diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index 15b38893..76d0a004 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.1.2 -appVersion: 1.8.2 +version: 0.5.0 +appVersion: 1.9.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,9 +16,9 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-ingress - version: 1.1.0 + version: 1.9.0 condition: istio-ingress.enabled - name: istio-private-ingress - version: 1.1.0 + version: 1.9.0 condition: istio-private-ingress.enabled -kubeVersion: ">= 1.16.0" +kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml index 108c8f25..78bd0c46 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-ingress -version: 1.1.0 +version: 1.9.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl index 400ff543..cb6a91ce 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl @@ -1,11 +1,11 @@ {{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} -{{- define "nodeaffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} {{- end }} {{- define "nodeAffinityRequiredDuringScheduling" }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml index b5137a4a..0c32e2f2 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml @@ -41,6 +41,7 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" @@ -101,12 +102,6 @@ spec: - containerPort: {{ $val.targetPort | default $val.port }} protocol: {{ $val.protocol | default "TCP" }} {{- end }} - {{- if $.Values.global.meshExpansion.enabled }} - {{- range $key, $val := $gateway.meshExpansionPorts }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - {{- end }} - containerPort: 15090 protocol: TCP name: http-envoy-prom @@ -220,6 +215,10 @@ spec: - name: TRUST_DOMAIN value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} value: {{ $val }} @@ -228,10 +227,10 @@ spec: - name: {{ $key }} value: "{{ $value }}" {{- end }} - {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} {{- if and (not $network_set) .Values.global.network }} - name: ISTIO_META_NETWORK - value: {{ .Values.global.network }} + value: "{{ .Values.global.network }}" {{- end }} {{- if $gateway.podAnnotations }} - name: "ISTIO_METAJSON_ANNOTATIONS" @@ -254,8 +253,6 @@ spec: mountPath: /var/run/secrets/tokens readOnly: true {{- end }} - - name: gatewaysdsudspath - mountPath: /var/run/ingress_gateway {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs @@ -296,10 +293,18 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m - name: istio-envoy emptyDir: {} - - name: gatewaysdsudspath - emptyDir: {} - name: istio-data emptyDir: {} {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} @@ -335,7 +340,7 @@ spec: optional: true {{- end }} affinity: - {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} {{- include "podAntiAffinity" $gateway | indent 6 }} {{- if $gateway.tolerations }} tolerations: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml deleted file mode 100644 index 67c164b0..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml +++ /dev/null @@ -1,79 +0,0 @@ -{{- if .Values.global.meshExpansion.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-gateway - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 15012 - protocol: TCP - name: tcp-istiod - hosts: - - "*" - - port: - number: 15017 - protocol: TCP - name: tcp-istiodwebhook - hosts: - - "*" ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: meshexpansion-vs-istiod - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} -spec: - hosts: - - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - gateways: - - meshexpansion-gateway - tcp: - - match: - - port: 15012 - route: - - destination: - host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - port: - number: 15012 - - match: - - port: 15017 - route: - - destination: - host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - port: - number: 443 ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: meshexpansion-dr-istiod - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} -spec: - host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - trafficPolicy: - portLevelSettings: - - port: - number: 15012 - tls: - mode: DISABLE - - port: - number: 15017 - tls: - mode: DISABLE - -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml index 237be954..0f9dbf25 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml @@ -38,14 +38,6 @@ spec: {{- end }} {{- end }} - {{- if $.Values.global.meshExpansion.enabled }} - {{- range $key, $val := $gateway.meshExpansionPorts }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - {{- end }} {{ range $app := $gateway.ingressPorts }} - port: {{ $app.port }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml index 9f4dee62..cc01ef8b 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -24,7 +24,11 @@ gateways: targetPort: 8443 name: https protocol: TCP - # This is the port where sni routing happens + - port: 15012 + targetPort: 15012 + name: tcp-istiod + protocol: TCP + # This is the port where sni routing happens - port: 15443 targetPort: 15443 name: tls @@ -66,18 +70,6 @@ gateways: podAnnotations: {} type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - #### MESH EXPANSION PORTS ######## - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - # Delete these ports if mesh expansion is not enabled, to avoid - # exposing unnecessary ports on the web. - # You can remove these ports if you are not using mesh expansion - meshExpansionPorts: - - port: 15012 - targetPort: 15012 - name: tcp-istiod - ####### end MESH EXPANSION PORTS ###### - ############## secretVolumes: - name: ingressgateway-certs @@ -99,7 +91,7 @@ gateways: # A gateway with this mode ensures that pilot generates an additional # set of clusters for internal services but without Istio mTLS, to # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "sni-dnat" + ISTIO_META_ROUTER_MODE: "standard" nodeSelector: {} tolerations: [] @@ -142,6 +134,12 @@ global: # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host defaultConfigVisibilitySettings: [] + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + # enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. defaultPodDisruptionBudget: @@ -170,10 +168,10 @@ global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing + hub: docker.io/istio # Default tag for Istio images. - tag: latest + tag: 1.9.