Upgrade Istio to 1.9
parent
4a7f7f8187
commit
b6e92ceba2
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio-ingress
|
name: kubezero-istio-ingress
|
||||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.2
|
version: 0.5.0
|
||||||
appVersion: 1.8.2
|
appVersion: 1.9.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,9 +16,9 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-ingress
|
- name: istio-ingress
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
condition: istio-ingress.enabled
|
condition: istio-ingress.enabled
|
||||||
- name: istio-private-ingress
|
- name: istio-private-ingress
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
condition: istio-private-ingress.enabled
|
condition: istio-private-ingress.enabled
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-ingress
|
name: istio-ingress
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
{{- define "nodeaffinity" }}
|
{{ define "nodeaffinity" }}
|
||||||
nodeAffinity:
|
nodeAffinity:
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
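Review bot: Dropping the `-` from `{{ define "nodeaffinity" }}` only changes whitespace outside the partial, so the rendered `nodeAffinity:` block is unaffected; the behavior change is in the deployment.yaml hunk `@ -335,7 +340,7 @@`, where `{{ include "nodeaffinity" ... | trim | indent 8 }}` lost its `{{-` and now emits whatever whitespace precedes it on the template line in front of the first indented line. That renders valid YAML only if that template line starts at column 0, which the rendered view cannot show. `{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | nindent 8 }}` produces the same output without depending on the source indentation and keeps the `{{-` form of the `podAntiAffinity` include right below it. The istio-private-ingress copies of both files carry the identical pair of edits.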
@ -41,6 +41,7 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
@ -101,12 +102,6 @@ spec:
|
|||||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
protocol: {{ $val.protocol | default "TCP" }}
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $.Values.global.meshExpansion.enabled }}
|
|
||||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
|
||||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
|
||||||
protocol: {{ $val.protocol | default "TCP" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
- containerPort: 15090
|
- containerPort: 15090
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
name: http-envoy-prom
|
name: http-envoy-prom
|
||||||
@ -220,6 +215,10 @@ spec:
|
|||||||
- name: TRUST_DOMAIN
|
- name: TRUST_DOMAIN
|
||||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
{{- range $key, $val := $gateway.env }}
|
{{- range $key, $val := $gateway.env }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: {{ $val }}
|
value: {{ $val }}
|
||||||
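Review bot: `$gateway.runAsRoot` is read by the new `{{- if not $gateway.runAsRoot }}` guard, but no `runAsRoot` key is added in any values.yaml hunk of this commit, so unless it is defined outside the hunks shown the condition is always true (a missing key is nil) and every gateway gets `ISTIO_META_UNPRIVILEGED_POD=true`. Unprivileged is the safer default, but the env var only tells the proxy what to expect; the pod securityContext and the ports the proxy binds have to agree with it (the values hunk maps https to `targetPort: 8443`, which is consistent, while the securityContext lies outside this hunk). I would make the default explicit in values.yaml: `runAsRoot: false  # unprivileged proxy: no CAP_NET_BIND_SERVICE, so every targetPort must be >= 1024`. The env list this sits in continues outside the hunk, and the istio-private-ingress copy of deployment.yaml has the same gap.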
@ -228,10 +227,10 @@ spec:
|
|||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: "{{ $value }}"
|
value: "{{ $value }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
{{- if and (not $network_set) .Values.global.network }}
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
- name: ISTIO_META_NETWORK
|
- name: ISTIO_META_NETWORK
|
||||||
value: {{ .Values.global.network }}
|
value: "{{ .Values.global.network }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
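Review bot: Quoting `value: "{{ .Values.global.network }}"` fixes the retyping problem for that one env var, but the loop over `$gateway.env` (context in the hunk above, `value: {{ $val }}`) still emits its value unquoted while the loop directly above this hunk already writes `value: "{{ $value }}"`. A value such as `true`, `1.10` or `NO` is retyped by the YAML parser there, and an env `value` that is not a string is rejected by the API server at install time. `value: {{ $val | quote }}` also copes with embedded double quotes, which the literal-quote form does not. The istio-private-ingress copy of deployment.yaml has the same inconsistency.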
@ -254,8 +253,6 @@ spec:
|
|||||||
mountPath: /var/run/secrets/tokens
|
mountPath: /var/run/secrets/tokens
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: gatewaysdsudspath
|
|
||||||
mountPath: /var/run/ingress_gateway
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
- name: istio-certs
|
- name: istio-certs
|
||||||
@ -296,10 +293,18 @@ spec:
|
|||||||
- path: "annotations"
|
- path: "annotations"
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.annotations
|
fieldPath: metadata.annotations
|
||||||
|
- path: "cpu-limit"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: limits.cpu
|
||||||
|
divisor: 1m
|
||||||
|
- path: "cpu-request"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: requests.cpu
|
||||||
|
divisor: 1m
|
||||||
- name: istio-envoy
|
- name: istio-envoy
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: gatewaysdsudspath
|
|
||||||
emptyDir: {}
|
|
||||||
- name: istio-data
|
- name: istio-data
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
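Review bot: The new `cpu-limit`/`cpu-request` downward-API items hard-code `containerName: istio-proxy`, and the container that name has to match is defined outside this hunk; a mismatch is not caught by `helm template` and only surfaces once the pod is created. Separately, `resource: limits.cpu` resolves to the node's allocatable CPU when the container has no CPU limit (documented downward-API behavior), so whatever reads the file — presumably pilot-agent, for sizing the proxy — would see the whole node rather than the gateway's share. A comment on the items would make both dependencies visible: `# read by the proxy from the downward-API volume; containerName must match the proxy container, and without resources.limits.cpu on it limits.cpu reports node allocatable`. The istio-private-ingress copy of deployment.yaml adds the identical items.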
@ -335,7 +340,7 @@ spec:
|
|||||||
optional: true
|
optional: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
affinity:
|
affinity:
|
||||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
{{- if $gateway.tolerations }}
|
{{- if $gateway.tolerations }}
|
||||||
tolerations:
|
tolerations:
|
||||||
|
@ -1,79 +0,0 @@
|
|||||||
{{- if .Values.global.meshExpansion.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-gateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "IngressGateways"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
istio: ingressgateway
|
|
||||||
servers:
|
|
||||||
- port:
|
|
||||||
number: 15012
|
|
||||||
protocol: TCP
|
|
||||||
name: tcp-istiod
|
|
||||||
hosts:
|
|
||||||
- "*"
|
|
||||||
- port:
|
|
||||||
number: 15017
|
|
||||||
protocol: TCP
|
|
||||||
name: tcp-istiodwebhook
|
|
||||||
hosts:
|
|
||||||
- "*"
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: VirtualService
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-vs-istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
hosts:
|
|
||||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
gateways:
|
|
||||||
- meshexpansion-gateway
|
|
||||||
tcp:
|
|
||||||
- match:
|
|
||||||
- port: 15012
|
|
||||||
route:
|
|
||||||
- destination:
|
|
||||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
port:
|
|
||||||
number: 15012
|
|
||||||
- match:
|
|
||||||
- port: 15017
|
|
||||||
route:
|
|
||||||
- destination:
|
|
||||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
port:
|
|
||||||
number: 443
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: DestinationRule
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-dr-istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
trafficPolicy:
|
|
||||||
portLevelSettings:
|
|
||||||
- port:
|
|
||||||
number: 15012
|
|
||||||
tls:
|
|
||||||
mode: DISABLE
|
|
||||||
- port:
|
|
||||||
number: 15017
|
|
||||||
tls:
|
|
||||||
mode: DISABLE
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -38,14 +38,6 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if $.Values.global.meshExpansion.enabled }}
|
|
||||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
|
||||||
-
|
|
||||||
{{- range $pkey, $pval := $val }}
|
|
||||||
{{ $pkey}}: {{ $pval }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{ range $app := $gateway.ingressPorts }}
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
-
|
-
|
||||||
port: {{ $app.port }}
|
port: {{ $app.port }}
|
||||||
|
@ -24,6 +24,10 @@ gateways:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
name: https
|
name: https
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
- port: 15012
|
||||||
|
targetPort: 15012
|
||||||
|
name: tcp-istiod
|
||||||
|
protocol: TCP
|
||||||
# This is the port where sni routing happens
|
# This is the port where sni routing happens
|
||||||
- port: 15443
|
- port: 15443
|
||||||
targetPort: 15443
|
targetPort: 15443
|
||||||
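Review bot: Port 15012 (`tcp-istiod`) is now listed unconditionally in the gateway's port list, and with `type: LoadBalancer` further down in this file that means the cloud load balancer opens the istiod control-plane port to whatever source ranges it allows. Before this commit the port was only rendered when `global.meshExpansion.enabled` was true (default `false`, and the values comment being deleted in the next hunk explicitly warned against exposing it otherwise), and the service template gate that enforced this is removed in the same commit. The mesh-expansion Gateway, VirtualService and DestinationRule are deleted here too, so nothing left in the chart routes this listener; if the routing rule now lives elsewhere, say so next to the entry, and I would keep the port opt-in via a template condition rather than always on: `# tcp-istiod 15012: istiod XDS/CA endpoint for mesh expansion; only expose it when a Gateway/VirtualService routes it to istiod`. The istio-private-ingress values add the same port.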
@ -66,18 +70,6 @@ gateways:
|
|||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||||
|
|
||||||
#### MESH EXPANSION PORTS ########
|
|
||||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
|
||||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
|
||||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
|
||||||
# exposing unnecessary ports on the web.
|
|
||||||
# You can remove these ports if you are not using mesh expansion
|
|
||||||
meshExpansionPorts:
|
|
||||||
- port: 15012
|
|
||||||
targetPort: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
####### end MESH EXPANSION PORTS ######
|
|
||||||
|
|
||||||
##############
|
##############
|
||||||
secretVolumes:
|
secretVolumes:
|
||||||
- name: ingressgateway-certs
|
- name: ingressgateway-certs
|
||||||
@ -99,7 +91,7 @@ gateways:
|
|||||||
# A gateway with this mode ensures that pilot generates an additional
|
# A gateway with this mode ensures that pilot generates an additional
|
||||||
# set of clusters for internal services but without Istio mTLS, to
|
# set of clusters for internal services but without Istio mTLS, to
|
||||||
# enable cross cluster routing.
|
# enable cross cluster routing.
|
||||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
ISTIO_META_ROUTER_MODE: "standard"
|
||||||
|
|
||||||
nodeSelector: {}
|
nodeSelector: {}
|
||||||
tolerations: []
|
tolerations: []
|
||||||
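Review bot: The comment block above `ISTIO_META_ROUTER_MODE` (unchanged context in this hunk) still describes the `sni-dnat` mode — an additional set of clusters for internal services without Istio mTLS — while the value is now `"standard"`, so the comment contradicts the setting it annotates. Replace it with wording that covers both modes, e.g. `# "standard" (default) or "sni-dnat"; sni-dnat makes pilot generate an additional set of clusters for internal services without Istio mTLS, for cross-cluster routing`. The istio-private-ingress values carry the same stale comment.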
@ -142,6 +134,12 @@ global:
|
|||||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||||
defaultConfigVisibilitySettings: []
|
defaultConfigVisibilitySettings: []
|
||||||
|
|
||||||
|
# Default node selector to be applied to all deployments so that all pods can be
|
||||||
|
# constrained to run a particular nodes. Each component can overwrite these default
|
||||||
|
# values by adding its node selector block in the relevant section below and setting
|
||||||
|
# the desired values.
|
||||||
|
defaultNodeSelector: {}
|
||||||
|
|
||||||
# enable pod disruption budget for the control plane, which is used to
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
defaultPodDisruptionBudget:
|
defaultPodDisruptionBudget:
|
||||||
@ -170,10 +168,10 @@ global:
|
|||||||
# Default hub for Istio images.
|
# Default hub for Istio images.
|
||||||
# Releases are published to docker hub under 'istio' project.
|
# Releases are published to docker hub under 'istio' project.
|
||||||
# Dev builds from prow are on gcr.io
|
# Dev builds from prow are on gcr.io
|
||||||
hub: gcr.io/istio-testing
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: latest
|
tag: 1.9.0
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
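Review bot: Pinning `tag: 1.9.0` from `docker.io/istio` instead of `latest` from a test registry is the right direction, but the retained context comment `# Default behavior: latest images will be Always else IfNotPresent.` now means these images are pulled IfNotPresent, so a re-pushed `1.9.0` tag is not picked up by nodes that already cached it. That is the usual trade-off of tag pinning; if the image reference template in this chart accepts a digest (not visible here), a digest pin removes the mutability concern entirely. A one-line comment next to the tag records the intent: `# pinned release; tags are mutable, prefer a digest where the image template allows it`. The istio-private-ingress values make the same change.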
@ -206,14 +204,6 @@ global:
|
|||||||
logging:
|
logging:
|
||||||
level: "default:info"
|
level: "default:info"
|
||||||
|
|
||||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
|
||||||
# ingress gateway
|
|
||||||
meshExpansion:
|
|
||||||
enabled: false
|
|
||||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
|
||||||
# will be exposed on an internal gateway
|
|
||||||
useILB: false
|
|
||||||
|
|
||||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||||
# will not be killed because of low priority class.
|
# will not be killed because of low priority class.
|
||||||
@ -318,11 +308,10 @@ global:
|
|||||||
servicePort: 0
|
servicePort: 0
|
||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
# Deprecated, use meshConfig.trustDomain
|
||||||
# trustDomain: ""
|
trustDomain: ""
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
enablePrometheusMerge: true
|
enablePrometheusMerge: true
|
||||||
# trustDomain: ""
|
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
proxyMetadata: {}
|
proxyMetadata: {}
|
||||||
tracing:
|
tracing:
|
||||||
|
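Review bot: Uncommenting `trustDomain: ""` directly under `# Deprecated, use meshConfig.trustDomain` turns a deprecated key into a live one with an empty value, while the `# trustDomain: ""` hint under `meshConfig` is dropped, so the values file no longer shows where the trust domain is meant to be set. The deployment template resolves `.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain")`, so with an empty string `default` falls through to `meshConfig.trustDomain`; the new key is presumably there only so the lookup has something to read — confirm that is the intent. If so, state it: `# Deprecated, use meshConfig.trustDomain; kept empty so the template lookup falls through to meshConfig`. The istio-private-ingress values make the same change.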
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-private-ingress
|
name: istio-private-ingress
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
{{- define "nodeaffinity" }}
|
{{ define "nodeaffinity" }}
|
||||||
nodeAffinity:
|
nodeAffinity:
|
||||||
requiredDuringSchedulingIgnoredDuringExecution:
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
@ -41,6 +41,7 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
@ -101,12 +102,6 @@ spec:
|
|||||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
protocol: {{ $val.protocol | default "TCP" }}
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $.Values.global.meshExpansion.enabled }}
|
|
||||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
|
||||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
|
||||||
protocol: {{ $val.protocol | default "TCP" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
- containerPort: 15090
|
- containerPort: 15090
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
name: http-envoy-prom
|
name: http-envoy-prom
|
||||||
@ -220,6 +215,10 @@ spec:
|
|||||||
- name: TRUST_DOMAIN
|
- name: TRUST_DOMAIN
|
||||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
{{- range $key, $val := $gateway.env }}
|
{{- range $key, $val := $gateway.env }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: {{ $val }}
|
value: {{ $val }}
|
||||||
@ -228,10 +227,10 @@ spec:
|
|||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: "{{ $value }}"
|
value: "{{ $value }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
{{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
{{- if and (not $network_set) .Values.global.network }}
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
- name: ISTIO_META_NETWORK
|
- name: ISTIO_META_NETWORK
|
||||||
value: {{ .Values.global.network }}
|
value: "{{ .Values.global.network }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
@ -254,8 +253,6 @@ spec:
|
|||||||
mountPath: /var/run/secrets/tokens
|
mountPath: /var/run/secrets/tokens
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: gatewaysdsudspath
|
|
||||||
mountPath: /var/run/ingress_gateway
|
|
||||||
{{- if .Values.global.mountMtlsCerts }}
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
- name: istio-certs
|
- name: istio-certs
|
||||||
@ -296,10 +293,18 @@ spec:
|
|||||||
- path: "annotations"
|
- path: "annotations"
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.annotations
|
fieldPath: metadata.annotations
|
||||||
|
- path: "cpu-limit"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: limits.cpu
|
||||||
|
divisor: 1m
|
||||||
|
- path: "cpu-request"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: requests.cpu
|
||||||
|
divisor: 1m
|
||||||
- name: istio-envoy
|
- name: istio-envoy
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: gatewaysdsudspath
|
|
||||||
emptyDir: {}
|
|
||||||
- name: istio-data
|
- name: istio-data
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
@ -335,7 +340,7 @@ spec:
|
|||||||
optional: true
|
optional: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
affinity:
|
affinity:
|
||||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
|
||||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
{{- if $gateway.tolerations }}
|
{{- if $gateway.tolerations }}
|
||||||
tolerations:
|
tolerations:
|
||||||
|
@ -1,79 +0,0 @@
|
|||||||
{{- if .Values.global.meshExpansion.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: Gateway
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-gateway
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "IngressGateways"
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
istio: ingressgateway
|
|
||||||
servers:
|
|
||||||
- port:
|
|
||||||
number: 15012
|
|
||||||
protocol: TCP
|
|
||||||
name: tcp-istiod
|
|
||||||
hosts:
|
|
||||||
- "*"
|
|
||||||
- port:
|
|
||||||
number: 15017
|
|
||||||
protocol: TCP
|
|
||||||
name: tcp-istiodwebhook
|
|
||||||
hosts:
|
|
||||||
- "*"
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: VirtualService
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-vs-istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
hosts:
|
|
||||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
gateways:
|
|
||||||
- meshexpansion-gateway
|
|
||||||
tcp:
|
|
||||||
- match:
|
|
||||||
- port: 15012
|
|
||||||
route:
|
|
||||||
- destination:
|
|
||||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
port:
|
|
||||||
number: 15012
|
|
||||||
- match:
|
|
||||||
- port: 15017
|
|
||||||
route:
|
|
||||||
- destination:
|
|
||||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
port:
|
|
||||||
number: 443
|
|
||||||
---
|
|
||||||
|
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
|
||||||
kind: DestinationRule
|
|
||||||
metadata:
|
|
||||||
name: meshexpansion-dr-istiod
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
spec:
|
|
||||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
|
||||||
trafficPolicy:
|
|
||||||
portLevelSettings:
|
|
||||||
- port:
|
|
||||||
number: 15012
|
|
||||||
tls:
|
|
||||||
mode: DISABLE
|
|
||||||
- port:
|
|
||||||
number: 15017
|
|
||||||
tls:
|
|
||||||
mode: DISABLE
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -38,14 +38,6 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if $.Values.global.meshExpansion.enabled }}
|
|
||||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
|
||||||
-
|
|
||||||
{{- range $pkey, $pval := $val }}
|
|
||||||
{{ $pkey}}: {{ $pval }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{ range $app := $gateway.ingressPorts }}
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
-
|
-
|
||||||
port: {{ $app.port }}
|
port: {{ $app.port }}
|
||||||
|
@ -24,6 +24,10 @@ gateways:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
name: https
|
name: https
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
- port: 15012
|
||||||
|
targetPort: 15012
|
||||||
|
name: tcp-istiod
|
||||||
|
protocol: TCP
|
||||||
# This is the port where sni routing happens
|
# This is the port where sni routing happens
|
||||||
- port: 15443
|
- port: 15443
|
||||||
targetPort: 15443
|
targetPort: 15443
|
||||||
@ -66,18 +70,6 @@ gateways:
|
|||||||
podAnnotations: {}
|
podAnnotations: {}
|
||||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||||
|
|
||||||
#### MESH EXPANSION PORTS ########
|
|
||||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
|
||||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
|
||||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
|
||||||
# exposing unnecessary ports on the web.
|
|
||||||
# You can remove these ports if you are not using mesh expansion
|
|
||||||
meshExpansionPorts:
|
|
||||||
- port: 15012
|
|
||||||
targetPort: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
####### end MESH EXPANSION PORTS ######
|
|
||||||
|
|
||||||
##############
|
##############
|
||||||
secretVolumes:
|
secretVolumes:
|
||||||
- name: ingressgateway-certs
|
- name: ingressgateway-certs
|
||||||
@ -99,7 +91,7 @@ gateways:
|
|||||||
# A gateway with this mode ensures that pilot generates an additional
|
# A gateway with this mode ensures that pilot generates an additional
|
||||||
# set of clusters for internal services but without Istio mTLS, to
|
# set of clusters for internal services but without Istio mTLS, to
|
||||||
# enable cross cluster routing.
|
# enable cross cluster routing.
|
||||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
ISTIO_META_ROUTER_MODE: "standard"
|
||||||
|
|
||||||
nodeSelector: {}
|
nodeSelector: {}
|
||||||
tolerations: []
|
tolerations: []
|
||||||
@ -142,6 +134,12 @@ global:
|
|||||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||||
defaultConfigVisibilitySettings: []
|
defaultConfigVisibilitySettings: []
|
||||||
|
|
||||||
|
# Default node selector to be applied to all deployments so that all pods can be
|
||||||
|
# constrained to run a particular nodes. Each component can overwrite these default
|
||||||
|
# values by adding its node selector block in the relevant section below and setting
|
||||||
|
# the desired values.
|
||||||
|
defaultNodeSelector: {}
|
||||||
|
|
||||||
# enable pod disruption budget for the control plane, which is used to
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
defaultPodDisruptionBudget:
|
defaultPodDisruptionBudget:
|
||||||
@ -170,10 +168,10 @@ global:
|
|||||||
# Default hub for Istio images.
|
# Default hub for Istio images.
|
||||||
# Releases are published to docker hub under 'istio' project.
|
# Releases are published to docker hub under 'istio' project.
|
||||||
# Dev builds from prow are on gcr.io
|
# Dev builds from prow are on gcr.io
|
||||||
hub: gcr.io/istio-testing
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: latest
|
tag: 1.9.0
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
@ -206,14 +204,6 @@ global:
|
|||||||
logging:
|
logging:
|
||||||
level: "default:info"
|
level: "default:info"
|
||||||
|
|
||||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
|
||||||
# ingress gateway
|
|
||||||
meshExpansion:
|
|
||||||
enabled: false
|
|
||||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
|
||||||
# will be exposed on an internal gateway
|
|
||||||
useILB: false
|
|
||||||
|
|
||||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||||
# will not be killed because of low priority class.
|
# will not be killed because of low priority class.
|
||||||
@ -318,11 +308,10 @@ global:
|
|||||||
servicePort: 0
|
servicePort: 0
|
||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
# Deprecated, use meshConfig.trustDomain
|
||||||
# trustDomain: ""
|
trustDomain: ""
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
enablePrometheusMerge: true
|
enablePrometheusMerge: true
|
||||||
# trustDomain: ""
|
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
proxyMetadata: {}
|
proxyMetadata: {}
|
||||||
tracing:
|
tracing:
|
||||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.4.2
|
version: 0.5.0
|
||||||
appVersion: 1.8.2
|
appVersion: 1.9.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,7 +16,7 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: base
|
- name: base
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
- name: istio-discovery
|
- name: istio-discovery
|
||||||
version: 1.2.0
|
version: 1.9.0
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: base
|
name: base
|
||||||
version: 1.1.0
|
version: 1.9.0
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1287,6 +1287,10 @@ spec:
|
|||||||
description: Applies only to sidecars.
|
description: Applies only to sidecars.
|
||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
|
destinationPort:
|
||||||
|
description: The destination_port value used by a
|
||||||
|
filter chain's match condition.
|
||||||
|
type: integer
|
||||||
filter:
|
filter:
|
||||||
description: The name of a specific filter to apply
|
description: The name of a specific filter to apply
|
||||||
the patch to.
|
the patch to.
|
||||||
@ -2817,6 +2821,11 @@ spec:
|
|||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: istio-pilot
|
||||||
|
chart: istio
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
name: workloadgroups.networking.istio.io
|
name: workloadgroups.networking.istio.io
|
||||||
spec:
|
spec:
|
||||||
additionalPrinterColumns:
|
additionalPrinterColumns:
|
||||||
@ -2884,11 +2893,11 @@ spec:
|
|||||||
- exec
|
- exec
|
||||||
properties:
|
properties:
|
||||||
exec:
|
exec:
|
||||||
description: health is determined by how the command that is executed
|
description: Health is determined by how the command that is executed
|
||||||
exited.
|
exited.
|
||||||
properties:
|
properties:
|
||||||
command:
|
command:
|
||||||
description: command to run.
|
description: Command to run.
|
||||||
items:
|
items:
|
||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
@ -2906,7 +2915,7 @@ spec:
|
|||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
httpHeaders:
|
httpHeaders:
|
||||||
description: headers the proxy will pass on to make the request.
|
description: Headers the proxy will pass on to make the request.
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
name:
|
name:
|
||||||
@ -2922,7 +2931,7 @@ spec:
|
|||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
port:
|
port:
|
||||||
description: port on which the endpoint lives.
|
description: Port on which the endpoint lives.
|
||||||
type: integer
|
type: integer
|
||||||
scheme:
|
scheme:
|
||||||
format: string
|
format: string
|
||||||
@ -2943,7 +2952,7 @@ spec:
|
|||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
description: health is determined by if the proxy is able to connect.
|
description: Health is determined by if the proxy is able to connect.
|
||||||
properties:
|
properties:
|
||||||
host:
|
host:
|
||||||
format: string
|
format: string
|
||||||
@ -3048,6 +3057,7 @@ spec:
|
|||||||
- CUSTOM
|
- CUSTOM
|
||||||
type: string
|
type: string
|
||||||
provider:
|
provider:
|
||||||
|
description: Specifies detailed configuration of the CUSTOM action.
|
||||||
properties:
|
properties:
|
||||||
name:
|
name:
|
||||||
description: Specifies the name of the extension provider.
|
description: Specifies the name of the extension provider.
|
||||||
@ -3243,6 +3253,19 @@ metadata:
|
|||||||
release: istio
|
release: istio
|
||||||
name: peerauthentications.security.istio.io
|
name: peerauthentications.security.istio.io
|
||||||
spec:
|
spec:
|
||||||
|
additionalPrinterColumns:
|
||||||
|
- JSONPath: .spec.mtls.mode
|
||||||
|
description: Defines the mTLS mode used for peer authentication.
|
||||||
|
name: Mode
|
||||||
|
type: string
|
||||||
|
- JSONPath: .metadata.creationTimestamp
|
||||||
|
description: 'CreationTimestamp is a timestamp representing the server time when
|
||||||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||||||
|
across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||||
|
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
group: security.istio.io
|
group: security.istio.io
|
||||||
names:
|
names:
|
||||||
categories:
|
categories:
|
||||||
|
@ -1289,6 +1289,10 @@ spec:
|
|||||||
description: Applies only to sidecars.
|
description: Applies only to sidecars.
|
||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
|
destinationPort:
|
||||||
|
description: The destination_port value used by a
|
||||||
|
filter chain's match condition.
|
||||||
|
type: integer
|
||||||
filter:
|
filter:
|
||||||
description: The name of a specific filter to apply
|
description: The name of a specific filter to apply
|
||||||
the patch to.
|
the patch to.
|
||||||
@ -2819,6 +2823,11 @@ spec:
|
|||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1beta1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: istio-pilot
|
||||||
|
chart: istio
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
name: workloadgroups.networking.istio.io
|
name: workloadgroups.networking.istio.io
|
||||||
spec:
|
spec:
|
||||||
additionalPrinterColumns:
|
additionalPrinterColumns:
|
||||||
@ -2886,11 +2895,11 @@ spec:
|
|||||||
- exec
|
- exec
|
||||||
properties:
|
properties:
|
||||||
exec:
|
exec:
|
||||||
description: health is determined by how the command that is executed
|
description: Health is determined by how the command that is executed
|
||||||
exited.
|
exited.
|
||||||
properties:
|
properties:
|
||||||
command:
|
command:
|
||||||
description: command to run.
|
description: Command to run.
|
||||||
items:
|
items:
|
||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
@ -2908,7 +2917,7 @@ spec:
|
|||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
httpHeaders:
|
httpHeaders:
|
||||||
description: headers the proxy will pass on to make the request.
|
description: Headers the proxy will pass on to make the request.
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
name:
|
name:
|
||||||
@ -2924,7 +2933,7 @@ spec:
|
|||||||
format: string
|
format: string
|
||||||
type: string
|
type: string
|
||||||
port:
|
port:
|
||||||
description: port on which the endpoint lives.
|
description: Port on which the endpoint lives.
|
||||||
type: integer
|
type: integer
|
||||||
scheme:
|
scheme:
|
||||||
format: string
|
format: string
|
||||||
@ -2945,7 +2954,7 @@ spec:
|
|||||||
format: int32
|
format: int32
|
||||||
type: integer
|
type: integer
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
description: health is determined by if the proxy is able to connect.
|
description: Health is determined by if the proxy is able to connect.
|
||||||
properties:
|
properties:
|
||||||
host:
|
host:
|
||||||
format: string
|
format: string
|
||||||
@ -3050,6 +3059,7 @@ spec:
|
|||||||
- CUSTOM
|
- CUSTOM
|
||||||
type: string
|
type: string
|
||||||
provider:
|
provider:
|
||||||
|
description: Specifies detailed configuration of the CUSTOM action.
|
||||||
properties:
|
properties:
|
||||||
name:
|
name:
|
||||||
description: Specifies the name of the extension provider.
|
description: Specifies the name of the extension provider.
|
||||||
@ -3245,6 +3255,19 @@ metadata:
|
|||||||
release: istio
|
release: istio
|
||||||
name: peerauthentications.security.istio.io
|
name: peerauthentications.security.istio.io
|
||||||
spec:
|
spec:
|
||||||
|
additionalPrinterColumns:
|
||||||
|
- JSONPath: .spec.mtls.mode
|
||||||
|
description: Defines the mTLS mode used for peer authentication.
|
||||||
|
name: Mode
|
||||||
|
type: string
|
||||||
|
- JSONPath: .metadata.creationTimestamp
|
||||||
|
description: 'CreationTimestamp is a timestamp representing the server time when
|
||||||
|
this object was created. It is not guaranteed to be set in happens-before order
|
||||||
|
across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||||
|
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
group: security.istio.io
|
group: security.istio.io
|
||||||
names:
|
names:
|
||||||
categories:
|
categories:
|
||||||
@ -3528,7 +3551,7 @@ rules:
|
|||||||
# sidecar injection controller
|
# sidecar injection controller
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
verbs: ["get", "list", "watch", "patch"]
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
|
||||||
# configuration validation webhook controller
|
# configuration validation webhook controller
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
@ -3628,6 +3651,12 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["networking.istio.io"]
|
||||||
|
verbs: [ "get", "watch", "list" ]
|
||||||
|
resources: [ "workloadentries" ]
|
||||||
|
- apiGroups: ["apiextensions.k8s.io"]
|
||||||
|
resources: ["customresourcedefinitions"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: ["discovery.k8s.io"]
|
- apiGroups: ["discovery.k8s.io"]
|
||||||
resources: ["endpointslices"]
|
resources: ["endpointslices"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
@ -9,7 +9,7 @@ rules:
|
|||||||
# sidecar injection controller
|
# sidecar injection controller
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
verbs: ["get", "list", "watch", "patch"]
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
|
||||||
# configuration validation webhook controller
|
# configuration validation webhook controller
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
@ -123,6 +123,12 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["networking.istio.io"]
|
||||||
|
verbs: [ "get", "watch", "list" ]
|
||||||
|
resources: [ "workloadentries" ]
|
||||||
|
- apiGroups: ["apiextensions.k8s.io"]
|
||||||
|
resources: ["customresourcedefinitions"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
- apiGroups: ["discovery.k8s.io"]
|
- apiGroups: ["discovery.k8s.io"]
|
||||||
resources: ["endpointslices"]
|
resources: ["endpointslices"]
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
@ -135,13 +141,13 @@ rules:
|
|||||||
- apiGroups: ["authorization.k8s.io"]
|
- apiGroups: ["authorization.k8s.io"]
|
||||||
resources: ["subjectaccessreviews"]
|
resources: ["subjectaccessreviews"]
|
||||||
verbs: ["create"]
|
verbs: ["create"]
|
||||||
{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}
|
{{- if or .Values.global.externalIstiod }}
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["configmaps"]
|
resources: ["configmaps"]
|
||||||
verbs: ["create", "get", "list", "watch", "update"]
|
verbs: ["create", "get", "list", "watch", "update"]
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
verbs: ["get", "list", "watch", "patch"]
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
resources: ["validatingwebhookconfigurations"]
|
resources: ["validatingwebhookconfigurations"]
|
||||||
verbs: ["get", "list", "watch", "update"]
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
@ -12,6 +12,8 @@ global:
|
|||||||
enableAnalysis: false
|
enableAnalysis: false
|
||||||
|
|
||||||
configValidation: true
|
configValidation: true
|
||||||
|
externalIstiod: false
|
||||||
|
remotePilotAddress: ""
|
||||||
|
|
||||||
base:
|
base:
|
||||||
# Used for helm2 to add the CRDs to templates.
|
# Used for helm2 to add the CRDs to templates.
|
||||||
@ -20,3 +22,6 @@ base:
|
|||||||
# Validation webhook configuration url
|
# Validation webhook configuration url
|
||||||
# For example: https://$remotePilotAddress:15017/validate
|
# For example: https://$remotePilotAddress:15017/validate
|
||||||
validationURL: ""
|
validationURL: ""
|
||||||
|
|
||||||
|
# For istioctl usage to disable istio config crds in base
|
||||||
|
enableIstioConfigCRDs: true
|
||||||
|
@ -1,7 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-discovery
|
name: istio-discovery
|
||||||
version: 1.2.0
|
version: 1.9.0
|
||||||
appVersion: 1.2.0
|
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for istio control plane
|
description: Helm chart for istio control plane
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,6 +1,35 @@
|
|||||||
template: |
|
{{- $containers := list }}
|
||||||
|
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
|
||||||
|
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||||
|
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||||
|
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||||
|
annotations: {
|
||||||
|
{{- if eq (len $containers) 1 }}
|
||||||
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
{{ end }}
|
||||||
|
{{- if .Values.istio_cni.enabled }}
|
||||||
|
{{- if not .Values.istio_cni.chained }}
|
||||||
|
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}',
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
|
||||||
|
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
|
||||||
|
{{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
|
||||||
|
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}",
|
||||||
|
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
||||||
|
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
|
||||||
|
{{- end }}
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
||||||
|
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
|
||||||
|
{{- end }}
|
||||||
|
{{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
spec:
|
||||||
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
||||||
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
|
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
||||||
{{ if .Values.istio_cni.enabled -}}
|
{{ if .Values.istio_cni.enabled -}}
|
||||||
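Review bot: The default for `traffic.sidecar.istio.io/includeInboundPorts` is now the literal `*` instead of the port list derived from the pod's containers (the removed `includeInboundPorts .Spec.Containers` line further down this file), so traffic to ports a pod never declared in `containerPorts` is now also redirected through the sidecar. This is the safer default rather than a defect — undeclared ports can no longer bypass whatever PeerAuthentication or authorization policy applies to the workload — but workloads that relied on undeclared ports being reachable in plaintext will start failing once mTLS is STRICT, and nothing in the umbrella chart mentions it. A one-liner in the chart's values or changelog would save operators a debugging session, e.g. `# Istio 1.9: the sidecar intercepts ALL inbound ports by default; set traffic.sidecar.istio.io/includeInboundPorts on the pod to narrow it`. The `template: |` block scalar this hunk belongs to continues beyond the hunk.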
@ -8,8 +37,8 @@ template: |
|
|||||||
{{ else -}}
|
{{ else -}}
|
||||||
- name: istio-init
|
- name: istio-init
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
{{- if contains "/" .Values.global.proxy_init.image }}
|
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
||||||
image: "{{ .Values.global.proxy_init.image }}"
|
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
||||||
{{- else }}
|
{{- else }}
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
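Review bot: The istio-init container image is now taken from the pod annotation `sidecar.istio.io/proxyImage` whenever that value contains a `/`, so anyone able to set annotations on a pod in an injected namespace can choose the image that runs as the init container. The init container's securityContext is outside this hunk, but if it carries the NET_ADMIN/NET_RAW capabilities normally needed to program iptables, this is an arbitrary-image-with-elevated-capabilities path open to ordinary namespace users, and the chart documents it nowhere. Note also that the fallback branch still builds the image from `.Values.global.proxy_init.image` rather than the annotation, so an annotation value without a registry path is silently ignored rather than rejected. If the override is intended, document it in the umbrella chart and consider constraining it with an admission rule on the annotation (for example an allowed-registry prefix); the `template: |` block scalar continues on both sides of this hunk.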
@ -81,7 +110,7 @@ template: |
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{- if .Values.global.proxy.resources }}
|
{{- if .Values.global.proxy.resources }}
|
||||||
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
securityContext:
|
securityContext:
|
||||||
@ -115,8 +144,8 @@ template: |
|
|||||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
command:
|
command:
|
||||||
- /bin/sh
|
- /bin/sh
|
||||||
{{- if contains "/" .Values.global.proxy_init.image }}
|
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
|
||||||
image: "{{ .Values.global.proxy_init.image }}"
|
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
|
||||||
{{- else }}
|
{{- else }}
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -159,6 +188,7 @@ template: |
|
|||||||
{{ end -}}
|
{{ end -}}
|
||||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||||
{{- if .Values.global.sts.servicePort }}
|
{{- if .Values.global.sts.servicePort }}
|
||||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -171,7 +201,7 @@ template: |
|
|||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.global.proxy.lifecycle }}
|
{{- if .Values.global.proxy.lifecycle }}
|
||||||
lifecycle:
|
lifecycle:
|
||||||
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
|
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
|
||||||
{{- else if $holdProxy }}
|
{{- else if $holdProxy }}
|
||||||
lifecycle:
|
lifecycle:
|
||||||
postStart:
|
postStart:
|
||||||
@ -236,7 +266,7 @@ template: |
|
|||||||
{{- end}}
|
{{- end}}
|
||||||
]
|
]
|
||||||
- name: ISTIO_META_APP_CONTAINERS
|
- name: ISTIO_META_APP_CONTAINERS
|
||||||
value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}"
|
value: "{{ $containers | join "," }}"
|
||||||
- name: ISTIO_META_CLUSTER_ID
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||||
- name: ISTIO_META_INTERCEPTION_MODE
|
- name: ISTIO_META_INTERCEPTION_MODE
|
||||||
@ -341,7 +371,7 @@ template: |
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{- if .Values.global.proxy.resources }}
|
{{- if .Values.global.proxy.resources }}
|
||||||
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -378,7 +408,7 @@ template: |
|
|||||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||||
- name: "{{ $index }}"
|
- name: "{{ $index }}"
|
||||||
{{ toYaml $value | indent 4 }}
|
{{ toYaml $value | indent 6 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -402,6 +432,16 @@ template: |
|
|||||||
- path: "annotations"
|
- path: "annotations"
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.annotations
|
fieldPath: metadata.annotations
|
||||||
|
- path: "cpu-limit"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: limits.cpu
|
||||||
|
divisor: 1m
|
||||||
|
- path: "cpu-request"
|
||||||
|
resourceFieldRef:
|
||||||
|
containerName: istio-proxy
|
||||||
|
resource: requests.cpu
|
||||||
|
divisor: 1m
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
- name: istio-token
|
- name: istio-token
|
||||||
projected:
|
projected:
|
||||||
@ -430,7 +470,7 @@ template: |
|
|||||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||||
- name: "{{ $index }}"
|
- name: "{{ $index }}"
|
||||||
{{ toYaml $value | indent 2 }}
|
{{ toYaml $value | indent 4 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||||
@ -439,25 +479,13 @@ template: |
|
|||||||
optional: true
|
optional: true
|
||||||
secretName: lightstep.cacert
|
secretName: lightstep.cacert
|
||||||
{{- end }}
|
{{- end }}
|
||||||
podRedirectAnnot:
|
|
||||||
{{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
|
|
||||||
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}'
|
|
||||||
{{- end }}
|
|
||||||
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
|
||||||
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
|
||||||
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
|
||||||
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
|
|
||||||
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
|
||||||
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
|
||||||
{{- end }}
|
|
||||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
|
||||||
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
|
||||||
{{- end }}
|
|
||||||
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
|
||||||
{{- if .Values.global.imagePullSecrets }}
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
imagePullSecrets:
|
imagePullSecrets:
|
||||||
{{- range .Values.global.imagePullSecrets }}
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
- name: {{ . }}
|
- name: {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
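Review bot: The new pod-level `fsGroup: 1337` is emitted whenever istiod's `ENABLE_LEGACY_FSGROUP_INJECTION` environment variable is unset, because the `env` call defaults it to `"true"`, so the group ownership of every volume in every injected pod — not only the proxy's — is changed to 1337 by default. Presumably this exists so the projected `istio-token` volume is readable by the proxy on older kubelets (confirm), and whether it overrides or merges with an `fsGroup` the workload already declares is not visible here. Since it is on by default and affects application volumes, the umbrella chart should either set the variable explicitly on the istiod deployment or document the effect, e.g. `# ENABLE_LEGACY_FSGROUP_INJECTION (default true): injection sets pod fsGroup=1337 on all injected pods; set to "false" on istiod once no longer needed`. The enclosing `template: |` block scalar starts before this hunk.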
|
@ -4,6 +4,12 @@
|
|||||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
|
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
|
||||||
|
|
||||||
|
# The namespace to treat as the administrative root namespace for Istio configuration.
|
||||||
|
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
||||||
|
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
||||||
|
# is processed as if it were declared in the leaf namespace.
|
||||||
|
rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
|
||||||
|
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
{{- if .Values.global.meshID }}
|
{{- if .Values.global.meshID }}
|
||||||
meshId: {{ .Values.global.meshID }}
|
meshId: {{ .Values.global.meshID }}
|
||||||
@ -47,10 +53,13 @@
|
|||||||
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
|
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
|
||||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
|
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.global.remotePilotAddress }}
|
{{- if .Values.global.remotePilotAddress }}
|
||||||
|
{{- if .Values.pilot.enabled }}
|
||||||
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -37,6 +37,7 @@ spec:
|
|||||||
app: istiod
|
app: istiod
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
operator.istio.io/component: "Pilot"
|
operator.istio.io/component: "Pilot"
|
||||||
{{- if eq .Values.revision ""}}
|
{{- if eq .Values.revision ""}}
|
||||||
istio: pilot
|
istio: pilot
|
||||||
@ -101,8 +102,6 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
- containerPort: 15017
|
- containerPort: 15017
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
- containerPort: 15053
|
|
||||||
protocol: TCP
|
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /ready
|
path: /ready
|
||||||
@ -148,14 +147,6 @@ spec:
|
|||||||
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
||||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
||||||
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
||||||
{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }}
|
|
||||||
- name: INJECTION_WEBHOOK_CONFIG_NAME
|
|
||||||
{{- if eq .Release.Namespace "istio-system" }}
|
|
||||||
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- else }}
|
|
||||||
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
- name: ISTIOD_ADDR
|
- name: ISTIOD_ADDR
|
||||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
||||||
- name: PILOT_ENABLE_ANALYSIS
|
- name: PILOT_ENABLE_ANALYSIS
|
||||||
@ -164,11 +155,9 @@ spec:
|
|||||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
- name: EXTERNAL_ISTIOD
|
- name: EXTERNAL_ISTIOD
|
||||||
value: "{{ $.Values.global.externalIstiod | default "false" }}"
|
value: "{{ $.Values.global.externalIstiod | default "false" }}"
|
||||||
- name: CENTRAL_ISTIOD
|
{{- if not .Values.telemetry.v2.enabled }}
|
||||||
value: "{{ $.Values.global.centralIstiod | default "false" }}"
|
|
||||||
{{- if .Values.telemetry.v2.enabled }}
|
|
||||||
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
||||||
value: "true"
|
value: "false"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
resources:
|
resources:
|
||||||
{{- if .Values.pilot.resources }}
|
{{- if .Values.pilot.resources }}
|
||||||
|
@ -20,6 +20,15 @@ data:
|
|||||||
# New fields should not use Values - it is a 'primary' config object, users should be able
|
# New fields should not use Values - it is a 'primary' config object, users should be able
|
||||||
# to fine tune it or use it with kube-inject.
|
# to fine tune it or use it with kube-inject.
|
||||||
config: |-
|
config: |-
|
||||||
|
# defaultTemplates defines the default template to use for pods that do not explicitly specify a template
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
|
||||||
|
defaultTemplates:
|
||||||
|
{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
|
||||||
|
- {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
defaultTemplates: [sidecar]
|
||||||
|
{{- end }}
|
||||||
policy: {{ .Values.global.proxy.autoInject }}
|
policy: {{ .Values.global.proxy.autoInject }}
|
||||||
alwaysInjectSelector:
|
alwaysInjectSelector:
|
||||||
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
||||||
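Review bot: `- {{ . }}` in the `defaultTemplates` range renders each template name as a plain scalar inside the `config: |-` block, so a name that YAML retypes (`no`, `on`, an all-digit value) would not survive as a string when istiod parses the config; `- {{ . | quote }}` preserves it. The fallback `defaultTemplates: [sidecar]` uses flow style while the rest of this block is block-style; `- sidecar` on its own line would be consistent. Both are minor if these lines are synced verbatim from the upstream chart.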
@ -29,7 +38,18 @@ data:
|
|||||||
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
||||||
"{{ $key }}": "{{ $val }}"
|
"{{ $key }}": "{{ $val }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
|
||||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
|
which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
|
||||||
|
This should make it obvious that their installation is broken.
|
||||||
|
*/}}
|
||||||
|
template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
|
||||||
|
templates:
|
||||||
|
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
|
||||||
|
sidecar: |
|
||||||
|
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.sidecarInjectorWebhook.templates }}
|
||||||
|
{{ toYaml . | trim | indent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,21 +1,8 @@
|
|||||||
# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds)
|
{{- /* Core defines the common configuration used by all webhook segments */}}
|
||||||
{{- if not .Values.global.operatorManageWebhooks }}
|
{{- define "core" }}
|
||||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
|
||||||
kind: MutatingWebhookConfiguration
|
a unique prefix to each. */}}
|
||||||
metadata:
|
- name: {{.Prefix}}sidecar-injector.istio.io
|
||||||
{{- if eq .Release.Namespace "istio-system"}}
|
|
||||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{ else }}
|
|
||||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
|
||||||
operator.istio.io/component: "Pilot"
|
|
||||||
app: sidecar-injector
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
webhooks:
|
|
||||||
- name: sidecar-injector.istio.io
|
|
||||||
clientConfig:
|
clientConfig:
|
||||||
{{- if .Values.istiodRemote.injectionURL }}
|
{{- if .Values.istiodRemote.injectionURL }}
|
||||||
url: {{ .Values.istiodRemote.injectionURL }}
|
url: {{ .Values.istiodRemote.injectionURL }}
|
||||||
@ -34,6 +21,27 @@ webhooks:
|
|||||||
resources: ["pods"]
|
resources: ["pods"]
|
||||||
failurePolicy: Fail
|
failurePolicy: Fail
|
||||||
admissionReviewVersions: ["v1beta1", "v1"]
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
{{- end }}
|
||||||
|
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
|
||||||
|
{{- if not .Values.global.operatorManageWebhooks }}
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
app: sidecar-injector
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
webhooks:
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
|
||||||
|
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
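Review bot: The webhook re-emitted in this hunk is still declared as `apiVersion: admissionregistration.k8s.io/v1beta1`, which has been deprecated since Kubernetes 1.16 and is removed in 1.22, so an Istio upgrade is the natural point to move it to `apiVersion: admissionregistration.k8s.io/v1`. The v1 schema additionally requires an explicit `sideEffects` value (for example `sideEffects: None`) on each webhook entry, which the `core` template defined in the previous hunk would need to carry; `admissionReviewVersions: ["v1beta1", "v1"]` is already compatible. The `{{- if not .Values.global.operatorManageWebhooks }}` block opened here closes outside this hunk.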
@ -82,4 +90,100 @@ webhooks:
|
|||||||
"sidecar.istio.io/inject": "true"
|
"sidecar.istio.io/inject": "true"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
|
||||||
|
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
|
||||||
|
{{- if .Values.revision }}
|
||||||
|
|
||||||
|
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
|
||||||
|
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "{{ .Values.revision }}"
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "{{ .Values.revision }}"
|
||||||
|
|
||||||
|
{{- else }}
|
||||||
|
{{- /* "default" revision */}}
|
||||||
|
|
||||||
|
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- enabled
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "true"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||||
|
{{- /* Special case 3: no labels at all */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -19,11 +19,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -54,11 +54,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -89,11 +89,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -124,7 +124,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -138,7 +138,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener: {}
|
listener: {}
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
@ -153,7 +153,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -169,7 +169,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -187,7 +187,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -201,13 +201,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -223,7 +223,8 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
{
|
{
|
||||||
{{- if .Values.global.multiCluster.clusterName }}
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
@ -232,7 +233,6 @@ spec:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
@ -255,13 +255,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -277,16 +277,16 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||||
{
|
{
|
||||||
{{- if .Values.global.multiCluster.clusterName }}
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
"source_cluster": "downstream_peer.cluster_id",
|
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
"source_cluster": "downstream_peer.cluster_id"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||||
@ -309,13 +309,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -331,7 +331,9 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||||
{
|
{
|
||||||
"disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }},
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
|
"disable_host_header_fallback": true,
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
@ -340,7 +342,6 @@ spec:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
@ -364,7 +365,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -378,11 +379,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -398,16 +399,16 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||||
{
|
{
|
||||||
{{- if .Values.global.multiCluster.clusterName }}
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
"source_cluster": "downstream_peer.cluster_id",
|
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
"source_cluster": "downstream_peer.cluster_id"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||||
@ -430,11 +431,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -450,7 +451,8 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
{
|
{
|
||||||
{{- if .Values.global.multiCluster.clusterName }}
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
@ -459,7 +461,6 @@ spec:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
@ -482,11 +483,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -502,7 +503,8 @@ spec:
|
|||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||||
{
|
{
|
||||||
{{- if .Values.global.multiCluster.clusterName }}
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"metrics": [
|
"metrics": [
|
||||||
{
|
{
|
||||||
"dimensions": {
|
"dimensions": {
|
||||||
@ -511,7 +513,6 @@ spec:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
{{- end }}
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
@ -536,7 +537,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -551,13 +552,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -586,13 +587,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -620,13 +621,13 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "envoy.router"
|
name: "envoy.filters.http.router"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -654,7 +655,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -669,11 +670,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -702,11 +703,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -734,11 +735,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.tcp_proxy"
|
name: "envoy.filters.network.tcp_proxy"
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
value:
|
value:
|
||||||
@ -767,7 +768,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -781,11 +782,11 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '1\.8.*'
|
proxyVersion: '1\.9.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
name: "envoy.http_connection_manager"
|
name: "envoy.filters.network.http_connection_manager"
|
||||||
subFilter:
|
subFilter:
|
||||||
name: "istio.stackdriver"
|
name: "istio.stackdriver"
|
||||||
patch:
|
patch:
|
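Review bot: `proxyVersion: '1\.9.*'` in this hunk is the only proxy match in the commit without the `^` anchor; every other EnvoyFilter in this file uses `'^1\.9.*'`. If the field is evaluated as an unanchored regular expression, the pattern also matches any version string that merely contains `1.9`; `proxyVersion: '^1\.9.*'` makes the intent explicit and keeps the filters consistent. The enclosing EnvoyFilter resource begins outside this hunk.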
@ -65,6 +65,10 @@ pilot:
|
|||||||
|
|
||||||
|
|
||||||
sidecarInjectorWebhook:
|
sidecarInjectorWebhook:
|
||||||
|
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
|
||||||
|
# requests in Istiod, rather than at the webhook selection level.
|
||||||
|
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
|
||||||
|
useLegacySelectors: true
|
||||||
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
||||||
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
||||||
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
||||||
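Review bot: The new `useLegacySelectors: true` default means the webhook template takes the `{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}` branch, so the revision- and label-aware `namespaceSelector`/`objectSelector` cases added in the webhook template are never rendered and filtering of injection requests is left to istiod, as the accompanying comment states. Since that comment also says the option exists for migration only and is removed in Istio 1.10, a reminder in the values file would help operators flip it once their namespaces carry the new labels, e.g. `# TODO: set to false after verifying namespaces/pods are labelled for the new selector logic`. The comment has a typo as well: `# This is option is intended for migration purposes only and will be removed in Istio 1.10.` should read `# This option is intended for migration purposes only and will be removed in Istio 1.10.`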
@ -90,13 +94,41 @@ sidecarInjectorWebhook:
|
|||||||
# Only one environment should have this enabled.
|
# Only one environment should have this enabled.
|
||||||
enableNamespacesByDefault: false
|
enableNamespacesByDefault: false
|
||||||
|
|
||||||
# Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector.
|
# Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
|
||||||
# It is disabled by default since this function will only work after k8s v1.15.
|
# It is enabled by default as the minimum supported Kubernetes version is 1.15+
|
||||||
objectSelector:
|
objectSelector:
|
||||||
enabled: false
|
enabled: true
|
||||||
autoInject: true
|
autoInject: true
|
||||||
|
|
||||||
rewriteAppHTTPProbe: true
|
rewriteAppHTTPProbe: true
|
||||||
|
|
||||||
|
# Templates defines a set of custom injection templates that can be used. For example, defining:
|
||||||
|
#
|
||||||
|
# templates:
|
||||||
|
# hello: |
|
||||||
|
# metadata:
|
||||||
|
# labels:
|
||||||
|
# hello: world
|
||||||
|
#
|
||||||
|
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
|
||||||
|
# being injected with the hello=world labels.
|
||||||
|
# This is intended for advanced configuration only; most users should use the built in template
|
||||||
|
templates: {}
|
||||||
|
|
||||||
|
# Default templates specifies a set of default templates that are used in sidecar injection.
|
||||||
|
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
|
||||||
|
# To inject other additional templates, define it using the `templates` option, and add it to
|
||||||
|
# the default templates list.
|
||||||
|
# For example:
|
||||||
|
#
|
||||||
|
# templates:
|
||||||
|
# hello: |
|
||||||
|
# metadata:
|
||||||
|
# labels:
|
||||||
|
# hello: world
|
||||||
|
#
|
||||||
|
# defaultTemplates: ["sidecar", "hello"]
|
||||||
|
defaultTemplates: []
|
||||||
istiodRemote:
|
istiodRemote:
|
||||||
# Sidecar injector mutating webhook configuration url
|
# Sidecar injector mutating webhook configuration url
|
||||||
# For example: https://$remotePilotAddress:15017/inject
|
# For example: https://$remotePilotAddress:15017/inject
|
||||||
@ -150,26 +182,20 @@ ownerName: ""
|
|||||||
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
|
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
|
||||||
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
|
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
|
||||||
meshConfig:
|
meshConfig:
|
||||||
|
enablePrometheusMerge: true
|
||||||
# Config for the default ProxyConfig.
|
# Config for the default ProxyConfig.
|
||||||
# Initially using directly the proxy metadata - can also be activated using annotations
|
# Initially using directly the proxy metadata - can also be activated using annotations
|
||||||
# on the pod. This is an unsupported low-level API, pending review and decisions on
|
# on the pod. This is an unsupported low-level API, pending review and decisions on
|
||||||
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
|
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
|
||||||
# and gradual adoption by setting capture only on specific workloads. It also allows
|
# and gradual adoption by setting capture only on specific workloads. It also allows
|
||||||
# VMs to use other DNS options, like dnsmasq or unbound.
|
# VMs to use other DNS options, like dnsmasq or unbound.
|
||||||
defaultConfig:
|
|
||||||
proxyMetadata:
|
|
||||||
# If empty, agent will not start :15013 DNS listener and will not attempt
|
|
||||||
# to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in
|
|
||||||
# istiod and the dns-over-tls listener.
|
|
||||||
# DNS_AGENT: DNS-TLS
|
|
||||||
DNS_AGENT: ""
|
|
||||||
|
|
||||||
# The namespace to treat as the administrative root namespace for Istio configuration.
|
# The namespace to treat as the administrative root namespace for Istio configuration.
|
||||||
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
||||||
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
||||||
# is processed as if it were declared in the leaf namespace.
|
# is processed as if it were declared in the leaf namespace.
|
||||||
rootNamespace: "istio-system"
|
|
||||||
|
rootNamespace:
|
||||||
|
|
||||||
# TODO: the intent is to eventually have this enabled by default when security is used.
|
# TODO: the intent is to eventually have this enabled by default when security is used.
|
||||||
# It is not clear if user should normally need to configure - the metadata is typically
|
# It is not clear if user should normally need to configure - the metadata is typically
|
||||||
@ -180,6 +206,8 @@ meshConfig:
|
|||||||
# No hurry to do this in 1.6, we're trying to prove the code.
|
# No hurry to do this in 1.6, we're trying to prove the code.
|
||||||
|
|
||||||
global:
|
global:
|
||||||
|
# Used to locate istiod.
|
||||||
|
istioNamespace: istio-system
|
||||||
# enable pod disruption budget for the control plane, which is used to
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
defaultPodDisruptionBudget:
|
defaultPodDisruptionBudget:
|
||||||
@ -199,15 +227,12 @@ global:
|
|||||||
# cpu: 100m
|
# cpu: 100m
|
||||||
# memory: 128Mi
|
# memory: 128Mi
|
||||||
|
|
||||||
# Used to locate istiod.
|
|
||||||
istioNamespace: istio-system
|
|
||||||
|
|
||||||
# Default hub for Istio images.
|
# Default hub for Istio images.
|
||||||
# Releases are published to docker hub under 'istio' project.
|
# Releases are published to docker hub under 'istio' project.
|
||||||
# Dev builds from prow are on gcr.io
|
# Dev builds from prow are on gcr.io
|
||||||
hub: gcr.io/istio-testing
|
hub: docker.io/istio
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: latest
|
tag: 1.9.0
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
@ -353,12 +378,11 @@ global:
|
|||||||
|
|
||||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||||
|
# If not set explicitly, default to the Istio discovery address.
|
||||||
caAddress: ""
|
caAddress: ""
|
||||||
|
|
||||||
# External istiod controls all remote clusters: disabled by default
|
# External istiod controls all remote clusters: disabled by default
|
||||||
externalIstiod: false
|
externalIstiod: false
|
||||||
# Central istiod controls all remote clusters: disabled by default
|
|
||||||
centralIstiod: false
|
|
||||||
|
|
||||||
# Configure the policy for validating JWT.
|
# Configure the policy for validating JWT.
|
||||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||||
@ -483,3 +507,6 @@ global:
|
|||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
# Deprecated, use meshConfig.trustDomain
|
||||||
trustDomain: ""
|
trustDomain: ""
|
||||||
|
base:
|
||||||
|
# For istioctl usage to disable istio config crds in base
|
||||||
|
enableIstioConfigCRDs: true
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
export ISTIO_VERSION=1.8.2
|
export ISTIO_VERSION=1.9.0
|
||||||
|
|
||||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||||
NAME="istio-$ISTIO_VERSION"
|
NAME="istio-$ISTIO_VERSION"
|
||||||
@ -16,10 +16,10 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/
|
|||||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/
|
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/
|
||||||
|
|
||||||
# Patch for istiod to control plane
|
# Patch for istiod to control plane
|
||||||
patch -p3 -i istio-discovery.patch
|
patch -p3 -i istio-discovery.patch --no-backup-if-mismatch
|
||||||
|
|
||||||
# remove unused old telemetry filters
|
# remove unused old telemetry filters
|
||||||
rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml
|
rm -f charts/istio-discovery/templates/telemetryv2_1.[678].yaml
|
||||||
|
|
||||||
# Ingress charts
|
# Ingress charts
|
||||||
rm -rf ../kubezero-istio-ingress/charts/istio-*
|
rm -rf ../kubezero-istio-ingress/charts/istio-*
|
||||||
@ -30,8 +30,8 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero
|
|||||||
sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
|
sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
|
||||||
|
|
||||||
# Patch for ingress for extended termination grace period
|
# Patch for ingress for extended termination grace period
|
||||||
patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
|
patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml --no-backup-if-mismatch
|
||||||
patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
|
patch -i ingress-terminationgraceperiod.patch ../kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml --no-backup-if-mismatch
|
||||||
|
|
||||||
# Get matching istioctl
|
# Get matching istioctl
|
||||||
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||||
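Review bot: Adding `--no-backup-if-mismatch` to the three `patch` calls hides the `.orig` files, but a hunk that applies with fuzz still exits 0, so after the ISTIO_VERSION bump a misplaced hunk would pass `set -e` silently; pair it with zero fuzz, e.g. `patch -p3 -F0 -i istio-discovery.patch --no-backup-if-mismatch`, so that drift in the upstream chart fails the run instead. The same applies to the two `ingress-terminationgraceperiod.patch` invocations. The istioctl fetch on the unchanged last line pipes the GitHub release tarball straight into `tar xz` with no integrity check; since the version string drives that download, pinning a checksum for the new release (or at least quoting `"$ISTIO_VERSION"` in the comparison) would make the bump verifiable. Whether the release publishes a checksum file alongside the tarball is not visible here.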
|
@ -1,6 +1,6 @@
|
|||||||
global:
|
global:
|
||||||
hub: docker.io/istio
|
# hub: docker.io/istio
|
||||||
tag: 1.8.2
|
# tag: 1.9.0
|
||||||
|
|
||||||
logAsJson: true
|
logAsJson: true
|
||||||
jwtPolicy: first-party-jwt
|
jwtPolicy: first-party-jwt
|
||||||
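Review bot: The new side keeps `# hub: docker.io/istio` and `# tag: 1.9.0` as commented-out values that duplicate the subchart defaults and will go stale on the next bump; either drop them or replace them with a single comment such as `# hub/tag are inherited from the istio-discovery subchart defaults`. With both keys removed the effective image coordinates now depend entirely on the subchart, which is worth stating so a reader does not assume an unpinned tag. The unchanged `jwtPolicy: first-party-jwt` is the fallback for clusters without projected service-account tokens; if the clusters this chart targets support them, `third-party-jwt` is the stronger setting and a reasonable follow-up to this upgrade.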
|