diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..aebd4c59 --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +BUCKET ?= zero-downtime +BUCKET_PREFIX ?= /cloudbender/distfiles +FILES ?= distfiles.txt + +.PHONY: clean update + +all: update + + +clean: + rm -f kube*.tgz + +update: + ./script/update_helm.sh diff --git a/charts/fluent-bit b/charts/fluent-bit deleted file mode 120000 index cd73d773..00000000 --- a/charts/fluent-bit +++ /dev/null @@ -1 +0,0 @@ -../../helm-charts/charts/fluent-bit \ No newline at end of file diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml new file mode 100644 index 00000000..99424f1e --- /dev/null +++ b/charts/kubeadm/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: kubeadm +description: KubeZero Kubeadm golden config +type: application +version: 1.18.14 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - kubeadm +maintainers: + - name: Quarky9 +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-logging/values-remote-es.yaml b/charts/kubeadm/README.md similarity index 100% rename from charts/kubezero-logging/values-remote-es.yaml rename to charts/kubeadm/README.md diff --git a/charts/kubeadm/README.md.gotmpl b/charts/kubeadm/README.md.gotmpl new file mode 100644 index 00000000..d29076a4 --- /dev/null +++ b/charts/kubeadm/README.md.gotmpl @@ -0,0 +1,28 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +Installs the Istio control plane + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +## Resources + +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ +- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 +- https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go +- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/ +- https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration + +- https://github.com/awslabs/amazon-eks-ami diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml new file mode 100644 index 00000000..f7c4238f --- /dev/null +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml @@ -0,0 +1,61 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: ClusterConfiguration +metadata: + name: kubezero-clusterconfiguration +kubernetesVersion: {{ .Values.clusterVersion }} +clusterName: {{ .Values.clusterName }} +controlPlaneEndpoint: {{ .Values.apiEndpoint }} +networking: + podSubnet: 10.244.0.0/16 +etcd: + local: + extraArgs: + listen-metrics-urls: "http://0.0.0.0:2381" + {{- with .Values.etcdExtraArgs }} + {{- toYaml . | nindent 6 }} + {{- end }} +controllerManager: + extraArgs: + profiling: "false" + bind-address: 0.0.0.0 + terminated-pod-gc-threshold: "300" + leader-elect: {{ .Values.clusterHighAvailable | quote }} + # Default anyways but make kube-bench happy + feature-gates: "RotateKubeletServerCertificate=true" +scheduler: + extraArgs: + profiling: "false" + bind-address: 0.0.0.0 + leader-elect: {{ .Values.clusterHighAvailable | quote }} +apiServer: + certSANs: + - {{ regexSplit ":" .Values.apiEndpoint -1 | first }} + extraArgs: + etcd-servers: {{ .Values.allEtcdEndpoints }} + profiling: "false" + feature-gates: "CSIMigration=true,CSIMigrationAWS=true,CSIMigrationAWSComplete=true" + audit-log-path: "/var/log/kubernetes/audit.log" + audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml + audit-log-maxage: "7" + audit-log-maxsize: "100" + audit-log-maxbackup: "3" + tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml + authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml + enable-admission-plugins: NodeRestriction,EventRateLimit + {{- if .Values.clusterHighAvailable }} + goaway-chance: ".001" + {{- end }} + {{- with .Values.apiExtraArgs }} + {{- toYaml . | nindent 4 }} + {{- end }} + extraVolumes: + - name: kubezero-apiserver + hostPath: /etc/kubernetes/apiserver + mountPath: /etc/kubernetes/apiserver + readOnly: true + pathType: DirectoryOrCreate + - name: audit-log + hostPath: /var/log/kubernetes + mountPath: /var/log/kubernetes + pathType: DirectoryOrCreate diff --git a/charts/kubeadm/templates/InitConfiguration.yaml b/charts/kubeadm/templates/InitConfiguration.yaml new file mode 100644 index 00000000..1b9deb3e --- /dev/null +++ b/charts/kubeadm/templates/InitConfiguration.yaml @@ -0,0 +1,12 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: InitConfiguration +metadata: + name: kubezero-initconfiguration +localAPIEndpoint: + bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }} +nodeRegistration: + ignorePreflightErrors: + - Swap + - DirAvailable--var-lib-etcd + kubeletExtraArgs: + node-labels: {{ .Values.nodeLabels | quote }} diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml new file mode 100644 index 00000000..6ad03ccd --- /dev/null +++ b/charts/kubeadm/templates/JoinConfiguration.yaml @@ -0,0 +1,18 @@ +apiVersion: kubeadm.k8s.io/v1beta2 +kind: JoinConfiguration +metadata: + name: kubezero-joinconfiguration +discovery: + bootstrapToken: + apiServerEndpoint: {{ .Values.apiEndpoint }} + token: {{ .Values.joinToken }} + caCertHashes: + - "{{ .Values.caCertHash }}" +nodeRegistration: + ignorePreflightErrors: + - DirAvailable--var-lib-etcd + - Swap +controlPlane: + localAPIEndpoint: + advertiseAddress: {{ .Values.ipAddress }} + bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }} diff --git a/charts/kubeadm/templates/KubeProxyConfiguration.yaml b/charts/kubeadm/templates/KubeProxyConfiguration.yaml new file mode 100644 index 00000000..6ca59450 --- /dev/null +++ b/charts/kubeadm/templates/KubeProxyConfiguration.yaml @@ -0,0 +1,6 @@ +apiVersion: kubeproxy.config.k8s.io/v1alpha1 +kind: KubeProxyConfiguration +metadata: + name: kubezero-kubeproxyconfiguration +metricsBindAddress: "0.0.0.0:10249" +mode: "" diff --git a/charts/kubeadm/templates/KubeletConfiguration.yaml b/charts/kubeadm/templates/KubeletConfiguration.yaml new file mode 100644 index 00000000..35682116 --- /dev/null +++ b/charts/kubeadm/templates/KubeletConfiguration.yaml @@ -0,0 +1,19 @@ +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +metadata: + name: kubezero-kubeletconfiguration +failSwapOn: false +hairpinMode: hairpin-veth +resolvConf: /run/systemd/resolve/resolv.conf +protectKernelDefaults: true +eventRecordQPS: 0 +# Breaks kubelet at boot time +# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt +# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key +tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256] +featureGates: + # Default anyways but make kube-bench happy + RotateKubeletServerCertificate: true + CSIMigration: true + CSIMigrationAWS: true + CSIMigrationAWSComplete: true diff --git a/charts/kubeadm/templates/apiserver/admission-configuration.yaml b/charts/kubeadm/templates/apiserver/admission-configuration.yaml new file mode 100644 index 00000000..76d79d07 --- /dev/null +++ b/charts/kubeadm/templates/apiserver/admission-configuration.yaml @@ -0,0 +1,7 @@ +apiVersion: apiserver.config.k8s.io/v1 +kind: AdmissionConfiguration +metadata: + name: kubezero-admissionconfiguration +plugins: +- name: EventRateLimit + path: /etc/kubernetes/apiserver/event-config.yaml diff --git a/charts/kubeadm/templates/apiserver/audit-policy.yaml b/charts/kubeadm/templates/apiserver/audit-policy.yaml new file mode 100644 index 00000000..40da4ea4 --- /dev/null +++ b/charts/kubeadm/templates/apiserver/audit-policy.yaml @@ -0,0 +1,7 @@ +# Don't Log anything, but audit policy enabled +apiVersion: audit.k8s.io/v1 +kind: Policy +metadata: + name: kubezero-auditpolicy +rules: +- level: None diff --git a/charts/kubeadm/templates/apiserver/event-config.yaml b/charts/kubeadm/templates/apiserver/event-config.yaml new file mode 100644 index 00000000..4e1166aa --- /dev/null +++ b/charts/kubeadm/templates/apiserver/event-config.yaml @@ -0,0 +1,13 @@ +apiVersion: eventratelimit.admission.k8s.io/v1alpha1 +kind: Configuration +metadata: + name: kubezero-eventratelimits +limits: +- type: Namespace + qps: 50 + burst: 100 + cacheSize: 20 +- type: User + qps: 10 + burst: 50 + cacheSize: 20 diff --git a/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml b/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml new file mode 100644 index 00000000..7ff85f7d --- /dev/null +++ b/charts/kubeadm/templates/aws-iam-authenticator/crds.yaml @@ -0,0 +1,32 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: iamidentitymappings.iamauthenticator.k8s.aws +spec: + group: iamauthenticator.k8s.aws + version: v1alpha1 + scope: Cluster + names: + plural: iamidentitymappings + singular: iamidentitymapping + kind: IAMIdentityMapping + categories: + - all + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + required: + - arn + - username + properties: + arn: + type: string + username: + type: string + groups: + type: array + items: + type: string diff --git a/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml b/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml new file mode 100644 index 00000000..6d6d235c --- /dev/null +++ b/charts/kubeadm/templates/aws-iam-authenticator/deployment.yaml @@ -0,0 +1,164 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aws-iam-authenticator +rules: +- apiGroups: + - iamauthenticator.k8s.aws + resources: + - iamidentitymappings + verbs: + - get + - list + - watch +- apiGroups: + - iamauthenticator.k8s.aws + resources: + - iamidentitymappings/status + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - aws-auth + verbs: + - get + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-iam-authenticator + namespace: kube-system + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: aws-iam-authenticator + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-iam-authenticator +subjects: +- kind: ServiceAccount + name: aws-iam-authenticator + namespace: kube-system + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: kube-system + name: aws-iam-authenticator + labels: + k8s-app: aws-iam-authenticator +data: + config.yaml: | + clusterID: {{ .Values.clusterName }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + namespace: kube-system + name: aws-iam-authenticator + labels: + k8s-app: aws-iam-authenticator + annotations: + seccomp.security.alpha.kubernetes.io/pod: runtime/default +spec: + selector: + matchLabels: + k8s-app: aws-iam-authenticator + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + labels: + k8s-app: aws-iam-authenticator + spec: + # use service account with access to + serviceAccountName: aws-iam-authenticator + + # run on the host network (don't depend on CNI) + hostNetwork: true + + # run on each master node + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - key: CriticalAddonsOnly + operator: Exists + + containers: + - name: aws-iam-authenticator + image: public.ecr.aws/x8h8t2o1/aws-iam-authenticator:v0.5.2 + args: + - server + - --backend-mode=CRD,MountedFile + - --config=/etc/aws-iam-authenticator/config.yaml + - --state-dir=/var/aws-iam-authenticator + - --kubeconfig-pregenerated=true + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + resources: + requests: + memory: 20Mi + cpu: 10m + limits: + memory: 20Mi + cpu: 100m + + volumeMounts: + - name: config + mountPath: /etc/aws-iam-authenticator/ + - name: state + mountPath: /var/aws-iam-authenticator/ + + volumes: + - name: config + configMap: + name: aws-iam-authenticator + - name: state + hostPath: + path: /var/aws-iam-authenticator/ +--- +apiVersion: iamauthenticator.k8s.aws/v1alpha1 +kind: IAMIdentityMapping +metadata: + name: kubernetes-admin +spec: + # Arn of the User or Role to be allowed to authenticate + arn: {{ .Values.kubeAdminRole }} + username: kubernetes-admin + groups: + - system:masters diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml new file mode 100644 index 00000000..b4d61489 --- /dev/null +++ b/charts/kubeadm/values.yaml @@ -0,0 +1,11 @@ +clusterVersion: 1.18.0 +clusterName: pleasechangeme +apiEndpoint: kube-api.changeme.org:6443 +etcdExtraArgs: {} + # Enable for > 1.18 + # unsafe-no-fsync: "true" +apiExtraArgs: {} +clusterHighAvailable: false +allEtcdEndpoints: "" +joinToken: "" +caCertHash: "" diff --git a/charts/kubezero-argo-cd/templates/app.yaml b/charts/kubezero-argo-cd/templates/app.yaml deleted file mode 100644 index 4bbff87e..00000000 --- a/charts/kubezero-argo-cd/templates/app.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kubezero - namespace: argocd - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - project: kubezero - source: - repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }} - targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }} - path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero - - helm: - values: | - {{- toYaml .Values.kubezero | nindent 8 }} - - destination: - server: {{ .Values.kubezero.global.defaultDestination.server }} - namespace: argocd - - {{- if .Values.kubezero.global.syncPolicy }} - syncPolicy: - {{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }} - {{- end }} diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml similarity index 85% rename from charts/kubezero-argo-cd/Chart.yaml rename to charts/kubezero-argocd/Chart.yaml index 93427001..52e63698 100644 --- a/charts/kubezero-argo-cd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application -name: kubezero-argo-cd -version: 0.6.0 +name: kubezero-argocd +version: 0.6.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,6 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: argo-cd - version: 2.9.3 + version: 2.9.5 repository: https://argoproj.github.io/argo-helm -kubeVersion: ">= 1.17.0" +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-argo-cd/README.md b/charts/kubezero-argocd/README.md similarity index 71% rename from charts/kubezero-argo-cd/README.md rename to charts/kubezero-argocd/README.md index abe476e1..81b8cfec 100644 --- a/charts/kubezero-argo-cd/README.md +++ b/charts/kubezero-argocd/README.md @@ -1,6 +1,6 @@ -# kubezero-argo-cd +# kubezero-argocd -![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) +![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application @@ -14,11 +14,11 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl ## Requirements -Kubernetes: `>= 1.17.0` +Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 | +| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0` | argo-cd.controller.metrics.enabled | bool | `false` | | | argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.dex.enabled | bool | `false` | | -| argo-cd.global.image.tag | string | `"v1.7.8"` | | +| argo-cd.global.image.tag | string | `"v1.7.10"` | | | argo-cd.installCRDs | bool | `false` | | -| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | -| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | -| argo-cd.istio.ipBlocks | list | `[]` | | | argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | | argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | | argo-cd.server.extraArgs[0] | string | `"--insecure"` | | @@ -53,12 +48,16 @@ Kubernetes: `>= 1.17.0` | argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | -| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster | -| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees | -| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications | -| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL | +| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | +| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | +| istio.ipBlocks | list | `[]` | | +| kubezero.enabled | bool | `false` | | +| kubezero.path | string | `"charts/kubezero"` | path within repoURL | +| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications | +| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster | +| kubezero.targetRevision | string | `"HEAD"` | git branch to track | +| kubezero.valuesFiles[0] | string | `"values.yaml"` | | ## Resources - https://argoproj.github.io/argo-cd/operator-manual/metrics/ diff --git a/charts/kubezero-argo-cd/README.md.gotmpl b/charts/kubezero-argocd/README.md.gotmpl similarity index 100% rename from charts/kubezero-argo-cd/README.md.gotmpl rename to charts/kubezero-argocd/README.md.gotmpl diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml similarity index 75% rename from charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml rename to charts/kubezero-argocd/templates/istio-authorization-policy.yaml index d757cd65..1b8ad971 100644 --- a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml @@ -1,5 +1,5 @@ -{{- if index .Values "argo-cd" "istio" "enabled" }} -{{- if index .Values "argo-cd" "istio" "ipBlocks" }} +{{- if .Values.istio.enabled }} +{{- if .Values.istio.ipBlocks }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: @@ -16,7 +16,7 @@ spec: - from: - source: notIpBlocks: - {{- with index .Values "argo-cd" "istio" "ipBlocks" }} + {{- with .Values.istio.ipBlocks }} {{- . | toYaml | nindent 8 }} {{- end }} to: diff --git a/charts/kubezero-argo-cd/templates/istio-service.yaml b/charts/kubezero-argocd/templates/istio-service.yaml similarity index 71% rename from charts/kubezero-argo-cd/templates/istio-service.yaml rename to charts/kubezero-argocd/templates/istio-service.yaml index 03d889cb..16ae10a1 100644 --- a/charts/kubezero-argo-cd/templates/istio-service.yaml +++ b/charts/kubezero-argocd/templates/istio-service.yaml @@ -1,4 +1,4 @@ -{{- if index .Values "argo-cd" "istio" "enabled" }} +{{- if .Values.istio.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -7,7 +7,7 @@ metadata: {{ include "kubezero-lib.labels" . | indent 4 }} spec: gateways: - - {{ index .Values "argo-cd" "istio" "gateway" }} + - {{ .Values.istio.gateway }} hosts: - {{ index .Values "argo-cd" "server" "config" "url" }} http: @@ -18,13 +18,13 @@ spec: prefix: argocd-client route: - destination: - host: {{ .Release.Name }}-argocd-server + host: argocd-server port: number: 443 - name: http route: - destination: - host: {{ .Release.Name }}-argocd-server + host: argocd-server port: number: 80 {{- end }} diff --git a/charts/kubezero-argo-cd/templates/project.yaml b/charts/kubezero-argocd/templates/kubezero.yaml similarity index 56% rename from charts/kubezero-argo-cd/templates/project.yaml rename to charts/kubezero-argocd/templates/kubezero.yaml index 8bf499f5..36808fd5 100644 --- a/charts/kubezero-argo-cd/templates/project.yaml +++ b/charts/kubezero-argocd/templates/kubezero.yaml @@ -1,3 +1,4 @@ +{{- if .Values.kubezero.enabled }} apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: @@ -12,7 +13,6 @@ spec: sourceRepos: - '*' - # Only permit applications to deploy to the guestbook namespace in the same cluster destinations: - namespace: argocd server: https://kubernetes.default.svc @@ -20,10 +20,10 @@ spec: server: https://kubernetes.default.svc - namespace: cert-manager server: https://kubernetes.default.svc - - namespace: istio-operator - server: https://kubernetes.default.svc - namespace: istio-system server: https://kubernetes.default.svc + - namespace: istio-ingress + server: https://kubernetes.default.svc - namespace: monitoring server: https://kubernetes.default.svc - namespace: elastic-system @@ -34,3 +34,32 @@ spec: clusterResourceWhitelist: - group: '*' kind: '*' + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubezero + namespace: argocd + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + project: kubezero + source: + repoURL: {{ .Values.kubezero.repoURL }} + targetRevision: {{ .Values.kubezero.targetRevision }} + path: {{ .Values.kubezero.path }} + + helm: + valueFiles: + {{- toYaml .Values.kubezero.valuesFiles | nindent 6 }} + + destination: + server: {{ .Values.kubezero.server }} + namespace: argocd + + {{- with .Values.kubezero.syncPolicy }} + syncPolicy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argocd/values.yaml similarity index 64% rename from charts/kubezero-argo-cd/values.yaml rename to charts/kubezero-argocd/values.yaml index 732571df..481fd85e 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argocd/values.yaml @@ -1,24 +1,35 @@ +# Configure app of apps kubezero: - global: - # kubezero.global.defaultDestination -- Destination cluster - defaultDestination: - server: https://kubernetes.default.svc + enabled: false - # This repoURL is used a base for all the repoURLs applications - # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be - # integrated into any repository as a git subtree if for example public internet access is unavailable - defaultSource: - # kubezero.global.defaultSource.repoURL -- default repository for argocd applications - repoURL: https://github.com/zero-down-time/kubezero - # kubezero.global.defaultSource.targetRevision -- default tracking of repoURL - targetRevision: HEAD - # kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees - pathPrefix: '' + # kubezero.server -- destination cluster + server: https://kubernetes.default.svc - # syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync - #syncPolicy: - # automated: - # prune: true + # This repoURL is used a base for all the repoURLs applications + # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be + # integrated into any repository as a git subtree if for example public internet access is unavailable + # kubezero.repoURL -- repository for kubezero argo applications + repoURL: https://github.com/zero-down-time/kubezero + # kubezero.targetRevision -- git branch to track + targetRevision: HEAD + # kubezero.path -- path within repoURL + path: 'charts/kubezero' + + # syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync + #syncPolicy: + # automated: + # prune: true + + valuesFiles: + - values.yaml + +# Support for Istio Ingress for ArgoCD +istio: + # istio.enabled -- Deploy Istio VirtualService to expose ArgoCD + enabled: false + # istio.gateway -- Name of the Istio gateway to add the VirtualService to + gateway: istio-ingress/ingressgateway + ipBlocks: [] argo-cd: installCRDs: false @@ -31,7 +42,7 @@ argo-cd: global: image: - tag: v1.7.8 + tag: v1.7.10 controller: args: @@ -44,7 +55,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -62,7 +72,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -72,6 +81,9 @@ argo-cd: # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio url: argocd.example.com + #repositories: | + # - url: https://zero-down-time.github.io/kubezero.git + resource.customizations: | cert-manager.io/Certificate: # Lua script for customizing the health status assessment @@ -105,7 +117,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -118,10 +129,3 @@ argo-cd: dex: enabled: false - - istio: - # argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD - enabled: false - # argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to - gateway: istio-system/ingressgateway - ipBlocks: [] diff --git a/charts/kubezero-aws-ebs-csi-driver/.gitignore b/charts/kubezero-aws-ebs-csi-driver/.gitignore deleted file mode 100644 index 5664e303..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/.gitignore +++ /dev/null @@ -1 +0,0 @@ -git diff --git a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml index 0b29e7ff..a13400ab 100644 --- a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver type: application -version: 0.3.2 -appVersion: 0.7.0 +version: 0.3.4 +appVersion: 0.8.