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -206,14 +204,6 @@ global: logging: level: "default:info" - # If set to true, the pilot and citadel mtls will be exposed on the - # ingress gateway - meshExpansion: - enabled: false - # If set to true, the pilot and citadel mtls and the plain text pilot ports - # will be exposed on an internal gateway - useILB: false - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods # will not be killed because of low priority class. @@ -318,11 +308,10 @@ global: servicePort: 0 # Deprecated, use meshConfig.trustDomain -# trustDomain: "" + trustDomain: "" meshConfig: enablePrometheusMerge: true -# trustDomain: "" defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml index 2cd775d2..fac8f494 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-private-ingress -version: 1.1.0 +version: 1.9.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl index 400ff543..cb6a91ce 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl @@ -1,11 +1,11 @@ {{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} -{{- define "nodeaffinity" }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} {{- end }} {{- define "nodeAffinityRequiredDuringScheduling" }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml index b5137a4a..0c32e2f2 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -41,6 +41,7 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" @@ -101,12 +102,6 @@ spec: - containerPort: {{ $val.targetPort | default $val.port }} protocol: {{ $val.protocol | default "TCP" }} {{- end }} - {{- if $.Values.global.meshExpansion.enabled }} - {{- range $key, $val := $gateway.meshExpansionPorts }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - {{- end }} - containerPort: 15090 protocol: TCP name: http-envoy-prom @@ -220,6 +215,10 @@ spec: - name: TRUST_DOMAIN value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} value: {{ $val }} @@ -228,10 +227,10 @@ spec: - name: {{ $key }} value: "{{ $value }}" {{- end }} - {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} {{- if and (not $network_set) .Values.global.network }} - name: ISTIO_META_NETWORK - value: {{ .Values.global.network }} + value: "{{ .Values.global.network }}" {{- end }} {{- if $gateway.podAnnotations }} - name: "ISTIO_METAJSON_ANNOTATIONS" @@ -254,8 +253,6 @@ spec: mountPath: /var/run/secrets/tokens readOnly: true {{- end }} - - name: gatewaysdsudspath - mountPath: /var/run/ingress_gateway {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs @@ -296,10 +293,18 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m - name: istio-envoy emptyDir: {} - - name: gatewaysdsudspath - emptyDir: {} - name: istio-data emptyDir: {} {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} @@ -335,7 +340,7 @@ spec: optional: true {{- end }} affinity: - {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} {{- include "podAntiAffinity" $gateway | indent 6 }} {{- if $gateway.tolerations }} tolerations: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml deleted file mode 100644 index 67c164b0..00000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml +++ /dev/null @@ -1,79 +0,0 @@ -{{- if .Values.global.meshExpansion.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: meshexpansion-gateway - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - selector: - istio: ingressgateway - servers: - - port: - number: 15012 - protocol: TCP - name: tcp-istiod - hosts: - - "*" - - port: - number: 15017 - protocol: TCP - name: tcp-istiodwebhook - hosts: - - "*" ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: meshexpansion-vs-istiod - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} -spec: - hosts: - - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - gateways: - - meshexpansion-gateway - tcp: - - match: - - port: 15012 - route: - - destination: - host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - port: - number: 15012 - - match: - - port: 15017 - route: - - destination: - host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - port: - number: 443 ---- - -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: meshexpansion-dr-istiod - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} -spec: - host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} - trafficPolicy: - portLevelSettings: - - port: - number: 15012 - tls: - mode: DISABLE - - port: - number: 15017 - tls: - mode: DISABLE - -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml index 237be954..0f9dbf25 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml @@ -38,14 +38,6 @@ spec: {{- end }} {{- end }} - {{- if $.Values.global.meshExpansion.enabled }} - {{- range $key, $val := $gateway.meshExpansionPorts }} - - - {{- range $pkey, $pval := $val }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - {{- end }} {{ range $app := $gateway.ingressPorts }} - port: {{ $app.port }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml index 9f4dee62..cc01ef8b 