feat: Istio RateLimiting, Version bump to 1.11.1, Kiali support

2021-08-25 15:58:55 +02:00 · 2021-08-25 15:58:55 +02:00 · b73bee54bb
commit b73bee54bb
parent f93d195cd4
84 changed files with 3709 additions and 1386 deletions
--- a/charts/kubezero-istio-ingress/Chart.yaml
+++ b/charts/kubezero-istio-ingress/Chart.yaml
@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio-ingress
 description: KubeZero Umbrella Chart for Istio based Ingress
 type: application
-version: 0.6.1
+version: 0.7.2
-appVersion: 1.10.3
+appVersion: 1.11.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -13,12 +13,12 @@ maintainers:
  - name: Quarky9
 dependencies:
  - name: kubezero-lib
-    version: ">= 0.1.3"
+    version: ">= 0.1.4"
    repository: https://zero-down-time.github.io/kubezero/
  - name: istio-ingress
-    version: 1.10.3
+    version: 1.11.1
    condition: istio-ingress.enabled
  - name: istio-private-ingress
-    version: 1.10.3
+    version: 1.11.1
    condition: istio-private-ingress.enabled
 kubeVersion: ">= 1.18.0"
--- a/charts/kubezero-istio-ingress/README.md
+++ b/charts/kubezero-istio-ingress/README.md
@ -1,6 +1,6 @@
 # kubezero-istio-ingress
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
+![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
 KubeZero Umbrella Chart for Istio based Ingress
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
 | Repository | Name | Version |
 |------------|------|---------|
-|  | istio-ingress | 1.10.2 |
+|  | istio-ingress | 1.11.0 |
-|  | istio-private-ingress | 1.10.2 |
+|  | istio-private-ingress | 1.11.0 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 ## Values
@ -41,26 +41,28 @@ Kubernetes: `>= 1.18.0`
 | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` |  |
 | istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` |  |
 | istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` |  |
-| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` |  |
+| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` |  |
 | istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` |  |
 | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` |  |
 | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` |  |
 | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` |  |
 | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` |  |
-| istio-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` |  |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` |  |
 | istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` |  |
 | istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` |  |
 | istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` |  |
 | istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` |  |
@ -69,7 +71,7 @@ Kubernetes: `>= 1.18.0`
 | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` |  |
 | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` |  |
 | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` |  |
-| istio-ingress.proxyProtocol | bool | `false` |  |
+| istio-ingress.proxyProtocol | bool | `true` |  |
 | istio-ingress.telemetry.enabled | bool | `false` |  |
 | istio-private-ingress.certificates[0].dnsNames | list | `[]` |  |
 | istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` |  |
@ -83,26 +85,28 @@ Kubernetes: `>= 1.18.0`
 | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` |  |
-| istio-private-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` |  |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` |  |
@ -111,7 +115,7 @@ Kubernetes: `>= 1.18.0`
 | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` |  |
 | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` |  |
 | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` |  |
-| istio-private-ingress.proxyProtocol | bool | `false` |  |
+| istio-private-ingress.proxyProtocol | bool | `true` |  |
 | istio-private-ingress.telemetry.enabled | bool | `false` |  |
 ## Resources
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-ingress
-version: 1.10.3
+version: 1.11.1
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl
@ -21,12 +21,17 @@ nodeAffinity:
        {{- end }}
        {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
        {{- range $key, $val := $nodeSelector }}
        {{- if eq $val "Exists" }}
        - key: {{ $key }}
          operator: Exists
        {{- else }}
        - key: {{ $key }}
          operator: In
          values:
          - {{ $val | quote }}
        {{- end }}
        {{- end }}
 {{- end }}
 {{- define "nodeAffinityPreferredDuringScheduling" }}
  {{- range $key, $val := .global.arch }}
@ -70,6 +75,13 @@ nodeAffinity:
          {{- end }}
          {{- end }}
      topologyKey: {{ $item.topologyKey }}
      {{- if $item.namespaces }}
      namespaces:
      {{- $ns := split "," $item.namespaces }}
      {{- range $i, $n := $ns }}
      - {{ $n | quote }}
      {{- end }}
      {{- end }}
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
@ -125,8 +125,6 @@ spec:
        {{- if .Values.global.logAsJson }}
          - --log_as_json
        {{- end }}
          - --serviceCluster
          - {{ $gateway.name }}
        {{- if .Values.global.sts.servicePort }}
          - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
@ -200,14 +198,6 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: CANONICAL_SERVICE
            valueFrom:
              fieldRef:
                fieldPath: metadata.labels['service.istio.io/canonical-name']
          - name: CANONICAL_REVISION
            valueFrom:
              fieldRef:
                fieldPath: metadata.labels['service.istio.io/canonical-revision']
          - name: ISTIO_META_WORKLOAD_NAME
            value: {{ $gateway.name }}
          - name: ISTIO_META_OWNER
@ -240,11 +230,6 @@ spec:
          - name: ISTIO_META_NETWORK
            value: "{{ .Values.global.network }}"
          {{- end }}
 {{- if $gateway.podAnnotations }}
          - name: "ISTIO_METAJSON_ANNOTATIONS"
            value: |
 {{ toJson $gateway.podAnnotations | indent 16}}
 {{ end }}
          - name: ISTIO_META_CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          volumeMounts:
@ -301,16 +286,6 @@ spec:
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
            - path: "cpu-limit"
              resourceFieldRef:
                containerName: istio-proxy
                resource: limits.cpu
                divisor: 1m
            - path: "cpu-request"
              resourceFieldRef:
                containerName: istio-proxy
                resource: requests.cpu
                divisor: 1m
      - name: istio-envoy
        emptyDir: {}
      - name: istio-data
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
@ -34,9 +34,11 @@ spec:
    {{- range $key, $val := $gateway.ports }}
    -
      {{- range $pkey, $pval := $val }}
      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
    {{- end }}
    {{- end }}
  {{ range $app := $gateway.ingressPorts }}
    -
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
@ -165,7 +165,7 @@ global:
  hub: docker.io/istio
  # Default tag for Istio images.
-  tag: 1.10.3
+  tag: 1.11.1
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-private-ingress
-version: 1.10.3
+version: 1.11.1
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio gateways
 keywords:
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
@ -21,12 +21,17 @@ nodeAffinity:
        {{- end }}
        {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
        {{- range $key, $val := $nodeSelector }}
        {{- if eq $val "Exists" }}
        - key: {{ $key }}
          operator: Exists
        {{- else }}
        - key: {{ $key }}
          operator: In
          values:
          - {{ $val | quote }}
        {{- end }}
        {{- end }}
 {{- end }}
 {{- define "nodeAffinityPreferredDuringScheduling" }}
  {{- range $key, $val := .global.arch }}
@ -70,6 +75,13 @@ nodeAffinity:
          {{- end }}
          {{- end }}
      topologyKey: {{ $item.topologyKey }}
      {{- if $item.namespaces }}
      namespaces:
      {{- $ns := split "," $item.namespaces }}
      {{- range $i, $n := $ns }}
      - {{ $n | quote }}
      {{- end }}
      {{- end }}
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
@ -125,8 +125,6 @@ spec:
        {{- if .Values.global.logAsJson }}
          - --log_as_json
        {{- end }}
          - --serviceCluster
          - {{ $gateway.name }}
        {{- if .Values.global.sts.servicePort }}
          - --stsPort={{ .Values.global.sts.servicePort }}
        {{- end }}
@ -200,14 +198,6 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: spec.serviceAccountName
          - name: CANONICAL_SERVICE
            valueFrom:
              fieldRef:
                fieldPath: metadata.labels['service.istio.io/canonical-name']
          - name: CANONICAL_REVISION
            valueFrom:
              fieldRef:
                fieldPath: metadata.labels['service.istio.io/canonical-revision']
          - name: ISTIO_META_WORKLOAD_NAME
            value: {{ $gateway.name }}
          - name: ISTIO_META_OWNER
@ -240,11 +230,6 @@ spec:
          - name: ISTIO_META_NETWORK
            value: "{{ .Values.global.network }}"
          {{- end }}
 {{- if $gateway.podAnnotations }}
          - name: "ISTIO_METAJSON_ANNOTATIONS"
            value: |
 {{ toJson $gateway.podAnnotations | indent 16}}
 {{ end }}
          - name: ISTIO_META_CLUSTER_ID
            value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
          volumeMounts:
@ -301,16 +286,6 @@ spec:
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
            - path: "cpu-limit"
              resourceFieldRef:
                containerName: istio-proxy
                resource: limits.cpu
                divisor: 1m
            - path: "cpu-request"
              resourceFieldRef:
                containerName: istio-proxy
                resource: requests.cpu
                divisor: 1m
      - name: istio-envoy
        emptyDir: {}
      - name: istio-data
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
@ -34,9 +34,11 @@ spec:
    {{- range $key, $val := $gateway.ports }}
    -
      {{- range $pkey, $pval := $val }}
      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
      {{ $pkey}}: {{ $pval }}
      {{- end }}
    {{- end }}
    {{- end }}
  {{ range $app := $gateway.ingressPorts }}
    -
--- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
@ -165,7 +165,7 @@ global:
  hub: docker.io/istio
  # Default tag for Istio images.
-  tag: 1.10.3
+  tag: 1.11.1
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
--- a/charts/kubezero-istio-ingress/templates/_gateway.tpl
+++ b/charts/kubezero-istio-ingress/templates/_gateway.tpl
@ -0,0 +1,42 @@
 {{- define "gatewayServers" }}
 {{- range $port := .ports }}
 {{- if not $port.noGateway }}
 {{- $eachCert := false }}
 {{- if $port.tls }}
 {{- if not $port.tls.httpsRedirect }}
 {{- $eachCert = true }}
 {{- end }}
 {{- end }}
 {{- if $eachCert }}
 {{- range $cert := $.certificates }}
 - port:
    number: {{ $port.port }}
    name: {{ $port.name }}
    protocol: {{ default "TCP" $port.gatewayProtocol }}
  tls:
    credentialName: {{ $cert.name }}
    {{- toYaml $port.tls | nindent 4 }}
  hosts:
  {{- toYaml $cert.dnsNames | nindent 2 }}
 {{- end }}
 {{- else }}
 - port:
    number: {{ $port.port }}
    name: {{ $port.name }}
    protocol: {{ default "TCP" $port.gatewayProtocol }}
  {{- with $port.tls }}
  tls:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  hosts:
  {{- range $cert := $.certificates }}
  {{- toYaml $cert.dnsNames | nindent 2 }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
@ -5,7 +5,7 @@ metadata:
  name: ingressgateway-listener-tcp-keepalive
  namespace: {{ .Release.Namespace }}
  labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
@ -43,7 +43,7 @@ metadata:
  name: private-ingressgateway-listener-tcp-keepalive
  namespace: {{ .Release.Namespace }}
  labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
--- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
@ -1,4 +1,7 @@
-{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
+# Public Ingress Gateway
 {{- $gateway := index .Values "istio-ingress" }}
 {{- if and $gateway.enabled $gateway.certificates }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
 apiVersion: networking.istio.io/v1beta1
@ -7,108 +10,10 @@ metadata:
  name: ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  selector:
    istio: ingressgateway
  servers:
-  - port:
+  {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
      number: 80
      name: http
      protocol: HTTP2
    hosts:
    {{- range $cert := (index .Values "istio-ingress" "certificates") }}
    {{- toYaml $cert.dnsNames | nindent 4 }}
    {{- end }}
    tls:
      httpsRedirect: true
  {{- range $cert := (index .Values "istio-ingress" "certificates") }}
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    {{- toYaml $cert.dnsNames | nindent 4 }}
    tls:
      mode: SIMPLE
      credentialName: {{ $cert.name }}
  {{- end }}
 {{- end }}
 {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
  name: private-ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
  selector:
    istio: private-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP2
    hosts:
    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
    {{- toYaml $certs.dnsNames | nindent 4 }}
    {{- end }}
    tls:
      httpsRedirect: true
  # All SSL hosts one entry per ingress-certificate
  {{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    {{- toYaml $cert.dnsNames | nindent 4 }}
    tls:
      mode: SIMPLE
      credentialName: {{ $cert.name }}
  - port:
      number: 24224
      name: fluentd-forward
      protocol: TLS
    hosts:
    {{- toYaml $cert.dnsNames | nindent 4 }}
    tls:
      mode: SIMPLE
      credentialName: {{ $cert.name }}
  {{- end }}
  - port:
      number: 5672
      name: amqp
      protocol: TCP
    hosts:
    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
    {{- toYaml $certs.dnsNames | nindent 4 }}
    {{- end }}
  - port:
      number: 5671
      name: amqps
      protocol: TCP
    hosts:
    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
    {{- toYaml $certs.dnsNames | nindent 4 }}
    {{- end }}
  - port:
      number: 6379
      name: redis
      protocol: TCP
    hosts:
    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
    {{- toYaml $certs.dnsNames | nindent 4 }}
    {{- end }}
  - port:
      number: 6380
      name: redis-1
      protocol: TCP
    hosts:
    {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
    {{- toYaml $certs.dnsNames | nindent 4 }}
    {{- end }}
 {{- end }}
--- a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml
@ -0,0 +1,19 @@
 # Private Ingress Gateway
 {{- $gateway := index .Values "istio-private-ingress" }}
 {{- if and $gateway.enabled $gateway.certificates }}
 # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
  name: private-ingressgateway
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  selector:
    istio: private-ingressgateway
  servers:
  {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
 {{- end }}
--- a/charts/kubezero-istio-ingress/values.yaml
+++ b/charts/kubezero-istio-ingress/values.yaml
@ -1,7 +1,7 @@
 # Make sure these values match kuberzero-istio !!!
 global:
  #hub: docker.io/istio
-  #tag: 1.10.2
+  #tag: 1.11.0
  logAsJson: true
@ -50,31 +50,50 @@ istio-ingress:
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config
-      # The node selector is normally the list of nodeports, see CloudBender
+      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      nodeSelector:
-        node.kubernetes.io/ingress.public: "30080_30443"
+        node.kubernetes.io/ingress.public: "Exists"
      # Only nodes who are fronted with matching NLB
      #affintiy:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.public
      #          operator: Exists
      # Map port 80/443 to 8080/8443 so we don't need to root
      # ports is extended as follows:
      # noGateway: true -> this port does NOT get mapped to a Gateway port
      # tls: optional gateway port setting
      # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
      ports:
      - name: status-port
        port: 15021
        nodePort: 30021
-        protocol: TCP
+        noGateway: true
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 30080
-        protocol: TCP
+        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 30443
-        protocol: TCP
+        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE
  certificates:
  - name: ingress-cert
    dnsNames: []
  #  - '*.example.com'
-  proxyProtocol: false
+  proxyProtocol: true
  meshConfig:
   defaultConfig:
@ -124,27 +143,43 @@ istio-private-ingress:
        mountPath: /etc/istio/custom-bootstrap
        configMapName: istio-gateway-bootstrap-config
      # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
      nodeSelector:
-        node.kubernetes.io/ingress.private: "31080_31443"
+        node.kubernetes.io/ingress.private: "Exists"
-        #nodeSelector: "31080_31443_31671_31672_31224"
+      # Only nodes who are fronted with matching NLB
      #affintiy:
      #  nodeAffinity:
      #    requiredDuringSchedulingIgnoredDuringExecution:
      #      nodeSelectorTerms:
      #      - matchExpressions:
      #        - key: node.kubernetes.io/ingress.private
      #          operator: Exists
      ports:
      - name: status-port
        port: 15021
        nodePort: 31021
-        protocol: TCP
+        noGateway: true
      - name: http2
        port: 80
        targetPort: 8080
        nodePort: 31080
-        protocol: TCP
+        gatewayProtocol: HTTP2
        tls:
          httpsRedirect: true
      - name: https
        port: 443
        targetPort: 8443
        nodePort: 31443
-        protocol: TCP
+        gatewayProtocol: HTTPS
        tls:
          mode: SIMPLE
      #- name: fluentd-forward
      #  port: 24224
      #  nodePort: 31224
      #  gatewayProtocol: TLS
      #  tls:
      #    mode: SIMPLE
      #- name: amqps
      #  port: 5671
      #  nodePort: 31671
@ -160,7 +195,7 @@ istio-private-ingress:
    dnsNames: []
    #- '*.example.com'
-  proxyProtocol: false
+  proxyProtocol: true
  meshConfig:
   defaultConfig:
--- a/charts/kubezero-istio/.helmignore
+++ b/charts/kubezero-istio/.helmignore
@ -28,4 +28,5 @@ README.md.gotmpl
 *.py
 istioctl
-istio-?.?.?
+istio
 istio.zdt
--- a/charts/kubezero-istio/Chart.yaml
+++ b/charts/kubezero-istio/Chart.yaml
@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.6.1
+version: 0.7.2
-appVersion: 1.10.3
+appVersion: 1.11.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -13,10 +13,14 @@ maintainers:
  - name: Quarky9
 dependencies:
  - name: kubezero-lib
-    version: ">= 0.1.3"
+    version: ">= 0.1.4"
    repository: https://zero-down-time.github.io/kubezero/
  - name: base
-    version: 1.10.3
+    version: 1.11.1
  - name: istio-discovery
-    version: 1.10.3
+    version: 1.11.1
  - name: kiali-server
    version: 1.38.1
    # repository: https://github.com/kiali/helm-charts/tree/master/docs
    condition: kiali-server.enabled
 kubeVersion: ">= 1.18.0"
--- a/charts/kubezero-istio/README.md
+++ b/charts/kubezero-istio/README.md
@ -1,6 +1,6 @@
 # kubezero-istio
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
+![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)
 KubeZero Umbrella Chart for Istio
@ -20,8 +20,9 @@ Kubernetes: `>= 1.18.0`
 | Repository | Name | Version |
 |------------|------|---------|
-|  | base | 1.10.2 |
+|  | base | 1.11.1 |
-|  | istio-discovery | 1.10.2 |
+|  | istio-discovery | 1.11.1 |
 |  | kiali-server | 1.38.1 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 ## Values
@ -43,6 +44,26 @@ Kubernetes: `>= 1.18.0`
 | istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` |  |
 | istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` |  |
 | istio-discovery.telemetry.enabled | bool | `false` |  |
 | kiali-server.auth.strategy | string | `"anonymous"` |  |
 | kiali-server.deployment.ingress_enabled | bool | `false` |  |
 | kiali-server.deployment.view_only_mode | bool | `true` |  |
 | kiali-server.enabled | bool | `false` |  |
 | kiali-server.external_services.custom_dashboards.enabled | bool | `false` |  |
 | kiali-server.external_services.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus.monitoring:9090"` |  |
 | kiali-server.istio.enabled | bool | `false` |  |
 | kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` |  |
 | kiali-server.server.metrics_enabled | bool | `false` |  |
 | rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` |  |
 | rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` |  |
 | rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` |  |
 | rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` |  |
 | rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` |  |
 | rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` |  |
 | rateLimiting.enabled | bool | `true` |  |
 | rateLimiting.failureModeDeny | bool | `false` |  |
 | rateLimiting.localCacheSize | int | `1048576` |  |
 | rateLimiting.log.format | string | `"json"` |  |
 | rateLimiting.log.level | string | `"warn"` |  |
 ## Resources
--- a/charts/kubezero-istio/charts/base/Chart.yaml
+++ b/charts/kubezero-istio/charts/base/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 name: base
-version: 1.10.3
+version: 1.11.1
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio cluster resources and CRDs
 keywords:
--- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
+++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
--- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
+++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
--- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml
+++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml
@ -1,3 +1,8 @@
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 # DO NOT EDIT!
 # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
 # UPDATED CHART AT manifests/charts/istio-control/istio-discovery
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -149,6 +154,9 @@ rules:
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceexports"]
    verbs: ["get", "watch", "list"]
 {{- if or .Values.global.externalIstiod }}
  - apiGroups: [""]
    resources: ["configmaps"]
--- a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml
+++ b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml
@ -1,3 +1,8 @@
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 # DO NOT EDIT!
 # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
 # UPDATED CHART AT manifests/charts/istio-control/istio-discovery
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
--- a/charts/kubezero-istio/charts/base/templates/endpoints.yaml
+++ b/charts/kubezero-istio/charts/base/templates/endpoints.yaml
@ -1,5 +1,5 @@
 {{- if .Values.global.remotePilotAddress }}
-  {{- if .Values.pilot.enabled }}
+  {{- if not .Values.global.externalIstiod }}
 apiVersion: v1
 kind: Endpoints
 metadata:
--- a/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml
+++ b/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml
@ -0,0 +1,16 @@
 # This service account aggregates reader permissions for the revisions in a given cluster
 # Should be used for remote secret creation.
 apiVersion: v1
 kind: ServiceAccount
  {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
    {{- end }}
    {{- end }}
 metadata:
  name: istio-reader-service-account
  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
--- a/charts/kubezero-istio/charts/base/templates/role.yaml
+++ b/charts/kubezero-istio/charts/base/templates/role.yaml
@ -1,3 +1,8 @@
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 # DO NOT EDIT!
 # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
 # UPDATED CHART AT manifests/charts/istio-control/istio-discovery
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
--- a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml
+++ b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml
@ -1,3 +1,8 @@
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 # DO NOT EDIT!
 # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
 # UPDATED CHART AT manifests/charts/istio-control/istio-discovery
 # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
--- a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml
@ -1,18 +1,8 @@
-apiVersion: v1
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-kind: ServiceAccount
+# DO NOT EDIT!
-{{- if .Values.global.imagePullSecrets }}
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
-imagePullSecrets:
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
-{{- range .Values.global.imagePullSecrets }}
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  - name: {{ . }}
 {{- end }}
 {{- end }}
 metadata:
  name: istio-reader-service-account
  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
 ---
 apiVersion: v1
 kind: ServiceAccount
  {{- if .Values.global.imagePullSecrets }}
@ -27,4 +17,3 @@ metadata:
  labels:
    app: istiod
    release: {{ .Release.Name }}
 ---
--- a/charts/kubezero-istio/charts/base/templates/services.yaml
+++ b/charts/kubezero-istio/charts/base/templates/services.yaml
@ -1,5 +1,5 @@
 {{- if .Values.global.remotePilotAddress }}
-  {{- if .Values.pilot.enabled }}
+  {{- if not .Values.global.externalIstiod }}
 # when istiod is enabled in remote cluster, we can't use istiod service name
 apiVersion: v1
 kind: Service
--- a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml
+++ b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml
@ -1,40 +0,0 @@
 {{- if .Values.global.configValidation }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: istiod-{{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
    istio: istiod
 webhooks:
  - name: validation.istio.io
    clientConfig:
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:
        name: istiod
        namespace: {{ .Values.global.istioNamespace }}
        path: "/validate"
      {{- end }}
      caBundle: "" # patched at runtime when the webhook is ready.
    rules:
      - operations:
        - CREATE
        - UPDATE
        apiGroups:
        - security.istio.io
        - networking.istio.io
        apiVersions:
        - "*"
        resources:
        - "*"
    # Fail open until the validation webhook is ready. The webhook controller
    # will update this to `Fail` and patch in the `caBundle` when the webhook
    # endpoint is ready.
    failurePolicy: Ignore
    sideEffects: None
    admissionReviewVersions: ["v1beta1", "v1"]
 ---
 {{- end }}
--- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 name: istio-discovery
-version: 1.10.3
+version: 1.11.1
 tillerVersion: ">=2.7.2"
 description: Helm chart for istio control plane
 keywords:
--- a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt
+++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt
@ -4,6 +4,5 @@ MCP and injector should optionally be installed in the same namespace. Alternati
 address of an MCP server can be set.
-Thank you for installing Istio 1.10.  Please take a few minutes to tell us about your install/upgrade experience!
+Thank you for installing Istio 1.11.  Please take a few minutes to tell us about your install/upgrade experience!
-    https://forms.gle/KjkrDnMPByq7akrYA"
+    https://forms.gle/kWULBRjUv7hHci7T6
--- a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml
@ -28,12 +28,6 @@ spec:
    - router
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    - --serviceCluster
    {{ if ne "" (index .ObjectMeta.Labels "app") -}}
    - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
    {{ else -}}
    - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
    {{ end -}}
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
@ -78,14 +72,6 @@ spec:
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: CANONICAL_SERVICE
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-name']
    - name: CANONICAL_REVISION
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-revision']
    - name: PROXY_CONFIG
      value: |
             {{ protoToJSON .ProxyConfig }}
@ -112,11 +98,6 @@ spec:
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{ if .ObjectMeta.Annotations }}
    - name: ISTIO_METAJSON_ANNOTATIONS
      value: |
             {{ toJSON .ObjectMeta.Annotations }}
    {{ end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
@ -187,16 +168,6 @@ spec:
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
        - path: "cpu-limit"
          resourceFieldRef:
            containerName: istio-proxy
            resource: limits.cpu
            divisor: 1m
        - path: "cpu-request"
          resourceFieldRef:
            containerName: istio-proxy
            resource: requests.cpu
            divisor: 1m
  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
  - name: istio-token
    projected:
--- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
--- a/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml
@ -0,0 +1,234 @@
 {{- $containers := list }}
 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
 metadata:
  annotations: {
    {{- if eq (len $containers) 1 }}
    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
    kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
    {{ end }}
  }
 spec:
  containers:
  {{- range $index, $container := .Spec.Containers  }}
  {{ if not (eq $container.Name "istio-proxy") }}
  - name: {{ $container.Name }}
    env:
    - name: "GRPC_XDS_BOOTSTRAP"
      value: "/var/lib/istio/data/grpc-bootstrap.json"
    - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
      value: "true"
    volumeMounts:
    - mountPath: /var/lib/istio/data
      name: istio-data
    # UDS channel between istioagent and gRPC client for XDS/SDS
    - mountPath: /etc/istio/proxy
      name: istio-xds
  {{- end }}
  {{- end }}
  - name: istio-proxy
  {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
    image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
  {{- else }}
    image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
  {{- end }}
    args:
    - proxy
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
  {{- if .Values.global.sts.servicePort }}
    - --stsPort={{ .Values.global.sts.servicePort }}
  {{- end }}
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
    env:
    - name: "GRPC_XDS_BOOTSTRAP"
      value: "/var/lib/istio/data/grpc-bootstrap.json"
    - name: ISTIO_META_GENERATOR
      value: grpc
    - name: OUTPUT_CERTS
      value: /var/lib/istio/data
    {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
    - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
      value: "true"
    {{- end }}
    - name: JWT_POLICY
      value: {{ .Values.global.jwtPolicy }}
    - name: PILOT_CERT_PROVIDER
      value: {{ .Values.global.pilotCertProvider }}
    - name: CA_ADDR
    {{- if .Values.global.caAddress }}
      value: {{ .Values.global.caAddress }}
    {{- else }}
      value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
    {{- end }}
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: INSTANCE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: SERVICE_ACCOUNT
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: HOST_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: PROXY_CONFIG
      value: |
             {{ protoToJSON .ProxyConfig }}
    - name: ISTIO_META_POD_PORTS
      value: |-
        [
        {{- $first := true }}
        {{- range $index1, $c := .Spec.Containers }}
          {{- range $index2, $p := $c.Ports }}
            {{- if (structToJSON $p) }}
            {{if not $first}},{{end}}{{ structToJSON $p }}
            {{- $first = false }}
            {{- end }}
          {{- end}}
        {{- end}}
        ]
    - name: ISTIO_META_APP_CONTAINERS
      value: "{{ $containers | join "," }}"
    - name: ISTIO_META_CLUSTER_ID
      value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
    - name: ISTIO_META_INTERCEPTION_MODE
      value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
    {{- if .Values.global.network }}
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
    {{ end }}
    {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
    - name: ISTIO_META_OWNER
      value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
    {{- end}}
    {{- if .Values.global.meshID }}
    - name: ISTIO_META_MESH_ID
      value: "{{ .Values.global.meshID }}"
    {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
    - name: ISTIO_META_MESH_ID
      value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
    {{- end }}
    {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
    - name: TRUST_DOMAIN
      value: "{{ . }}"
    {{- end }}
    {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
    - name: {{ $key }}
      value: "{{ $value }}"
    {{- end }}
    # grpc uses xds:/// to resolve – no need to resolve VIP
    - name: ISTIO_META_DNS_CAPTURE
      value: "false"
    - name: DISABLE_ENVOY
      value: "true"
    {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
    {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
    readinessProbe:
      httpGet:
        path: /healthz/ready
        port: {{ .Values.global.proxy.statusPort }}
      initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
      periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
      timeoutSeconds: 3
      failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
    {{ end -}}
    resources:
  {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
      requests:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
        {{ end }}
    {{- end }}
    {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
      limits:
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
        cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
        {{ end }}
        {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
        memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
        {{ end }}
    {{- end }}
  {{- else }}
    {{- if .Values.global.proxy.resources }}
      {{ toYaml .Values.global.proxy.resources | indent 6 }}
    {{- end }}
  {{- end }}
    volumeMounts:
    {{- if eq .Values.global.pilotCertProvider "istiod" }}
    - mountPath: /var/run/secrets/istio
      name: istiod-ca-cert
    {{- end }}
    - mountPath: /var/lib/istio/data
      name: istio-data
    # UDS channel between istioagent and gRPC client for XDS/SDS
    - mountPath: /etc/istio/proxy
      name: istio-xds
    {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
    - mountPath: /var/run/secrets/tokens
      name: istio-token
    {{- end }}
    - name: istio-podinfo
      mountPath: /etc/istio/pod
    {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
    {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
    - name: "{{  $index }}"
    {{ toYaml $value | indent 6 }}
    {{ end }}
