182,7 @@ data:
},
"rewriteAppHTTPProbe": true,
"templates": {},
"useLegacySelectors": true
"useLegacySelectors": false
}
}
@ -215,6 +214,7 @@ data:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
{{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }}
@ -286,7 +286,7 @@ data:
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@ -355,7 +355,7 @@ data:
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {}
securityContext:
allowPrivilegeEscalation: true
@ -417,6 +417,10 @@ data:
- wait
{{- end }}
env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
@ -519,7 +523,7 @@ data:
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
@ -706,6 +710,7 @@ data:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
@ -1063,8 +1068,6 @@ spec:
value: "false"
- name: CLUSTER_ID
value: "Kubernetes"
- name: EXTERNAL_ISTIOD
value: "false"
resources:
requests:
cpu: 500m
@ -1077,8 +1080,6 @@ spec:
drop:
- ALL
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
@ -1090,9 +1091,6 @@ spec:
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
- name: inject
mountPath: /var/lib/istio/inject
readOnly: true
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
@ -1115,13 +1113,6 @@ spec:
secret:
secretName: istio-kubeconfig
optional: true
# Optional - image should have
- name: inject
configMap:
name: istio-sidecar-injector
- name: config-volume
configMap:
name: istio
---
# Source: istio-discovery/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
@ -1148,12 +1139,17 @@ spec:
name: cpu
targetAverageUtilization: 80
---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
# Source: istio-discovery/templates/revision-tags.yaml
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
---
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: metadata exchange filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: metadata-exchange-1.8
name: metadata-exchange-1.10
namespace: istio-system
labels:
istio.io/rev: default
@ -1165,7 +1161,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1192,7 +1188,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1219,7 +1215,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1243,11 +1239,11 @@ spec:
local:
inline_string: envoy.wasm.metadata_exchange
---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-metadata-exchange-1.8
name: tcp-metadata-exchange-1.10
namespace: istio-system
labels:
istio.io/rev: default
@ -1257,7 +1253,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener: {}
patch:
operation: INSERT_BEFORE
@ -1272,7 +1268,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
cluster: {}
patch:
operation: MERGE
@ -1288,7 +1284,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
cluster: {}
patch:
operation: MERGE
@ -1301,12 +1297,12 @@ spec:
value:
protocol: istio-peer-exchange
---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: http stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.8
name: stats-filter-1.10
namespace: istio-system
labels:
istio.io/rev: default
@ -1316,7 +1312,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1337,6 +1333,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio"
}
vm_config:
vm_id: stats_outbound
@ -1348,7 +1346,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1369,6 +1367,16 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
vm_config:
vm_id: stats_inbound
@ -1380,7 +1388,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1401,6 +1409,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true
}
vm_config:
@ -1410,12 +1420,12 @@ spec:
local:
inline_string: envoy.wasm.stats
---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.8
name: tcp-stats-filter-1.10
namespace: istio-system
labels:
istio.io/rev: default
@ -1425,7 +1435,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1444,6 +1454,16 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
}
vm_config:
vm_id: tcp_stats_inbound
@ -1455,7 +1475,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1474,6 +1494,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio"
}
vm_config:
vm_id: tcp_stats_outbound
@ -1485,7 +1507,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -1504,6 +1526,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"debug": "false",
"stat_prefix": "istio"
}
vm_config:
vm_id: tcp_stats_outbound
@ -1937,7 +1961,7 @@ spec:
inline_string: "envoy.wasm.stats"
---
# Source: istio-discovery/templates/mutatingwebhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
@ -1948,12 +1972,13 @@ metadata:
app: sidecar-injector
release: istio
webhooks:
- name: sidecar-injector.istio.io
- name: rev.namespace.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
@ -1964,11 +1989,106 @@ webhooks:
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchLabels:
istio-injection: enabled
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "default"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: "sidecar.istio.io/inject"
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- name: rev.object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "default"
- name: namespace.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- name: object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist

11
charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
View File

@ -9,6 +9,7 @@ metadata:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
{{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }}
@ -80,7 +81,7 @@ spec:
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@ -149,7 +150,7 @@ spec:
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {}
securityContext:
allowPrivilegeEscalation: true
@ -211,6 +212,10 @@ spec:
- wait
{{- end }}
env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
@ -313,7 +318,7 @@ spec:
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:

9
charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
View File

@ -1,8 +1,7 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
@ -13,8 +12,6 @@
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- else if .Values.global.trustDomain }}
meshId: {{ .Values.global.trustDomain }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
@ -50,8 +47,8 @@
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}