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png sources: @@ -17,6 +17,9 @@ keywords: maintainers: - name: Quarky9 dependencies: + - name: aws-ebs-csi-driver + version: 0.7.1 + repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ diff --git a/charts/kubezero-aws-ebs-csi-driver/README.md b/charts/kubezero-aws-ebs-csi-driver/README.md index 50a76cb6..fc14ab98 100644 --- a/charts/kubezero-aws-ebs-csi-driver/README.md +++ b/charts/kubezero-aws-ebs-csi-driver/README.md @@ -1,6 +1,6 @@ # kubezero-aws-ebs-csi-driver -![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square) +![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.8.0](https://img.shields.io/badge/AppVersion-0.8.0-informational?style=flat-square) KubeZero Umbrella Chart for aws-ebs-csi-driver @@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| +| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.7.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## IAM Role diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml deleted file mode 100644 index 856db95a..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -appVersion: "0.7.0" -name: aws-ebs-csi-driver -description: A Helm chart for AWS EBS CSI Driver -version: 0.6.0 -kubeVersion: ">=1.13.0-0" -home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver -sources: - - https://github.com/kubernetes-sigs/aws-ebs-csi-driver -keywords: - - aws - - ebs - - csi -maintainers: - - name: leakingtapan - email: chengpan@amazon.com diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt deleted file mode 100644 index 34db916b..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt +++ /dev/null @@ -1,3 +0,0 @@ -To verify that aws-ebs-csi-driver has started, run: - - kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml deleted file mode 100644 index 0b967247..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-attacher-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml deleted file mode 100644 index 84f122a0..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-provisioner-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml deleted file mode 100644 index 5f0c758c..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.enableVolumeResizing }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-resizer-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - # The following rule should be uncommented for plugins that require secrets - # for provisioning. - # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - -{{- end}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml deleted file mode 100644 index ffdb1b7d..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml deleted file mode 100644 index 061b5658..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-snapshotter-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml deleted file mode 100644 index 1888a9b8..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-attacher-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-attacher-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml deleted file mode 100644 index 0fd54990..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-provisioner-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-provisioner-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml deleted file mode 100644 index b23063aa..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeResizing }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-resizer-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-resizer-role - apiGroup: rbac.authorization.k8s.io - -{{- end}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml deleted file mode 100644 index df4937a6..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshot-controller-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-snapshot-controller-role - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml deleted file mode 100644 index 6ebb1d91..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshotter-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-snapshotter-role - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml deleted file mode 100644 index e2b0a976..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml +++ /dev/null @@ -1,157 +0,0 @@ -# Controller Service -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ebs-csi-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.podAnnotations }} - annotations: {{ toYaml .Values.podAnnotations | nindent 8 }} - {{- end }} - spec: - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.nodeSelector }} -{{ toYaml . | indent 8 }} - {{- end }} - serviceAccountName: ebs-csi-controller-sa - priorityClassName: system-cluster-critical - {{- with .Values.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - tolerations: - - operator: Exists - {{- with .Values.tolerations }} -{{ toYaml . | indent 8 }} - {{- end }} - containers: - - name: ebs-plugin - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - {{- if ne .Release.Name "kustomize" }} - - controller - {{- else }} - # - {all,controller,node} # specify the driver mode - {{- end }} - - --endpoint=$(CSI_ENDPOINT) - {{- if .Values.extraVolumeTags }} - {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }} - {{- end }} - - --logtostderr - - --v=5 - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-secret - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-secret - key: access_key - optional: true - {{- if .Values.region }} - - name: AWS_REGION - value: {{ .Values.region }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} - - name: csi-provisioner - image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --v=5 - {{- if .Values.enableVolumeScheduling }} - - --feature-gates=Topology=true - {{- end}} - - --enable-leader-election - - --leader-election-type=leases - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-attacher - image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --leader-election-type=leases - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- if .Values.enableVolumeSnapshot }} - - name: csi-snapshotter - image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- end }} - {{- if .Values.enableVolumeResizing }} - - name: csi-resizer - image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }} - imagePullPolicy: Always - args: - - --csi-address=$(ADDRESS) - - --v=5 - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- end }} - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /csi - volumes: - - name: socket-dir - emptyDir: {} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml deleted file mode 100644 index 1858e39c..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: storage.k8s.io/v1beta1 -kind: CSIDriver -metadata: - name: ebs.csi.aws.com - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - attachRequired: true - podInfoOnMount: false diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml deleted file mode 100644 index d6eadbcf..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml +++ /dev/null @@ -1,117 +0,0 @@ -# Node Service -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ebs-csi-node - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.node.podAnnotations }} - annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} - {{- end }} - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - nodeSelector: - kubernetes.io/os: linux - hostNetwork: true - priorityClassName: system-node-critical - tolerations: - - operator: Exists - {{- with .Values.node.tolerations }} -{{ toYaml . | indent 8 }} - {{- end }} - containers: - - name: ebs-plugin - securityContext: - privileged: true - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --logtostderr - - --v=5 - env: - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock - volumeMounts: - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - - name: node-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=5 - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"] - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: plugin-dir - mountPath: /csi - volumes: - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml deleted file mode 100644 index 947d241e..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-leaderelection - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml deleted file mode 100644 index 11d8ed49..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-leaderelection - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: Role - name: snapshot-controller-leaderelection - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml deleted file mode 100644 index 9e2cf7cc..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-csi-controller-sa - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.controller.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - {{- if eq .Release.Name "kustomize" }} - #Enable if EKS IAM for SA is used - #annotations: - # eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role - {{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml deleted file mode 100644 index baa39c84..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-snapshot-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.snapshot.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml deleted file mode 100644 index b8246091..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} -#Snapshot controller -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: ebs-snapshot-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - serviceName: ebs-snapshot-controller - replicas: 1 - selector: - matchLabels: - app: ebs-snapshot-controller - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-snapshot-controller - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - spec: - serviceAccountName: ebs-snapshot-controller - containers: - - name: snapshot-controller - image: quay.io/k8scsi/snapshot-controller:v2.1.1 - args: - - --v=5 - - --leader-election=false -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml deleted file mode 100644 index 8084d626..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml +++ /dev/null @@ -1,86 +0,0 @@ -# Default values for aws-ebs-csi-driver. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 2 - -image: - repository: amazon/aws-ebs-csi-driver - tag: "v0.7.0" - pullPolicy: IfNotPresent - -sidecars: - provisionerImage: - repository: quay.io/k8scsi/csi-provisioner - tag: "v1.5.0" - attacherImage: - repository: quay.io/k8scsi/csi-attacher - tag: "v1.2.0" - snapshotterImage: - repository: quay.io/k8scsi/csi-snapshotter - tag: "v2.1.1" - livenessProbeImage: - repository: quay.io/k8scsi/livenessprobe - tag: "v1.1.0" - resizerImage: - repository: quay.io/k8scsi/csi-resizer - tag: "v0.3.0" - nodeDriverRegistrarImage: - repository: quay.io/k8scsi/csi-node-driver-registrar - tag: "v1.1.0" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -podAnnotations: {} - -# True if enable volume scheduling for dynamic volume provisioning -enableVolumeScheduling: false - -# True if enable volume resizing -enableVolumeResizing: false - -# True if enable volume snapshot -enableVolumeSnapshot: false - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Extra volume tags to attach to each dynamically provisioned volume. -# --- -# extraVolumeTags: -# key1: value1 -# key2: value2 -extraVolumeTags: {} - -# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata -# service. -# --- -# region: us-east-1 -region: "" - -node: - podAnnotations: {} - tolerations: [] - -serviceAccount: - controller: - annotations: {} - snapshot: - annotations: {} diff --git a/charts/kubezero-aws-ebs-csi-driver/templates/storage-class.yaml b/charts/kubezero-aws-ebs-csi-driver/templates/storage-class.yaml index f03138e8..094d43a1 100644 --- a/charts/kubezero-aws-ebs-csi-driver/templates/storage-class.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/templates/storage-class.yaml @@ -4,6 +4,22 @@ apiVersion: storage.k8s.io/v1 metadata: name: ebs-sc-gp2-xfs labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +provisioner: ebs.csi.aws.com +volumeBindingMode: WaitForFirstConsumer +parameters: + csi.storage.k8s.io/fstype: xfs + type: gp2 + encrypted: "true" +{{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }} +allowVolumeExpansion: true +{{- end }} +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: ebs-sc-gp3-xfs + labels: {{ include "kubezero-lib.labels" . | indent 4 }} {{- if .Values.StorageClass.default }} annotations: @@ -13,7 +29,7 @@ provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer parameters: csi.storage.k8s.io/fstype: xfs - type: gp2 + type: gp3 encrypted: "true" {{- if index .Values "aws-ebs-csi-driver" "enableVolumeResizing" }} allowVolumeExpansion: true diff --git a/charts/kubezero-aws-ebs-csi-driver/update.sh b/charts/kubezero-aws-ebs-csi-driver/update.sh deleted file mode 100755 index 44c1520d..00000000 --- a/charts/kubezero-aws-ebs-csi-driver/update.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -set -ex - -# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts - -REPO="kubernetes-sigs/aws-ebs-csi-driver" -[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1) - -rm -rf git -git clone https://github.com/$REPO.git git -cd git && git checkout $RELEASE && cd - - -rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver -mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver diff --git a/charts/kubezero-aws-ebs-csi-driver/.helmignore b/charts/kubezero-aws-efs-csi-driver/.helmignore similarity index 98% rename from charts/kubezero-aws-ebs-csi-driver/.helmignore rename to charts/kubezero-aws-efs-csi-driver/.helmignore index 50af0317..58b068b4 100644 --- a/charts/kubezero-aws-ebs-csi-driver/.helmignore +++ b/charts/kubezero-aws-efs-csi-driver/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ + +git diff --git a/charts/kubezero-calico/Chart.yaml b/charts/kubezero-calico/Chart.yaml index 46adbe13..f346a5f4 100644 --- a/charts/kubezero-calico/Chart.yaml +++ b/charts/kubezero-calico/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-calico description: KubeZero Umbrella Chart for Calico type: application -version: 0.2.0 -appVersion: v3.16.1 +version: 0.2.1 +appVersion: v3.16.5 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-calico/README.md b/charts/kubezero-calico/README.md index 8b947f8a..e660c3bf 100644 --- a/charts/kubezero-calico/README.md +++ b/charts/kubezero-calico/README.md @@ -1,6 +1,6 @@ # kubezero-calico -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square) +![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square) KubeZero Umbrella Chart for Calico @@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from | Key | Type | Default | Description | |-----|------|---------|-------------| | image.tag | string | `""` | | -| installCRDs | bool | `false` | | | loglevel | string | `"Warning"` | | | mtu | int | `8941` | | | network | string | `"vxlan"` | | diff --git a/charts/kubezero-calico/calico-v3.15.patch b/charts/kubezero-calico/calico-v3.15.patch deleted file mode 100644 index 786d2906..00000000 --- a/charts/kubezero-calico/calico-v3.15.patch +++ /dev/null @@ -1,101 +0,0 @@ ---- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100 -+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100 -@@ -10,13 +10,13 @@ - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. -- calico_backend: "bird" -+ calico_backend: "vxlan" - # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. -- veth_mtu: "1410" -+ veth_mtu: "8941" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. -@@ -3451,29 +3451,6 @@ - terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - initContainers: -- # This container performs upgrade from host-local IPAM to calico-ipam. -- # It can be deleted if this is a fresh installation, or if you have already -- # upgraded to use calico-ipam. -- - name: upgrade-ipam -- image: calico/cni:v3.15.0 -- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] -- env: -- - name: KUBERNETES_NODE_NAME -- valueFrom: -- fieldRef: -- fieldPath: spec.nodeName -- - name: CALICO_NETWORKING_BACKEND -- valueFrom: -- configMapKeyRef: -- name: calico-config -- key: calico_backend -- volumeMounts: -- - mountPath: /var/lib/cni/networks -- name: host-local-net-dir -- - mountPath: /host/opt/cni/bin -- name: cni-bin-dir -- securityContext: -- privileged: true - # This container installs the CNI binaries - # and CNI network config file on each node. - - name: install-cni -@@ -3545,7 +3522,7 @@ - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE -- value: "k8s,bgp" -+ value: "k8s,kubeadm" - # Auto-detect the BGP IP address. - - name: IP - value: "autodetect" -@@ -3554,7 +3531,7 @@ - value: "Never" - # Enable or Disable VXLAN on the default IP pool. - - name: CALICO_IPV4POOL_VXLAN -- value: "CrossSubnet" -+ value: "Always" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: -@@ -3595,9 +3572,17 @@ - value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN -- value: "info" -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYFILE -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYSYS -+ value: "" - - name: FELIX_HEALTHENABLED - value: "true" -+ - name: FELIX_PROMETHEUSGOMETRICSENABLED -+ value: "false" -+ - name: FELIX_PROMETHEUSMETRICSENABLED -+ value: "true" - securityContext: - privileged: true - resources: -@@ -3608,7 +3593,6 @@ - command: - - /bin/calico-node - - -felix-live -- - -bird-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 -@@ -3617,7 +3601,6 @@ - command: - - /bin/calico-node - - -felix-ready -- - -bird-ready - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules diff --git a/charts/kubezero-calico/calico-v3.16.5.patch b/charts/kubezero-calico/calico-v3.16.5.patch new file mode 100644 index 00000000..0db98ff9 --- /dev/null +++ b/charts/kubezero-calico/calico-v3.16.5.patch @@ -0,0 +1,3359 @@ +--- calico-vxlan.yaml 2020-11-17 08:12:04.783766338 -0800 ++++ templates/calico.yaml 2020-11-17 08:10:35.583765716 -0800 +@@ -10,13 +10,13 @@ + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. +- calico_backend: "vxlan" ++ calico_backend: "{{ .Values.network }}" + # Configure the MTU to use for workload interfaces and tunnels. + # - If Wireguard is enabled, set to your network MTU - 60 + # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 + # - Otherwise, if IPIP is enabled, set to your network MTU - 20 + # - Otherwise, if not using any encapsulation, set to your network MTU. +- veth_mtu: "1410" ++ veth_mtu: "{{ .Values.mtu }}" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. +@@ -55,3230 +55,6 @@ + } + + --- +-# Source: calico/templates/kdd-crds.yaml +- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgpconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPConfiguration +- listKind: BGPConfigurationList +- plural: bgpconfigurations +- singular: bgpconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: BGPConfiguration contains the configuration for any BGP routing. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPConfigurationSpec contains the values of the BGP configuration. +- properties: +- asNumber: +- description: 'ASNumber is the default AS number used by a node. [Default: +- 64512]' +- format: int32 +- type: integer +- communities: +- description: Communities is a list of BGP community values and their +- arbitrary names for tagging routes. +- items: +- description: Community contains standard or large community value +- and its name. +- properties: +- name: +- description: Name given to community value. +- type: string +- value: +- description: Value must be of format `aa:nn` or `aa:nn:mm`. +- For standard community use `aa:nn` format, where `aa` and +- `nn` are 16 bit number. For large community use `aa:nn:mm` +- format, where `aa`, `nn` and `mm` are 32 bit number. Where, +- `aa` is an AS Number, `nn` and `mm` are per-AS identifier. +- pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ +- type: string +- type: object +- type: array +- listenPort: +- description: ListenPort is the port where BGP protocol should listen. +- Defaults to 179 +- maximum: 65535 +- minimum: 1 +- type: integer +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: INFO]' +- type: string +- nodeToNodeMeshEnabled: +- description: 'NodeToNodeMeshEnabled sets whether full node to node +- BGP mesh is enabled. [Default: true]' +- type: boolean +- prefixAdvertisements: +- description: PrefixAdvertisements contains per-prefix advertisement +- configuration. +- items: +- description: PrefixAdvertisement configures advertisement properties +- for the specified CIDR. +- properties: +- cidr: +- description: CIDR for which properties should be advertised. +- type: string +- communities: +- description: Communities can be list of either community names +- already defined in `Specs.Communities` or community value +- of format `aa:nn` or `aa:nn:mm`. For standard community use +- `aa:nn` format, where `aa` and `nn` are 16 bit number. For +- large community use `aa:nn:mm` format, where `aa`, `nn` and +- `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and +- `mm` are per-AS identifier. +- items: +- type: string +- type: array +- type: object +- type: array +- serviceClusterIPs: +- description: ServiceClusterIPs are the CIDR blocks from which service +- cluster IPs are allocated. If specified, Calico will advertise these +- blocks, as well as any cluster IPs within them. +- items: +- description: ServiceClusterIPBlock represents a single allowed ClusterIP +- CIDR block. +- properties: +- cidr: +- type: string +- type: object +- type: array +- serviceExternalIPs: +- description: ServiceExternalIPs are the CIDR blocks for Kubernetes +- Service External IPs. Kubernetes Service ExternalIPs will only be +- advertised if they are within one of these blocks. +- items: +- description: ServiceExternalIPBlock represents a single allowed +- External IP CIDR block. +- properties: +- cidr: +- type: string +- type: object +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgppeers.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPPeer +- listKind: BGPPeerList +- plural: bgppeers +- singular: bgppeer +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPPeerSpec contains the specification for a BGPPeer resource. +- properties: +- asNumber: +- description: The AS Number of the peer. +- format: int32 +- type: integer +- keepOriginalNextHop: +- description: Option to keep the original nexthop field when routes +- are sent to a BGP Peer. Setting "true" configures the selected BGP +- Peers node to use the "next hop keep;" instead of "next hop self;"(default) +- in the specific branch of the Node on "bird.cfg". +- type: boolean +- node: +- description: The node name identifying the Calico node instance that +- is peering with this peer. If this is not set, this represents a +- global peer, i.e. a peer that peers with every node in the deployment. +- type: string +- nodeSelector: +- description: Selector for the nodes that should have this peering. When +- this is set, the Node field must be empty. +- type: string +- password: +- description: Optional BGP password for the peerings generated by this +- BGPPeer resource. +- properties: +- secretKeyRef: +- description: Selects a key of a secret in the node pod's namespace. +- properties: +- key: +- description: The key of the secret to select from. Must be +- a valid secret key. +- type: string +- name: +- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +- TODO: Add other useful fields. apiVersion, kind, uid?' +- type: string +- optional: +- description: Specify whether the Secret or its key must be +- defined +- type: boolean +- required: +- - key +- type: object +- type: object +- peerIP: +- description: The IP address of the peer followed by an optional port +- number to peer with. If port number is given, format should be `[]:port` +- or `:` for IPv4. If optional port number is not set, +- and this peer IP and ASNumber belongs to a calico/node with ListenPort +- set in BGPConfiguration, then we use that port to peer. +- type: string +- peerSelector: +- description: Selector for the remote nodes to peer with. When this +- is set, the PeerIP and ASNumber fields must be empty. For each +- peering between the local node and selected remote nodes, we configure +- an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, +- and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The +- remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, +- or the global default if that is not set. +- type: string +- required: +- - asNumber +- - peerIP +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: blockaffinities.