    {{- end }}
  volumes:
  # UDS channel between istioagent and gRPC client for XDS/SDS
  - emptyDir:
      medium: Memory
    name: istio-xds
  - name: istio-data
    emptyDir: {}
  - name: istio-podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
 {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
  - name: istio-token
    projected:
      sources:
      - serviceAccountToken:
          path: istio-token
          expirationSeconds: 43200
          audience: {{ .Values.global.sds.token.aud }}
 {{- end }}
  {{- if eq .Values.global.pilotCertProvider "istiod" }}
  - name: istiod-ca-cert
    configMap:
      name: istio-ca-root-cert
  {{- end }}
  {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
  {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
  - name: "{{ $index }}"
  {{ toYaml $value | indent 4 }}
  {{ end }}
  {{ end }}
--- a/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml
@ -0,0 +1,58 @@
 spec:
  initContainers:
    - name: grpc-bootstrap-init
      image: busybox:1.28
      volumeMounts:
        - mountPath: /var/lib/grpc/data/
          name: grpc-io-proxyless-bootstrap
      env:
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      command:
        - sh
        - "-c"
        - |-
          NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
          echo '
          {
            "xds_servers": [
              {
                "server_uri": "dns:///istiod.istio-system.svc:15010",
                "channel_creds": [{"type": "insecure"}],
                "server_features" : ["xds_v3"]
              }
            ],
            "node": {
              "id": "'${NODE_ID}'",
              "metadata": {
                "GENERATOR": "grpc"
              }
            }
          }' > /var/lib/grpc/data/bootstrap.json
  containers:
  {{- range $index, $container := .Spec.Containers }}
  - name: {{ $container.Name }}
    env:
      - name: GRPC_XDS_BOOTSTRAP
        value: /var/lib/grpc/data/bootstrap.json
      - name: GRPC_GO_LOG_VERBOSITY_LEVEL
        value: "99"
      - name: GRPC_GO_LOG_SEVERITY_LEVEL
        value: info
    volumeMounts:
      - mountPath: /var/lib/grpc/data/
        name: grpc-io-proxyless-bootstrap
  {{- end }}
  volumes:
    - name: grpc-io-proxyless-bootstrap
      emptyDir: {}
--- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
@ -5,7 +5,6 @@ metadata:
    security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
    service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
    service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
    istio.io/rev: {{ .Revision | default "default" | quote }}
  annotations: {
    {{- if eq (len $containers) 1 }}
    kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
@ -138,7 +137,7 @@ spec:
    {{- end }}
    restartPolicy: Always
  {{ end -}}
-  {{- if eq .Values.global.proxy.enableCoreDump true }}
+  {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
  - name: enable-core-dump
    args:
    - -c
@ -181,12 +180,6 @@ spec:
    - sidecar
    - --domain
    - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
    - --serviceCluster
    {{ if ne "" (index .ObjectMeta.Labels "app") -}}
    - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
    {{ else -}}
    - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
    {{ end -}}
    - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
    - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
    - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
@ -196,9 +189,9 @@ spec:
  {{- if .Values.global.logAsJson }}
    - --log_as_json
  {{- end }}
-  {{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
+  {{- if gt .EstimatedConcurrency 0 }}
    - --concurrency
-    - "{{ .ProxyConfig.Concurrency.GetValue }}"
+    - "{{ .EstimatedConcurrency }}"
  {{- end -}}
  {{- if .Values.global.proxy.lifecycle }}
    lifecycle:
@ -246,14 +239,6 @@ spec:
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
    - name: CANONICAL_SERVICE
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-name']
    - name: CANONICAL_REVISION
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['service.istio.io/canonical-revision']
    - name: PROXY_CONFIG
      value: |
             {{ protoToJSON .ProxyConfig }}
@ -280,11 +265,6 @@ spec:
    - name: ISTIO_META_NETWORK
      value: "{{ .Values.global.network }}"
    {{- end }}
    {{ if .ObjectMeta.Annotations }}
    - name: ISTIO_METAJSON_ANNOTATIONS
      value: |
             {{ toJSON .ObjectMeta.Annotations }}
    {{ end }}
    {{- if .DeploymentMeta.Name }}
    - name: ISTIO_META_WORKLOAD_NAME
      value: "{{ .DeploymentMeta.Name }}"
@ -344,7 +324,7 @@ spec:
        drop:
        - ALL
      privileged: {{ .Values.global.proxy.privileged }}
-      readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
+      readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
      runAsGroup: 1337
      fsGroup: 1337
      {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
@ -437,16 +417,6 @@ spec:
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
        - path: "cpu-limit"
          resourceFieldRef:
            containerName: istio-proxy
            resource: limits.cpu
            divisor: 1m
        - path: "cpu-request"
          resourceFieldRef:
            containerName: istio-proxy
            resource: requests.cpu
            divisor: 1m
  {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
  - name: istio-token
    projected:
--- a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml
@ -0,0 +1,112 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
 rules:
  # sidecar injection controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # configuration validation webhook controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  # istio configuration
  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
  # please proceed with caution
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["*"]
 {{- if .Values.global.istiod.enableAnalysis }}
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
    verbs: ["update"]
    # TODO: should be on just */status but wildcard is not supported
    resources: ["*"]
 {{- end }}
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # discovery and routing
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  # ingress controller
 {{- if .Values.global.istiod.enableAnalysis }}
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
 {{- end}}
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  # Istiod and bootstrap.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
    - "kubernetes.io/legacy-unknown"
    verbs: ["approve"]
  # Used by Istiod to verify the JWT tokens
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # Used by Istiod to verify gateway SDS
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io"]
    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
    verbs: ["update"]
  # Needed for multicluster secret reading, possibly ingress certs in the future
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
  # Used for MCS serviceexport management
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceexports"]
    verbs: ["get", "watch", "list", "create", "delete"]
--- a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml
@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
 subjects:
  - kind: ServiceAccount
    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
    namespace: {{ .Values.global.istioNamespace }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
@ -49,9 +49,11 @@
      {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
      {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
 {{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
      {{- else }}
        {}
      {{- end }}
      {{- if .Values.global.remotePilotAddress }}
-      {{- if .Values.pilot.enabled }}
+      {{- if not .Values.global.externalIstiod }}
      discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
      {{- else }}
      discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
@ -54,7 +54,7 @@ spec:
 {{ toYaml .Values.pilot.podAnnotations | indent 8 }}
        {{- end }}
    spec:
-      serviceAccountName: istiod-service-account
+      serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 {{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
@ -52,6 +52,14 @@ data:
      gateway: |
 {{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
 {{- end }}
 {{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
      grpc-simple: |
 {{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
 {{- end }}
 {{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
      grpc-agent: |
 {{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
 {{- end }}
 {{- with .Values.sidecarInjectorWebhook.templates }}
 {{ toYaml . | trim | indent 6 }}
 {{- end }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
@ -5,12 +5,12 @@ a unique prefix to each. */}}
 - name: {{.Prefix}}sidecar-injector.istio.io
  clientConfig:
    {{- if .Values.istiodRemote.injectionURL }}
-    url: {{ .Values.istiodRemote.injectionURL }}
+    url: "{{ .Values.istiodRemote.injectionURL }}"
    {{- else }}
    service:
      name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      namespace: {{ .Release.Namespace }}
-      path: "/inject"
+      path: "{{ .Values.istiodRemote.injectionPath }}"
      port: 443
    {{- end }}
    caBundle: ""
@ -40,59 +40,6 @@ metadata:
    app: sidecar-injector
    release: {{ .Release.Name }}
 webhooks:
 {{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
 {{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
 {{- include "core" . }}
  namespaceSelector:
  {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
    matchExpressions:
    - key: name
      operator: NotIn
      values:
      - {{ .Release.Namespace }}
    - key: istio-injection
      operator: NotIn
      values:
      - disabled
    - key: istio-env
      operator: DoesNotExist
    - key: istio.io/rev
      operator: DoesNotExist
  {{- else if .Values.revision }}
    matchExpressions:
    - key: istio-injection
      operator: DoesNotExist
    - key: istio.io/rev
      operator: In
      values:
      - {{ .Values.revision }}
  {{- else }}
    matchLabels:
      istio-injection: enabled
  {{- end }}
  {{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
  objectSelector:
    {{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
    matchExpressions:
    - key: "sidecar.istio.io/inject"
      operator: NotIn
      values:
      - "false"
    {{- else if .Values.revision }}
    matchExpressions:
    - key: "sidecar.istio.io/inject"
      operator: DoesNotExist
    - key: istio.io/rev
      operator: In
      values:
      - {{ .Values.revision }}
    {{- else }}
    matchLabels:
      "sidecar.istio.io/inject": "true"
    {{- end }}
  {{- end }}
 {{- else }}
 {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
 {{- /* Case 1: namespace selector matches, and object doesn't disable */}}
@ -195,4 +142,3 @@ webhooks:
 {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml
@ -0,0 +1,48 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
 rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"
      - "authentication.istio.io"
      - "rbac.istio.io"
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
 {{- if .Values.global.externalIstiod }}
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
 {{- end}}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml
@ -0,0 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
 subjects:
  - kind: ServiceAccount
    name: istio-reader-service-account
    namespace: {{ .Values.global.istioNamespace }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml
@ -5,12 +5,12 @@
 - name: {{.Prefix}}sidecar-injector.istio.io
  clientConfig:
    {{- if .Values.istiodRemote.injectionURL }}
-    url: {{ .Values.istiodRemote.injectionURL }}
+    url: "{{ .Values.istiodRemote.injectionURL }}"
    {{- else }}
    service:
      name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      namespace: {{ .Release.Namespace }}
-      path: "/inject"
+      path: "{{ .Values.istiodRemote.injectionPath }}"
    {{- end }}
    caBundle: ""
  sideEffects: None
--- a/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml
@ -0,0 +1,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
 rules:
 # permissions to verify the webhook is ready and rejecting
 # invalid config. We use --server-dry-run so no config is persisted.
 - apiGroups: ["networking.istio.io"]
  verbs: ["create"]
  resources: ["gateways"]
 # For storing CA secret
 - apiGroups: [""]
  resources: ["secrets"]
  # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
  verbs: ["create", "get", "watch", "list", "update", "delete"]
--- a/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml
@ -0,0 +1,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
 subjects:
  - kind: ServiceAccount
    name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
    namespace: {{ .Values.global.istioNamespace }}
--- a/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: ServiceAccount
  {{- if .Values.global.imagePullSecrets }}
 imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
  {{- end }}
  {{- end }}
 metadata:
  name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  namespace: {{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
 ---
--- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml
@ -3,7 +3,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -19,7 +19,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -54,7 +54,7 @@ spec:
      match:
        context: SIDECAR_OUTBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -89,7 +89,7 @@ spec:
      match:
        context: GATEWAY
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -124,7 +124,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -138,7 +138,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener: {}
      patch:
        operation: INSERT_BEFORE
@ -153,7 +153,7 @@ spec:
      match:
        context: SIDECAR_OUTBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        cluster: {}
      patch:
        operation: MERGE
@ -169,7 +169,7 @@ spec:
      match:
        context: GATEWAY
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        cluster: {}
      patch:
        operation: MERGE
@ -187,7 +187,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -201,7 +201,7 @@ spec:
      match:
        context: SIDECAR_OUTBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -247,7 +247,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -271,6 +271,7 @@ spec:
                    {
                      "debug": "false",
                      "stat_prefix": "istio",
                      "disable_host_header_fallback": true,
                      "metrics": [
                        {
                          "dimensions": {
@ -301,7 +302,7 @@ spec:
      match:
        context: GATEWAY
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -349,7 +350,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -363,7 +364,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -415,7 +416,7 @@ spec:
      match:
        context: SIDECAR_OUTBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -459,7 +460,7 @@ spec:
      match:
        context: GATEWAY
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -505,7 +506,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -520,7 +521,7 @@ spec:
      match:
        context: SIDECAR_OUTBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -555,7 +556,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -589,7 +590,7 @@ spec:
      match:
        context: GATEWAY
        proxy:
-          proxyVersion: '^1\.10.*'
+          proxyVersion: '^1\.11.*'
        listener:
          filterChain:
            filter:
@ -623,7 +624,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -638,7 +639,7 @@ spec:
    match:
      context: SIDECAR_OUTBOUND
      proxy:
-        proxyVersion: '^1\.10.*'
+        proxyVersion: '^1\.11.*'
      listener:
        filterChain:
          filter:
@ -671,7 +672,7 @@ spec:
    match:
      context: SIDECAR_INBOUND
      proxy:
-        proxyVersion: '^1\.10.*'
+        proxyVersion: '^1\.11.*'
      listener:
        filterChain:
          filter:
@ -703,7 +704,7 @@ spec:
    match:
      context: GATEWAY
      proxy:
-        proxyVersion: '^1\.10.*'
+        proxyVersion: '^1\.11.*'
      listener:
        filterChain:
          filter:
@ -736,7 +737,7 @@ spec:
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+  name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  {{- if .Values.meshConfig.rootNamespace }}
  namespace: {{ .Values.meshConfig.rootNamespace }}
  {{- else }}
@ -750,7 +751,7 @@ spec:
      match:
        context: SIDECAR_INBOUND
        proxy:
-          proxyVersion: '1\.10.*'
+          proxyVersion: '1\.11.*'
        listener:
          filterChain:
            filter:
--- a/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml
@ -0,0 +1,86 @@
 {{- if .Values.global.configValidation }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
    istio: istiod
    istio.io/rev: {{ .Values.revision | default "default" }}
 webhooks:
  # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
  # are rejecting invalid configs on a per-revision basis.
  - name: rev.validation.istio.io
    clientConfig:
      # Should change from base but cannot for API compat
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:
        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
        namespace: {{ .Values.global.istioNamespace }}
        path: "/validate"
      {{- end }}
      caBundle: "" # patched at runtime when the webhook is ready.
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - security.istio.io
          - networking.istio.io
        apiVersions:
          - "*"
        resources:
          - "*"
    # Fail open until the validation webhook is ready. The webhook controller
    # will update this to `Fail` and patch in the `caBundle` when the webhook
    # endpoint is ready.
    failurePolicy: Ignore
    sideEffects: None
    admissionReviewVersions: ["v1beta1", "v1"]
    objectSelector:
      matchExpressions:
        - key: istio.io/rev
          operator: In
          values:
          {{- if (eq .Values.revision "") }}
          - "default"
          {{- else }}
          - "{{ .Values.revision }}"
          {{- end }}
  # Webhook handling default validation
  - name: validation.istio.io
    clientConfig:
      # Should change from base but cannot for API compat
      {{- if .Values.base.validationURL }}
      url: {{ .Values.base.validationURL }}
      {{- else }}
      service:
        name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
        namespace: {{ .Values.global.istioNamespace }}
        path: "/validate"
      {{- end }}
      caBundle: ""
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - security.istio.io
          - networking.istio.io
          - telemetry.istio.io
        apiVersions:
          - "*"
        resources:
          - "*"
    failurePolicy: Ignore
    sideEffects: None
    admissionReviewVersions: ["v1beta1", "v1"]
    objectSelector:
      matchExpressions:
        - key: istio.io/rev
          operator: DoesNotExist
 ---
 {{- end }}
--- a/charts/kubezero-istio/charts/istio-discovery/values.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml
@ -65,10 +65,6 @@ pilot:
 sidecarInjectorWebhook:
  # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
  # requests in Istiod, rather than at the webhook selection level.
  # This is option is intended for migration purposes only and will be removed in Istio 1.10.
  useLegacySelectors: false
  # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
  # always skip the injection on pods that match that label selector, regardless of the global policy.
  # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
@ -130,9 +126,15 @@ sidecarInjectorWebhook:
  # defaultTemplates: ["sidecar", "hello"]
  defaultTemplates: []
 istiodRemote:
-  # Sidecar injector mutating webhook configuration url
+  # Sidecar injector mutating webhook configuration clientConfig.url value.
  # For example: https://$remotePilotAddress:15017/inject
  # The host should not refer to a service running in the cluster; use a service reference by specifying
  # the clientConfig.service field instead.
  injectionURL: ""
  # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
  # Override to pass env variables, for example: /inject/cluster/remote/net/network2
  injectionPath: "/inject"
 telemetry:
  enabled: true
  v2:
@ -237,7 +239,7 @@ global:
  # Dev builds from prow are on gcr.io
  hub: docker.io/istio
  # Default tag for Istio images.
-  tag: 1.10.3
+  tag: 1.11.1
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent.
@ -386,9 +388,14 @@ global:
  # If not set explicitly, default to the Istio discovery address.
  caAddress: ""
-  # External istiod controls all remote clusters: disabled by default
+  # Configure a remote cluster data plane controlled by an external istiod.
  # When set to true, istiod is not deployed locally and only a subset of the other
  # discovery charts are enabled.
  externalIstiod: false
  #  Configure a remote cluster as the config cluster for an external istiod.
  configCluster: false
  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  jwtPolicy: "third-party-jwt"
@ -510,6 +517,9 @@ global:
  # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
  useMCP: false
  # Determines whether this istiod performs resource validation.
  configValidation: true
 base:
  # For istioctl usage to disable istio config crds in base
  enableIstioConfigCRDs: true
--- a/charts/kubezero-istio/charts/kiali-server/Chart.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/Chart.yaml
@ -0,0 +1,20 @@
 apiVersion: v2
 appVersion: v1.38.1
 description: Kiali is an open source project for service mesh observability, refer
  to https://www.kiali.io for details.
 home: https://github.com/kiali/kiali
 icon: https://raw.githubusercontent.com/kiali/kiali.io/master/themes/kiali/static/img/kiali_logo_masthead.png
 keywords:
 - istio
 - kiali
 maintainers:
 - email: kiali-users@googlegroups.com
  name: Kiali
  url: https://kiali.io
 name: kiali-server
 sources:
 - https://github.com/kiali/kiali
 - https://github.com/kiali/kiali-ui
 - https://github.com/kiali/kiali-operator
 - https://github.com/kiali/helm-charts
 version: 1.38.1
--- a/charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt
+++ b/charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt
@ -0,0 +1,5 @@
 Welcome to Kiali! For more details on Kiali, see: https://kiali.io
 The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
 (Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
--- a/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl
+++ b/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl
@ -0,0 +1,143 @@
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Create a default fully qualified instance name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride.
 For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali,
 use fullnameOverride, otherwise use deployment.instance_name.
 */}}
 {{- define "kiali-server.fullname" -}}
 {{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }}
  {{- .Values.fullnameOverride | trunc 63 }}
 {{- else }}
  {{- .Values.deployment.instance_name | trunc 63 }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "kiali-server.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Identifies the log_level with the old verbose_mode and the new log_level considered.
 */}}
 {{- define "kiali-server.logLevel" -}}
 {{- if .Values.deployment.verbose_mode -}}
 {{- .Values.deployment.verbose_mode -}}
 {{- else -}}
 {{- .Values.deployment.logger.log_level -}}
 {{- end -}}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "kiali-server.labels" -}}
 helm.sh/chart: {{ include "kiali-server.chart" . }}
 app: kiali
 {{ include "kiali-server.selectorLabels" . }}
 version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
 app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: "kiali"
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "kiali-server.selectorLabels" -}}
 app.kubernetes.io/name: kiali
 app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }}
 {{- end }}
 {{/*
 Determine the default login token signing key.
 */}}
 {{- define "kiali-server.login_token.signing_key" -}}
 {{- if .Values.login_token.signing_key }}
  {{- .Values.login_token.signing_key }}
 {{- else }}
  {{- randAlphaNum 16 }}
 {{- end }}
 {{- end }}
 {{/*
 Determine the default web root.
 */}}
 {{- define "kiali-server.server.web_root" -}}
 {{- if .Values.server.web_root  }}
  {{- .Values.server.web_root | trimSuffix "/" }}
 {{- else }}
  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
    {{- "/" }}
  {{- else }}
    {{- "/kiali" }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Determine the default identity cert file. There is no default if on k8s; only on OpenShift.
 */}}
 {{- define "kiali-server.identity.cert_file" -}}
 {{- if hasKey .Values.identity "cert_file" }}
  {{- .Values.identity.cert_file }}
 {{- else }}
  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
    {{- "/kiali-cert/tls.crt" }}
  {{- else }}
    {{- "" }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Determine the default identity private key file. There is no default if on k8s; only on OpenShift.