22
charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
View File

@ -25,7 +25,7 @@ spec:
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision ""}}
{{- if ne .Values.revision "" }}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }}
@ -39,10 +39,10 @@ spec:
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot"
{{- if eq .Values.revision ""}}
istio: pilot
{{- else }}
{{- if ne .Values.revision "" }}
istio: istiod
{{- else }}
istio: pilot
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
@ -153,8 +153,6 @@ spec:
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- name: EXTERNAL_ISTIOD
value: "{{ $.Values.global.externalIstiod | default "false" }}"
{{- if not .Values.telemetry.v2.enabled }}
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
value: "false"
@ -173,8 +171,6 @@ spec:
drop:
- ALL
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
@ -188,9 +184,6 @@ spec:
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
- name: inject
mountPath: /var/lib/istio/inject
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
@ -219,13 +212,6 @@ spec:
secret:
secretName: istio-kubeconfig
optional: true
# Optional - image should have
- name: inject
configMap:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:

25
charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
View File

@ -11,6 +11,7 @@ a unique prefix to each. */}}
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
port: 443
{{- end }}
caBundle: ""
sideEffects: None
@ -24,7 +25,7 @@ a unique prefix to each. */}}
{{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1beta1
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
@ -41,7 +42,7 @@ metadata:
webhooks:
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }}
{{- include "core" . }}
namespaceSelector:
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
matchExpressions:
@ -92,18 +93,21 @@ webhooks:
{{- end }}
{{- else }}
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- if .Values.revision }}
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
- key: istio-injection
operator: DoesNotExist
objectSelector:
@ -114,7 +118,7 @@ webhooks:
- "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
@ -130,10 +134,15 @@ webhooks:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
{{- else }}
{{- /* "default" revision */}}
{{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}

2
charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml
View File

@ -16,7 +16,7 @@ spec:
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision ""}}
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
istio: pilot

113
charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml Normal file
View File

@ -0,0 +1,113 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- define "core" }}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: {{ .Values.istiodRemote.injectionURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}

2
charts/kubezero-istio/charts/istio-discovery/templates/service.yaml
View File

@ -27,7 +27,7 @@ spec:
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision ""}}
{{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.

98
charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml → charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml
View File

@ -3,7 +3,7 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -19,7 +19,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -54,7 +54,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -89,7 +89,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -124,7 +124,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -138,7 +138,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener: {}
patch:
operation: INSERT_BEFORE
@ -153,7 +153,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
cluster: {}
patch:
operation: MERGE
@ -169,7 +169,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
cluster: {}
patch:
operation: MERGE
@ -187,7 +187,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -201,7 +201,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -224,15 +224,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@ -255,7 +247,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -309,7 +301,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -333,15 +325,7 @@ spec:
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
"disable_host_header_fallback": true
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@ -365,7 +349,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -379,7 +363,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -431,7 +415,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -452,15 +436,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@ -483,7 +459,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -504,15 +480,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
"stat_prefix": "istio"
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@ -537,7 +505,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -552,7 +520,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -573,7 +541,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
@ -587,7 +555,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -608,7 +576,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
@ -621,7 +589,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -642,7 +610,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
@ -655,7 +623,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -670,7 +638,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -703,7 +671,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -735,7 +703,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.9.*'
proxyVersion: '^1\.10.*'
listener:
filterChain:
filter:
@ -768,7 +736,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -782,7 +750,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.9.*'
proxyVersion: '1\.10.*'
listener:
filterChain:
filter:

17
charts/kubezero-istio/charts/istio-discovery/values.yaml
View File

@ -68,7 +68,7 @@ sidecarInjectorWebhook:
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
# requests in Istiod, rather than at the webhook selection level.
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
useLegacySelectors: true
useLegacySelectors: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
@ -157,15 +157,13 @@ telemetry:
enabled: false
logging: false
monitoring: false
topology: false
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# enable_mesh_edges_reporting: true
# disable_server_access_logging: false
# meshEdgesReportingDuration: 500s
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
@ -176,6 +174,9 @@ telemetry:
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
@ -197,6 +198,10 @@ meshConfig:
rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
@ -232,7 +237,7 @@ global:
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.9.3
tag: 1.10.2
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
@ -505,8 +510,6 @@ global:
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true

8
charts/kubezero-istio/templates/grafana-dashboards.yaml
View File

File diff suppressed because one or more lines are too long

4
charts/kubezero-istio/update.sh
View File

@ -4,14 +4,14 @@ set -ex
### TODO
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
export ISTIO_VERSION=1.9.3
export ISTIO_VERSION=1.10.2
rm -rf istio
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
mv istio-${ISTIO_VERSION} istio
# remove unused old telemetry filters
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
# Patch
patch -p0 -i zdt.patch --no-backup-if-mismatch

3
charts/kubezero-istio/values.yaml
View File

@ -1,9 +1,8 @@
global:
# hub: docker.io/istio
# tag: 1.9.3
# tag: 1.10.2
logAsJson: true
jwtPolicy: first-party-jwt
defaultPodDisruptionBudget:
enabled: false