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BlockAffinity +- listKind: BlockAffinityList +- plural: blockaffinities +- singular: blockaffinity +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BlockAffinitySpec contains the specification for a BlockAffinity +- resource. +- properties: +- cidr: +- type: string +- deleted: +- description: Deleted indicates that this block affinity is being deleted. +- This field is a string for compatibility with older releases that +- mistakenly treat this field as a string. +- type: string +- node: +- type: string +- state: +- type: string +- required: +- - cidr +- - deleted +- - node +- - state +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: clusterinformations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: ClusterInformation +- listKind: ClusterInformationList +- plural: clusterinformations +- singular: clusterinformation +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: ClusterInformation contains the cluster specific information. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: ClusterInformationSpec contains the values of describing +- the cluster. +- properties: +- calicoVersion: +- description: CalicoVersion is the version of Calico that the cluster +- is running +- type: string +- clusterGUID: +- description: ClusterGUID is the GUID of the cluster +- type: string +- clusterType: +- description: ClusterType describes the type of the cluster +- type: string +- datastoreReady: +- description: DatastoreReady is used during significant datastore migrations +- to signal to components such as Felix that it should wait before +- accessing the datastore. +- type: boolean +- variant: +- description: Variant declares which variant of Calico should be active. +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: felixconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: FelixConfiguration +- listKind: FelixConfigurationList +- plural: felixconfigurations +- singular: felixconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: Felix Configuration contains the configuration for Felix. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: FelixConfigurationSpec contains the values of the Felix configuration. +- properties: +- allowIPIPPacketsFromWorkloads: +- description: 'AllowIPIPPacketsFromWorkloads controls whether Felix +- will add a rule to drop IPIP encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- allowVXLANPacketsFromWorkloads: +- description: 'AllowVXLANPacketsFromWorkloads controls whether Felix +- will add a rule to drop VXLAN encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- awsSrcDstCheck: +- description: 'Set source-destination-check on AWS EC2 instances. Accepted +- value must be one of "DoNothing", "Enabled" or "Disabled". [Default: +- DoNothing]' +- enum: +- - DoNothing +- - Enable +- - Disable +- type: string +- bpfConnectTimeLoadBalancingEnabled: +- description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, +- controls whether Felix installs the connection-time load balancer. The +- connect-time load balancer is required for the host to be able to +- reach Kubernetes services and it improves the performance of pod-to-service +- connections. The only reason to disable it is for debugging purposes. [Default: +- true]' +- type: boolean +- bpfDataIfacePattern: +- description: 'BPFDataIfacePattern is a regular expression that controls +- which interfaces Felix should attach BPF programs to in order to +- catch traffic to/from the network. This needs to match the interfaces +- that Calico workload traffic flows over as well as any interfaces +- that handle incoming traffic to nodeports and services from outside +- the cluster. It should not match the workload interfaces (usually +- named cali...). [Default: ^(en.*|eth.*|tunl0$)]' +- type: string +- bpfDisableUnprivileged: +- description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled +- sysctl to disable unprivileged use of BPF. This ensures that unprivileged +- users cannot access Calico''s BPF maps and cannot insert their own +- BPF programs to interfere with Calico''s. [Default: true]' +- type: boolean +- bpfEnabled: +- description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. +- [Default: false]' +- type: boolean +- bpfExternalServiceMode: +- description: 'BPFExternalServiceMode in BPF mode, controls how connections +- from outside the cluster to services (node ports and cluster IPs) +- are forwarded to remote workloads. If set to "Tunnel" then both +- request and response traffic is tunneled to the remote node. If +- set to "DSR", the request traffic is tunneled but the response traffic +- is sent directly from the remote node. In "DSR" mode, the remote +- node appears to use the IP of the ingress node; this requires a +- permissive L2 network. [Default: Tunnel]' +- type: string +- bpfKubeProxyEndpointSlicesEnabled: +- description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls +- whether Felix's embedded kube-proxy accepts EndpointSlices or not. +- type: boolean +- bpfKubeProxyIptablesCleanupEnabled: +- description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF +- mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s +- iptables chains. Should only be enabled if kube-proxy is not running. [Default: +- true]' +- type: boolean +- bpfKubeProxyMinSyncPeriod: +- description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the +- minimum time between updates to the dataplane for Felix''s embedded +- kube-proxy. Lower values give reduced set-up latency. Higher values +- reduce Felix CPU usage by batching up more work. [Default: 1s]' +- type: string +- bpfLogLevel: +- description: 'BPFLogLevel controls the log level of the BPF programs +- when in BPF dataplane mode. One of "Off", "Info", or "Debug". The +- logs are emitted to the BPF trace pipe, accessible with the command +- `tc exec bpf debug`. [Default: Off].' +- type: string +- chainInsertMode: +- description: 'ChainInsertMode controls whether Felix hooks the kernel’s +- top-level iptables chains by inserting a rule at the top of the +- chain or by appending a rule at the bottom. insert is the safe default +- since it prevents Calico’s rules from being bypassed. If you switch +- to append mode, be sure that the other rules in the chains signal +- acceptance by falling through to the Calico rules, otherwise the +- Calico policy will be bypassed. [Default: insert]' +- type: string +- dataplaneDriver: +- type: string +- debugDisableLogDropping: +- type: boolean +- debugMemoryProfilePath: +- type: string +- debugSimulateCalcGraphHangAfter: +- type: string +- debugSimulateDataplaneHangAfter: +- type: string +- defaultEndpointToHostAction: +- description: 'DefaultEndpointToHostAction controls what happens to +- traffic that goes from a workload endpoint to the host itself (after +- the traffic hits the endpoint egress policy). By default Calico +- blocks traffic from workload endpoints to the host itself with an +- iptables “DROP” action. If you want to allow some or all traffic +- from endpoint to host, set this parameter to RETURN or ACCEPT. Use +- RETURN if you have your own rules in the iptables “INPUT” chain; +- Calico will insert its rules at the top of that chain, then “RETURN” +- packets to the “INPUT” chain once it has completed processing workload +- endpoint egress policy. Use ACCEPT to unconditionally accept packets +- from workloads after processing workload endpoint egress policy. +- [Default: Drop]' +- type: string +- deviceRouteProtocol: +- description: This defines the route protocol added to programmed device +- routes, by default this will be RTPROT_BOOT when left blank. +- type: integer +- deviceRouteSourceAddress: +- description: This is the source address to use on programmed device +- routes. By default the source address is left blank, leaving the +- kernel to choose the source address used. +- type: string +- disableConntrackInvalidCheck: +- type: boolean +- endpointReportingDelay: +- type: string +- endpointReportingEnabled: +- type: boolean +- externalNodesList: +- description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes +- which may source tunnel traffic and have the tunneled traffic be +- accepted at calico nodes. +- items: +- type: string +- type: array +- failsafeInboundHostPorts: +- description: 'FailsafeInboundHostPorts is a comma-delimited list of +- UDP/TCP ports that Felix will allow incoming traffic to host endpoints +- on irrespective of the security policy. This is useful to avoid +- accidentally cutting off a host with incorrect configuration. Each +- port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all inbound host ports, use the value none. +- The default value allows ssh access and DHCP. [Default: tcp:22, +- udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- failsafeOutboundHostPorts: +- description: 'FailsafeOutboundHostPorts is a comma-delimited list +- of UDP/TCP ports that Felix will allow outgoing traffic from host +- endpoints to irrespective of the security policy. This is useful +- to avoid accidentally cutting off a host with incorrect configuration. +- Each port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all outbound host ports, use the value none. +- The default value opens etcd’s standard ports to ensure that Felix +- does not get cut off from etcd as well as allowing DHCP and DNS. +- [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, +- udp:53, udp:67]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- featureDetectOverride: +- description: FeatureDetectOverride is used to override the feature +- detection. Values are specified in a comma separated list with no +- spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". +- "true" or "false" will force the feature, empty or omitted values +- are auto-detected. +- type: string +- genericXDPEnabled: +- description: 'GenericXDPEnabled enables Generic XDP so network cards +- that don''t support XDP offload or driver modes can use XDP. This +- is not recommended since it doesn''t provide better performance +- than iptables. [Default: false]' +- type: boolean +- healthEnabled: +- type: boolean +- healthHost: +- type: string +- healthPort: +- type: integer +- interfaceExclude: +- description: 'InterfaceExclude is a comma-separated list of interfaces +- that Felix should exclude when monitoring for host endpoints. The +- default value ensures that Felix ignores Kubernetes'' IPVS dummy +- interface, which is used internally by kube-proxy. If you want to +- exclude multiple interface names using a single value, the list +- supports regular expressions. For regular expressions you must wrap +- the value with ''/''. For example having values ''/^kube/,veth1'' +- will exclude all interfaces that begin with ''kube'' and also the +- interface ''veth1''. [Default: kube-ipvs0]' +- type: string +- interfacePrefix: +- description: 'InterfacePrefix is the interface name prefix that identifies +- workload endpoints and so distinguishes them from host endpoint +- interfaces. Note: in environments other than bare metal, the orchestrators +- configure this appropriately. For example our Kubernetes and Docker +- integrations set the ‘cali’ value, and our OpenStack integration +- sets the ‘tap’ value. [Default: cali]' +- type: string +- interfaceRefreshInterval: +- description: InterfaceRefreshInterval is the period at which Felix +- rescans local interfaces to verify their state. The rescan can be +- disabled by setting the interval to 0. +- type: string +- ipipEnabled: +- type: boolean +- ipipMTU: +- description: 'IPIPMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- ipsetsRefreshInterval: +- description: 'IpsetsRefreshInterval is the period at which Felix re-checks +- all iptables state to ensure that no other process has accidentally +- broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: +- 90s]' +- type: string +- iptablesBackend: +- description: IptablesBackend specifies which backend of iptables will +- be used. The default is legacy. +- type: string +- iptablesFilterAllowAction: +- type: string +- iptablesLockFilePath: +- description: 'IptablesLockFilePath is the location of the iptables +- lock file. You may need to change this if the lock file is not in +- its standard location (for example if you have mapped it into Felix’s +- container at a different path). [Default: /run/xtables.lock]' +- type: string +- iptablesLockProbeInterval: +- description: 'IptablesLockProbeInterval is the time that Felix will +- wait between attempts to acquire the iptables lock if it is not +- available. Lower values make Felix more responsive when the lock +- is contended, but use more CPU. [Default: 50ms]' +- type: string +- iptablesLockTimeout: +- description: 'IptablesLockTimeout is the time that Felix will wait +- for the iptables lock, or 0, to disable. To use this feature, Felix +- must share the iptables lock file with all other processes that +- also take the lock. When running Felix inside a container, this +- requires the /run directory of the host to be mounted into the calico/node +- or calico/felix container. [Default: 0s disabled]' +- type: string +- iptablesMangleAllowAction: +- type: string +- iptablesMarkMask: +- description: 'IptablesMarkMask is the mask that Felix selects its +- IPTables Mark bits from. Should be a 32 bit hexadecimal number with +- at least 8 bits set, none of which clash with any other mark bits +- in use on the system. [Default: 0xff000000]' +- format: int32 +- type: integer +- iptablesNATOutgoingInterfaceFilter: +- type: string +- iptablesPostWriteCheckInterval: +- description: 'IptablesPostWriteCheckInterval is the period after Felix +- has done a write to the dataplane that it schedules an extra read +- back in order to check the write was not clobbered by another process. +- This should only occur if another application on the system doesn’t +- respect the iptables lock. [Default: 1s]' +- type: string +- iptablesRefreshInterval: +- description: 'IptablesRefreshInterval is the period at which Felix +- re-checks the IP sets in the dataplane to ensure that no other process +- has accidentally broken Calico’s rules. Set to 0 to disable IP sets +- refresh. Note: the default for this value is lower than the other +- refresh intervals as a workaround for a Linux kernel bug that was +- fixed in kernel version 4.11. If you are using v4.11 or greater +- you may want to set this to, a higher value to reduce Felix CPU +- usage. [Default: 10s]' +- type: string +- ipv6Support: +- type: boolean +- kubeNodePortRanges: +- description: 'KubeNodePortRanges holds list of port ranges used for +- service node ports. Only used if felix detects kube-proxy running +- in ipvs mode. Felix uses these ranges to separate host and workload +- traffic. [Default: 30000:32767].' +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- logFilePath: +- description: 'LogFilePath is the full path to the Felix log. Set to +- none to disable file logging. [Default: /var/log/calico/felix.log]' +- type: string +- logPrefix: +- description: 'LogPrefix is the log prefix that Felix uses when rendering +- LOG rules. [Default: calico-packet]' +- type: string +- logSeverityFile: +- description: 'LogSeverityFile is the log severity above which logs +- are sent to the log file. [Default: Info]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- logSeveritySys: +- description: 'LogSeveritySys is the log severity above which logs +- are sent to the syslog. Set to None for no logging to syslog. [Default: +- Info]' +- type: string +- maxIpsetSize: +- type: integer +- metadataAddr: +- description: 'MetadataAddr is the IP address or domain name of the +- server that can answer VM queries for cloud-init metadata. In OpenStack, +- this corresponds to the machine running nova-api (or in Ubuntu, +- nova-api-metadata). A value of none (case insensitive) means that +- Felix should not set up any NAT rule for the metadata path. [Default: +- 127.0.0.1]' +- type: string +- metadataPort: +- description: 'MetadataPort is the port of the metadata server. This, +- combined with global.MetadataAddr (if not ‘None’), is used to set +- up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. +- In most cases this should not need to be changed [Default: 8775].' +- type: integer +- natOutgoingAddress: +- description: NATOutgoingAddress specifies an address to use when performing +- source NAT for traffic in a natOutgoing pool that is leaving the +- network. By default the address used is an address on the interface +- the traffic is leaving on (ie it uses the iptables MASQUERADE target) +- type: string +- natPortRange: +- anyOf: +- - type: integer +- - type: string +- description: NATPortRange specifies the range of ports that is used +- for port mapping when doing outgoing NAT. When unset the default +- behavior of the network stack is used. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- netlinkTimeout: +- type: string +- openstackRegion: +- description: 'OpenstackRegion is the name of the region that a particular +- Felix belongs to. In a multi-region Calico/OpenStack deployment, +- this must be configured somehow for each Felix (here in the datamodel, +- or in felix.cfg or the environment on each compute node), and must +- match the [calico] openstack_region value configured in neutron.conf +- on each node. [Default: Empty]' +- type: string +- policySyncPathPrefix: +- description: 'PolicySyncPathPrefix is used to by Felix to communicate +- policy changes to external services, like Application layer policy. +- [Default: Empty]' +- type: string +- prometheusGoMetricsEnabled: +- description: 'PrometheusGoMetricsEnabled disables Go runtime metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- prometheusMetricsEnabled: +- description: 'PrometheusMetricsEnabled enables the Prometheus metrics +- server in Felix if set to true. [Default: false]' +- type: boolean +- prometheusMetricsHost: +- description: 'PrometheusMetricsHost is the host that the Prometheus +- metrics server should bind to. [Default: empty]' +- type: string +- prometheusMetricsPort: +- description: 'PrometheusMetricsPort is the TCP port that the Prometheus +- metrics server should bind to. [Default: 9091]' +- type: integer +- prometheusProcessMetricsEnabled: +- description: 'PrometheusProcessMetricsEnabled disables process metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- removeExternalRoutes: +- description: Whether or not to remove device routes that have not +- been programmed by Felix. Disabling this will allow external applications +- to also add device routes. This is enabled by default which means +- we will remove externally added routes. +- type: boolean +- reportingInterval: +- description: 'ReportingInterval is the interval at which Felix reports +- its status into the datastore or 0 to disable. Must be non-zero +- in OpenStack deployments. [Default: 30s]' +- type: string +- reportingTTL: +- description: 'ReportingTTL is the time-to-live setting for process-wide +- status reports. [Default: 90s]' +- type: string +- routeRefreshInterval: +- description: 'RouterefreshInterval is the period at which Felix re-checks +- the routes in the dataplane to ensure that no other process has +- accidentally broken Calico’s rules. Set to 0 to disable route refresh. +- [Default: 90s]' +- type: string +- routeSource: +- description: 'RouteSource configures where Felix gets its routing +- information. - WorkloadIPs: use workload endpoints to construct +- routes. - CalicoIPAM: the default - use IPAM data to construct routes.' +- type: string +- routeTableRange: +- description: Calico programs additional Linux route tables for various +- purposes. RouteTableRange specifies the indices of the route tables +- that Calico should use. +- properties: +- max: +- type: integer +- min: +- type: integer +- required: +- - max +- - min +- type: object +- sidecarAccelerationEnabled: +- description: 'SidecarAccelerationEnabled enables experimental sidecar +- acceleration [Default: false]' +- type: boolean +- usageReportingEnabled: +- description: 'UsageReportingEnabled reports anonymous Calico version +- number and cluster size to projectcalico.org. Logs warnings returned +- by the usage server. For example, if a significant security vulnerability +- has been discovered in the version of Calico being used. [Default: +- true]' +- type: boolean +- usageReportingInitialDelay: +- description: 'UsageReportingInitialDelay controls the minimum delay +- before Felix makes a report. [Default: 300s]' +- type: string +- usageReportingInterval: +- description: 'UsageReportingInterval controls the interval at which +- Felix makes reports. [Default: 86400s]' +- type: string +- useInternalDataplaneDriver: +- type: boolean +- vxlanEnabled: +- type: boolean +- vxlanMTU: +- description: 'VXLANMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- vxlanPort: +- type: integer +- vxlanVNI: +- type: integer +- wireguardEnabled: +- description: 'WireguardEnabled controls whether Wireguard is enabled. +- [Default: false]' +- type: boolean +- wireguardInterfaceName: +- description: 'WireguardInterfaceName specifies the name to use for +- the Wireguard interface. [Default: wg.calico]' +- type: string +- wireguardListeningPort: +- description: 'WireguardListeningPort controls the listening port used +- by Wireguard. [Default: 51820]' +- type: integer +- wireguardMTU: +- description: 'WireguardMTU controls the MTU on the Wireguard interface. +- See Configuring MTU [Default: 1420]' +- type: integer +- wireguardRoutingRulePriority: +- description: 'WireguardRoutingRulePriority controls the priority value +- to use for the Wireguard routing rule. [Default: 99]' +- type: integer +- xdpEnabled: +- description: 'XDPEnabled enables XDP acceleration for suitable untracked +- incoming deny rules. [Default: true]' +- type: boolean +- xdpRefreshInterval: +- description: 'XDPRefreshInterval is the period at which Felix re-checks +- all XDP state to ensure that no other process has accidentally broken +- Calico''s BPF maps or attached programs. Set to 0 to disable XDP +- refresh. [Default: 90s]' +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkPolicy +- listKind: GlobalNetworkPolicyList +- plural: globalnetworkpolicies +- singular: globalnetworkpolicy +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- applyOnForward: +- description: ApplyOnForward indicates to apply the rules in this policy +- on forward traffic. +- type: boolean +- doNotTrack: +- description: DoNotTrack indicates whether packets matched by the rules +- in this policy should go through the data plane's connection tracking, +- such as Linux conntrack. If True, the rules in this policy are +- applied before any data plane connection tracking, and packets allowed +- by this policy are marked as not to be tracked. +- type: boolean +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- namespaceSelector: +- description: NamespaceSelector is an optional field for an expression +- used to select a pod based on namespaces. +- type: string +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- preDNAT: +- description: PreDNAT indicates to apply the rules in this policy before +- any DNAT. +- type: boolean +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress rules are present in the policy. The +- default is: \n - [ PolicyTypeIngress ], if there are no Egress rules +- (including the case where there are also no Ingress rules) \n +- - [ PolicyTypeEgress ], if there are Egress rules but no Ingress +- rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are +- both Ingress and Egress rules. \n When the policy is read back again, +- Types will always be one of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkSet +- listKind: GlobalNetworkSetList +- plural: globalnetworksets +- singular: globalnetworkset +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs +- that share labels to allow rules to refer to them via selectors. The labels +- of GlobalNetworkSet are not namespaced. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: GlobalNetworkSetSpec contains the specification for a NetworkSet +- resource. +- properties: +- nets: +- description: The list of IP networks that belong to this set. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: hostendpoints.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: HostEndpoint +- listKind: HostEndpointList +- plural: hostendpoints +- singular: hostendpoint +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: HostEndpointSpec contains the specification for a HostEndpoint +- resource. +- properties: +- expectedIPs: +- description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. +- If \"InterfaceName\" is not present, Calico will look for an interface +- matching any of the IPs in the list and apply policy to that. Note: +- \tWhen using the selector match criteria in an ingress or egress +- security Policy \tor Profile, Calico converts the selector into +- a set of IP addresses. For host \tendpoints, the ExpectedIPs field +- is used for that purpose. (If only the interface \tname is specified, +- Calico does not learn the IPs of the interface for use in match +- \tcriteria.)" +- items: +- type: string +- type: array +- interfaceName: +- description: "Either \"*\", or the name of a specific Linux interface +- to apply policy to; or empty. \"*\" indicates that this HostEndpoint +- governs all traffic to, from or through the default network namespace +- of the host named by the \"Node\" field; entering and leaving that +- namespace via any interface, including those from/to non-host-networked +- local workloads. \n If InterfaceName is not \"*\", this HostEndpoint +- only governs traffic that enters or leaves the host through the +- specific interface named by InterfaceName, or - when InterfaceName +- is empty - through the specific interface that has one of the IPs +- in ExpectedIPs. Therefore, when InterfaceName is empty, at least +- one expected IP must be specified. Only external interfaces (such +- as “eth0”) are supported here; it isn't possible for a HostEndpoint +- to protect traffic through a specific local workload interface. +- \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; +- initially just pre-DNAT policy. Please check Calico documentation +- for the latest position." +- type: string +- node: +- description: The node name identifying the Calico node instance. +- type: string +- ports: +- description: Ports contains the endpoint's named ports, which may +- be referenced in security policy rules. +- items: +- properties: +- name: +- type: string +- port: +- type: integer +- protocol: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- required: +- - name +- - port +- - protocol +- type: object +- type: array +- profiles: +- description: A list of identifiers of security Profile objects that +- apply to this endpoint. Each profile is applied in the order that +- they appear in this list. Profile rules are applied after the selector-based +- security policy. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamblocks.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMBlock +- listKind: IPAMBlockList +- plural: ipamblocks +- singular: ipamblock +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMBlockSpec contains the specification for an IPAMBlock +- resource. +- properties: +- affinity: +- type: string +- allocations: +- items: +- type: integer +- # TODO: This nullable is manually added in. We should update controller-gen +- # to handle []*int properly itself. +- nullable: true +- type: array +- attributes: +- items: +- properties: +- handle_id: +- type: string +- secondary: +- additionalProperties: +- type: string +- type: object +- type: object +- type: array +- cidr: +- type: string +- deleted: +- type: boolean +- strictAffinity: +- type: boolean +- unallocated: +- items: +- type: integer +- type: array +- required: +- - allocations +- - attributes +- - cidr +- - deleted +- - strictAffinity +- - unallocated +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamconfigs.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMConfig +- listKind: IPAMConfigList +- plural: ipamconfigs +- singular: ipamconfig +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMConfigSpec contains the specification for an IPAMConfig +- resource. +- properties: +- autoAllocateBlocks: +- type: boolean +- strictAffinity: +- type: boolean +- required: +- - autoAllocateBlocks +- - strictAffinity +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamhandles.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMHandle +- listKind: IPAMHandleList +- plural: ipamhandles +- singular: ipamhandle +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMHandleSpec contains the specification for an IPAMHandle +- resource. +- properties: +- block: +- additionalProperties: +- type: integer +- type: object +- handleID: +- type: string +- required: +- - block +- - handleID +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ippools.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPPool +- listKind: IPPoolList +- plural: ippools +- singular: ippool +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPPoolSpec contains the specification for an IPPool resource. +- properties: +- blockSize: +- description: The block size to use for IP address assignments from +- this pool. Defaults to 26 for IPv4 and 112 for IPv6. +- type: integer +- cidr: +- description: The pool CIDR. +- type: string +- disabled: +- description: When disabled is true, Calico IPAM will not assign addresses +- from this pool. +- type: boolean +- ipip: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- properties: +- enabled: +- description: When enabled is true, ipip tunneling will be used +- to deliver packets to destinations within this pool. +- type: boolean +- mode: +- description: The IPIP mode. This can be one of "always" or "cross-subnet". A +- mode of "always" will also use IPIP tunneling for routing to +- destination IP addresses within this pool. A mode of "cross-subnet" +- will only use IPIP tunneling when the destination node is on +- a different subnet to the originating node. The default value +- (if not specified) is "always". +- type: string +- type: object +- ipipMode: +- description: Contains configuration for IPIP tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling +- is disabled). +- type: string +- nat-outgoing: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- type: boolean +- natOutgoing: +- description: When nat-outgoing is true, packets sent from Calico networked +- containers in this pool to destinations outside of this pool will +- be masqueraded. +- type: boolean +- nodeSelector: +- description: Allows IPPool to allocate for a specific node by label +- selector. +- type: string +- vxlanMode: +- description: Contains configuration for VXLAN tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. VXLAN +- tunneling is disabled). +- type: string +- required: +- - cidr +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: kubecontrollersconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: KubeControllersConfiguration +- listKind: KubeControllersConfigurationList +- plural: kubecontrollersconfigurations +- singular: kubecontrollersconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: KubeControllersConfigurationSpec contains the values of the +- Kubernetes controllers configuration. +- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. +- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host endpoints. +- Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation of +- host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. [Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- status: +- description: KubeControllersConfigurationStatus represents the status +- of the configuration. It's useful for admins to be able to see the actual +- config that was applied, which can be modified by environment variables +- on the kube-controllers process. +- properties: +- environmentVars: +- additionalProperties: +- type: string +- description: EnvironmentVars contains the environment variables on +- the kube-controllers that influenced the RunningConfig. +- type: object +- runningConfig: +- description: RunningConfig contains the effective config that is running +- in the kube-controllers pod, after merging the API resource with +- any environment variables. +- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace +- controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. +- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host +- endpoints. Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation +- of host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. [Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which +- logs are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkPolicy +- listKind: NetworkPolicyList +- plural: networkpolicies +- singular: networkpolicy +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress are present in the policy. The default +- is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including +- the case where there are also no Ingress rules) \n - [ PolicyTypeEgress +- ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, +- PolicyTypeEgress ], if there are both Ingress and Egress rules. +- \n When the policy is read back again, Types will always be one +- of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkSet +- listKind: NetworkSetList +- plural: networksets +- singular: networkset +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: NetworkSetSpec contains the specification for a NetworkSet +- resource. +- properties: +- nets: +- description: The list of IP networks that belong to this set. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +---- + # Source: calico/templates/calico-kube-controllers-rbac.yaml + + # Include a clusterrole for the kube-controllers component, +@@ -3563,38 +339,10 @@ + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: +- # This container performs upgrade from host-local IPAM to calico-ipam. +- # It can be deleted if this is a fresh installation, or if you have already +- # upgraded to use calico-ipam. +- - name: upgrade-ipam +- image: calico/cni:v3.16.5 +- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] +- envFrom: +- - configMapRef: +- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. +- name: kubernetes-services-endpoint +- optional: true +- env: +- - name: KUBERNETES_NODE_NAME +- valueFrom: +- fieldRef: +- fieldPath: spec.nodeName +- - name: CALICO_NETWORKING_BACKEND +- valueFrom: +- configMapKeyRef: +- name: calico-config +- key: calico_backend +- volumeMounts: +- - mountPath: /var/lib/cni/networks +- name: host-local-net-dir +- - mountPath: /host/opt/cni/bin +- name: cni-bin-dir +- securityContext: +- privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni +- image: calico/cni:v3.16.5 ++ image: calico/cni:{{ default .Chart.AppVersion .Values.image.tag }} + command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: +@@ -3635,7 +383,7 @@ + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver +- image: calico/pod2daemon-flexvol:v3.16.5 ++ image: calico/pod2daemon-flexvol:{{ default .Chart.AppVersion .Values.image.tag }} + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver +@@ -3646,7 +394,7 @@ + # container programs network policy and routes on each + # host. + - name: calico-node +- image: calico/node:v3.16.5 ++ image: calico/node:{{ default .Chart.AppVersion .Values.image.tag }} + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. +@@ -3672,7 +420,7 @@ + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE +- value: "k8s,bgp" ++ value: "k8s,kubeadm" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" +@@ -3702,7 +450,7 @@ + key: veth_mtu + # Disable AWS source-destination check on nodes. + - name: FELIX_AWSSRCDSTCHECK +- value: Disable ++ value: DoNothing + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. +@@ -3719,7 +467,15 @@ + value: "false" + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN +- value: "info" ++ value: "{{ .Values.loglevel }}" ++ - name: FELIX_LOGSEVERITYFILE ++ value: "{{ .Values.loglevel }}" ++ - name: FELIX_LOGSEVERITYSYS ++ value: "" ++ - name: FELIX_PROMETHEUSGOMETRICSENABLED ++ value: "{{ .Values.prometheus }}" ++ - name: FELIX_PROMETHEUSMETRICSENABLED ++ value: "{{ .Values.prometheus }}" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: +@@ -3840,6 +596,7 @@ + spec: + nodeSelector: + kubernetes.io/os: linux ++ node-role.kubernetes.io/master: "" + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly +@@ -3850,7 +607,7 @@ + priorityClassName: system-cluster-critical + containers: + - name: calico-kube-controllers +- image: calico/kube-controllers:v3.16.5 ++ image: calico/kube-controllers:{{ default .Chart.AppVersion .Values.image.tag }} + env: + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS diff --git a/charts/kubezero-calico/crds/crds.yaml b/charts/kubezero-calico/crds/crds.yaml index da6def43..afb8ee38 100644 --- a/charts/kubezero-calico/crds/crds.yaml +++ b/charts/kubezero-calico/crds/crds.yaml @@ -1,3 +1,4 @@ +--- # Source: calico/templates/kdd-crds.yaml @@ -192,6 +193,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` @@ -396,6 +420,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: diff --git a/charts/kubezero-calico/templates/crds.yaml b/charts/kubezero-calico/templates/crds.yaml deleted file mode 100644 index 45ab72d4..00000000 --- a/charts/kubezero-calico/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.installCRDs }} -{{- range $path, $_ := .Files.Glob "crds/*.yaml" }} -{{ $.Files.Get $path }} ---- -{{- end }} -{{- end }} diff --git a/charts/kubezero-calico/values.yaml b/charts/kubezero-calico/values.yaml index 04a29796..281caa30 100644 --- a/charts/kubezero-calico/values.yaml +++ b/charts/kubezero-calico/values.yaml @@ -1,5 +1,3 @@ -installCRDs: false - image: tag: "" diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index 9096c450..72e6898c 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-cert-manager description: KubeZero Umbrella Chart for cert-manager type: application -version: 0.4.0 +version: 0.4.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: cert-manager - version: 1.0.3 + version: 1.1.0 repository: https://charts.jetstack.io + condition: cert-manager.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index a600e3ff..9a15eae6 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -1,6 +1,6 @@ # kubezero-cert-manager -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | 1.0.3 | +| https://charts.jetstack.io | cert-manager | 1.1.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## AWS - IAM Role @@ -38,12 +38,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.enabled | bool | `true` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | +| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | -| cert-manager.installCRDs | bool | `true` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | +| cert-manager.podAnnotations | object | `{}` | | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | @@ -51,5 +52,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | clusterIssuer | object | `{}` | | -| localCA.enabled | bool | `true` | | +| localCA.enabled | bool | `false` | | | localCA.selfsigning | bool | `true` | | diff --git a/charts/kubezero-cert-manager/templates/cluster-ca.yaml b/charts/kubezero-cert-manager/templates/cluster-ca.yaml index bd2f45a9..01889599 100644 --- a/charts/kubezero-cert-manager/templates/cluster-ca.yaml +++ b/charts/kubezero-cert-manager/templates/cluster-ca.yaml @@ -3,11 +3,11 @@ # KubeZero / Local cluster CA # The resources are serialized via waves in Argo -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer metadata: name: kubezero-selfsigning-issuer - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: @@ -15,11 +15,11 @@ metadata: spec: selfSigned: {} --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kubezero-local-ca - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: @@ -30,6 +30,7 @@ spec: isCA: true issuerRef: name: kubezero-selfsigning-issuer + kind: ClusterIssuer usages: - "any" --- @@ -39,7 +40,7 @@ apiVersion: v1 kind: Secret metadata: name: kubezero-ca-tls - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} data: @@ -48,11 +49,11 @@ data: --- {{- end }} -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer metadata: name: kubezero-local-ca-issuer - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: diff --git a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml index 4861733c..f7280fc4 100644 --- a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml +++ b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml @@ -1,5 +1,5 @@ {{- if .Values.clusterIssuer.name }} -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: {{ .Values.clusterIssuer.name }} diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index b14b4b9e..9a7badec 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml @@ -9,7 +9,7 @@ clusterIssuer: {} # hostedZoneID: 1234567890 localCA: - enabled: true + enabled: false # If selfsigning is false you must provide the ca key and crt below selfsigning: true #ca: @@ -17,34 +17,45 @@ localCA: # crt: cert-manager: - installCRDs: true + enabled: true + + global: + leaderElection: + namespace: "cert-manager" + + podAnnotations: {} + # iam.amazonaws.com/role: "" + tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + ingressShim: defaultIssuerName: letsencrypt-dns-prod defaultIssuerKind: ClusterIssuer + webhook: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + cainjector: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + extraArgs: - "--dns01-recursive-nameservers-only" # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # - --enable-certificate-owner-ref=true + prometheus: servicemonitor: enabled: false # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" - podAnnotations: {} - # iam.amazonaws.com/role: "" diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml new file mode 100644 index 00000000..e66651e3 --- /dev/null +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: kubezero-istio-ingress +description: KubeZero Umbrella Chart for Istio based Ingress +type: application +version: 0.1.1 +appVersion: 1.8.1 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - istio +maintainers: + - name: Quarky9 +dependencies: + - name: kubezero-lib + version: ">= 0.1.3" + repository: https://zero-down-time.github.io/kubezero/ + - name: istio-ingress + version: 1.1.0 + condition: istio-ingress.enabled + - name: istio-private-ingress + version: 1.1.0 + condition: istio-private-ingress.enabled +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md new file mode 100644 index 00000000..e7557d3f --- /dev/null +++ b/charts/kubezero-istio-ingress/README.md @@ -0,0 +1,97 @@ +# kubezero-istio-ingress + +![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) + +KubeZero Umbrella Chart for Istio based Ingress + +Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.16.0` + +| Repository | Name | Version | +|------------|------|---------| +| | istio-ingress | 1.1.0 | +| | istio-private-ingress | 1.1.0 | +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.arch.amd64 | int | `2` | | +| global.defaultPodDisruptionBudget.enabled | bool | `false` | | +| global.hub | string | `"docker.io/istio"` | | +| global.jwtPolicy | string | `"first-party-jwt"` | | +| global.logAsJson | bool | `true` | | +| global.priorityClassName | string | `"system-cluster-critical"` | | +| global.tag | string | `"1.8.1"` | | +| istio-ingress.dnsNames | list | `[]` | | +| istio-ingress.enabled | bool | `false` | | +| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | | +| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | +| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | +| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | | +| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | +| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | +| istio-private-ingress.dnsNames | list | `[]` | | +| istio-private-ingress.enabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | | +| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | +| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | +| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | | +| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | +| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | +| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | + +## Resources + +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml +- https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio-ingress/README.md.gotmpl b/charts/kubezero-istio-ingress/README.md.gotmpl new file mode 100644 index 00000000..fcd08643 --- /dev/null +++ b/charts/kubezero-istio-ingress/README.md.gotmpl @@ -0,0 +1,24 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +## Resources + +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml +- https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml new file mode 100644 index 00000000..108c8f25 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: istio-ingress +version: 1.1.0 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - ingressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt new file mode 100644 index 00000000..221ee560 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt @@ -0,0 +1,43 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minimize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label and chart structure. +- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades +and allows a bit more flexibility. +- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. + +# Port and basic host configuration + +In order to configure the Service object, the install/upgrade needs to provide a list of all ports. +In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured +both in upgrade, Gateway and VirtualService. + +The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, +Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual +config for the rest. + +All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl new file mode 100644 index 00000000..400ff543 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl @@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "nodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml new file mode 100644 index 00000000..0b339dc6 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml @@ -0,0 +1,27 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name | default "istio-ingressgateway" }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml new file mode 100644 index 00000000..b5137a4a --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml @@ -0,0 +1,346 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + terminationGracePeriodSeconds: 90 +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + - --serviceCluster + - {{ $gateway.name | default "istio-ingressgateway" }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name | default "istio-ingressgateway" }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: TRUST_DOMAIN + value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: {{ .Values.global.network }} + {{- end }} +{{- if $gateway.podAnnotations }} + - name: "ISTIO_METAJSON_ANNOTATIONS" + value: | +{{ toJson $gateway.podAnnotations | indent 16}} +{{ end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + - name: gatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: gatewaysdsudspath + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: + {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml new file mode 100644 index 00000000..67c164b0 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml @@ -0,0 +1,79 @@ +{{- if .Values.global.meshExpansion.