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml @@ -24,7 +24,11 @@ gateways: targetPort: 8443 name: https protocol: TCP - # This is the port where sni routing happens + - port: 15012 + targetPort: 15012 + name: tcp-istiod + protocol: TCP + # This is the port where sni routing happens - port: 15443 targetPort: 15443 name: tls @@ -66,18 +70,6 @@ gateways: podAnnotations: {} type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - #### MESH EXPANSION PORTS ######## - # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect - # to pilot/citadel if global.meshExpansion settings are enabled. - # Delete these ports if mesh expansion is not enabled, to avoid - # exposing unnecessary ports on the web. - # You can remove these ports if you are not using mesh expansion - meshExpansionPorts: - - port: 15012 - targetPort: 15012 - name: tcp-istiod - ####### end MESH EXPANSION PORTS ###### - ############## secretVolumes: - name: ingressgateway-certs @@ -99,7 +91,7 @@ gateways: # A gateway with this mode ensures that pilot generates an additional # set of clusters for internal services but without Istio mTLS, to # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "sni-dnat" + ISTIO_META_ROUTER_MODE: "standard" nodeSelector: {} tolerations: [] @@ -142,6 +134,12 @@ global: # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host defaultConfigVisibilitySettings: [] + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + # enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. defaultPodDisruptionBudget: @@ -170,10 +168,10 @@ global: # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing + hub: docker.io/istio # Default tag for Istio images. - tag: latest + tag: 1.9.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -206,14 +204,6 @@ global: logging: level: "default:info" - # If set to true, the pilot and citadel mtls will be exposed on the - # ingress gateway - meshExpansion: - enabled: false - # If set to true, the pilot and citadel mtls and the plain text pilot ports - # will be exposed on an internal gateway - useILB: false - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods # will not be killed because of low priority class. @@ -318,11 +308,10 @@ global: servicePort: 0 # Deprecated, use meshConfig.trustDomain -# trustDomain: "" + trustDomain: "" meshConfig: enablePrometheusMerge: true -# trustDomain: "" defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index a349c7c6..708ab9e5 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.4.2 -appVersion: 1.8.2 +version: 0.5.0 +appVersion: 1.9.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: base - version: 1.1.0 + version: 1.9.0 - name: istio-discovery - version: 1.2.0 -kubeVersion: ">= 1.16.0" + version: 1.9.0 +kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml index e0127276..8cf22dc7 100644 --- a/charts/kubezero-istio/charts/base/Chart.yaml +++ b/charts/kubezero-istio/charts/base/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: base -version: 1.1.0 +version: 1.9.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio cluster resources and CRDs keywords: diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml index 35b4db8c..faddc02a 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -1287,6 +1287,10 @@ spec: description: Applies only to sidecars. format: string type: string + destinationPort: + description: The destination_port value used by a + filter chain's match condition. + type: integer filter: description: The name of a specific filter to apply the patch to. @@ -2817,6 +2821,11 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio name: workloadgroups.networking.istio.io spec: additionalPrinterColumns: @@ -2884,11 +2893,11 @@ spec: - exec properties: exec: - description: health is determined by how the command that is executed + description: Health is determined by how the command that is executed exited. properties: command: - description: command to run. + description: Command to run. items: format: string type: string @@ -2906,7 +2915,7 @@ spec: format: string type: string httpHeaders: - description: headers the proxy will pass on to make the request. + description: Headers the proxy will pass on to make the request. items: properties: name: @@ -2922,7 +2931,7 @@ spec: format: string type: string port: - description: port on which the endpoint lives. + description: Port on which the endpoint lives. type: integer scheme: format: string @@ -2943,7 +2952,7 @@ spec: format: int32 type: integer tcpSocket: - description: health is determined by if the proxy is able to connect. + description: Health is determined by if the proxy is able to connect. properties: host: format: string @@ -3048,6 +3057,7 @@ spec: - CUSTOM type: string provider: + description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. @@ -3243,6 +3253,19 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: + additionalPrinterColumns: + - JSONPath: .spec.mtls.mode + description: Defines the mTLS mode used for peer authentication. + name: Mode + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date group: security.istio.io names: categories: diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index ac70215b..2fda970e 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml +++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -1289,6 +1289,10 @@ spec: description: Applies only to sidecars. format: string type: string + destinationPort: + description: The destination_port value used by a + filter chain's match condition. + type: integer filter: description: The name of a specific filter to apply the patch to. @@ -2819,6 +2823,11 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio name: workloadgroups.networking.istio.io spec: additionalPrinterColumns: @@ -2886,11 +2895,11 @@ spec: - exec properties: exec: - description: health is determined by how the command that is executed + description: Health is determined by how the command that is executed exited. properties: command: - description: command to run. + description: Command to run. items: format: string type: string @@ -2908,7 +2917,7 @@ spec: format: string type: string httpHeaders: - description: headers the proxy will pass on to make the request. + description: Headers the proxy will pass on to make the request. items: properties: name: @@ -2924,7 +2933,7 @@ spec: format: string type: string port: - description: port on which the endpoint lives. + description: Port on which the endpoint lives. type: integer scheme: format: string @@ -2945,7 +2954,7 @@ spec: format: int32 type: integer tcpSocket: - description: health is determined by if the proxy is able to connect. + description: Health is determined by if the proxy is able to connect. properties: host: format: string @@ -3050,6 +3059,7 @@ spec: - CUSTOM type: string provider: + description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. @@ -3245,6 +3255,19 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: + additionalPrinterColumns: + - JSONPath: .spec.mtls.mode + description: Defines the mTLS mode used for peer authentication. + name: Mode + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date group: security.istio.io names: categories: @@ -3528,7 +3551,7 @@ rules: # sidecar injection controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] + verbs: ["get", "list", "watch", "update", "patch"] # configuration validation webhook controller - apiGroups: ["admissionregistration.k8s.io"] @@ -3628,6 +3651,12 @@ rules: - apiGroups: [""] resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml index f53b8308..e4176d5a 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -9,7 +9,7 @@ rules: # sidecar injection controller - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] + verbs: ["get", "list", "watch", "update", "patch"] # configuration validation webhook controller - apiGroups: ["admissionregistration.k8s.io"] @@ -123,6 +123,12 @@ rules: - apiGroups: [""] resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] @@ -135,13 +141,13 @@ rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] -{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }} +{{- if or .Values.global.externalIstiod }} - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "list", "watch", "update"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] + verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update"] diff --git a/charts/kubezero-istio/charts/base/values.yaml b/charts/kubezero-istio/charts/base/values.yaml index af165102..8f86ba0e 100644 --- a/charts/kubezero-istio/charts/base/values.yaml +++ b/charts/kubezero-istio/charts/base/values.yaml @@ -12,6 +12,8 @@ global: enableAnalysis: false configValidation: true + externalIstiod: false + remotePilotAddress: "" base: # Used for helm2 to add the CRDs to templates. @@ -19,4 +21,7 @@ base: # Validation webhook configuration url # For example: https://$remotePilotAddress:15017/validate - validationURL: "" \ No newline at end of file + validationURL: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml index daed6bd2..60e1a494 100644 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -1,7 +1,6 @@ apiVersion: v1 name: istio-discovery -version: 1.2.0 -appVersion: 1.2.0 +version: 1.9.0 tillerVersion: ">=2.7.2" description: Helm chart for istio control plane keywords: diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml index da98e338..4a4077a1 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml @@ -39,8 +39,6 @@ data: mesh: |- defaultConfig: discoveryAddress: istiod.istio-system.svc:15012 - proxyMetadata: - DNS_AGENT: "" tracing: zipkin: address: zipkin.istio-system:9411 @@ -64,16 +62,7 @@ data: values: |- { "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, "caAddress": "", - "centralIstiod": false, - "configValidation": true, - "defaultConfigVisibilitySettings": [], - "defaultNodeSelector": {}, "defaultPodDisruptionBudget": { "enabled": true }, @@ -82,7 +71,6 @@ data: "cpu": "10m" } }, - "defaultTolerations": [], "externalIstiod": false, "hub": "gcr.io/istio-testing", "imagePullPolicy": "", @@ -96,18 +84,12 @@ data: "logging": { "level": "default:info" }, - "meshExpansion": { - "enabled": false, - "useILB": false - }, "meshID": "", "meshNetworks": {}, "mountMtlsCerts": false, "multiCluster": { "clusterName": "", - "enabled": false, - "globalDomainSuffix": "global", - "includeEnvoyFilter": true + "enabled": false }, "network": "", "omitSidecarInjectorConfigMap": false, @@ -191,14 +173,17 @@ data: "revision": "", "sidecarInjectorWebhook": { "alwaysInjectSelector": [], + "defaultTemplates": [], "enableNamespacesByDefault": false, "injectedAnnotations": {}, "neverInjectSelector": [], "objectSelector": { "autoInject": true, - "enabled": false + "enabled": true }, - "rewriteAppHTTPProbe": true + "rewriteAppHTTPProbe": true, + "templates": {}, + "useLegacySelectors": true } } @@ -208,476 +193,508 @@ data: # New fields should not use Values - it is a 'primary' config object, users should be able # to fine tune it or use it with kube-inject. config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + defaultTemplates: [sidecar] policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] injectedAnnotations: - - template: | - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - istio-iptables - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" + templates: + sidecar: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} - {{- end }} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - - --concurrency - - "{{ .ProxyConfig.Concurrency.GetValue }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN + {{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} - runAsGroup: 1337 - fsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default + } + spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 2 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - podRedirectAnnot: - {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{- end }} - traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- # Source: istio-discovery/templates/service.yaml apiVersion: v1 @@ -740,6 +757,7 @@ spec: app: istiod istio.io/rev: default install.operator.istio.io/owning-resource: unknown + sidecar.istio.io/inject: "false" operator.istio.io/component: "Pilot" istio: pilot annotations: @@ -768,8 +786,6 @@ spec: protocol: TCP - containerPort: 15017 protocol: TCP - - containerPort: 15053 - protocol: TCP readinessProbe: httpGet: path: /ready @@ -807,8 +823,6 @@ spec: value: "true" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND value: "true" - - name: INJECTION_WEBHOOK_CONFIG_NAME - value: istio-sidecar-injector - name: ISTIOD_ADDR value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS @@ -817,10 +831,6 @@ spec: value: "Kubernetes" - name: EXTERNAL_ISTIOD value: "false" - - name: CENTRAL_ISTIOD - value: "false" - - name: PILOT_ENDPOINT_TELEMETRY_LABEL - value: "true" resources: requests: cpu: 500m @@ -904,687 +914,6 @@ spec: name: cpu targetAverageUtilization: 80 --- -# Source: istio-discovery/templates/telemetryv2_1.6.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.6 - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: ANY # inbound, outbound, and gateway - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.6.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.6.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Source: istio-discovery/templates/telemetryv2_1.6.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -# Source: istio-discovery/templates/telemetryv2_1.7.yaml -# Note: metadata exchange filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.7 - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.7.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.7.yaml -# Note: http stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Source: istio-discovery/templates/telemetryv2_1.7.yaml -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- # Source: istio-discovery/templates/telemetryv2_1.8.yaml # Note: metadata exchange filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 @@ -1606,7 +935,7 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -1633,7 +962,7 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -1660,7 +989,7 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -1757,9 +1086,9 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -1789,9 +1118,9 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -1821,9 +1150,9 @@ spec: listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -1866,7 +1195,7 @@ spec: listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -1896,7 +1225,7 @@ spec: listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -1926,7 +1255,7 @@ spec: listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -1949,13 +1278,435 @@ spec: local: inline_string: "envoy.wasm.stats" --- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.9 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: http stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- # Source: istio-discovery/templates/mutatingwebhook.yaml -# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector - labels: istio.io/rev: default install.operator.istio.io/owning-resource: unknown @@ -1963,21 +1714,27 @@ metadata: app: sidecar-injector release: istio webhooks: - - name: sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchLabels: - istio-injection: enabled +- name: sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchLabels: + istio-injection: enabled + objectSelector: + matchExpressions: + - key: "sidecar.istio.io/inject" + operator: NotIn + values: + - "false" diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml index 10dfbbe3..b9b9866d 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml @@ -1,6 +1,35 @@ -template: | + {{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if .Values.istio_cni.enabled -}} @@ -8,8 +37,8 @@ template: | {{ else -}} - name: istio-init {{ end -}} - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} @@ -81,7 +110,7 @@ template: | {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} securityContext: @@ -115,8 +144,8 @@ template: | - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited command: - /bin/sh - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} @@ -157,8 +186,9 @@ template: | {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} @@ -171,7 +201,7 @@ template: | {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- else if $holdProxy }} lifecycle: postStart: @@ -236,7 +266,7 @@ template: | {{- end}} ] - name: ISTIO_META_APP_CONTAINERS - value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + value: "{{ $containers | join "," }}" - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_INTERCEPTION_MODE @@ -341,7 +371,7 @@ template: | {{- end }} {{- else }} {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} {{- end }} {{- end }} volumeMounts: @@ -378,7 +408,7 @@ template: | {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} + {{ toYaml $value | indent 6 }} {{ end }} {{- end }} volumes: @@ -402,6 +432,16 @@ template: | - path: "annotations" fieldRef: fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: @@ -430,7 +470,7 @@ template: | {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" - {{ toYaml $value | indent 2 }} + {{ toYaml $value | indent 4 }} {{ end }} {{ end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} @@ -439,25 +479,13 @@ template: | optional: true secretName: lightstep.cacert {{- end }} - podRedirectAnnot: - {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{- end }} - traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{- if .Values.global.imagePullSecrets }} imagePullSecrets: {{- range .Values.global.imagePullSecrets }} - name: {{ . }} {{- end }} {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml index 17174f19..3a6bb685 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml @@ -4,6 +4,12 @@ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + defaultConfig: {{- if .Values.global.meshID }} meshId: {{ .Values.global.meshID }} @@ -47,10 +53,13 @@ {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} {{ toYaml $.Values.meshConfig.defaultConfig.tracing }} {{- end }} - {{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 {{- end }} {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml index ba586deb..c7a42c09 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml @@ -37,6 +37,7 @@ spec: app: istiod istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + sidecar.istio.io/inject: "false" operator.istio.io/component: "Pilot" {{- if eq .Values.revision ""}} istio: pilot @@ -101,8 +102,6 @@ spec: protocol: TCP - containerPort: 15017 protocol: TCP - - containerPort: 15053 - protocol: TCP readinessProbe: httpGet: path: /ready @@ -148,14 +147,6 @@ spec: value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" -{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }} - - name: INJECTION_WEBHOOK_CONFIG_NAME - {{- if eq .Release.Namespace "istio-system" }} - value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- else }} - value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - {{- end }} -{{- end }} - name: ISTIOD_ADDR value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 - name: PILOT_ENABLE_ANALYSIS @@ -164,11 +155,9 @@ spec: value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - name: EXTERNAL_ISTIOD value: "{{ $.Values.global.externalIstiod | default "false" }}" - - name: CENTRAL_ISTIOD - value: "{{ $.Values.global.centralIstiod | default "false" }}" -{{- if .Values.telemetry.v2.enabled }} +{{- if not .Values.telemetry.v2.enabled }} - name: PILOT_ENDPOINT_TELEMETRY_LABEL - value: "true" + value: "false" {{- end }} resources: {{- if .Values.pilot.resources }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml index 8e660e9a..15ece14b 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml @@ -20,6 +20,15 @@ data: # New fields should not use Values - it is a 'primary' config object, users should be able # to fine tune it or use it with kube-inject. config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} policy: {{ .Values.global.proxy.autoInject }} alwaysInjectSelector: {{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} @@ -29,7 +38,18 @@ data: {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} "{{ $key }}": "{{ $val }}" {{- end }} - -{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml index ca11b4f8..f9fd67b5 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml @@ -1,11 +1,35 @@ -# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) +{{- /* Core defines the common configuration used by all webhook segments */}} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} {{- if not .Values.global.operatorManageWebhooks }} apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: {{- if eq .Release.Namespace "istio-system"}} name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{ else }} +{{- else }} name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} {{- end }} labels: @@ -15,71 +39,151 @@ metadata: app: sidecar-injector release: {{ .Release.Name }} webhooks: - - name: sidecar-injector.istio.io - clientConfig: - {{- if .Values.istiodRemote.injectionURL }} - url: {{ .Values.istiodRemote.injectionURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - path: "/inject" - {{- end }} - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: +{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}} +{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }} + namespaceSelector: + {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} + matchExpressions: + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} + - key: istio-injection + operator: NotIn + values: + - disabled + - key: istio-env + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + {{- else if .Values.revision }} + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: In + values: + - {{ .Values.revision }} + {{- else }} + matchLabels: + istio-injection: enabled + {{- end }} + {{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }} + objectSelector: + {{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }} + matchExpressions: + - key: "sidecar.istio.io/inject" + operator: NotIn + values: + - "false" + {{- else if .Values.revision }} + matchExpressions: + - key: "sidecar.istio.io/inject" + operator: DoesNotExist + - key: istio.io/rev + operator: In + values: + - {{ .Values.revision }} + {{- else }} + matchLabels: + "sidecar.istio.io/inject": "true" + {{- end }} + {{- end }} +{{- else }} + +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} +{{- if .Values.revision }} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ .Values.revision }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ .Values.revision }}" + +{{- else }} +{{- /* "default" revision */}} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} - matchExpressions: - - key: name - operator: NotIn - values: - - {{ .Release.Namespace }} - - key: istio-injection - operator: NotIn - values: - - disabled - - key: istio-env - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- else if .Values.revision }} - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: In - values: - - {{ .Values.revision }} -{{- else }} - matchLabels: - istio-injection: enabled +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist {{- end }} -{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }} - objectSelector: -{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }} - matchExpressions: - - key: "sidecar.istio.io/inject" - operator: NotIn - values: - - "false" -{{- else if .Values.revision }} - matchExpressions: - - key: "sidecar.istio.io/inject" - operator: DoesNotExist - - key: istio.io/rev - operator: In - values: - - {{ .Values.revision }} -{{- else }} - matchLabels: - "sidecar.istio.io/inject": "true" + {{- end }} {{- end }} {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml similarity index 90% rename from charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml rename to charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml index 6985a680..b1db1b98 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml @@ -3,7 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -19,11 +19,11 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -54,11 +54,11 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -89,11 +89,11 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" patch: operation: INSERT_BEFORE value: @@ -124,7 +124,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -138,7 +138,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: {} patch: operation: INSERT_BEFORE @@ -153,7 +153,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' cluster: {} patch: operation: MERGE @@ -169,7 +169,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' cluster: {} patch: operation: MERGE @@ -187,7 +187,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -201,13 +201,13 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -223,7 +223,8 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { - {{- if .Values.global.multiCluster.clusterName }} + "debug": "false", + "stat_prefix": "istio", "metrics": [ { "dimensions": { @@ -232,7 +233,6 @@ spec: } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -255,13 +255,13 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -277,16 +277,16 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} { - {{- if .Values.global.multiCluster.clusterName }} + "debug": "false", + "stat_prefix": "istio", "metrics": [ { "dimensions": { - "source_cluster": "downstream_peer.cluster_id", - "destination_cluster": "node.metadata['CLUSTER_ID']" + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} @@ -309,13 +309,13 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -331,7 +331,9 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} { - "disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }}, + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, "metrics": [ { "dimensions": { @@ -340,7 +342,6 @@ spec: } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} @@ -364,7 +365,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -378,11 +379,11 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -398,16 +399,16 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} { - {{- if .Values.global.multiCluster.clusterName }} + "debug": "false", + "stat_prefix": "istio", "metrics": [ { "dimensions": { - "source_cluster": "downstream_peer.cluster_id", - "destination_cluster": "node.metadata['CLUSTER_ID']" + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} @@ -430,11 +431,11 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -450,7 +451,8 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { - {{- if .Values.global.multiCluster.clusterName }} + "debug": "false", + "stat_prefix": "istio", "metrics": [ { "dimensions": { @@ -459,7 +461,6 @@ spec: } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -482,11 +483,11 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -502,7 +503,8 @@ spec: value: | {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} { - {{- if .Values.global.multiCluster.clusterName }} + "debug": "false", + "stat_prefix": "istio", "metrics": [ { "dimensions": { @@ -511,7 +513,6 @@ spec: } } ] - {{- end }} } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} @@ -536,7 +537,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -551,13 +552,13 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -586,13 +587,13 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -620,13 +621,13 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: - name: "envoy.router" + name: "envoy.filters.http.router" patch: operation: INSERT_BEFORE value: @@ -654,7 +655,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -669,11 +670,11 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -702,11 +703,11 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -734,11 +735,11 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.9.