diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index f1e0e668..27ff228f 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.2.5 -appVersion: 1.6.9 +version: 0.3.0 +appVersion: 1.7.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,5 +16,5 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-operator - version: ">= 1.6" + version: ">= 1.7" kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 23cbeacf..b3ac36e4 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio Installs Istio Operator and KubeZero Istio profile -Current chart version is `0.2.4` +Current chart version is `0.3.0` Source code can be found [here](https://kubezero.com) @@ -13,7 +13,7 @@ Source code can be found [here](https://kubezero.com) | Repository | Name | Version | |------------|------|---------| -| | istio-operator | >= 1.6 | +| | istio-operator | >= 1.7 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration 
@@ -30,10 +30,12 @@ Source code can be found [here](https://kubezero.com) | ingress.replicaCount | int | `2` | | | ingress.type | string | `"NodePort"` | | | istio-operator.hub | string | `"docker.io/istio"` | | -| istio-operator.tag | string | `"1.6.7"` | | +| istio-operator.tag | string | `"1.7.1"` | | | istiod.autoscaleEnabled | bool | `false` | | | istiod.replicaCount | int | `1` | | ## Resources +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml - https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio/charts/istio-operator/Chart.yaml b/charts/kubezero-istio/charts/istio-operator/Chart.yaml index 4f4977f1..807caae8 100644 --- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-operator/Chart.yaml @@ -1,12 +1,12 @@ apiVersion: v1 name: istio-operator -version: 1.6.0 +version: 1.7.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio operator keywords: - istio - operator sources: - - http://github.com/istio/istio/operator + - https://github.com/istio/istio/tree/master/operator engine: gotpl -icon: https://istio.io/favicons/android-192x192.png +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml new file mode 100644 index 00000000..05fb86a6 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml 
@@ -0,0 +1,74 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ type: string
+ name: Status
+ - jsonPath: .metadata.creationTimestamp
+ description:
+ "CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description:
+ "APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
+ type: string
+ kind:
+ description:
+ "Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ spec:
+ description:
+ "Specification of the desired state of the istio control plane resource.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ status:
+ description:
+ "Status describes each of istio control plane component status at the current time.
+ 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+ More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+ https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
index d02da88d..bdbd5bda 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 creationTimestamp: null
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 rules:
 # istio groups
 - apiGroups:
@@ -29,12 +29,6 @@ rules:
 - '*'
 verbs:
 - '*'
-- apiGroups:
- - rbac.istio.io
- resources:
- - '*'
- verbs:
- - '*'
 - apiGroups:
 - security.istio.io
 resources:
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
index 39e26636..9b9df7da 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
@@ -1,13 +1,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 subjects:
 - kind: ServiceAccount
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 namespace: {{.Values.operatorNamespace}}
 roleRef:
 kind: ClusterRole
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 apiGroup: rbac.authorization.k8s.io
 ---
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml
deleted file mode 100644
index 6b85c37c..00000000
--- a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
-spec:
- group: install.istio.io
- names:
- kind: IstioOperator
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- spec:
- description: 'Specification of the desired state of the istio control plane resource.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- status:
- description: 'Status describes each of istio control plane component status at the current time.
- 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
- More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
- https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- versions:
- - name: v1alpha1
- served: true
- storage: true
----
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml
new file mode 100644
index 00000000..a3703650
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
index 5e302de7..73b5d663 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: {{.Values.operatorNamespace}}
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
 replicas: 1
 selector:
@@ -13,7 +13,7 @@ spec:
 labels:
 name: istio-operator
 spec:
- serviceAccountName: istio-operator
+ serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 nodeSelector:
 kubernetes.io/os: linux
 node-role.kubernetes.io/master: ""
@@ -26,14 +26,19 @@ spec:
 command:
 - operator
 - server
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
 imagePullPolicy: IfNotPresent
 resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 50m
- memory: 128Mi
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
 env:
 - name: WATCH_NAMESPACE
 value: {{.Values.watchedNamespaces | quote}}
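Review bot: The revision suffix is added to the Deployment name and to serviceAccountName, but the pod template label `name: istio-operator` (context in hunk @@ -13,7) stays fixed, and the Service in service.yaml carries the same fixed label. If the Deployment selector and the Service selector (both outside these hunks) match on that label, two revisions installed into the same operatorNamespace — the stated purpose of `revision` — would select each other's pods, so the label and both selectors should carry the suffix as well, e.g. `name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}`. The Deployment spec begins before and continues after these hunks.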
@@ -45,4 +50,8 @@ spec:
 fieldPath: metadata.name
 - name: OPERATOR_NAME
 value: {{.Values.operatorNamespace | quote}}
+ - name: WAIT_FOR_RESOURCES_TIMEOUT
+ value: {{.Values.waitForResourcesTimeout | quote}}
+ - name: REVISION
+ value: {{.Values.revision | quote}}
 ---
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml
index 93e2638b..e7967a72 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml
@@ -4,7 +4,7 @@ metadata:
 namespace: {{.Values.operatorNamespace}}
 labels:
 name: istio-operator
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
 ports:
 - name: http-metrics
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
index 32307f32..cb708eee 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
@@ -2,5 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 namespace: {{.Values.operatorNamespace}}
- name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 ---
diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml
index aa5d70ae..45c5c968 100644
--- a/charts/kubezero-istio/charts/istio-operator/values.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/values.yaml
@@ -1,5 +1,25 @@ hub: gcr.io/istio-testing -tag: 1.6-dev +tag: latest + operatorNamespace: istio-operator + # Used to replace istioNamespace to support operator watch multiple namespaces. watchedNamespaces: istio-system +waitForResourcesTimeout: 300s + +# Used for helm2 to add the CRDs to templates. +enableCRDTemplates: false + +# revision for the operator resources +revision: "" + +# Operator resource defaults +operator: + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + diff --git a/charts/kubezero-istio/istio-operator.patch b/charts/kubezero-istio/istio-operator.patch index 7043f507..bf364361 100644 --- a/charts/kubezero-istio/istio-operator.patch +++ b/charts/kubezero-istio/istio-operator.patch @@ -1,11 +1,9 @@ -diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -index 5ef7848..8350dd5 100644 ---- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -@@ -14,6 +14,12 @@ spec: +--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100 ++++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100 +@@ -14,6 +14,12 @@ name: istio-operator spec: - serviceAccountName: istio-operator + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/master: "" diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index 4324e5c8..2aebcc80 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml 
@@ -5221,6 +5221,67 @@ spec: --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 65f10afb..ed50e1d8 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -ISTIO_VERSION=1.6.9 +ISTIO_VERSION=1.7.1 NAME="istio-$ISTIO_VERSION" URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" @@ -15,7 +15,7 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts rm -rf istio-${ISTIO_VERSION} # Apply our patch -patch -i istio-operator.patch -p3 +patch -i istio-operator.patch -p0 # Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 61379acc..24c778c1 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -14,4 +14,4 @@ ingress: istio-operator: hub: docker.io/istio - tag: 1.6.9 + tag: 1.7.1
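Review bot: The `istioctl manifest generate` step that this hunk keeps now writes the `istiooperators.install.istio.io` CRD into templates/istio-base.yaml as apiextensions.k8s.io/v1beta1, while the vendored subchart ships the same CRD as apiextensions.k8s.io/v1 under charts/istio-operator/crds/crd-operator.yaml, so one cluster-scoped object is owned from two places. Helm 3 installs the crds/ copy once and never upgrades it, then the templated v1beta1 copy replaces it on install and on every upgrade, dropping the v1 definition's `Status` printer column and leaving the two files free to drift on the next bump. Filter the CRD out of the generated manifest after the `istioctl` call, or remove the crds/ copy, so a single definition is applied; a one-line comment next to `istio-base.yaml` naming which copy is authoritative would help the next update. The tarball download between the two hunks is not shown; if it does not verify a checksum for the release archive, this bump is a natural point to add one.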