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 15012 + protocol: TCP + name: tcp-istiod + hosts: + - "*" + - port: + number: 15017 + protocol: TCP + name: tcp-istiodwebhook + hosts: + - "*" +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + hosts: + - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15012 + route: + - destination: + host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15012 + - match: + - port: 15017 + route: + - destination: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 443 +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15012 + tls: + mode: DISABLE + - port: + number: 15017 + tls: + mode: DISABLE + +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..d0b480d7 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + minAvailable: 1 + selector: + matchLabels: +{{ $gateway.labels | toYaml | trim | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml new file mode 100644 index 00000000..230e3446 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml @@ -0,0 +1,78 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +{{- if .Values.global.multiCluster.includeEnvoyFilter }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + portNumber: 15443 + filterChain: + filter: + name: "envoy.filters.network.sni_cluster" + patch: + operation: INSERT_AFTER + value: + name: "envoy.filters.network.tcp_cluster_rewrite" + typed_config: + "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" + cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +{{- end }} +## To ensure all traffic to globalDomainSuffix is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml new file mode 100644 index 00000000..7d931728 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml @@ -0,0 +1,16 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml new file mode 100644 index 00000000..81625cb3 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml @@ -0,0 +1,19 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds +subjects: +- kind: ServiceAccount + name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +--- diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml new file mode 100644 index 00000000..237be954 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml @@ -0,0 +1,55 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if not $gateway.customService }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := $gateway.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if $gateway.loadBalancerIP }} + loadBalancerIP: "{{ $gateway.loadBalancerIP }}" +{{- end }} +{{- if $gateway.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $gateway.externalTrafficPolicy }} + externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} +{{- end }} + type: {{ $gateway.type }} + selector: +{{ $gateway.labels | toYaml | indent 4 }} + ports: + + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} + {{ range $app := $gateway.ingressPorts }} + - + port: {{ $app.port }} + name: {{ $app.name }} + {{- end }} +--- +{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml new file mode 100644 index 00000000..4b0ab1ae --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml new file mode 100644 index 00000000..9f4dee62 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -0,0 +1,336 @@ +# A-la-carte istio ingress gateway. +# Must be installed in a separate namespace, to minimize access to secrets. + +gateways: + istio-ingressgateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + protocol: TCP + + # Scalability tunning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + + cpu: + targetAverageUtilization: 80 + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + serviceAnnotations: {} + + # Enable cross-cluster access using SNI matching + zvpn: + enabled: false + suffix: global + + # To generate an internal load balancer: + # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal + #serviceAnnotations: + # cloud.google.com/load-balancer-type: "internal" + + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. + # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15012 + targetPort: 15012 + name: tcp-istiod + ####### end MESH EXPANSION PORTS ###### + + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + customService: false + externalTrafficPolicy: "" + + ingressPorts: [] + additionalContainers: [] + configVolumes: [] + + ### Advanced options ############ + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-testing + + # Default tag for Istio images. + tag: latest + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Deprecated, use meshConfig.trustDomain +# trustDomain: "" + +meshConfig: + enablePrometheusMerge: true +# trustDomain: "" + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml new file mode 100644 index 00000000..2cd775d2 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: istio-private-ingress +version: 1.1.0 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - ingressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt new file mode 100644 index 00000000..221ee560 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt @@ -0,0 +1,43 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minimize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label and chart structure. +- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades +and allows a bit more flexibility. +- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. + +# Port and basic host configuration + +In order to configure the Service object, the install/upgrade needs to provide a list of all ports. +In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured +both in upgrade, Gateway and VirtualService. + +The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, +Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual +config for the rest. + +All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl new file mode 100644 index 00000000..400ff543 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl @@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "nodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml new file mode 100644 index 00000000..0b339dc6 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml @@ -0,0 +1,27 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name | default "istio-ingressgateway" }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml new file mode 100644 index 00000000..b5137a4a --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -0,0 +1,346 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + terminationGracePeriodSeconds: 90 +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + - --serviceCluster + - {{ $gateway.name | default "istio-ingressgateway" }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name | default "istio-ingressgateway" }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: TRUST_DOMAIN + value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: {{ .Values.global.network }} + {{- end }} +{{- if $gateway.podAnnotations }} + - name: "ISTIO_METAJSON_ANNOTATIONS" + value: | +{{ toJson $gateway.podAnnotations | indent 16}} +{{ end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + - name: gatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: gatewaysdsudspath + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: + {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml new file mode 100644 index 00000000..67c164b0 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml @@ -0,0 +1,79 @@ +{{- if .Values.global.meshExpansion.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 15012 + protocol: TCP + name: tcp-istiod + hosts: + - "*" + - port: + number: 15017 + protocol: TCP + name: tcp-istiodwebhook + hosts: + - "*" +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + hosts: + - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15012 + route: + - destination: + host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15012 + - match: + - port: 15017 + route: + - destination: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 443 +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15012 + tls: + mode: DISABLE + - port: + number: 15017 + tls: + mode: DISABLE + +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..d0b480d7 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + minAvailable: 1 + selector: + matchLabels: +{{ $gateway.labels | toYaml | trim | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml new file mode 100644 index 00000000..230e3446 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml @@ -0,0 +1,78 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +{{- if .Values.global.multiCluster.includeEnvoyFilter }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + portNumber: 15443 + filterChain: + filter: + name: "envoy.filters.network.sni_cluster" + patch: + operation: INSERT_AFTER + value: + name: "envoy.filters.network.tcp_cluster_rewrite" + typed_config: + "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" + cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +{{- end }} +## To ensure all traffic to globalDomainSuffix is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + {{- if .Values.global.defaultConfigVisibilitySettings }} + exportTo: + - '*' + {{- end }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +--- +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml new file mode 100644 index 00000000..7d931728 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml @@ -0,0 +1,16 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml new file mode 100644 index 00000000..81625cb3 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml @@ -0,0 +1,19 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $gateway.name | default "istio-ingressgateway" }}-sds +subjects: +- kind: ServiceAccount + name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +--- diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml new file mode 100644 index 00000000..237be954 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml @@ -0,0 +1,55 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if not $gateway.customService }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := $gateway.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if $gateway.loadBalancerIP }} + loadBalancerIP: "{{ $gateway.loadBalancerIP }}" +{{- end }} +{{- if $gateway.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $gateway.externalTrafficPolicy }} + externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} +{{- end }} + type: {{ $gateway.type }} + selector: +{{ $gateway.labels | toYaml | indent 4 }} + ports: + + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} + {{ range $app := $gateway.ingressPorts }} + - + port: {{ $app.port }} + name: {{ $app.name }} + {{- end }} +--- +{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml new file mode 100644 index 00000000..4b0ab1ae --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | trim | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml new file mode 100644 index 00000000..9f4dee62 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml @@ -0,0 +1,336 @@ +# A-la-carte istio ingress gateway. +# Must be installed in a separate namespace, to minimize access to secrets. + +gateways: + istio-ingressgateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + protocol: TCP + + # Scalability tunning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + + cpu: + targetAverageUtilization: 80 + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + serviceAnnotations: {} + + # Enable cross-cluster access using SNI matching + zvpn: + enabled: false + suffix: global + + # To generate an internal load balancer: + # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal + #serviceAnnotations: + # cloud.google.com/load-balancer-type: "internal" + + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. + # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15012 + targetPort: 15012 + name: tcp-istiod + ####### end MESH EXPANSION PORTS ###### + + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + customService: false + externalTrafficPolicy: "" + + ingressPorts: [] + additionalContainers: [] + configVolumes: [] + + ### Advanced options ############ + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-testing + + # Default tag for Istio images. + tag: latest + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Deprecated, use meshConfig.trustDomain +# trustDomain: "" + +meshConfig: + enablePrometheusMerge: true +# trustDomain: "" + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/charts/kubezero-istio/templates/envoyfilter.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml similarity index 88% rename from charts/kubezero-istio/templates/envoyfilter.yaml rename to charts/kubezero-istio-ingress/templates/envoyfilter.yaml index 3351376c..f11e290d 100644 --- a/charts/kubezero-istio/templates/envoyfilter.yaml +++ b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml @@ -1,8 +1,9 @@ +{{- if index .Values "istio-ingress" "enabled" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: ingressgateway-listener-tcp-keepalive - namespace: istio-system + namespace: {{ .Release.Namespace }} spec: workloadSelector: labels: @@ -30,14 +31,15 @@ spec: name: 5 int_value: 60 state: STATE_LISTENING +{{- end }} -{{- if .Values.ingress.private.enabled }} +{{- if index .Values "istio-private-ingress" "enabled" }} --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: private-ingressgateway-listener-tcp-keepalive - namespace: istio-system + namespace: {{ .Release.Namespace }} spec: workloadSelector: labels: diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml new file mode 100644 index 00000000..fbb2fee2 --- /dev/null +++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml @@ -0,0 +1,35 @@ +{{- if index .Values "istio-ingress" "dnsNames" }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ingress-cert + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + secretName: ingress-cert + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + dnsNames: +{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }} +{{- end }} + +{{- if index .Values "istio-private-ingress" "dnsNames" }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: private-ingress-cert + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + secretName: private-ingress-cert + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + dnsNames: +{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }} +{{- end }} + diff --git a/charts/kubezero-istio/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml similarity index 51% rename from charts/kubezero-istio/templates/ingress-gateway.yaml rename to charts/kubezero-istio-ingress/templates/ingress-gateway.yaml index 66f447c1..4995ee0f 100644 --- a/charts/kubezero-istio/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml @@ -1,8 +1,9 @@ -apiVersion: networking.istio.io/v1alpha3 +{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }} +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: ingressgateway - namespace: istio-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: @@ -14,7 +15,7 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} tls: httpsRedirect: true - port: @@ -22,20 +23,21 @@ spec: name: https protocol: HTTPS hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: ingress-cert +{{- end }} -{{- if .Values.ingress.private.enabled }} +{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }} --- -apiVersion: networking.istio.io/v1alpha3 +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: private-ingressgateway - namespace: istio-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: @@ -47,7 +49,7 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} tls: httpsRedirect: true - port: @@ -55,33 +57,45 @@ spec: name: https protocol: HTTPS hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: private-ingress-cert - port: number: 5672 name: amqp protocol: TCP hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} - port: number: 5671 name: amqps protocol: TCP hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} - port: number: 24224 name: fluentd-forward protocol: TLS hosts: - {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: private-ingress-cert + - port: + number: 6379 + name: redis + protocol: TCP + hosts: + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + - port: + number: 6380 + name: redis-1 + protocol: TCP + hosts: + {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml new file mode 100644 index 00000000..b989ba75 --- /dev/null +++ b/charts/kubezero-istio-ingress/values.yaml @@ -0,0 +1,122 @@ +# Make sure these values match kuberzero-istio !!! +global: + hub: docker.io/istio + tag: 1.8.1 + + logAsJson: true + jwtPolicy: first-party-jwt + + priorityClassName: "system-cluster-critical" + + defaultPodDisruptionBudget: + enabled: false + + arch: + amd64: 2 + +istio-ingress: + enabled: false + + gateways: + istio-ingressgateway: + autoscaleEnabled: false + replicaCount: 1 + resources: + requests: + memory: 64Mi + limits: + # cpu: 100m + memory: 256Mi + externalTrafficPolicy: Local + podAntiAffinityLabelSelector: + - key: app + operator: In + topologyKey: kubernetes.io/hostname + values: istio-ingressgateway + type: NodePort + env: + TERMINATION_DRAIN_DURATION_SECONDS: '"60"' + # ISTIO_META_HTTP10: '"1"' + + # The node selector is normally the list of nodeports, see CloudBender + nodeSelector: + node.kubernetes.io/ingress.public: "30080_30443" + ports: + - name: http-status + port: 15021 + nodePort: 30021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 30080 + - name: https + port: 443 + targetPort: 8443 + nodePort: 30443 + + dnsNames: [] +# - '*.example.com' + +istio-private-ingress: + enabled: false + + gateways: + istio-ingressgateway: + # name and labels make the ingress private + name: istio-private-ingressgateway + labels: + app: istio-private-ingressgateway + istio: private-ingressgateway + + autoscaleEnabled: false + replicaCount: 1 + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + # cpu: 100m + memory: 256Mi + externalTrafficPolicy: Local + podAntiAffinityLabelSelector: + - key: app + operator: In + topologyKey: kubernetes.io/hostname + values: istio-private-ingressgateway + type: NodePort + env: + TERMINATION_DRAIN_DURATION_SECONDS: '"60"' + # ISTIO_META_HTTP10: '"1"' + + nodeSelector: + node.kubernetes.io/ingress.private: "31080_31443" + #nodeSelector: "31080_31443_31671_31672_31224" + + ports: + - name: http-status + port: 15021 + nodePort: 31021 + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31080 + - name: https + port: 443 + targetPort: 8443 + nodePort: 31443 + #- name: fluentd-forward + # port: 24224 + # nodePort: 31224 + #- name: amqps + # port: 5671 + # nodePort: 31671 + #- name: amqp + # port: 5672 + # nodePort: 31672 + #- name: redis + # port: 6379 + # nodePort: 31379 + + dnsNames: [] +# - '*.example.com' + diff --git a/charts/kubezero-istio/.gitignore b/charts/kubezero-istio/.gitignore index 56f8b3d4..b4a6b6b6 100644 --- a/charts/kubezero-istio/.gitignore +++ b/charts/kubezero-istio/.gitignore @@ -1,2 +1,2 @@ istioctl -istio-* +istio-?.?.? diff --git a/charts/kubezero-istio/.helmignore b/charts/kubezero-istio/.helmignore new file mode 100644 index 00000000..b4a6b6b6 --- /dev/null +++ b/charts/kubezero-istio/.helmignore @@ -0,0 +1,2 @@ +istioctl +istio-?.?.? diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 3857a76a..903bd5a8 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.3.4 -appVersion: 1.7.3 +version: 0.4.1 +appVersion: 1.8.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,8 @@ dependencies: - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - - name: istio-operator - version: ">= 1.7" + - name: base + version: 1.1.0 + - name: istio-discovery + version: 1.2.0 kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index bdde2399..849a5b4f 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,10 +1,10 @@ # kubezero-istio -![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square) +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) KubeZero Umbrella Chart for Istio -Installs Istio Operator and KubeZero Istio profile +Installs the Istio control plane **Homepage:** @@ -20,26 +20,33 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| | istio-operator | >= 1.7 | +| | base | 1.1.0 | +| | istio-discovery | 1.2.