*' listener: filterChain: filter: - name: "envoy.tcp_proxy" + name: "envoy.filters.network.tcp_proxy" patch: operation: INSERT_BEFORE value: @@ -767,7 +768,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -781,11 +782,11 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '1\.8.*' + proxyVersion: '1\.9.*' listener: filterChain: filter: - name: "envoy.http_connection_manager" + name: "envoy.filters.network.http_connection_manager" subFilter: name: "istio.stackdriver" patch: diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml index ac59dbdb..5dab58df 100644 --- a/charts/kubezero-istio/charts/istio-discovery/values.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml @@ -65,6 +65,10 @@ pilot: sidecarInjectorWebhook: + # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook + # requests in Istiod, rather than at the webhook selection level. + # This is option is intended for migration purposes only and will be removed in Istio 1.10. + useLegacySelectors: true # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # always skip the injection on pods that match that label selector, regardless of the global policy. # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions @@ -90,13 +94,41 @@ sidecarInjectorWebhook: # Only one environment should have this enabled. enableNamespacesByDefault: false - # Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector. - # It is disabled by default since this function will only work after k8s v1.15. + # Enable objectSelector to filter out pods with no need for sidecar before calling istiod. + # It is enabled by default as the minimum supported Kubernetes version is 1.15+ objectSelector: - enabled: false + enabled: true autoInject: true rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] istiodRemote: # Sidecar injector mutating webhook configuration url # For example: https://$remotePilotAddress:15017/inject @@ -150,26 +182,20 @@ ownerName: "" # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options meshConfig: - + enablePrometheusMerge: true # Config for the default ProxyConfig. # Initially using directly the proxy metadata - can also be activated using annotations # on the pod. This is an unsupported low-level API, pending review and decisions on # enabling the feature. Enabling the DNS listener is safe - and allows further testing # and gradual adoption by setting capture only on specific workloads. It also allows # VMs to use other DNS options, like dnsmasq or unbound. - defaultConfig: - proxyMetadata: - # If empty, agent will not start :15013 DNS listener and will not attempt - # to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in - # istiod and the dns-over-tls listener. - # DNS_AGENT: DNS-TLS - DNS_AGENT: "" # The namespace to treat as the administrative root namespace for Istio configuration. # When processing a leaf namespace Istio will search for declarations in that namespace first # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace # is processed as if it were declared in the leaf namespace. - rootNamespace: "istio-system" + + rootNamespace: # TODO: the intent is to eventually have this enabled by default when security is used. # It is not clear if user should normally need to configure - the metadata is typically @@ -180,6 +206,8 @@ meshConfig: # No hurry to do this in 1.6, we're trying to prove the code. global: + # Used to locate istiod. + istioNamespace: istio-system # enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. defaultPodDisruptionBudget: @@ -199,15 +227,12 @@ global: # cpu: 100m # memory: 128Mi - # Used to locate istiod. - istioNamespace: istio-system - # Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing + hub: docker.io/istio # Default tag for Istio images. - tag: latest + tag: 1.9.0 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -353,12 +378,11 @@ global: # The customized CA address to retrieve certificates for the pods in the cluster. # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. caAddress: "" # External istiod controls all remote clusters: disabled by default externalIstiod: false - # Central istiod controls all remote clusters: disabled by default - centralIstiod: false # Configure the policy for validating JWT. # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". @@ -483,3 +507,6 @@ global: # Deprecated, use meshConfig.trustDomain trustDomain: "" +base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 5d6a3648..00d385eb 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -export ISTIO_VERSION=1.8.2 +export ISTIO_VERSION=1.9.0 if [ ! -d istio-$ISTIO_VERSION ]; then NAME="istio-$ISTIO_VERSION" @@ -16,10 +16,10 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/ # Patch for istiod to control plane -patch -p3 -i istio-discovery.patch +patch -p3 -i istio-discovery.patch --no-backup-if-mismatch # remove unused old telemetry filters -rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml +rm -f charts/istio-discovery/templates/telemetryv2_1.[678].yaml # Ingress charts rm -rf ../kubezero-istio-ingress/charts/istio-* @@ -30,8 +30,8 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml # Patch for ingress for extended termination grace period -patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml -patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml --no-backup-if-mismatch +patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml --no-backup-if-mismatch # Get matching istioctl [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index a855e1a9..398dd39e 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,6 +1,6 @@ global: - hub: docker.io/istio - tag: 1.8.2 + # hub: docker.io/istio + # tag: 1.9.0 logAsJson: true jwtPolicy: first-party-jwt