 */}}
 {{- define "kiali-server.identity.private_key_file" -}}
 {{- if hasKey .Values.identity "private_key_file" }}
  {{- .Values.identity.private_key_file }}
 {{- else }}
  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
    {{- "/kiali-cert/tls.key" }}
  {{- else }}
    {{- "" }}
  {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Determine the istio namespace - default is where Kiali is installed.
 */}}
 {{- define "kiali-server.istio_namespace" -}}
 {{- if .Values.istio_namespace }}
  {{- .Values.istio_namespace }}
 {{- else }}
  {{- .Release.Namespace }}
 {{- end }}
 {{- end }}
 {{/*
 Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift.
 */}}
 {{- define "kiali-server.auth.strategy" -}}
 {{- if .Values.auth.strategy }}
  {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }}
    {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }}
  {{- end }}
  {{- .Values.auth.strategy }}
 {{- else }}
  {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
    {{- if not .Values.kiali_route_url }}
      {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }}
    {{- end }}
    {{- "openshift" }}
  {{- else }}
    {{- "token" }}
  {{- end }}
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml
@ -0,0 +1,13 @@
 {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "kiali-server.fullname" . }}-cabundle
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
 ...
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml
@ -0,0 +1,25 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 data:
  config.yaml: |
    {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
    {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
    {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
    {{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
    {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
    {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }}
    {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }}
    {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }}
    {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }}
    {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }}
    {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }}
    {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}
    {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }}
    {{- toYaml $cm | nindent 4 }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml
@ -0,0 +1,165 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.deployment.replicas }}
  selector:
    matchLabels:
      {{- include "kiali-server.selectorLabels" . | nindent 6 }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      name: {{ include "kiali-server.fullname" . }}
      labels:
        {{- include "kiali-server.labels" . | nindent 8 }}
        {{- if .Values.deployment.pod_labels }}
        {{- toYaml .Values.deployment.pod_labels | nindent 8 }}
        {{- end }}
      annotations:
        {{- if .Values.server.metrics_enabled }}
        prometheus.io/scrape: "true"
        prometheus.io/port: {{ .Values.server.metrics_port | quote }}
        {{- else }}
        prometheus.io/scrape: "false"
        prometheus.io/port: ""
        {{- end }}
        kiali.io/dashboards: go,kiali
        {{- if .Values.deployment.pod_annotations }}
        {{- toYaml .Values.deployment.pod_annotations | nindent 8 }}
        {{- end }}
    spec:
      serviceAccountName: {{ include "kiali-server.fullname" . }}
      {{- if .Values.deployment.priority_class_name }}
      priorityClassName: {{ .Values.deployment.priority_class_name | quote }}
      {{- end }}
      {{- if .Values.deployment.image_pull_secrets }}
      imagePullSecrets:
      {{- range .Values.deployment.image_pull_secrets }}
      - name: {{ . }}
      {{- end }}
      {{- end }}
      containers:
      - image: "{{ .Values.deployment.image_name }}:{{ .Values.deployment.image_version }}"
        imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
        name: {{ include "kiali-server.fullname" . }}
        command:
        - "/opt/kiali/kiali"
        - "-config"
        - "/kiali-configuration/config.yaml"
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        ports:
        - name: api-port
          containerPort: {{ .Values.server.port | default 20001 }}
        {{- if .Values.server.metrics_enabled }}
        - name: http-metrics
          containerPort: {{ .Values.server.metrics_port | default 9090 }}
        {{- end }}
        readinessProbe:
          httpGet:
            path: {{ include "kiali-server.server.web_root" . | trimSuffix "/"  }}/healthz
            port: api-port
            {{- if (include "kiali-server.identity.cert_file" .) }}
            scheme: HTTPS
            {{- else }}
            scheme: HTTP
            {{- end }}
          initialDelaySeconds: 5
          periodSeconds: 30
        livenessProbe:
          httpGet:
            path: {{ include "kiali-server.server.web_root" . | trimSuffix "/"  }}/healthz
            port: api-port
            {{- if (include "kiali-server.identity.cert_file" .) }}
            scheme: HTTPS
            {{- else }}
            scheme: HTTP
            {{- end }}
          initialDelaySeconds: 5
          periodSeconds: 30
        env:
        - name: ACTIVE_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LOG_LEVEL
          value: "{{ include "kiali-server.logLevel" . }}"
        - name: LOG_FORMAT
          value: "{{ .Values.deployment.logger.log_format }}"
        - name: LOG_TIME_FIELD_FORMAT
          value: "{{ .Values.deployment.logger.time_field_format }}" 
        - name: LOG_SAMPLER_RATE
          value: "{{ .Values.deployment.logger.sampler_rate }}"
        volumeMounts:
        - name: {{ include "kiali-server.fullname" . }}-configuration
          mountPath: "/kiali-configuration"
        - name: {{ include "kiali-server.fullname" . }}-cert
          mountPath: "/kiali-cert"
        - name: {{ include "kiali-server.fullname" . }}-secret
          mountPath: "/kiali-secret"
        - name: {{ include "kiali-server.fullname" . }}-cabundle
          mountPath: "/kiali-cabundle"
        {{- if .Values.deployment.resources }}
        resources:
        {{- toYaml .Values.deployment.resources | nindent 10 }}
        {{- end }}
      volumes:
      - name: {{ include "kiali-server.fullname" . }}-configuration
        configMap:
          name: {{ include "kiali-server.fullname" . }}
      - name: {{ include "kiali-server.fullname" . }}-cert
        secret:
          {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
          secretName: {{ include "kiali-server.fullname" . }}-cert-secret
          {{- else }}
          secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
          {{- end }}
          {{- if not (include "kiali-server.identity.cert_file" .) }}
          optional: true
          {{- end }}
      - name: {{ include "kiali-server.fullname" . }}-secret
        secret:
          secretName: {{ .Values.deployment.secret_name }}
          optional: true
      - name: {{ include "kiali-server.fullname" . }}-cabundle
        configMap:
          name: {{ include "kiali-server.fullname" . }}-cabundle
      {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
          optional: true
      {{- end }}
      {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }}
      affinity:
        {{- if .Values.deployment.affinity.node }}
        nodeAffinity:
        {{- toYaml .Values.deployment.affinity.node | nindent 10 }}
        {{- end }}
        {{- if .Values.deployment.affinity.pod }}
        podAffinity:
        {{- toYaml .Values.deployment.affinity.pod | nindent 10 }}
        {{- end }}
        {{- if .Values.deployment.affinity.pod_anti }}
        podAntiAffinity:
        {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }}
        {{- end }}
      {{- end }}
      {{- if .Values.deployment.tolerations }}
      tolerations:
      {{- toYaml .Values.deployment.tolerations | nindent 8 }}
      {{- end }}
      {{- if .Values.deployment.node_selector }}
      nodeSelector:
      {{- toYaml .Values.deployment.node_selector | nindent 8 }}
      {{- end }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml
@ -0,0 +1,17 @@
 {{- if .Values.deployment.hpa.spec }}
 ---
 apiVersion: {{ .Values.deployment.hpa.api_version }}
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ include "kiali-server.fullname" . }}
  {{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
 ...
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml
@ -0,0 +1,56 @@
 {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
 {{- if .Values.deployment.ingress_enabled }}
 ---
 {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
 apiVersion: networking.k8s.io/v1
 {{- else }}
 apiVersion: networking.k8s.io/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
  annotations:
    {{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}
    {{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
    {{- else }}
    # For ingress-nginx versions older than 0.20.0 use secure-backends.
    # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948)
    # For ingress-nginx versions 0.20.0 and later use backend-protocol.
    {{- if (include "kiali-server.identity.cert_file" .) }}
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    {{- else }}
    nginx.ingress.kubernetes.io/secure-backends: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    {{- end }}
    {{- end }}
 spec:
  {{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
  {{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
  {{- else }}
  rules:
  - http:
      paths:
      - path: {{ include "kiali-server.server.web_root" . }}
        {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
        pathType: Prefix
        backend:
          service:
            name: {{ include "kiali-server.fullname" . }}
            port:
              number: {{ .Values.server.port }}
        {{- else }}
        backend:
          serviceName: {{ include "kiali-server.fullname" . }}
          servicePort: {{ .Values.server.port }}
        {{- end }}
    {{- if not (empty .Values.server.web_fqdn) }}
    host: {{ .Values.server.web_fqdn }}
    {{- end }}
  {{- end }}
 ...
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml
@ -0,0 +1,17 @@
 {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
 {{- if .Values.kiali_route_url }}
 ---
 apiVersion: oauth.openshift.io/v1
 kind: OAuthClient
 metadata:
  name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 redirectURIs:
 - {{ .Values.kiali_route_url }}
 grantMethod: auto
 allowAnyScope: true
 ...