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | -## KubeZero default configuration -- mapped istio-operator to run on the controller nodes only - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| ingress.autoscaleEnabled | bool | `false` | | -| ingress.dnsNames[0] | string | `"*"` | | -| ingress.private.enabled | bool | `true` | | -| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | | -| ingress.replicaCount | int | `2` | | -| ingress.type | string | `"NodePort"` | | -| istio-operator.hub | string | `"docker.io/istio"` | | -| istio-operator.tag | string | `"1.7.3"` | | -| istiod.autoscaleEnabled | bool | `false` | | -| istiod.replicaCount | int | `1` | | +| global.defaultPodDisruptionBudget.enabled | bool | `false` | | +| global.hub | string | `"docker.io/istio"` | | +| global.jwtPolicy | string | `"first-party-jwt"` | | +| global.logAsJson | bool | `true` | | +| global.priorityClassName | string | `"system-cluster-critical"` | | +| global.tag | string | `"1.8.0"` | | +| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | +| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | | +| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | | +| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | | +| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | | +| istio-discovery.pilot.autoscaleEnabled | bool | `false` | | +| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| istio-discovery.pilot.replicaCount | int | `1` | | +| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | | +| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | | +| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | | +| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| istio-discovery.telemetry.enabled | bool | `false` | | ## Resources diff --git a/charts/kubezero-istio/README.md.gotmpl b/charts/kubezero-istio/README.md.gotmpl index d7f368fb..1b4d30f2 100644 --- a/charts/kubezero-istio/README.md.gotmpl +++ b/charts/kubezero-istio/README.md.gotmpl @@ -5,7 +5,7 @@ {{ template "chart.description" . }} -Installs Istio Operator and KubeZero Istio profile +Installs the Istio control plane {{ template "chart.homepageLine" . }} @@ -15,9 +15,6 @@ Installs Istio Operator and KubeZero Istio profile {{ template "chart.requirementsSection" . }} -## KubeZero default configuration -- mapped istio-operator to run on the controller nodes only - {{ template "chart.valuesSection" . }} ## Resources diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml new file mode 100644 index 00000000..e0127276 --- /dev/null +++ b/charts/kubezero-istio/charts/base/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +name: base +version: 1.1.0 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio cluster resources and CRDs +keywords: + - istio +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/base/NOTES.txt b/charts/kubezero-istio/charts/base/NOTES.txt new file mode 100644 index 00000000..7cdd4403 --- /dev/null +++ b/charts/kubezero-istio/charts/base/NOTES.txt @@ -0,0 +1 @@ +Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts. diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml new file mode 100644 index 00000000..deea6517 --- /dev/null +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -0,0 +1,3426 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from + the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + preserveUnknownFields: true + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate + VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry + to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + - JSONPath: .spec.address + description: Address associated with the network endpoint. + name: Address + type: string + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more + details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workloadgroups.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: health is determined by how the command that is executed + exited. + properties: + command: + description: command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before + readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. + format: int32 + type: integer + tcpSocket: + description: health is determined by if the proxy is able to connect. + properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more details + at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication methods + are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected + workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for + the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding + the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- diff --git a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml new file mode 100644 index 00000000..d0be4c3a --- /dev/null +++ b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml @@ -0,0 +1,66 @@ +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .status.status + description: IOP current state + type: string + name: Status + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml new file mode 100644 index 00000000..0a304333 --- /dev/null +++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -0,0 +1,3749 @@ +--- +# Source: crds/crd-all.gen.yaml +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from + the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + preserveUnknownFields: true + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate + VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry + to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + - JSONPath: .spec.address + description: Address associated with the network endpoint. + name: Address + type: string + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more + details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workloadgroups.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: health is determined by how the command that is executed + exited. + properties: + command: + description: command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before + readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. + format: int32 + type: integer + tcpSocket: + description: health is determined by if the proxy is able to connect. + properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more details + at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication methods + are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected + workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for + the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding + the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- + +--- +# Source: crds/crd-operator.yaml +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .status.status + description: IOP current state + type: string + name: Status + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + +--- +# Source: base/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- +# Source: base/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod-service-account + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: base/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/validatingwebhookconfiguration.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio + istio: istiod +webhooks: + - name: validation.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/validate" + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] diff --git a/charts/kubezero-istio/charts/base/kustomization.yaml b/charts/kubezero-istio/charts/base/kustomization.yaml new file mode 100644 index 00000000..dbde62f0 --- /dev/null +++ b/charts/kubezero-istio/charts/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio-cluster.yaml diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml new file mode 100644 index 00000000..521c24bc --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -0,0 +1,146 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} +--- diff --git a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..ff248689 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml @@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} +--- diff --git a/charts/kubezero-istio/charts/base/templates/crds.yaml b/charts/kubezero-istio/charts/base/templates/crds.yaml new file mode 100644 index 00000000..871ee2a6 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/crds.yaml @@ -0,0 +1,4 @@ +{{- if .Values.base.enableCRDTemplates }} +{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{ .Files.Get "crds/crd-operator.yaml" }} +{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/endpoints.yaml b/charts/kubezero-istio/charts/base/templates/endpoints.yaml new file mode 100644 index 00000000..fb4dd5ef --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/endpoints.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/role.yaml b/charts/kubezero-istio/charts/base/templates/role.yaml new file mode 100644 index 00000000..557af5ab --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/role.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml new file mode 100644 index 00000000..aabc0c3c --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml new file mode 100644 index 00000000..36e0e080 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +--- diff --git a/charts/kubezero-istio/charts/base/templates/services.yaml b/charts/kubezero-istio/charts/base/templates/services.yaml new file mode 100644 index 00000000..f654508a --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} +# when istiod is enabled in remote cluster, we can't use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + clusterIP: None + {{- else }} +# when istiod isn't enabled in remote cluster, we can use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + # if the remotePilotAddress is IP addr, we use clusterIP: None. + # else, we use externalName + {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} + clusterIP: None + {{- else }} + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 00000000..80124a9e --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,40 @@ +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +--- +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-istio/charts/base/values.yaml b/charts/kubezero-istio/charts/base/values.yaml new file mode 100644 index 00000000..af165102 --- /dev/null +++ b/charts/kubezero-istio/charts/base/values.yaml @@ -0,0 +1,22 @@ +global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + istiod: + enableAnalysis: false + + configValidation: true + +base: + # Used for helm2 to add the CRDs to templates. + enableCRDTemplates: false + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" \ No newline at end of file diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml new file mode 100644 index 00000000..daed6bd2 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +name: istio-discovery +version: 1.2.0 +appVersion: 1.2.0 +tillerVersion: ">=2.7.2" +description: Helm chart for istio control plane +keywords: + - istio + - istiod + - istio-discovery +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt new file mode 100644 index 00000000..997f4ac6 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt @@ -0,0 +1,5 @@ +Minimal control plane for Istio. Pilot and mesh config are included. + +MCP and injector should optionally be installed in the same namespace. Alternatively remote +address of an MCP server can be set. + diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml new file mode 100644 index 00000000..da98e338 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml @@ -0,0 +1,1983 @@ +--- +# Source: istio-discovery/templates/poddisruptionbudget.yaml +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + istio: pilot +--- +# Source: istio-discovery/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + networks: {} + + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + proxyMetadata: + DNS_AGENT: "" + tracing: + zipkin: + address: zipkin.istio-system:9411 + enablePrometheusMerge: true + rootNamespace: istio-system + trustDomain: cluster.local +--- +# Source: istio-discovery/templates/istiod-injector-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + values: |- + { + "global": { + "arch": { + "amd64": 2, + "ppc64le": 2, + "s390x": 2 + }, + "caAddress": "", + "centralIstiod": false, + "configValidation": true, + "defaultConfigVisibilitySettings": [], + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "defaultTolerations": [], + "externalIstiod": false, + "hub": "gcr.io/istio-testing", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshExpansion": { + "enabled": false, + "useILB": false + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false, + "globalDomainSuffix": "global", + "includeEnvoyFilter": true + }, + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "latest", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "trustDomain": "", + "useMCP": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "objectSelector": { + "autoInject": true, + "enabled": false + }, + "rewriteAppHTTPProbe": true + } + } + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + + template: | + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + podRedirectAnnot: + {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +# Source: istio-discovery/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: istio +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot +--- +# Source: istio-discovery/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + release: istio +spec: + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiod-service-account + securityContext: + fsGroup: 1337 + containers: + - name: discovery + image: "gcr.io/istio-testing/pilot:latest" + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15053 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "default" + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "true" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "true" + - name: INJECTION_WEBHOOK_CONFIG_NAME + value: istio-sidecar-injector + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "false" + - name: CLUSTER_ID + value: "Kubernetes" + - name: EXTERNAL_ISTIOD + value: "false" + - name: CENTRAL_ISTIOD + value: "false" + - name: PILOT_ENDPOINT_TELEMETRY_LABEL + value: "true" + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + - name: inject + mountPath: /var/lib/istio/inject + readOnly: true + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional - image should have + - name: inject + configMap: + name: istio-sidecar-injector + - name: config-volume + configMap: + name: istio +--- +# Source: istio-discovery/templates/autoscale.yaml +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: ANY # inbound, outbound, and gateway + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: http stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.8 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: http stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/mutatingwebhook.yaml +# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchLabels: + istio-injection: enabled diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml new file mode 100644 index 00000000..10dfbbe3 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml @@ -0,0 +1,463 @@ +template: | + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + podRedirectAnnot: + {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml b/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml new file mode 100644 index 00000000..7f9bbc39 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio.yaml diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml new file mode 100644 index 00000000..b8b14ad0 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + maxReplicas: {{ .Values.pilot.autoscaleMax }} + minReplicas: {{ .Values.pilot.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml new file mode 100644 index 00000000..7b719ac7 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pilot.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +data: + extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml new file mode 100644 index 00000000..17174f19 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml @@ -0,0 +1,92 @@ + +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- else if .Values.global.trustDomain }} + meshId: {{ .Values.global.trustDomain }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} + {{ toYaml $.Values.meshConfig.defaultConfig.tracing }} + {{- end }} + + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml new file mode 100644 index 00000000..ba586deb --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml @@ -0,0 +1,245 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} +{{- range $key, $val := .Values.pilot.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.pilot.autoscaleEnabled }} +{{- if .Values.pilot.replicaCount }} + replicas: {{ .Values.pilot.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.pilot.rollingMaxSurge }} + maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision ""}} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + {{- if eq .Values.revision ""}} + istio: pilot + {{- else }} + istio: istiod + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + {{- end }} + sidecar.istio.io/inject: "false" + {{- if .Values.pilot.podAnnotations }} +{{ toYaml .Values.pilot.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: istiod-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + securityContext: + fsGroup: 1337 + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + containers: + - name: discovery +{{- if contains "/" .Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.pilot.plugins }} + - --plugins={{ .Values.pilot.plugins }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15053 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := .Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" +{{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" +{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }} + - name: INJECTION_WEBHOOK_CONFIG_NAME + {{- if eq .Release.Namespace "istio-system" }} + value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- else }} + value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + {{- end }} +{{- end }} + - name: ISTIOD_ADDR + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: EXTERNAL_ISTIOD + value: "{{ $.Values.global.externalIstiod | default "false" }}" + - name: CENTRAL_ISTIOD + value: "{{ $.Values.global.centralIstiod | default "false" }}" +{{- if .Values.telemetry.v2.enabled }} + - name: PILOT_ENDPOINT_TELEMETRY_LABEL + value: "true" +{{- end }} + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + {{- end }} + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + - name: inject + mountPath: /var/lib/istio/inject + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional - image should have + - name: inject + configMap: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} +--- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml new file mode 100644 index 00000000..8e660e9a --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml @@ -0,0 +1,35 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": "{{ $val }}" + {{- end }} + +{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }} + +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml new file mode 100644 index 00000000..ca11b4f8 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml @@ -0,0 +1,85 @@ +# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{ else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} + matchExpressions: + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} + - key: istio-injection + operator: NotIn + values: + - disabled + - key: istio-env + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- else if .Values.revision }} + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: In + values: + - {{ .Values.revision }} +{{- else }} + matchLabels: + istio-injection: enabled +{{- end }} +{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }} + objectSelector: +{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }} + matchExpressions: + - key: "sidecar.istio.io/inject" + operator: NotIn + values: + - "false" +{{- else if .Values.revision }} + matchExpressions: + - key: "sidecar.istio.io/inject" + operator: DoesNotExist + - key: istio.io/rev + operator: In + values: + - {{ .Values.revision }} +{{- else }} + matchLabels: + "sidecar.istio.io/inject": "true" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..fef641af --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision ""}} + istio.io/rev: {{ .Values.revision }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml new file mode 100644 index 00000000..1fe1b5a0 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision ""}} + istio.io/rev: {{ .Values.revision }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} +--- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml new file mode 100644 index 00000000..f8783216 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml @@ -0,0 +1,792 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "downstream_peer.cluster_id", + "destination_cluster": "node.metadata['CLUSTER_ID']" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }}, + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "downstream_peer.cluster_id", + "destination_cluster": "node.metadata['CLUSTER_ID']" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- + +{{- end }} + +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml new file mode 100644 index 00000000..ac59dbdb --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml @@ -0,0 +1,485 @@ +#.Values.pilot for discovery and mesh wide config + +## Discovery Settings +pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + env: {} + + cpu: + targetAverageUtilization: 80 + + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + + nodeSelector: {} + podAnnotations: {} + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + + plugins: [] + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + +sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector. + # It is disabled by default since this function will only work after k8s v1.15. + objectSelector: + enabled: false + autoInject: true + + rewriteAppHTTPProbe: true +istiodRemote: + # Sidecar injector mutating webhook configuration url + # For example: https://$remotePilotAddress:15017/inject + injectionURL: "" +telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + metadataExchange: + # Indicates whether to enable WebAssembly runtime for metadata exchange filter. + wasmEnabled: false + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # Indicates whether to enable WebAssembly runtime for stats filter. + wasmEnabled: false + # overrides stats EnvoyFilter configuration. + configOverride: + gateway: {} + inboundSidecar: {} + outboundSidecar: {} + # stackdriver filter settings. + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false + disableOutbound: false + # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. + + configOverride: {} + # e.g. + # enable_mesh_edges_reporting: true + # disable_server_access_logging: false + # meshEdgesReportingDuration: 500s + # disable_host_header_fallback: true + # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. + accessLogPolicy: + enabled: false + # To reduce the number of successful logs, default log window duration is + # set to 12 hours. + logWindowDuration: "43200s" +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + + # Config for the default ProxyConfig. + # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. + defaultConfig: + proxyMetadata: + # If empty, agent will not start :15013 DNS listener and will not attempt + # to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in + # istiod and the dns-over-tls listener. + # DNS_AGENT: DNS-TLS + DNS_AGENT: "" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: "istio-system" + + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. + + # What we may configure in mesh config is the ".global" - and use of other suffixes. + # No hurry to do this in 1.6, we're trying to prove the code. + +global: + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Used to locate istiod. + istioNamespace: istio-system + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-testing + # Default tag for Istio images. + tag: latest + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # External istiod controls all remote clusters: disabled by default + externalIstiod: false + # Central istiod controls all remote clusters: disabled by default + centralIstiod: false + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + + # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. + useMCP: false + + # Deprecated, use meshConfig.trustDomain + trustDomain: "" diff --git a/charts/kubezero-istio/charts/istio-operator/Chart.yaml b/charts/kubezero-istio/charts/istio-operator/Chart.yaml deleted file mode 100644 index 807caae8..00000000 --- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -name: istio-operator -version: 1.7.0 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio operator -keywords: - - istio - - operator -sources: - - https://github.com/istio/istio/tree/master/operator -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml deleted file mode 100644 index 05fb86a6..00000000 --- a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml +++ /dev/null @@ -1,74 +0,0 @@ -# SYNC WITH manifests/charts/base/files -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - type: string - name: Status - - jsonPath: .metadata.creationTimestamp - description: - "CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - spec: - description: - "Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: - "Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- - diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml deleted file mode 100644 index bdbd5bda..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ /dev/null @@ -1,108 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -rules: -# istio groups -- apiGroups: - - authentication.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - config.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - install.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - security.istio.io - resources: - - '*' - verbs: - - '*' -# k8s groups -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions.apiextensions.k8s.io - - customresourcedefinitions - verbs: - - '*' -- apiGroups: - - apps - - extensions - resources: - - daemonsets - - deployments - - deployments/finalizers - - ingresses - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - update -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - roles - - rolebindings - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - pods - - persistentvolumeclaims - - secrets - - services - - serviceaccounts - verbs: - - '*' ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml deleted file mode 100644 index 9b9df7da..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -subjects: -- kind: ServiceAccount - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{.Values.operatorNamespace}} -roleRef: - kind: ClusterRole - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - apiGroup: rbac.authorization.k8s.io ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml deleted file mode 100644 index a3703650..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.enableCRDTemplates -}} -{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} ---- -{{ $.Files.Get $path }} -{{- end -}} -{{- end -}} diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml deleted file mode 100644 index 73b5d663..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml +++ /dev/null @@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: {{.Values.operatorNamespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - replicas: 1 - selector: - matchLabels: - name: istio-operator - template: - metadata: - labels: - name: istio-operator - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - nodeSelector: - kubernetes.io/os: linux - node-role.kubernetes.io/master: "" - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} - command: - - operator - - server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.operator.resources | trim | indent 12 }} - env: - - name: WATCH_NAMESPACE - value: {{.Values.watchedNamespaces | quote}} - - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace | quote}} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{.Values.operatorNamespace | quote}} - - name: WAIT_FOR_RESOURCES_TIMEOUT - value: {{.Values.waitForResourcesTimeout | quote}} - - name: REVISION - value: {{.Values.revision | quote}} ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml b/charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml deleted file mode 100644 index 31dc5aae..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{.Values.operatorNamespace}} - labels: - istio-operator-managed: Reconcile - istio-injection: disabled ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml deleted file mode 100644 index e7967a72..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: {{.Values.operatorNamespace}} - labels: - name: istio-operator - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - ports: - - name: http-metrics - port: 8383 - targetPort: 8383 - selector: - name: istio-operator ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml deleted file mode 100644 index cb708eee..00000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{.Values.operatorNamespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} ---- diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml deleted file mode 100644 index 45c5c968..00000000 --- a/charts/kubezero-istio/charts/istio-operator/values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -hub: gcr.io/istio-testing -tag: latest - -operatorNamespace: istio-operator - -# Used to replace istioNamespace to support operator watch multiple namespaces. -watchedNamespaces: istio-system -waitForResourcesTimeout: 300s - -# Used for helm2 to add the CRDs to templates. -enableCRDTemplates: false - -# revision for the operator resources -revision: "" - -# Operator resource defaults -operator: - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 128Mi - diff --git a/charts/kubezero-istio/ingress-terminationgraceperiod.patch b/charts/kubezero-istio/ingress-terminationgraceperiod.patch new file mode 100644 index 00000000..0d3e465b --- /dev/null +++ b/charts/kubezero-istio/ingress-terminationgraceperiod.patch @@ -0,0 +1,12 @@ +diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +index b69da65..b5137a4 100644 +--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml ++++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +@@ -63,6 +63,7 @@ spec: + {{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" + {{- end }} ++ terminationGracePeriodSeconds: 90 + {{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump diff --git a/charts/kubezero-istio/istio-discovery.patch b/charts/kubezero-istio/istio-discovery.patch new file mode 100644 index 00000000..9a1940c1 --- /dev/null +++ b/charts/kubezero-istio/istio-discovery.patch @@ -0,0 +1,16 @@ +diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +index e4a983a..ba586de 100644 +--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml ++++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +@@ -59,6 +59,11 @@ spec: + {{- end }} + securityContext: + fsGroup: 1337 ++ nodeSelector: ++ node-role.kubernetes.io/master: "" ++ tolerations: ++ - effect: NoSchedule ++ key: node-role.kubernetes.io/master + containers: + - name: discovery + {{- if contains "/" .Values.pilot.image }} diff --git a/charts/kubezero-istio/istio-operator.patch b/charts/kubezero-istio/istio-operator.patch deleted file mode 100644 index bf364361..00000000 --- a/charts/kubezero-istio/istio-operator.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100 -+++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100 -@@ -14,6 +14,12 @@ - name: istio-operator - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -+ nodeSelector: -+ kubernetes.io/os: linux -+ node-role.kubernetes.io/master: "" -+ tolerations: -+ - key: node-role.kubernetes.io/master -+ effect: NoSchedule - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} diff --git a/charts/kubezero-istio/templates/ingress-certificate.yaml b/charts/kubezero-istio/templates/ingress-certificate.yaml deleted file mode 100644 index eab9e8c8..00000000 --- a/charts/kubezero-istio/templates/ingress-certificate.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.ingress.dnsNames }} -apiVersion: cert-manager.io/v1alpha2 -kind: Certificate -metadata: - name: public-ingress-cert - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - secretName: public-ingress-cert - issuerRef: - name: letsencrypt-dns-prod - kind: ClusterIssuer - dnsNames: -{{ toYaml .Values.ingress.dnsNames | indent 4 }} -{{- end }} diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml deleted file mode 100644 index 64e4f027..00000000 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ /dev/null @@ -1,6892 +0,0 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: attributemanifests.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: attributemanifest - listKind: attributemanifestList - plural: attributemanifests - singular: attributemanifest - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - attributes: - additionalProperties: - properties: - description: - description: A human-readable description of the attribute's - purpose. - format: string - type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP - type: string - type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. - type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. - format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - type: string - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to SIDECAR_INBOUND context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-handler - package: handler - release: istio - name: handlers.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: handler - listKind: handlerList - plural: handlers - singular: handler - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Handler allows the operator to configure a specific adapter - implementation. - properties: - adapter: - description: The name of a specific adapter implementation. - format: string - type: string - compiledAdapter: - description: The name of the compiled in adapter this handler instantiates. - format: string - type: string - connection: - description: Information on how to connect to the out-of-process adapter. - properties: - address: - description: The address of the backend. - format: string - type: string - authentication: - description: Auth config for the connection to the backend. - oneOf: - - not: - anyOf: - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - properties: - mutual: - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: The path to the file holding client certificate - for mutual TLS. - format: string - type: string - privateKey: - description: The path to the file holding the private - key for mutual TLS. - format: string - type: string - serverName: - description: Used to configure mixer mutual TLS client - to supply server name for SNI. - format: string - type: string - type: object - tls: - properties: - authHeader: - description: Access token is passed as authorization header. - enum: - - PLAIN - - BEARER - type: string - caCertificates: - format: string - type: string - customHeader: - description: Customized header key to hold access token, - e.g. - format: string - type: string - oauth: - description: Oauth config to fetch access token from auth - provider. - properties: - clientId: - description: OAuth client id for mixer. - format: string - type: string - clientSecret: - description: The path to the file holding the client - secret for oauth. - format: string - type: string - endpointParams: - additionalProperties: - format: string - type: string - description: Additional parameters for requests to - the token endpoint. - type: object - scopes: - description: List of requested permissions. - items: - format: string - type: string - type: array - tokenUrl: - description: The Resource server's token endpoint - URL. - format: string - type: string - type: object - serverName: - format: string - type: string - tokenPath: - format: string - type: string - type: object - type: object - timeout: - description: Timeout for remote calls to the backend. - type: string - type: object - name: - description: Must be unique in the entire Mixer configuration. - format: string - type: string - params: - description: Depends on adapter implementation. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - listKind: HTTPAPISpecBindingList - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - listKind: HTTPAPISpecList - plural: httpapispecs - singular: httpapispec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. - items: - oneOf: - - not: - anyOf: - - required: - - uriTemplate - - required: - - regex - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-instance - package: instance - release: istio - name: instances.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: instance - listKind: instanceList - plural: instances - singular: instance - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: An Instance tells Mixer how to create instances for particular - template. - properties: - attributeBindings: - additionalProperties: - format: string - type: string - type: object - compiledTemplate: - description: The name of the compiled in template this instance creates - instances for. - format: string - type: string - name: - format: string - type: string - params: - description: Depends on referenced template. - type: object - x-kubernetes-preserve-unknown-fields: true - template: - description: The name of the template this instance creates instances - for. - format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - listKind: QuotaSpecBindingList - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - listKind: QuotaSpecList - plural: quotaspecs - singular: quotaspec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. - items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - listKind: ruleList - plural: rules - singular: rule - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. - format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the - unsampled limit has been reached. - format: int64 - type: integer - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod-service-account - namespace: istio-system - labels: - app: istiod - release: istio ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - - security.istio.io - - authentication.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml deleted file mode 100644 index 68209009..00000000 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ /dev/null @@ -1,130 +0,0 @@ -{{- if .Values.ingress.private.enabled }} -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: kubezero-istio-private-ingress - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - profile: empty - components: - ingressGateways: - - name: istio-private-ingressgateway - enabled: true - namespace: istio-system - k8s: - replicaCount: {{ .Values.ingress.replicaCount }} - {{- if .Values.ingress.autoscaleEnabled }} - hpaSpec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-private-ingressgateway - {{- end }} - env: - {{- if .Values.ingress.private.http10 }} - - name: ISTIO_META_HTTP10 - value: '"1"' - {{- end }} - # https://github.com/istio/istio/issues/26524, not in 1.7 either - #- name: TERMINATION_DRAIN_DURATION_SECONDS - # value: "60" - #- name: ISTIO_META_IDLE_TIMEOUT - # value: "3600s" - {{- if eq .Values.ingress.type "NodePort" }} - nodeSelector: - node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}" - {{- end }} - resources: - limits: - # cpu: 2000m - memory: 256Mi - requests: - cpu: 100m - memory: 64Mi - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-private-ingressgateway - patches: - - path: spec.template.spec.containers.[name:istio-proxy].lifecycle - value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}} - - path: spec.template.spec.terminationGracePeriodSeconds - value: 90 - - meshConfig: - accessLogFile: /dev/stdout - accessLogEncoding: 'JSON' - h2UpgradePolicy: 'DO_NOT_UPGRADE' - tcpKeepalive: - interval: 30s - time: 60s - - values: - gateways: - istio-ingressgateway: - autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }} - externalTrafficPolicy: Local - labels: - app: istio-private-ingressgateway - istio: private-ingressgateway - meshExpansionPorts: [] - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-private-ingressgateway - type: {{ default "NodePort" .Values.ingress.type }} - ports: - - name: http-status - port: 15021 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31021 - {{- end }} - - name: http2 - port: 80 - targetPort: 8080 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31080 - {{- end }} - - name: https - port: 443 - targetPort: 8443 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31443 - {{- end }} - - name: fluentd-forward - port: 24224 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31224 - {{- end }} - - name: amqps - port: 5671 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31671 - {{- end }} - - name: amqp - port: 5672 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31672 - {{- end }} - - global: - jwtPolicy: first-party-jwt - logAsJson: true - defaultPodDisruptionBudget: - enabled: false - -{{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml deleted file mode 100644 index c01c9e57..00000000 --- a/charts/kubezero-istio/templates/istio.yaml +++ /dev/null @@ -1,146 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: kubezero-istio - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - profile: empty - components: - ingressGateways: - - enabled: true - k8s: - replicaCount: {{ .Values.ingress.replicaCount }} - {{- if .Values.ingress.autoscaleEnabled }} - hpaSpec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - {{- end }} - env: - {{- if .Values.ingress.http10 }} - - name: ISTIO_META_HTTP10 - value: '"1"' - {{- end }} - # https://github.com/istio/istio/issues/26524, not in 1.7 ! - #- name: TERMINATION_DRAIN_DURATION_SECONDS - # value: "60" - #- name: ISTIO_META_IDLE_TIMEOUT - # value: "3600s" - {{- if eq .Values.ingress.type "NodePort" }} - nodeSelector: - node.kubernetes.io/ingress.public: "30080_30443" - {{- end }} - resources: - limits: - #cpu: 2000m - memory: 256Mi - requests: - cpu: 100m - memory: 64Mi - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - patches: - - path: spec.template.spec.containers.[name:istio-proxy].lifecycle - value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}} - - path: spec.template.spec.terminationGracePeriodSeconds - value: 90 - - name: istio-ingressgateway - pilot: - enabled: true - k8s: - replicaCount: {{ .Values.istiod.replicaCount }} - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - resources: - requests: - cpu: 100m - memory: 128Mi - env: - - name: PILOT_ENABLE_MYSQL_FILTER - value: "true" - - name: PILOT_ENABLE_REDIS_FILTER - value: "true" - - name: PILOT_HTTP10 - value: "true" - policy: - enabled: true - k8s: - replicaCount: {{ .Values.istiod.replicaCount }} - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - telemetry: - enabled: false - meshConfig: - accessLogFile: /dev/stdout - accessLogEncoding: 'JSON' - h2UpgradePolicy: 'DO_NOT_UPGRADE' - tcpKeepalive: - interval: 30s - time: 60s - values: - gateways: - istio-ingressgateway: - autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }} - externalTrafficPolicy: Local - labels: - app: istio-ingressgateway - istio: ingressgateway - meshExpansionPorts: [] - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-ingressgateway - type: {{ default "NodePort" .Values.ingress.type }} - ports: - - name: http-status - port: 15021 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30021 - {{- end }} - - name: http2 - port: 80 - targetPort: 8080 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30080 - {{- end }} - - name: https - port: 443 - targetPort: 8443 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30443 - {{- end }} - global: - jwtPolicy: first-party-jwt - logAsJson: true - defaultPodDisruptionBudget: - enabled: false - pilot: - autoscaleEnabled: false - mixer: - policy: - autoscaleEnabled: false diff --git a/charts/kubezero-istio/templates/namespace.yaml b/charts/kubezero-istio/templates/namespace.yaml deleted file mode 100644 index 92cf7fef..00000000 --- a/charts/kubezero-istio/templates/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system - labels: - istio-injection: disabled -{{ include "kubezero-lib.labels" . | indent 4 }} diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 3e1f876e..39938330 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -export ISTIO_VERSION=1.7.3 +export ISTIO_VERSION=1.8.1 if [ ! -d istio-$ISTIO_VERSION ]; then NAME="istio-$ISTIO_VERSION" @@ -10,17 +10,28 @@ if [ ! -d istio-$ISTIO_VERSION ]; then curl -sL "$URL" | tar xz fi -# Now lets extract what we need -rm -rf charts/istio-operator -cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts +# Extract control plane charts +rm -rf charts/base charts/istio-* +cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/ +cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/ -# Apply our patch -patch -i istio-operator.patch -p0 +# Patch for istiod to control plane +patch -p3 -i istio-discovery.patch -[ -x istioctl ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } +# remove unused old telemetry filters +rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml -# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs -./istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml +# Ingress charts +rm -rf ../kubezero-istio-ingress/charts/istio-* +cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/ +cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress -# Remove double CRD -patch -i istio-base.patch -p3 +# Rename private chart +sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml + +# Patch for ingress for extended termination grace period +patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml + +# Get matching istioctl +[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 79fec8b6..2b58c922 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,17 +1,43 @@ -istiod: - autoscaleEnabled: false - replicaCount: 1 - -ingress: - autoscaleEnabled: false - replicaCount: 2 - type: NodePort - private: - enabled: true - nodeSelector: "31080_31443_31671_31672_31224" - dnsNames: - - "*" - -istio-operator: +global: hub: docker.io/istio - tag: 1.7.3 + tag: 1.8.0 + + logAsJson: true + jwtPolicy: first-party-jwt + + defaultPodDisruptionBudget: + enabled: false + + priorityClassName: "system-cluster-critical" + +istio-discovery: + pilot: + autoscaleEnabled: false + replicaCount: 1 + + # Not implemented, monkey patched in the chart itself + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + + resources: + requests: + cpu: 100m + memory: 128Mi +# env: +# PILOT_ENABLE_MYSQL_FILTER: true +# PILOT_ENABLE_REDIS_FILTER: true +# PILOT_HTTP10: true + + telemetry: + enabled: false + + meshConfig: + accessLogFile: /dev/stdout + accessLogEncoding: 'JSON' + h2UpgradePolicy: 'DO_NOT_UPGRADE' + tcpKeepalive: + interval: 30s + time: 60s diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index ba2ddfcb..8503fc58 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.2.11 +version: 0.2.12 appVersion: 3.