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml
@ -0,0 +1,15 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "kiali-server.fullname" . }}-controlplane
  namespace: {{ include "kiali-server.istio_namespace" . }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
  resources:
  - secrets
  verbs:
  - list
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml
@ -0,0 +1,89 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ include "kiali-server.fullname" . }}-viewer
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
  resources:
  - configmaps
  - endpoints
  - pods/log
  verbs:
  - get
  - list
  - watch
 - apiGroups: [""]
  resources:
  - namespaces
  - pods
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups: [""]
  resources:
  - pods/portforward
  verbs:
  - create
  - post
 - apiGroups: ["extensions", "apps"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
 - apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - networking.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
 - apiGroups: ["apps.openshift.io"]
  resources:
  - deploymentconfigs
  verbs:
  - get
  - list
  - watch
 - apiGroups: ["project.openshift.io"]
  resources:
  - projects
  verbs:
  - get
 - apiGroups: ["route.openshift.io"]
  resources:
  - routes
  verbs:
  - get
 - apiGroups: ["iter8.tools"]
  resources:
  - experiments
  verbs:
  - get
  - list
  - watch
 - apiGroups: ["authentication.k8s.io"]
  resources:
  - tokenreviews
  verbs:
  - create
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/role.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/role.yaml
@ -0,0 +1,99 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
  resources:
  - configmaps
  - endpoints
  - pods/log
  verbs:
  - get
  - list
  - watch
 - apiGroups: [""]
  resources:
  - namespaces
  - pods
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - patch
 - apiGroups: [""]
  resources:
  - pods/portforward
  verbs:
  - create
  - post
 - apiGroups: ["extensions", "apps"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - patch
 - apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
  - patch
 - apiGroups:
  - networking.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - patch
 - apiGroups: ["apps.openshift.io"]
  resources:
  - deploymentconfigs
  verbs:
  - get
  - list
  - watch
  - patch
 - apiGroups: ["project.openshift.io"]
  resources:
  - projects
  verbs:
  - get
 - apiGroups: ["route.openshift.io"]
  resources:
  - routes
  verbs:
  - get
 - apiGroups: ["iter8.tools"]
  resources:
  - experiments
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - patch
 - apiGroups: ["authentication.k8s.io"]
  resources:
  - tokenreviews
  verbs:
  - create
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml
@ -0,0 +1,17 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "kiali-server.fullname" . }}-controlplane
  namespace: {{ include "kiali-server.istio_namespace" . }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "kiali-server.fullname" . }}-controlplane
 subjects:
 - kind: ServiceAccount
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml
@ -0,0 +1,20 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  {{- if .Values.deployment.view_only_mode }}
  name: {{ include "kiali-server.fullname" . }}-viewer
  {{- else }}
  name: {{ include "kiali-server.fullname" . }}
  {{- end }}
 subjects:
 - kind: ServiceAccount
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/route.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/route.yaml
@ -0,0 +1,30 @@
 {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
 {{- if .Values.deployment.ingress_enabled }}
 # As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
 ---
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
    {{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}
    annotations:
    {{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
    {{- end }}
 spec:
  {{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
  {{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
  {{- else }}
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    targetPort: {{ .Values.server.port }}
    name: {{ include "kiali-server.fullname" . }}
  {{- end }}
 ...
 {{- end }}
 {{- end }}
--- a/charts/kubezero-istio/charts/kiali-server/templates/service.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/service.yaml
@ -0,0 +1,45 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
  annotations:
    {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
    service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
    {{- end }}
    {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
    {{- if empty .Values.server.web_port }}
    kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ default "" .Values.server.web_root }}
    {{- else }}
    kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{(default "" .Values.server.web_root) }}
    {{- end }}
    {{- end }}
    {{- if .Values.deployment.service_annotations }}
    {{- toYaml .Values.deployment.service_annotations | nindent 4  }}
    {{- end }}
 spec:
  {{- if .Values.deployment.service_type }}
  type: {{ .Values.deployment.service_type }}
  {{- end }}
  ports:
  {{- if (include "kiali-server.identity.cert_file" .) }}
  - name: tcp
  {{- else }}
  - name: http
  {{- end }}
    protocol: TCP
    port: {{ .Values.server.port }}
  {{- if .Values.server.metrics_enabled }}
  - name: http-metrics
    protocol: TCP
    port: {{ .Values.server.metrics_port }}
  {{- end }}
  selector:
    {{- include "kiali-server.selectorLabels" . | nindent 4 }}
  {{- if .Values.deployment.additional_service_yaml }}
  {{- toYaml .Values.deployment.additional_service_yaml | nindent 2  }}
  {{- end }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml
@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "kiali-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kiali-server.labels" . | nindent 4 }}
 ...
--- a/charts/kubezero-istio/charts/kiali-server/values.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/values.yaml
@ -0,0 +1,82 @@
 # 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
 # This is only supported for backward compatibility and will be removed in a future version.
 # If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
 # then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
 # Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
 fullnameOverride: "kiali"
 # This is required for "openshift" auth strategy.
 # You have to know ahead of time what your Route URL will be because
 # right now the helm chart can't figure this out at runtime (it would
 # need to wait for the Kiali Route to be deployed and for OpenShift
 # to start it up). If someone knows how to update this helm chart to
 # do this, a PR would be welcome.
 kiali_route_url: ""
 #
 # Settings that mimic the Kiali CR which are placed in the ConfigMap.
 # Note that only those values used by the Helm Chart will be here.
 #
 istio_namespace: "" # default is where Kiali is installed
 auth:
  openid: {}
  openshift: {}
  strategy: ""
 deployment:
  # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
  # For more control over what the Kial Service Account can see, use the Kiali Operator
  accessible_namespaces:
  - "**"
  additional_service_yaml: {}
  affinity:
    node: {}
    pod: {}
    pod_anti: {}
  hpa:
    api_version: "autoscaling/v2beta2"
    spec: {}
  image_name: quay.io/kiali/kiali
  image_pull_policy: "Always"
  image_pull_secrets: []
  image_version: v1.38.1
  ingress_enabled: true
  instance_name: "kiali"
  logger:
    log_format: "text"
    log_level: "info"
    time_field_format: "2006-01-02T15:04:05Z07:00"
    sampler_rate: "1"
  node_selector: {}
  override_ingress_yaml:
    metadata: {}
  pod_annotations: {}
  pod_labels: {}
  priority_class_name: ""
  replicas: 1
  resources: {}
  secret_name: "kiali"
  service_annotations: {}
  service_type: ""
  tolerations: []
  version_label: v1.38.1
  view_only_mode: false
 external_services:
  custom_dashboards:
    enabled: true
 identity: {}
  #cert_file:
  #private_key_file:
 login_token:
  signing_key: ""
 server:
  port: 20001
  metrics_enabled: true
  metrics_port: 9090
  web_root: ""
--- a/charts/kubezero-istio/dashboards.yaml
+++ b/charts/kubezero-istio/dashboards.yaml
@ -4,18 +4,18 @@ folder: Istio
 condition: 'index .Values "istio-discovery" "telemetry" "enabled"'
 dashboards:
 - name: istio-control-plane
-  url: https://grafana.com/api/dashboards/7645/revisions/60/download
+  url: https://grafana.com/api/dashboards/7645/revisions/82/download
  tags:
  - Istio
 - name: istio-mesh
-  url: https://grafana.com/api/dashboards/7639/revisions/60/download
+  url: https://grafana.com/api/dashboards/7639/revisions/82/download
  tags:
  - Istio
 - name: istio-service
-  url: https://grafana.com/api/dashboards/7636/revisions/60/download
+  url: https://grafana.com/api/dashboards/7636/revisions/82/download
  tags:
  - Istio
 - name: istio-workload
-  url: https://grafana.com/api/dashboards/7630/revisions/60/download
+  url: https://grafana.com/api/dashboards/7630/revisions/82/download
  tags:
  - Istio
--- a/charts/kubezero-istio/templates/grafana-dashboards.yaml
+++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml
--- a/charts/kubezero-istio/templates/kiali/istio-service.yaml
+++ b/charts/kubezero-istio/templates/kiali/istio-service.yaml
@ -0,0 +1,18 @@
 {{- if (index .Values "kiali-server" "istio" "enabled") }}
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: {{ .Release.Name }}-kiali
  namespace: {{ .Release.Namespace }}
  labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
  hosts:
  - {{ index .Values "kiali-server" "istio" "url" }}
  gateways:
  - {{ index .Values "kiali-server" "istio" "gateway" }}
  http:
  - route:
    - destination:
        host: kiali
 {{- end }}
--- a/charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml
+++ b/charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml
@ -0,0 +1,106 @@
 {{- if .Values.rateLimiting.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ratelimit-statsd-exporter-config
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 data:
  config.yaml: |
    defaults:
      ttl: 1m # Resets the metrics every minute
    mappings:
      - match:
          "ratelimit.service.rate_limit.*.*.near_limit"
        name: "ratelimit_service_rate_limit_near_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.over_limit"
        name: "ratelimit_service_rate_limit_over_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.total_hits"
        name: "ratelimit_service_rate_limit_total_hits"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.within_limit"
        name: "ratelimit_service_rate_limit_within_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
      - match:
          "ratelimit.service.rate_limit.*.*.*.near_limit"
        name: "ratelimit_service_rate_limit_near_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.over_limit"
        name: "ratelimit_service_rate_limit_over_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.total_hits"
        name: "ratelimit_service_rate_limit_total_hits"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.rate_limit.*.*.*.within_limit"
        name: "ratelimit_service_rate_limit_within_limit"
        timer_type: "histogram"
        labels:
          domain: "$1"
          key1: "$2"
          key2: "$3"
      - match:
          "ratelimit.service.call.should_rate_limit.*"
        name: "ratelimit_service_should_rate_limit_error"
        match_metric_type: counter
        labels:
          err_type: "$1"
      - match:
          "ratelimit_server.*.total_requests"
        name: "ratelimit_service_total_requests"
        match_metric_type: counter
        labels:
          grpc_method: "$1"
      - match:
          "ratelimit_server.*.response_time"
        name: "ratelimit_service_response_time_seconds"
        timer_type: histogram
        labels:
          grpc_method: "$1"
      - match:
          "ratelimit.service.config_load_success"
        name: "ratelimit_service_config_load_success"
        match_metric_type: counter
        ttl: 3m
      - match:
          "ratelimit.service.config_load_error"
        name: "ratelimit_service_config_load_error"
        match_metric_type: counter
        ttl: 3m
      - match: "."