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kiam - version: 5.8.1 + version: 5.9.0 repository: https://uswitch.github.io/kiam-helm-charts/charts/ condition: kiam.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index 8366b57d..a71327a9 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md @@ -1,6 +1,6 @@ # kubezero-kiam -![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) +![Version: 0.2.12](https://img.shields.io/badge/Version-0.2.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) KubeZero Umbrella Chart for Kiam @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 | +| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.9.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration @@ -47,8 +47,8 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.gatewayTimeoutCreation | string | `"5s"` | | | kiam.agent.host.interface | string | `"cali+"` | | | kiam.agent.host.iptables | bool | `false` | | -| kiam.agent.image.tag | string | `"v3.6"` | | -| kiam.agent.log.level | string | `"warn"` | | +| kiam.agent.log.level | string | `"info"` | | +| kiam.agent.priorityClassName | string | `"system-node-critical"` | | | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | | @@ -69,9 +69,9 @@ By default all access to the meta-data service is blocked, expect for: | kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role | | kiam.server.deployment.enabled | bool | `true` | | | kiam.server.deployment.replicas | int | `1` | | -| kiam.server.image.tag | string | `"v3.6"` | | -| kiam.server.log.level | string | `"warn"` | | +| kiam.server.log.level | string | `"info"` | | | kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| kiam.server.priorityClassName | string | `"system-cluster-critical"` | | | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | | diff --git a/charts/kubezero-kiam/templates/certificates.yaml b/charts/kubezero-kiam/templates/certificates.yaml index c2a9775f..9d4b21cf 100644 --- a/charts/kubezero-kiam/templates/certificates.yaml +++ b/charts/kubezero-kiam/templates/certificates.yaml @@ -1,28 +1,32 @@ -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-agent + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-agent-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: - "kiam-agent" --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-server + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-server-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index d09c24bc..3c5b38df 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -3,8 +3,6 @@ annotateKubeSystemNameSpace: false kiam: enabled: true server: - image: - tag: "v3.6" # kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role assumeRoleArn: '' useHostNetwork: true @@ -33,6 +31,7 @@ kiam: effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + priorityClassName: system-cluster-critical prometheus: servicemonitor: enabled: false @@ -40,11 +39,9 @@ kiam: labels: release: metrics log: - level: warn + level: info agent: - image: - tag: "v3.6" gatewayTimeoutCreation: "5s" updateStrategy: RollingUpdate # IP tables set on each node at boot, see CloudBender @@ -68,6 +65,7 @@ kiam: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + priorityClassName: system-node-critical prometheus: servicemonitor: enabled: false @@ -75,7 +73,7 @@ kiam: labels: release: metrics log: - level: warn + level: info # extraEnv: # - name: GRPC_GO_LOG_SEVERITY_LEVEL # value: "info" diff --git a/charts/kubezero-local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/Chart.yaml new file mode 100644 index 00000000..4a327181 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: kubezero-local-path-provisioner +description: KubeZero Umbrella Chart for local-path-provisioner +type: application +version: 0.1.0 +appVersion: 0.0.18 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - local-path-provisioner +maintainers: + - name: Quarky9 +dependencies: + - name: kubezero-lib + version: ">= 0.1.3" + repository: https://zero-down-time.github.io/kubezero/ +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/README.md new file mode 100644 index 00000000..c69fb7ff --- /dev/null +++ b/charts/kubezero-local-path-provisioner/README.md @@ -0,0 +1,44 @@ +# kubezero-local-path-provisioner + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.18](https://img.shields.io/badge/AppVersion-0.0.18-informational?style=flat-square) + +KubeZero Umbrella Chart for local-path-provisioner + +Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.16.0` + +| Repository | Name | Version | +|------------|------|---------| +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| local-path-provisioner.nodePathMap[0].node | string | `"DEFAULT_PATH_FOR_NON_LISTED_NODES"` | | +| local-path-provisioner.nodePathMap[0].paths[0] | string | `"/opt/local-path-provisioner"` | | +| local-path-provisioner.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| local-path-provisioner.storageClass.create | bool | `true` | | +| local-path-provisioner.storageClass.defaultClass | bool | `false` | | +| local-path-provisioner.tolerations[0].effect | string | `"NoSchedule"` | | +| local-path-provisioner.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | + +## KubeZero default configuration + +- add nodeSelector to only install on nodes actually having ephemeral local storage +- provide matching storage class to expose mounted disks under `/mnt/disks` + +## Resources + +- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/README.md.gotmpl b/charts/kubezero-local-path-provisioner/README.md.gotmpl new file mode 100644 index 00000000..7eecd10b --- /dev/null +++ b/charts/kubezero-local-path-provisioner/README.md.gotmpl @@ -0,0 +1,27 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +## KubeZero default configuration + +- add nodeSelector to only install on nodes actually having ephemeral local storage +- provide matching storage class to expose mounted disks under `/mnt/disks` + +## Resources + +- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml new file mode 100644 index 00000000..59f96aa9 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +description: Use HostPath for persistent local storage with Kubernetes +name: local-path-provisioner +version: 0.0.18 +appVersion: "v0.0.18" +keywords: + - storage + - hostpath +kubeVersion: ">=1.12.0-r0" +home: https://github.com/rancher/local-path-provisioner +sources: + - https://github.com/rancher/local-path-provisioner.git diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md new file mode 100644 index 00000000..03235f01 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md @@ -0,0 +1,116 @@ +# Local Path Provisioner + +[Local Path Provisioner](https://github.com/rancher/local-path-provisioner) provides a way for the Kubernetes users to +utilize the local storage in each node. Based on the user configuration, the Local Path Provisioner will create +`hostPath` based persistent volume on the node automatically. It utilizes the features introduced by Kubernetes [Local +Persistent Volume feature](https://kubernetes.io/blog/2018/04/13/local-persistent-volumes-beta/), but make it a simpler +solution than the built-in `local` volume feature in Kubernetes. + +## TL;DR; + +```console +$ git clone https://github.com/rancher/local-path-provisioner.git +$ cd local-path-provisioner +$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ +``` + +## Introduction + +This chart bootstraps a [Local Path Provisioner](https://github.com/rancher/local-path-provisioner) deployment on a +[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.12+ with Beta APIs enabled + +## Installing the Chart + +To install the chart with the release name `local-path-storage`: + +```console +$ git clone https://github.com/rancher/local-path-provisioner.git +$ cd local-path-provisioner +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage +``` + +The command deploys Local Path Provisioner on the Kubernetes cluster in the default configuration. The +[configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `local-path-storage` deployment: + +```console +$ helm delete --purge local-path-storage +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the Local Path Provisioner for Kubernetes chart and their +default values. + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `image.repository` | Local Path Provisioner image name | `rancher/local-path-provisioner` | +| `image.tag` | Local Path Provisioner image tag | `v0.0.18` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `storageClass.create` | If true, create a `StorageClass` | `true` | +| `storageClass.provisionerName` | The provisioner name for the storage class | `nil` | +| `storageClass.defaultClass` | If true, set the created `StorageClass` as the cluster's default `StorageClass` | `false` | +| `storageClass.name` | The name to assign the created StorageClass | local-path | +| `storageClass.reclaimPolicy` | ReclaimPolicy field of the class | Delete | +| `nodePathMap` | Configuration of where to store the data on each node | `[{node: DEFAULT_PATH_FOR_NON_LISTED_NODES, paths: [/opt/local-path-provisioner]}]` | +| `resources` | Local Path Provisioner resource requests & limits | `{}` | +| `rbac.create` | If true, create & use RBAC resources | `true` | +| `serviceAccount.create` | If true, create the Local Path Provisioner service account | `true` | +| `serviceAccount.name` | Name of the Local Path Provisioner service account to use or create | `nil` | +| `nodeSelector` | Node labels for Local Path Provisioner pod assignment | `{}` | +| `tolerations` | Node taints to tolerate | `[]` | +| `affinity` | Pod affinity | `{}` | +| `configmap.setup` | Configuration of script to execute setup operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
mkdir -m 0777 -p ${absolutePath} | +| `configmap.teardown` | Configuration of script to execute teardown operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
rm -rf ${absolutePath} | +| `configmap.name` | configmap name | `local-path-config` | +| `configmap.helperPod` | helper pod yaml file | apiVersion: v1
kind: Pod
metadata:
 name: helper-pod
spec:
 containers:
 - name: helper-pod
  image: busybox | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set storageClass.provisionerName=rancher.io/local-path +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the +chart. For example, + +```console +$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## RBAC + +By default the chart will install the recommended RBAC roles and rolebindings. + +You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable +[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/). + +To determine if your cluster supports RBAC, run the following command: + +```console +$ kubectl api-versions | grep rbac +``` + +If the output contains "beta", you may install the chart with RBAC enabled (see below). + +### Enable RBAC role/rolebinding creation + +To enable the creation of RBAC resources (On clusters with RBAC). Do the following: + +```console +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set rbac.create=true +``` diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt new file mode 100644 index 00000000..25370acc --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt @@ -0,0 +1,13 @@ +You can create a hostpath-backed persistent volume with a persistent volume claim like this: + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: local-path-pvc +spec: + accessModes: + - ReadWriteOnce + storageClassName: {{ .Values.storageClass.name }} + resources: + requests: + storage: 2Gi diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl new file mode 100644 index 00000000..cd58f3dd --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl @@ -0,0 +1,71 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "local-path-provisioner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "local-path-provisioner.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "local-path-provisioner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "local-path-provisioner.labels" -}} +app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} +helm.sh/chart: {{ include "local-path-provisioner.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use. +*/}} +{{- define "local-path-provisioner.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "local-path-provisioner.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the provisioner to use. +*/}} +{{- define "local-path-provisioner.provisionerName" -}} +{{- if .Values.storageClass.provisionerName -}} +{{- printf .Values.storageClass.provisionerName -}} +{{- else -}} +cluster.local/{{ template "local-path-provisioner.fullname" . -}} +{{- end -}} +{{- end -}} + +{{- define "local-path-provisioner.secret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml new file mode 100644 index 00000000..a9fd1c67 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +rules: +- apiGroups: [""] + resources: ["nodes", "persistentvolumeclaims", "configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "persistentvolumes", "pods"] + verbs: ["*"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..9a46a7b6 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "local-path-provisioner.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "local-path-provisioner.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml new file mode 100644 index 00000000..b0250538 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.configmap.name }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +data: + config.json: |- + { + "nodePathMap": {{ .Values.nodePathMap | toPrettyJson | nindent 8 }} + } + setup: |- + {{ .Values.configmap.setup | nindent 4 }} + teardown: |- + {{ .Values.configmap.teardown | nindent 4 }} + helperPod.yaml: |- + {{ .Values.configmap.helperPod | nindent 4 }} + diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml new file mode 100644 index 00000000..ad42ae01 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml @@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "local-path-provisioner.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.privateRegistry.registryUrl }} + image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - local-path-provisioner + - --debug + - start + - --config + - /etc/config/config.json + - --service-account-name + - {{ template "local-path-provisioner.serviceAccountName" . }} + - --provisioner-name + - {{ template "local-path-provisioner.provisionerName" . }} + - --helper-image + {{- if .Values.privateRegistry.registryUrl }} + - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" + {{- else }} + - "{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" + {{- end }} + - --configmap-name + - {{ .Values.configmap.name }} + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + value: {{ .Release.Namespace }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: config-volume + configMap: + name: {{ .Values.configmap.name }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml new file mode 100644 index 00000000..eb33897c --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml @@ -0,0 +1,9 @@ +{{- if .Values.defaultSettings.registrySecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.defaultSettings.registrySecret }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "local-path-provisioner.secret" . }} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml new file mode 100644 index 00000000..aed111e6 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "local-path-provisioner.serviceAccountName" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +{{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if .Values.defaultSettings.registrySecret }} + - name: {{ .Values.defaultSettings.registrySecret }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml new file mode 100644 index 00000000..c451b827 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml @@ -0,0 +1,15 @@ +{{ if .Values.storageClass.create -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ .Values.storageClass.name }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +{{- if .Values.storageClass.defaultClass }} + annotations: + storageclass.kubernetes.io/is-default-class: "true" +{{- end }} +provisioner: {{ template "local-path-provisioner.provisionerName" . }} +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: {{ .Values.storageClass.reclaimPolicy }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml new file mode 100644 index 00000000..a19bcd22 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml @@ -0,0 +1,144 @@ +# Default values for local-path-provisioner. + +replicaCount: 1 + +image: + repository: rancher/local-path-provisioner + tag: v0.0.18 + pullPolicy: IfNotPresent + +helperImage: + repository: busybox + tag: latest + +defaultSettings: + registrySecret: ~ + +privateRegistry: + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +## For creating the StorageClass automatically: +storageClass: + create: true + + ## Set a provisioner name. If unset, a name will be generated. + # provisionerName: rancher.io/local-path + + ## Set StorageClass as the default StorageClass + ## Ignored if storageClass.create is false + defaultClass: false + + ## Set a StorageClass name + ## Ignored if storageClass.create is false + name: local-path + + ## ReclaimPolicy field of the class, which can be either Delete or Retain + reclaimPolicy: Delete + +# nodePathMap is the place user can customize where to store the data on each node. +# 1. If one node is not listed on the nodePathMap, and Kubernetes wants to create volume on it, the paths specified in +# DEFAULT_PATH_FOR_NON_LISTED_NODES will be used for provisioning. +# 2. If one node is listed on the nodePathMap, the specified paths will be used for provisioning. +# 1. If one node is listed but with paths set to [], the provisioner will refuse to provision on this node. +# 2. If more than one path was specified, the path would be chosen randomly when provisioning. +# +# The configuration must obey following rules: +# 1. A path must start with /, a.k.a an absolute path. +# 2. Root directory (/) is prohibited. +# 3. No duplicate paths allowed for one node. +# 4. No duplicate node allowed. +nodePathMap: + - node: DEFAULT_PATH_FOR_NON_LISTED_NODES + paths: + - /opt/local-path-provisioner + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +rbac: + # Specifies whether RBAC resources should be created + create: true + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +configmap: + # specify the config map name + name: local-path-config + # specify the custom script for setup and teardown + setup: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + mkdir -m 0777 -p ${absolutePath} + teardown: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + rm -rf ${absolutePath} + # specify the custom helper pod yaml + helperPod: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: busybox + + + + + diff --git a/charts/kubezero-local-path-provisioner/update.sh b/charts/kubezero-local-path-provisioner/update.sh new file mode 100755 index 00000000..78e944f6 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/update.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# get subchart until they have upstream repo +rm -rf charts/local-path-provisioner && mkdir -p charts/local-path-provisioner + +git clone --depth=1 https://github.com/rancher/local-path-provisioner.git +cp -r local-path-provisioner/deploy/chart/* charts/local-path-provisioner +rm -rf local-path-provisioner diff --git a/charts/kubezero-local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/values.yaml new file mode 100644 index 00000000..2add882f --- /dev/null +++ b/charts/kubezero-local-path-provisioner/values.yaml @@ -0,0 +1,16 @@ +local-path-provisioner: + storageClass: + create: true + defaultClass: false + + nodePathMap: + - node: DEFAULT_PATH_FOR_NON_LISTED_NODES + paths: + - /opt/local-path-provisioner + + nodeSelector: + node-role.kubernetes.io/master: "" + + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index a9431a99..3776ccdd 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.4.1 -appVersion: 1.2.1 +version: 0.5.2 +appVersion: 1.3.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -18,13 +18,14 @@ dependencies: - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ + - name: eck-operator + version: 1.3.1 + repository: https://helm.elastic.co + condition: eck-operator.enabled - name: fluentd - version: 2.5.1 - repository: https://kubernetes-charts.storage.googleapis.com/ + version: 2.5.3 condition: fluentd.enabled - name: fluent-bit - version: 0.7.2 - repository: https://zero-down-time.github.io/kubezero/ - # repository: https://fluent.github.io/helm-charts + version: 0.7.14 condition: fluent-bit.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index ae34a20f..9f47d631 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 0.5.1](https://img.shields.io/badge/Version-0.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack @@ -18,8 +18,8 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| +| https://helm.elastic.co | eck-operator | 1.3.1 | | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 | -| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream @@ -56,20 +56,25 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| eck-operator.enabled | bool | `false` | | +| eck-operator.installCRDs | bool | `false` | | +| eck-operator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | +| eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | elastic_password | string | `""` | | | es.nodeSets | list | `[]` | | | es.prometheus | bool | `false` | | | es.s3Snapshot.enabled | bool | `false` | | | es.s3Snapshot.iamrole | string | `""` | | -| fluent-bit.config.customParsers | string | `"[PARSER]\n Name cri-log\n Format regex\n Regex ^(?