        match_type: "regex"
        action: "drop"
        name: "dropped"
 {{- end }}
--- a/charts/kubezero-istio/templates/ratelimit/config.yaml
+++ b/charts/kubezero-istio/templates/ratelimit/config.yaml
@ -0,0 +1,19 @@
 {{- if .Values.rateLimiting.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ratelimit-config
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 data:
  ingress.yaml: |
    domain: ingress
    descriptors:
    {{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }}
  private-ingress.yaml: |
    domain: private-ingress
    descriptors:
    {{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }}
 {{- end }}
--- a/charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml
+++ b/charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml
@ -0,0 +1,116 @@
 {{- if .Values.rateLimiting.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: ingressgateway-ratelimit
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            domain: ingress
            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
            timeout: 0.5s
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.default.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 0.5s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                     socket_address:
                      address: ratelimit.istio-system
                      port_value: 8081
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
  name: private-ingressgateway-ratelimit
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  workloadSelector:
    labels:
      istio: private-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.ratelimit
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
            domain:  private-ingress
            failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
            timeout: 0.5s
            rate_limit_service:
              grpc_service:
                envoy_grpc:
                  cluster_name: rate_limit_cluster
              transport_api_version: V3
    - applyTo: CLUSTER
      match:
        cluster:
          service: ratelimit.default.svc.cluster.local
      patch:
        operation: ADD
        value:
          name: rate_limit_cluster
          type: STRICT_DNS
          connect_timeout: 0.5s
          lb_policy: ROUND_ROBIN
          http2_protocol_options: {}
          load_assignment:
            cluster_name: rate_limit_cluster
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                     socket_address:
                      address: ratelimit.istio-system
                      port_value: 8081
 {{- end }}
--- a/charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml
+++ b/charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml
@ -0,0 +1,154 @@
 {{- if .Values.rateLimiting.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: ratelimit-redis
  namespace: {{ .Release.Namespace }}
  labels:
    app: ratelimit-redis
 spec:
  ports:
  - name: redis
    port: 6379
  selector:
    app: ratelimit-redis
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ratelimit-redis
  namespace: {{ .Release.Namespace }}
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratelimit-redis
  template:
    metadata:
      labels:
        app: ratelimit-redis
    spec:
      containers:
      - image: redis:6-alpine
        imagePullPolicy: IfNotPresent
        name: redis
        ports:
        - name: redis
          containerPort: 6379
      restartPolicy: Always
      serviceAccountName: ""
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: ratelimit
  namespace: {{ .Release.Namespace }}
  labels:
    app: ratelimit
 spec:
  ports:
  #- name: http-port
  #  port: 8080
  #  targetPort: 8080
  #  protocol: TCP
  - name: grpc-port
    port: 8081
    targetPort: 8081
    protocol: TCP
  #- name: http-debug
  #  port: 6070
  #  targetPort: 6070
  #  protocol: TCP
  - name: http-monitoring
    port: 9102
    targetPort: 9102
    protocol: TCP
  selector:
    app: ratelimit
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ratelimit
  namespace: {{ .Release.Namespace }}
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratelimit
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: ratelimit
    spec:
      containers:
      - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
        imagePullPolicy: IfNotPresent
        name: ratelimit
        command: ["/bin/ratelimit"]
        env:
        - name: LOG_LEVEL
          value: {{ default "WARN" .Values.rateLimiting.log.level }}
        - name: LOG_FORMAT
          value: {{ default "text" .Values.rateLimiting.log.format }}
        - name: REDIS_SOCKET_TYPE
          value: tcp
        - name: REDIS_URL
          value: ratelimit-redis:6379
        - name: USE_STATSD
          value: "true"
        - name: STATSD_HOST
          value: "localhost"
        - name: STATSD_PORT
          value: "9125"
        - name: RUNTIME_ROOT
          value: /data
        - name: RUNTIME_SUBDIRECTORY
          value: ratelimit
        - name: RUNTIME_WATCH_ROOT
          value: "false"
        - name: RUNTIME_IGNOREDOTFILES
          value: "true"
        - name: LOCAL_CACHE_SIZE_IN_BYTES
          value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}"
        ports:
        #- containerPort: 8080
        - containerPort: 8081
        #- containerPort: 6070
        volumeMounts:
        - name: ratelimit-config
          mountPath: /data/ratelimit/config
        resources:
          requests:
            cpu: 50m
            memory: 32Mi
          limits:
            cpu: 1
            memory: 256Mi
      - name: statsd-exporter
        image: docker.io/prom/statsd-exporter:v0.21.0
        imagePullPolicy: Always
        args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
        ports:
          - containerPort: 9125
        #  - containerPort: 9102
        resources:
          requests:
            cpu: 50m
            memory: 32Mi
          limits:
            cpu: 200m
            memory: 64Mi
        volumeMounts:
          - name: statsd-exporter-config
            mountPath: /etc/statsd-exporter
      volumes:
      - name: ratelimit-config
        configMap:
          name: ratelimit-config
      - name: statsd-exporter-config
        configMap:
          name: ratelimit-statsd-exporter-config
 {{- end }}
--- a/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml
+++ b/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml
@ -0,0 +1,17 @@
 {{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: istio-rate-limiting
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  jobLabel: istio
  targetLabels: [app]
  selector:
    matchExpressions:
    - {key: app, operator: In, values: [ratelimit]}
  endpoints:
  - port: http-monitoring
 {{- end }}
--- a/charts/kubezero-istio/templates/servicemonitor.yaml
+++ b/charts/kubezero-istio/templates/servicemonitor.yaml
@ -5,7 +5,7 @@ metadata:
  name: istio-component-monitor
  namespace: {{ .Release.Namespace }}
  labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
  jobLabel: istio
  targetLabels: [app]
--- a/charts/kubezero-istio/update.sh
+++ b/charts/kubezero-istio/update.sh
@ -4,7 +4,8 @@ set -ex
 ### TODO
 # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
-export ISTIO_VERSION=1.10.3
+export ISTIO_VERSION=1.11.1
 export KIALI_VERSION=1.38.1
 rm -rf istio
 curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
@ -12,8 +13,11 @@ mv istio-${ISTIO_VERSION} istio
 # remove unused old telemetry filters
 rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
 rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
 # Patch
 #exit 0
 #diff -tubr istio istio.zdt/
 patch -p0 -i zdt.patch --no-backup-if-mismatch
 ### Create kubezero istio charts
@ -38,3 +42,7 @@ sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio
 # Fetch dashboards from Grafana.com and update ZDT CM
 ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
 # Kiali
 rm -rf charts/kiali-server
 curl -sL https://github.com/kiali/helm-charts/blob/master/docs/kiali-server-${KIALI_VERSION}.tgz?raw=true | tar xz -C charts
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@ -1,6 +1,6 @@
 global:
  # hub: docker.io/istio
-  # tag: 1.10.2
+  # tag: 1.11.0
  logAsJson: true
@ -39,3 +39,56 @@ istio-discovery:
    tcpKeepalive:
      interval: 60s
      time: 120s
 kiali-server:
  enabled: false
  auth:
    strategy: anonymous
  deployment:
    ingress_enabled: false
    view_only_mode: true
  server:
    metrics_enabled: false
  external_services:
    custom_dashboards:
      enabled: false
    prometheus:
      url: "http://metrics-kube-prometheus-st-prometheus.monitoring:9090"
  istio:
    enabled: false
    gateway: istio-ingress/private-ingressgateway
    #url: "kiali.example.com"
 rateLimiting:
  enabled: true
  log:
    level: warn
    format: json
  # 1MB local cache for already reached limits to reduce calls to Redis
  localCacheSize: 1048576
  # Wether to block requests if ratelimiting is down
  failureModeDeny: false
  # rate limit descriptors for each domain, examples 10 req/s per sourceIP
  descriptors:
    ingress:
    - key: remote_address
      rate_limit:
        unit: second
        requests_per_unit: 10
    privateIngress:
    - key: remote_address
      rate_limit:
        unit: second
        requests_per_unit: 10
--- a/charts/kubezero-istio/zdt.patch
+++ b/charts/kubezero-istio/zdt.patch
@ -1,7 +1,27 @@
-diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
+diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml	2021-04-11 01:57:29.000000000 +0200
+--- istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl	2021-07-15 07:32:30.000000000 +0200
-+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml	2021-04-20 12:20:04.401862116 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl	2021-08-10 15:49:57.298616463 +0200
-@@ -17,6 +17,8 @@
+@@ -21,11 +21,16 @@
         {{- end }}
         {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
         {{- range $key, $val := $nodeSelector }}
 +        {{- if eq $val "Exists" }}
 +        - key: {{ $key }}
 +          operator: Exists
 +        {{- else }}
         - key: {{ $key }}
           operator: In
           values:
           - {{ $val | quote }}
         {{- end }}
 +        {{- end }}
 {{- end }}
 {{- define "nodeAffinityPreferredDuringScheduling" }}
 diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
 --- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml	2021-07-15 07:32:30.000000000 +0200
 +++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml	2021-08-10 15:46:23.216421660 +0200
@@ -16,6 +16,8 @@
 {{- if $gateway.replicaCount }}
   replicas: {{ $gateway.replicaCount }}
 {{- end }}
@ -10,7 +30,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
 {{- end }}
   selector:
     matchLabels:
-@@ -69,6 +71,7 @@
+@@ -65,6 +67,7 @@
 {{- if .Values.global.priorityClassName }}
       priorityClassName: "{{ .Values.global.priorityClassName }}"
 {{- end }}
@ -18,7 +38,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
 {{- if .Values.global.proxy.enableCoreDump }}
       initContainers:
         - name: enable-core-dump
-@@ -140,6 +143,11 @@
+@@ -136,6 +139,11 @@
             privileged: false
             readOnlyRootFilesystem: true
         {{- end }}
@ -30,9 +50,24 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
           readinessProbe:
             failureThreshold: 30
             httpGet:
-diff -turN istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
+diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/service.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml
--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml	2021-04-11 01:57:29.000000000 +0200
+--- istio/manifests/charts/gateways/istio-ingress/templates/service.yaml	2021-07-15 07:32:30.000000000 +0200
-+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml	2021-04-19 21:55:45.461749267 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml	2021-08-10 19:58:01.037876557 +0200
@@ -34,9 +34,11 @@
     {{- range $key, $val := $gateway.ports }}
     -
       {{- range $pkey, $pval := $val }}
 +      {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
       {{ $pkey}}: {{ $pval }}
       {{- end }}
     {{- end }}
 +    {{- end }}
   {{ range $app := $gateway.ingressPorts }}
     -
 diff -tubr istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
 --- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml	2021-07-15 07:32:30.000000000 +0200
 +++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml	2021-08-10 15:46:23.216421660 +0200
@@ -60,6 +60,11 @@
 {{- end }}
       securityContext: