feat: Istio RateLimiting, Version bump to 1.11.1, Kiali support
This commit is contained in:
parent
f93d195cd4
commit
b73bee54bb
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio-ingress
|
||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||
type: application
|
||||
version: 0.6.1
|
||||
appVersion: 1.10.3
|
||||
version: 0.7.2
|
||||
appVersion: 1.11.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -13,12 +13,12 @@ maintainers:
|
||||
- name: Quarky9
|
||||
dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
version: ">= 0.1.4"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: istio-ingress
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
condition: istio-ingress.enabled
|
||||
- name: istio-private-ingress
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
condition: istio-private-ingress.enabled
|
||||
kubeVersion: ">= 1.18.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-istio-ingress
|
||||
|
||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
|
||||
![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio based Ingress
|
||||
|
||||
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-ingress | 1.10.2 |
|
||||
| | istio-private-ingress | 1.10.2 |
|
||||
| | istio-ingress | 1.11.0 |
|
||||
| | istio-private-ingress | 1.11.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
@ -41,26 +41,28 @@ Kubernetes: `>= 1.18.0`
|
||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
@ -69,7 +71,7 @@ Kubernetes: `>= 1.18.0`
|
||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-ingress.proxyProtocol | bool | `false` | |
|
||||
| istio-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-ingress.telemetry.enabled | bool | `false` | |
|
||||
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
|
||||
@ -83,26 +85,28 @@ Kubernetes: `>= 1.18.0`
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||
@ -111,7 +115,7 @@ Kubernetes: `>= 1.18.0`
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||
| istio-private-ingress.proxyProtocol | bool | `false` | |
|
||||
| istio-private-ingress.proxyProtocol | bool | `true` | |
|
||||
| istio-private-ingress.telemetry.enabled | bool | `false` | |
|
||||
|
||||
## Resources
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-ingress
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
|
@ -21,11 +21,16 @@ nodeAffinity:
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
{{- if eq $val "Exists" }}
|
||||
- key: {{ $key }}
|
||||
operator: Exists
|
||||
{{- else }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
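Review bot: The branch added at `{{- if eq $val "Exists" }}` turns the plain string `Exists` into a reserved sentinel: a nodeSelector whose label value really is `Exists` can no longer produce an `operator: In` match, and nothing in this template says so. Suggest a comment above the range, `{{/* zdt: a value of "Exists" selects on label presence (operator: Exists) instead of an exact value match */}}`, so the contract shared with values.yaml (`node.kubernetes.io/ingress.public: "Exists"`) is visible where it is consumed. `$key` is still emitted unquoted in `- key: {{ $key }}`, which is fine for the label keys used here but would break on a key containing YAML specials. The identical hunk appears in the istio-private-ingress copy of this template (`@ -21,11 +21,16 @@`), and the enclosing define starts before the hunk.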
|
||||
@ -70,6 +75,13 @@ nodeAffinity:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- if $item.namespaces }}
|
||||
namespaces:
|
||||
{{- $ns := split "," $item.namespaces }}
|
||||
{{- range $i, $n := $ns }}
|
||||
- {{ $n | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
@ -125,8 +125,6 @@ spec:
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
@ -200,14 +198,6 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
@ -240,11 +230,6 @@ spec:
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
@ -301,16 +286,6 @@ spec:
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
|
@ -34,9 +34,11 @@ spec:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
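Review bot: The allowlist in `{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}` silently drops every other per-port key, including `protocol`, so the Service ports now always take the Kubernetes default protocol and any future `appProtocol` would be ignored; that is probably intended, since the new `noGateway`/`tls`/`gatewayProtocol` keys must not reach the Service, but it deserves stating. Suggest `{{- /* only Service-level keys pass through; noGateway, tls and gatewayProtocol are consumed by the Gateway template */ -}}` above the inner range, or adding `"protocol"` to the list if a non-TCP port is ever expected. `{{ $pkey}}: {{ $pval }}` emits values unquoted, which is fine for the numeric and plain-string values currently in values.yaml. The same hunk appears in the istio-private-ingress copy of service.yaml (`@ -34,9 +34,11 @@`).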
|
||||
|
@ -165,7 +165,7 @@ global:
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.10.3
|
||||
tag: 1.11.1
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-private-ingress
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
|
@ -21,11 +21,16 @@ nodeAffinity:
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
{{- if eq $val "Exists" }}
|
||||
- key: {{ $key }}
|
||||
operator: Exists
|
||||
{{- else }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
@ -70,6 +75,13 @@ nodeAffinity:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- if $item.namespaces }}
|
||||
namespaces:
|
||||
{{- $ns := split "," $item.namespaces }}
|
||||
{{- range $i, $n := $ns }}
|
||||
- {{ $n | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
|
@ -125,8 +125,6 @@ spec:
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
@ -200,14 +198,6 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
@ -240,11 +230,6 @@ spec:
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
@ -301,16 +286,6 @@ spec:
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
|
@ -34,9 +34,11 @@ spec:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
|
@ -165,7 +165,7 @@ global:
|
||||
hub: docker.io/istio
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: 1.10.3
|
||||
tag: 1.11.1
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
|
42
charts/kubezero-istio-ingress/templates/_gateway.tpl
@ -0,0 +1,42 @@
|
||||
{{- define "gatewayServers" }}
|
||||
|
||||
{{- range $port := .ports }}
|
||||
{{- if not $port.noGateway }}
|
||||
|
||||
{{- $eachCert := false }}
|
||||
{{- if $port.tls }}
|
||||
{{- if not $port.tls.httpsRedirect }}
|
||||
{{- $eachCert = true }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $eachCert }}
|
||||
{{- range $cert := $.certificates }}
|
||||
- port:
|
||||
number: {{ $port.port }}
|
||||
name: {{ $port.name }}
|
||||
protocol: {{ default "TCP" $port.gatewayProtocol }}
|
||||
tls:
|
||||
credentialName: {{ $cert.name }}
|
||||
{{- toYaml $port.tls | nindent 4 }}
|
||||
hosts:
|
||||
{{- toYaml $cert.dnsNames | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
- port:
|
||||
number: {{ $port.port }}
|
||||
name: {{ $port.name }}
|
||||
protocol: {{ default "TCP" $port.gatewayProtocol }}
|
||||
{{- with $port.tls }}
|
||||
tls:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
{{- range $cert := $.certificates }}
|
||||
{{- toYaml $cert.dnsNames | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
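Review bot: `gatewayServers` has no header comment describing the dict it expects (`certificates` and `ports`, as both callers build with `dict "certificates" ... "ports" ...`) or its branching rule, which is the non-obvious part: a port with `tls` but without `httpsRedirect` gets one server per certificate (`$eachCert`), every other port one server listing all hosts, and `noGateway: true` skips the port entirely. Suggest a `{{/* ... */}}` block at the top of the define stating exactly that. In the per-certificate branch `credentialName: {{ $cert.name }}` is immediately followed by `{{- toYaml $port.tls | nindent 4 }}`, so a `credentialName` set under a port's `tls` in values would be emitted twice in the same `tls:` mapping; either document that `tls` must not carry it or strip it first with `{{- toYaml (omit $port.tls "credentialName") | nindent 4 }}`. The nested `{{- if $port.tls }}{{- if not $port.tls.httpsRedirect }}` could be a single `{{- if and $port.tls (not $port.tls.httpsRedirect) }}`.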
|
@ -5,7 +5,7 @@ metadata:
|
||||
name: ingressgateway-listener-tcp-keepalive
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
@ -43,7 +43,7 @@ metadata:
|
||||
name: private-ingressgateway-listener-tcp-keepalive
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
|
@ -1,4 +1,7 @@
|
||||
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
|
||||
# Public Ingress Gateway
|
||||
{{- $gateway := index .Values "istio-ingress" }}
|
||||
|
||||
{{- if and $gateway.enabled $gateway.certificates }}
|
||||
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
||||
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
@ -7,108 +10,10 @@ metadata:
|
||||
name: ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 80
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: {{ $cert.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
istio: private-ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 80
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
# All SSL hosts one entry per ingress-certificate
|
||||
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: {{ $cert.name }}
|
||||
- port:
|
||||
number: 24224
|
||||
name: fluentd-forward
|
||||
protocol: TLS
|
||||
hosts:
|
||||
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
credentialName: {{ $cert.name }}
|
||||
{{- end }}
|
||||
- port:
|
||||
number: 5672
|
||||
name: amqp
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
- port:
|
||||
number: 5671
|
||||
name: amqps
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
- port:
|
||||
number: 6379
|
||||
name: redis
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
- port:
|
||||
number: 6380
|
||||
name: redis-1
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
|
||||
{{- end }}
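Review bot: The private gateway's inline servers on 24224 (fluentd-forward), 5671/5672 (amqp/amqps) and 6379/6380 (redis) are deleted here, and the replacement `gatewayServers` include in gateway-private.yaml only emits servers for entries under `gateways.istio-ingressgateway.ports`, where values.yaml now lists fluentd-forward and amqps commented out and no redis/amqp entry at all in the visible hunk; an upgrade therefore drops those listeners unless the operator adds them back. That looks deliberate (the chart no longer hard-codes tenant ports) but is an exposure change worth one line in values.yaml, e.g. `# TCP/TLS passthrough ports (fluentd-forward, amqps, ...) are no longer emitted by default; add them here to restore the pre-0.7 Gateway servers`. Minor style: `| nindent 2}}` at the include lacks the space before `}}` used everywhere else in the file.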
|
||||
|
@ -0,0 +1,19 @@
|
||||
# Private Ingress Gateway
|
||||
{{- $gateway := index .Values "istio-private-ingress" }}
|
||||
|
||||
{{- if and $gateway.enabled $gateway.certificates }}
|
||||
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
||||
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
istio: private-ingressgateway
|
||||
servers:
|
||||
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
|
||||
{{- end }}
|
@ -1,7 +1,7 @@
|
||||
# Make sure these values match kuberzero-istio !!!
|
||||
global:
|
||||
#hub: docker.io/istio
|
||||
#tag: 1.10.2
|
||||
#tag: 1.11.0
|
||||
|
||||
logAsJson: true
|
||||
|
||||
@ -50,31 +50,50 @@ istio-ingress:
|
||||
mountPath: /etc/istio/custom-bootstrap
|
||||
configMapName: istio-gateway-bootstrap-config
|
||||
|
||||
# The node selector is normally the list of nodeports, see CloudBender
|
||||
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "30080_30443"
|
||||
node.kubernetes.io/ingress.public: "Exists"
|
||||
# Only nodes who are fronted with matching NLB
|
||||
#affintiy:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: node.kubernetes.io/ingress.public
|
||||
# operator: Exists
|
||||
|
||||
# Map port 80/443 to 8080/8443 so we don't need to root
|
||||
|
||||
# ports is extended as follows:
|
||||
# noGateway: true -> this port does NOT get mapped to a Gateway port
|
||||
# tls: optional gateway port setting
|
||||
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
nodePort: 30021
|
||||
protocol: TCP
|
||||
noGateway: true
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 30080
|
||||
protocol: TCP
|
||||
gatewayProtocol: HTTP2
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 30443
|
||||
protocol: TCP
|
||||
gatewayProtocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
|
||||
certificates:
|
||||
- name: ingress-cert
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
||||
proxyProtocol: false
|
||||
proxyProtocol: true
|
||||
|
||||
meshConfig:
|
||||
defaultConfig:
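Review bot: `proxyProtocol: true` flips the chart default with no comment on the prerequisite; presumably the flag drives Envoy's PROXY-protocol listener filter, in which case a NodePort reached without the PROXY header (an NLB without proxy protocol v2 enabled, or direct access) fails the connection, and the client address Envoy records is whatever the header says. That address is also what the `rateLimiting` descriptors added in this commit key on (`remote_address`, per the kubezero-istio README), so it is only as trustworthy as the network path to the NodePort. Suggest `# Requires the fronting NLB to send PROXY protocol v2; the client IP it carries is what access logs and rate limiting see` above the key. The same default flip is in the istio-private-ingress block (`@ -160,7 +195,7 @@`), and the typo in `# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !` could be fixed while here.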
|
||||
@ -124,27 +143,43 @@ istio-private-ingress:
|
||||
mountPath: /etc/istio/custom-bootstrap
|
||||
configMapName: istio-gateway-bootstrap-config
|
||||
|
||||
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "31080_31443"
|
||||
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||
node.kubernetes.io/ingress.private: "Exists"
|
||||
# Only nodes who are fronted with matching NLB
|
||||
#affintiy:
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: node.kubernetes.io/ingress.private
|
||||
# operator: Exists
|
||||
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
nodePort: 31021
|
||||
protocol: TCP
|
||||
noGateway: true
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 31080
|
||||
protocol: TCP
|
||||
gatewayProtocol: HTTP2
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 31443
|
||||
protocol: TCP
|
||||
gatewayProtocol: HTTPS
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
#- name: fluentd-forward
|
||||
# port: 24224
|
||||
# nodePort: 31224
|
||||
# gatewayProtocol: TLS
|
||||
# tls:
|
||||
# mode: SIMPLE
|
||||
#- name: amqps
|
||||
# port: 5671
|
||||
# nodePort: 31671
|
||||
@ -160,7 +195,7 @@ istio-private-ingress:
|
||||
dnsNames: []
|
||||
#- '*.example.com'
|
||||
|
||||
proxyProtocol: false
|
||||
proxyProtocol: true
|
||||
|
||||
meshConfig:
|
||||
defaultConfig:
|
||||
|
@ -28,4 +28,5 @@ README.md.gotmpl
|
||||
*.py
|
||||
|
||||
istioctl
|
||||
istio-?.?.?
|
||||
istio
|
||||
istio.zdt
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.6.1
|
||||
appVersion: 1.10.3
|
||||
version: 0.7.2
|
||||
appVersion: 1.11.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -13,10 +13,14 @@ maintainers:
|
||||
- name: Quarky9
|
||||
dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
version: ">= 0.1.4"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: base
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
- name: istio-discovery
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
- name: kiali-server
|
||||
version: 1.38.1
|
||||
# repository: https://github.com/kiali/helm-charts/tree/master/docs
|
||||
condition: kiali-server.enabled
|
||||
kubeVersion: ">= 1.18.0"
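Review bot: The new `kiali-server` dependency records no resolvable source: `# repository:` is commented out and points at a GitHub docs tree rather than a Helm repository index, so the 1.38.1 chart is effectively vendored without a recorded origin or digest and `helm dependency update` can neither refresh nor verify it. Suggest an uncommented pointer to where the archive came from and how it is refreshed, e.g. `# vendored from <kiali helm repo URL> via <update script>` with the real values, matching how `base` and `istio-discovery` are maintained in-tree. The subchart defaults this commit's README shows (`kiali-server.enabled` `false`, `auth.strategy` `"anonymous"`, `view_only_mode` `true`, `ingress_enabled` `false`) keep it off and read-only, which is the right baseline; a one-line comment in values.yaml that enabling it while keeping `anonymous` auth relies entirely on whatever Gateway or AuthorizationPolicy fronts it would help the next operator.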
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-istio
|
||||
|
||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
|
||||
![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
@ -20,8 +20,9 @@ Kubernetes: `>= 1.18.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | base | 1.10.2 |
|
||||
| | istio-discovery | 1.10.2 |
|
||||
| | base | 1.11.1 |
|
||||
| | istio-discovery | 1.11.1 |
|
||||
| | kiali-server | 1.38.1 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
@ -43,6 +44,26 @@ Kubernetes: `>= 1.18.0`
|
||||
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||
| kiali-server.auth.strategy | string | `"anonymous"` | |
|
||||
| kiali-server.deployment.ingress_enabled | bool | `false` | |
|
||||
| kiali-server.deployment.view_only_mode | bool | `true` | |
|
||||
| kiali-server.enabled | bool | `false` | |
|
||||
| kiali-server.external_services.custom_dashboards.enabled | bool | `false` | |
|
||||
| kiali-server.external_services.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus.monitoring:9090"` | |
|
||||
| kiali-server.istio.enabled | bool | `false` | |
|
||||
| kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
|
||||
| kiali-server.server.metrics_enabled | bool | `false` | |
|
||||
| rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` | |
|
||||
| rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | |
|
||||
| rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` | |
|
||||
| rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` | |
|
||||
| rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | |
|
||||
| rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | |
|
||||
| rateLimiting.enabled | bool | `true` | |
|
||||
| rateLimiting.failureModeDeny | bool | `false` | |
|
||||
| rateLimiting.localCacheSize | int | `1048576` | |
|
||||
| rateLimiting.log.format | string | `"json"` | |
|
||||
| rateLimiting.log.level | string | `"warn"` | |
|
||||
|
||||
## Resources
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: base
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||
keywords:
|
||||
|
@ -1,3 +1,8 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
@ -149,6 +154,9 @@ rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["multicluster.x-k8s.io"]
|
||||
resources: ["serviceexports"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
{{- if or .Values.global.externalIstiod }}
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
|
@ -1,3 +1,8 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
@ -1,5 +1,5 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if .Values.pilot.enabled }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
apiVersion: v1
|
||||
kind: Endpoints
|
||||
metadata:
|
||||
|
@ -0,0 +1,16 @@
|
||||
# This service account aggregates reader permissions for the revisions in a given cluster
|
||||
# Should be used for remote secret creation.
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
@ -1,3 +1,8 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
|
@ -1,3 +1,8 @@
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
@ -1,18 +1,8 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
---
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
# DO NOT EDIT!
|
||||
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
|
||||
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
|
||||
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
@ -27,4 +17,3 @@ metadata:
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
---
|
||||
|
@ -1,5 +1,5 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if .Values.pilot.enabled }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
# when istiod is enabled in remote cluster, we can't use istiod service name
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
@ -1,40 +0,0 @@
|
||||
{{- if .Values.global.configValidation }}
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
istio: istiod
|
||||
webhooks:
|
||||
- name: validation.istio.io
|
||||
clientConfig:
|
||||
{{- if .Values.base.validationURL }}
|
||||
url: {{ .Values.base.validationURL }}
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
path: "/validate"
|
||||
{{- end }}
|
||||
caBundle: "" # patched at runtime when the webhook is ready.
|
||||
rules:
|
||||
- operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
apiGroups:
|
||||
- security.istio.io
|
||||
- networking.istio.io
|
||||
apiVersions:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
# Fail open until the validation webhook is ready. The webhook controller
|
||||
# will update this to `Fail` and patch in the `caBundle` when the webhook
|
||||
# endpoint is ready.
|
||||
failurePolicy: Ignore
|
||||
sideEffects: None
|
||||
admissionReviewVersions: ["v1beta1", "v1"]
|
||||
---
|
||||
{{- end }}
|
@ -1,6 +1,6 @@
|
||||
apiVersion: v1
|
||||
name: istio-discovery
|
||||
version: 1.10.3
|
||||
version: 1.11.1
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for istio control plane
|
||||
keywords:
|
||||
|
@ -4,6 +4,5 @@ MCP and injector should optionally be installed in the same namespace. Alternati
|
||||
address of an MCP server can be set.
|
||||
|
||||
|
||||
Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience!
|
||||
https://forms.gle/KjkrDnMPByq7akrYA"
|
||||
|
||||
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
|
||||
https://forms.gle/kWULBRjUv7hHci7T6
|
||||
|
@ -28,12 +28,6 @@ spec:
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --serviceCluster
|
||||
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||
{{ else -}}
|
||||
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||
{{ end -}}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
@ -78,14 +72,6 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
@ -112,11 +98,6 @@ spec:
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{ if .ObjectMeta.Annotations }}
|
||||
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||
value: |
|
||||
{{ toJSON .ObjectMeta.Annotations }}
|
||||
{{ end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
@ -187,16 +168,6 @@ spec:
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
|
@ -0,0 +1,234 @@
|
||||
{{- $containers := list }}
|
||||
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
|
||||
metadata:
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||
{{ end }}
|
||||
}
|
||||
spec:
|
||||
containers:
|
||||
{{- range $index, $container := .Spec.Containers }}
|
||||
{{ if not (eq $container.Name "istio-proxy") }}
|
||||
- name: {{ $container.Name }}
|
||||
env:
|
||||
- name: "GRPC_XDS_BOOTSTRAP"
|
||||
value: "/var/lib/istio/data/grpc-bootstrap.json"
|
||||
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
|
||||
value: "true"
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-xds
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
args:
|
||||
- proxy
|
||||
- sidecar
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
env:
|
||||
- name: "GRPC_XDS_BOOTSTRAP"
|
||||
value: "/var/lib/istio/data/grpc-bootstrap.json"
|
||||
- name: ISTIO_META_GENERATOR
|
||||
value: grpc
|
||||
- name: OUTPUT_CERTS
|
||||
value: /var/lib/istio/data
|
||||
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
||||
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
||||
value: "true"
|
||||
{{- end }}
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{ $containers | join "," }}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
# grpc uses xds:/// to resolve – no need to resolve VIP
|
||||
- name: ISTIO_META_DNS_CAPTURE
|
||||
value: "false"
|
||||
- name: DISABLE_ENVOY
|
||||
value: "true"
|
||||
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: {{ .Values.global.proxy.statusPort }}
|
||||
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
||||
{{ end -}}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-xds
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 6 }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
# UDS channel between istioagent and gRPC client for XDS/SDS
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-xds
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 4 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
@ -0,0 +1,58 @@
|
||||
spec:
|
||||
initContainers:
|
||||
- name: grpc-bootstrap-init
|
||||
image: busybox:1.28
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/grpc/data/
|
||||
name: grpc-io-proxyless-bootstrap
|
||||
env:
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
command:
|
||||
- sh
|
||||
- "-c"
|
||||
- |-
|
||||
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
|
||||
echo '
|
||||
{
|
||||
"xds_servers": [
|
||||
{
|
||||
"server_uri": "dns:///istiod.istio-system.svc:15010",
|
||||
"channel_creds": [{"type": "insecure"}],
|
||||
"server_features" : ["xds_v3"]
|
||||
}
|
||||
],
|
||||
"node": {
|
||||
"id": "'${NODE_ID}'",
|
||||
"metadata": {
|
||||
"GENERATOR": "grpc"
|
||||
}
|
||||
}
|
||||
}' > /var/lib/grpc/data/bootstrap.json
|
||||
containers:
|
||||
{{- range $index, $container := .Spec.Containers }}
|
||||
- name: {{ $container.Name }}
|
||||
env:
|
||||
- name: GRPC_XDS_BOOTSTRAP
|
||||
value: /var/lib/grpc/data/bootstrap.json
|
||||
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
|
||||
value: "99"
|
||||
- name: GRPC_GO_LOG_SEVERITY_LEVEL
|
||||
value: info
|
||||
volumeMounts:
|
||||
- mountPath: /var/lib/grpc/data/
|
||||
name: grpc-io-proxyless-bootstrap
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: grpc-io-proxyless-bootstrap
|
||||
emptyDir: {}
|
@ -5,7 +5,6 @@ metadata:
|
||||
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
|
||||
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
|
||||
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
|
||||
istio.io/rev: {{ .Revision | default "default" | quote }}
|
||||
annotations: {
|
||||
{{- if eq (len $containers) 1 }}
|
||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||
@ -138,7 +137,7 @@ spec:
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
{{ end -}}
|
||||
{{- if eq .Values.global.proxy.enableCoreDump true }}
|
||||
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
||||
- name: enable-core-dump
|
||||
args:
|
||||
- -c
|
||||
@ -181,12 +180,6 @@ spec:
|
||||
- sidecar
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --serviceCluster
|
||||
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||
{{ else -}}
|
||||
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||
{{ end -}}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
|
||||
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
|
||||
@ -196,9 +189,9 @@ spec:
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
|
||||
{{- if gt .EstimatedConcurrency 0 }}
|
||||
- --concurrency
|
||||
- "{{ .ProxyConfig.Concurrency.GetValue }}"
|
||||
- "{{ .EstimatedConcurrency }}"
|
||||
{{- end -}}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
@ -246,14 +239,6 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
@ -280,11 +265,6 @@ spec:
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{ if .ObjectMeta.Annotations }}
|
||||
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||
value: |
|
||||
{{ toJSON .ObjectMeta.Annotations }}
|
||||
{{ end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
@ -344,7 +324,7 @@ spec:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: {{ .Values.global.proxy.privileged }}
|
||||
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
|
||||
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
|
||||
runAsGroup: 1337
|
||||
fsGroup: 1337
|
||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||
@ -437,16 +417,6 @@ spec:
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- path: "cpu-limit"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: limits.cpu
|
||||
divisor: 1m
|
||||
- path: "cpu-request"
|
||||
resourceFieldRef:
|
||||
containerName: istio-proxy
|
||||
resource: requests.cpu
|
||||
divisor: 1m
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
|
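Review bot: With the change to `readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}` and the matching `{{- if eq (annotation ... enableCoreDump ...) "true" }}` guard on the `enable-core-dump` init container, a pod annotation now overrides the cluster-wide `global.proxy.enableCoreDump` value in both directions, so any workload author can switch the sidecar to a writable root filesystem and pull in the core-dump init container. That is a policy change rather than a bug, and it appears to come from the upstream template, but it widens what a namespace tenant can do without touching chart values. If that is not intended, document the annotation in the chart README and consider an admission rule that rejects `sidecar.istio.io/enableCoreDump` outside trusted namespaces. The enclosing template continues outside the hunks shown here.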
@ -0,0 +1,112 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# sidecar injection controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
|
||||
# configuration validation webhook controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
|
||||
# istio configuration
|
||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
||||
# please proceed with caution
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
resources: ["*"]
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||
verbs: ["update"]
|
||||
# TODO: should be on just */status but wildcard is not supported
|
||||
resources: ["*"]
|
||||
{{- end }}
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries/status" ]
|
||||
|
||||
# auto-detect installed CRD definitions
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# discovery and routing
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# ingress controller
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
{{- end}}
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses", "ingressclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
|
||||
# required for CA's namespace controller
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
|
||||
# Istiod and bootstrap.
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "certificatesigningrequests"
|
||||
- "certificatesigningrequests/approval"
|
||||
- "certificatesigningrequests/status"
|
||||
verbs: ["update", "create", "get", "delete", "watch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "signers"
|
||||
resourceNames:
|
||||
- "kubernetes.io/legacy-unknown"
|
||||
verbs: ["approve"]
|
||||
|
||||
# Used by Istiod to verify the JWT tokens
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Used by Istiod to verify gateway SDS
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Use for Kubernetes Service APIs
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
||||
verbs: ["update"]
|
||||
|
||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
# Used for MCS serviceexport management
|
||||
- apiGroups: ["multicluster.x-k8s.io"]
|
||||
resources: ["serviceexports"]
|
||||
verbs: ["get", "watch", "list", "create", "delete"]
|
@ -0,0 +1,15 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
@ -49,9 +49,11 @@
|
||||
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
||||
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
|
||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
|
||||
{{- else }}
|
||||
{}
|
||||
{{- end }}
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if .Values.pilot.enabled }}
|
||||
{{- if not .Values.global.externalIstiod }}
|
||||
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
||||
{{- else }}
|
||||
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
|
||||
|
@ -54,7 +54,7 @@ spec:
|
||||
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: istiod-service-account
|
||||
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
|
@ -52,6 +52,14 @@ data:
|
||||
gateway: |
|
||||
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
|
||||
grpc-simple: |
|
||||
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
|
||||
grpc-agent: |
|
||||
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.sidecarInjectorWebhook.templates }}
|
||||
{{ toYaml . | trim | indent 6 }}
|
||||
{{- end }}
|
||||
|
@ -5,12 +5,12 @@ a unique prefix to each. */}}
|
||||
- name: {{.Prefix}}sidecar-injector.istio.io
|
||||
clientConfig:
|
||||
{{- if .Values.istiodRemote.injectionURL }}
|
||||
url: {{ .Values.istiodRemote.injectionURL }}
|
||||
url: "{{ .Values.istiodRemote.injectionURL }}"
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: "/inject"
|
||||
path: "{{ .Values.istiodRemote.injectionPath }}"
|
||||
port: 443
|
||||
{{- end }}
|
||||
caBundle: ""
|
||||
@ -40,60 +40,7 @@ metadata:
|
||||
app: sidecar-injector
|
||||
release: {{ .Release.Name }}
|
||||
webhooks:
|
||||
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
|
||||
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
|
||||
{{- include "core" . }}
|
||||
namespaceSelector:
|
||||
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||
matchExpressions:
|
||||
- key: name
|
||||
operator: NotIn
|
||||
values:
|
||||
- {{ .Release.Namespace }}
|
||||
- key: istio-injection
|
||||
operator: NotIn
|
||||
values:
|
||||
- disabled
|
||||
- key: istio-env
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: DoesNotExist
|
||||
{{- else if .Values.revision }}
|
||||
matchExpressions:
|
||||
- key: istio-injection
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Values.revision }}
|
||||
{{- else }}
|
||||
matchLabels:
|
||||
istio-injection: enabled
|
||||
{{- end }}
|
||||
{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
|
||||
objectSelector:
|
||||
{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
|
||||
matchExpressions:
|
||||
- key: "sidecar.istio.io/inject"
|
||||
operator: NotIn
|
||||
values:
|
||||
- "false"
|
||||
{{- else if .Values.revision }}
|
||||
matchExpressions:
|
||||
- key: "sidecar.istio.io/inject"
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Values.revision }}
|
||||
{{- else }}
|
||||
matchLabels:
|
||||
"sidecar.istio.io/inject": "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
|
||||
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
|
||||
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
|
||||
|
||||
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
|
||||
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
|
||||
@ -195,4 +142,3 @@ webhooks:
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,48 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "config.istio.io"
|
||||
- "security.istio.io"
|
||||
- "networking.istio.io"
|
||||
- "authentication.istio.io"
|
||||
- "rbac.istio.io"
|
||||
resources: ["*"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["replicasets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
{{- if .Values.global.externalIstiod }}
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
{{- end}}
|
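Review bot: The core-group rule `resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]` grants `get`/`list`/`watch` on every Secret in the cluster to whatever binds this ClusterRole, which is the broadest permission in the file and the first thing an RBAC audit will ask about. If that read is needed only for particular secret types (multi-cluster remote-cluster credentials, presumably — I cannot confirm from this diff), a comment stating that above the rule, e.g. `# cluster-wide secret read: required for <reason — confirm>; list/watch cannot be narrowed with resourceNames`, documents the decision for whoever reviews the binding. Two style nits in the same resource: `verbs: [ "get", "watch", "list" ]` and `resources: [ "workloadentries" ]` use inner spaces that no other flow list here uses, and the closing `{{- end}}` drops the space that every other `{{- end }}` in the file has.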
@ -0,0 +1,15 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
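Review bot: This binding hands the cluster-wide read of the ClusterRole above to `istio-reader-service-account` in `{{ .Values.global.istioNamespace }}`, but no hunk in this commit creates that ServiceAccount, so it is either defined elsewhere in the chart or the binding dangles until something creates it. A dangling ClusterRoleBinding is satisfied by any ServiceAccount later created with that name in that namespace, which makes it worth a comment naming the source of the account, e.g. `# subject: ServiceAccount rendered by <template path — confirm>`.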
@ -5,12 +5,12 @@
|
||||
- name: {{.Prefix}}sidecar-injector.istio.io
|
||||
clientConfig:
|
||||
{{- if .Values.istiodRemote.injectionURL }}
|
||||
url: {{ .Values.istiodRemote.injectionURL }}
|
||||
url: "{{ .Values.istiodRemote.injectionURL }}"
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: "/inject"
|
||||
path: "{{ .Values.istiodRemote.injectionPath }}"
|
||||
{{- end }}
|
||||
caBundle: ""
|
||||
sideEffects: None
|
||||
@ -110,4 +110,4 @@ webhooks:
|
||||
operator: DoesNotExist
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -0,0 +1,20 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# permissions to verify the webhook is ready and rejecting
|
||||
# invalid config. We use --server-dry-run so no config is persisted.
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: ["create"]
|
||||
resources: ["gateways"]
|
||||
|
||||
# For storing CA secret
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
|
||||
verbs: ["create", "get", "watch", "list", "update", "delete"]
|
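Review bot: The `secrets` rule gives istiod `create`, `get`, `watch`, `list`, `update` and `delete` on every Secret in `{{ .Values.global.istioNamespace }}`, and the carried-over `# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config` comment shows this is already known to be wider than needed. A `resourceNames:` restriction works for `get`/`update`/`delete` but not for `create`, `list` or `watch`, so the rule would have to be split into a named-resource rule and a collection rule before it can be tightened; at minimum the comment should record which verbs are actually exercised so the TODO can be actioned later. The `gateways` `create` rule is explained by the dry-run comment above it and looks fine.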
@ -0,0 +1,16 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
---
|
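Review bot: `- name: {{ . }}` under `imagePullSecrets` renders each entry as a plain scalar, so a pull-secret name that looks like a number or boolean (`0123`, `on`) would be retyped by the YAML parser and the ServiceAccount would reference the wrong name. `- name: {{ . | quote }}` avoids that at no cost and matches the quoting style used for `priorityClassName` elsewhere in this commit.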
@ -3,7 +3,7 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -19,7 +19,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -54,7 +54,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -89,7 +89,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -124,7 +124,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -138,7 +138,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener: {}
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
@ -153,7 +153,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
cluster: {}
|
||||
patch:
|
||||
operation: MERGE
|
||||
@ -169,7 +169,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
cluster: {}
|
||||
patch:
|
||||
operation: MERGE
|
||||
@ -187,7 +187,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -201,7 +201,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -247,7 +247,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -271,6 +271,7 @@ spec:
|
||||
{
|
||||
"debug": "false",
|
||||
"stat_prefix": "istio",
|
||||
"disable_host_header_fallback": true,
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
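Review bot: `"disable_host_header_fallback": true,` is inserted into only this stats-filter config block (by the hunk context it appears to sit in the `SIDECAR_INBOUND` section), while the outbound and gateway stats-filter hunks in this file carry nothing but the 1.10→1.11 rename; if inbound-only is intentional, a comment above the key saying so would keep the next version bump from "fixing" the asymmetry. Separately, the last hunk of this file changes `proxyVersion: '1\.10.*'` to `proxyVersion: '1\.11.*'` for the stackdriver-sampling-accesslog filter without the `^` anchor that every other `proxyVersion` match in the file uses, and the bump was the moment to make it `proxyVersion: '^1\.11.*'`. The enclosing EnvoyFilter resource starts and ends outside the hunk.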
@ -301,7 +302,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -349,7 +350,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -363,7 +364,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -415,7 +416,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -459,7 +460,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -505,7 +506,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -520,7 +521,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -555,7 +556,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -589,7 +590,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -623,7 +624,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -638,7 +639,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -671,7 +672,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -703,7 +704,7 @@ spec:
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.10.*'
|
||||
proxyVersion: '^1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
@ -736,7 +737,7 @@ spec:
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
@ -750,7 +751,7 @@ spec:
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '1\.10.*'
|
||||
proxyVersion: '1\.11.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
@ -0,0 +1,86 @@
|
||||
{{- if .Values.global.configValidation }}
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
istio: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
webhooks:
|
||||
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
|
||||
# are rejecting invalid configs on a per-revision basis.
|
||||
- name: rev.validation.istio.io
|
||||
clientConfig:
|
||||
# Should change from base but cannot for API compat
|
||||
{{- if .Values.base.validationURL }}
|
||||
url: {{ .Values.base.validationURL }}
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
path: "/validate"
|
||||
{{- end }}
|
||||
caBundle: "" # patched at runtime when the webhook is ready.
|
||||
rules:
|
||||
- operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
apiGroups:
|
||||
- security.istio.io
|
||||
- networking.istio.io
|
||||
apiVersions:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
# Fail open until the validation webhook is ready. The webhook controller
|
||||
# will update this to `Fail` and patch in the `caBundle` when the webhook
|
||||
# endpoint is ready.
|
||||
failurePolicy: Ignore
|
||||
sideEffects: None
|
||||
admissionReviewVersions: ["v1beta1", "v1"]
|
||||
objectSelector:
|
||||
matchExpressions:
|
||||
- key: istio.io/rev
|
||||
operator: In
|
||||
values:
|
||||
{{- if (eq .Values.revision "") }}
|
||||
- "default"
|
||||
{{- else }}
|
||||
- "{{ .Values.revision }}"
|
||||
{{- end }}
|
||||
# Webhook handling default validation
|
||||
- name: validation.istio.io
|
||||
clientConfig:
|
||||
# Should change from base but cannot for API compat
|
||||
{{- if .Values.base.validationURL }}
|
||||
url: {{ .Values.base.validationURL }}
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
path: "/validate"
|
||||
{{- end }}
|
||||
caBundle: ""
|
||||
rules:
|
||||
- operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
apiGroups:
|
||||
- security.istio.io
|
||||
- networking.istio.io
|
||||
- telemetry.istio.io
|
||||
apiVersions:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
failurePolicy: Ignore
|
||||
sideEffects: None
|
||||
admissionReviewVersions: ["v1beta1", "v1"]
|
||||
objectSelector:
|
||||
matchExpressions:
|
||||
- key: istio.io/rev
|
||||
operator: DoesNotExist
|
||||
---
|
||||
{{- end }}
|
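Review bot: `url: {{ .Values.base.validationURL }}` is left unquoted in both webhooks while the injector webhook hunk in this same commit quoted its `url`; a URL containing `#` or `: ` would mis-parse here, so make it `url: "{{ .Values.base.validationURL }}"` in both places. Both webhooks are created with `failurePolicy: Ignore`, and the comment says a controller later flips it to `Fail` and patches `caBundle`; if that controller never runs (for example when istiod is not deployed locally, which the new `externalIstiod` comment in values describes), invalid `networking.istio.io`/`security.istio.io` objects are admitted silently, so a post-install check that `failurePolicy` has become `Fail` is worth documenting in the chart README. The whole resource is gated on `global.configValidation`, which this commit adds to values with default `true`.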
@ -65,10 +65,6 @@ pilot:
|
||||
|
||||
|
||||
sidecarInjectorWebhook:
|
||||
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
|
||||
# requests in Istiod, rather than at the webhook selection level.
|
||||
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
|
||||
useLegacySelectors: false
|
||||
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
||||
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
||||
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
||||
@ -116,8 +112,8 @@ sidecarInjectorWebhook:
|
||||
templates: {}
|
||||
|
||||
# Default templates specifies a set of default templates that are used in sidecar injection.
|
||||
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
|
||||
# To inject other additional templates, define it using the `templates` option, and add it to
|
||||
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
|
||||
# To inject other additional templates, define it using the `templates` option, and add it to
|
||||
# the default templates list.
|
||||
# For example:
|
||||
#
|
||||
@ -130,9 +126,15 @@ sidecarInjectorWebhook:
|
||||
# defaultTemplates: ["sidecar", "hello"]
|
||||
defaultTemplates: []
|
||||
istiodRemote:
|
||||
# Sidecar injector mutating webhook configuration url
|
||||
# Sidecar injector mutating webhook configuration clientConfig.url value.
|
||||
# For example: https://$remotePilotAddress:15017/inject
|
||||
# The host should not refer to a service running in the cluster; use a service reference by specifying
|
||||
# the clientConfig.service field instead.
|
||||
injectionURL: ""
|
||||
|
||||
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
|
||||
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
|
||||
injectionPath: "/inject"
|
||||
telemetry:
|
||||
enabled: true
|
||||
v2:
|
||||
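Review bot: The comment `# Override to pass env variables, for example: /inject/cluster/remote/net/network2` above `injectionPath: "/inject"` does not say what is being passed or how; the example suggests path segments that select the cluster and network for the remote injection template rather than environment variables. Rewording it along the lines of `# Override to encode injection parameters in the webhook path (e.g. cluster and network of a remote cluster): /inject/cluster/remote/net/network2` would tell a reader what the segments mean — confirm the exact semantics against istiod's injector handler before settling on the wording.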
@ -237,7 +239,7 @@ global:
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: docker.io/istio
|
||||
# Default tag for Istio images.
|
||||
tag: 1.10.3
|
||||
tag: 1.11.1
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
@ -386,9 +388,14 @@ global:
|
||||
# If not set explicitly, default to the Istio discovery address.
|
||||
caAddress: ""
|
||||
|
||||
# External istiod controls all remote clusters: disabled by default
|
||||
# Configure a remote cluster data plane controlled by an external istiod.
|
||||
# When set to true, istiod is not deployed locally and only a subset of the other
|
||||
# discovery charts are enabled.
|
||||
externalIstiod: false
|
||||
|
||||
# Configure a remote cluster as the config cluster for an external istiod.
|
||||
configCluster: false
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
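Review bot: `configCluster: false` arrives with a one-line comment saying it marks a remote cluster as the config cluster for an external istiod, but not what the chart renders differently when it is true, and none of the hunks visible in this commit reference `.Values.global.configCluster` (it may be consumed by templates outside the diff). Extending the comment with the effect, e.g. `# When true, <templates affected — confirm> are rendered for the config cluster.`, or pointing at the consuming template, would let a reader judge the setting from values.yaml alone.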
@ -510,6 +517,9 @@ global:
|
||||
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
|
||||
useMCP: false
|
||||
|
||||
# Determines whether this istiod performs resource validation.
|
||||
configValidation: true
|
||||
|
||||
base:
|
||||
# For istioctl usage to disable istio config crds in base
|
||||
enableIstioConfigCRDs: true
|
||||
|
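--- a/charts/kubezero-istio/charts/kiali-server/Chart.yaml
+++ b/charts/kubezero-istio/charts/kiali-server/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v1.38.1
+description: Kiali is an open source project for service mesh observability, refer
+to https://www.kiali.io for details.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/master/themes/kiali/static/img/kiali_logo_masthead.png
+keywords:
+- istio
+- kiali
+maintainers:
+- email: kiali-users@googlegroups.com
+name: Kiali
+url: https://kiali.io
+name: kiali-server
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-ui
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 1.38.1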
@ -0,0 +1,5 @@
|
||||
Welcome to Kiali! For more details on Kiali, see: https://kiali.io
|
||||
|
||||
The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
|
||||
|
||||
(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])
|
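--- a/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl
+++ b/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl
@@ -0,0 +1,143 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create a default fully qualified instance name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride.
+For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali,
+use fullnameOverride, otherwise use deployment.instance_name.
+*/}}
+{{- define "kiali-server.fullname" -}}
+{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }}
+{{- .Values.fullnameOverride | trunc 63 }}
+{{- else }}
+{{- .Values.deployment.instance_name | trunc 63 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kiali-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Identifies the log_level with the old verbose_mode and the new log_level considered.
+*/}}
+{{- define "kiali-server.logLevel" -}}
+{{- if .Values.deployment.verbose_mode -}}
+{{- .Values.deployment.verbose_mode -}}
+{{- else -}}
+{{- .Values.deployment.logger.log_level -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kiali-server.labels" -}}
+helm.sh/chart: {{ include "kiali-server.chart" . }}
+app: kiali
+{{ include "kiali-server.selectorLabels" . }}
+version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
+app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/part-of: "kiali"
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kiali-server.selectorLabels" -}}
+app.kubernetes.io/name: kiali
+app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }}
+{{- end }}
+
+{{/*
+Determine the default login token signing key.
+*/}}
+{{- define "kiali-server.login_token.signing_key" -}}
+{{- if .Values.login_token.signing_key }}
+{{- .Values.login_token.signing_key }}
+{{- else }}
+{{- randAlphaNum 16 }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the default web root.
+*/}}
+{{- define "kiali-server.server.web_root" -}}
+{{- if .Values.server.web_root }}
+{{- .Values.server.web_root | trimSuffix "/" }}
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- "/" }}
+{{- else }}
+{{- "/kiali" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the default identity cert file. There is no default if on k8s; only on OpenShift.
+*/}}
+{{- define "kiali-server.identity.cert_file" -}}
+{{- if hasKey .Values.identity "cert_file" }}
+{{- .Values.identity.cert_file }}
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- "/kiali-cert/tls.crt" }}
+{{- else }}
+{{- "" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the default identity private key file. There is no default if on k8s; only on OpenShift.
+*/}}
+{{- define "kiali-server.identity.private_key_file" -}}
+{{- if hasKey .Values.identity "private_key_file" }}
+{{- .Values.identity.private_key_file }}
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- "/kiali-cert/tls.key" }}
+{{- else }}
+{{- "" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the istio namespace - default is where Kiali is installed.
+*/}}
+{{- define "kiali-server.istio_namespace" -}}
+{{- if .Values.istio_namespace }}
+{{- .Values.istio_namespace }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift.
+*/}}
+{{- define "kiali-server.auth.strategy" -}}
+{{- if .Values.auth.strategy }}
+{{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }}
+{{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }}
+{{- end }}
+{{- .Values.auth.strategy }}
+{{- else }}
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if not .Values.kiali_route_url }}
+{{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }}
+{{- end }}
+{{- "openshift" }}
+{{- else }}
+{{- "token" }}
+{{- end }}
+{{- end }}
+{{- end }}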
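Review bot: `{{- randAlphaNum 16 }}` in `kiali-server.login_token.signing_key` produces a fresh key on every render, so each `helm upgrade` that leaves `login_token.signing_key` empty rotates the token-signing key and invalidates every active Kiali session, and the value itself ends up in the rendered config rather than a Secret. Since this is vendored upstream chart code, the practical fix belongs on the umbrella side: supply `login_token.signing_key` from a Secret-backed value and say so in the KubeZero values documentation, e.g. `# login_token.signing_key: set explicitly — the chart default regenerates it on every upgrade`.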
@ -0,0 +1,13 @@
|
||||
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}-cabundle
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
service.beta.openshift.io/inject-cabundle: "true"
|
||||
...
|
||||
{{- end }}
|
@ -0,0 +1,25 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
{{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
|
||||
{{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
|
||||
{{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
|
||||
{{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
|
||||
{{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
|
||||
{{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }}
|
||||
{{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }}
|
||||
{{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }}
|
||||
{{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }}
|
||||
{{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }}
|
||||
{{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }}
|
||||
{{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}
|
||||
{{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }}
|
||||
{{- toYaml $cm | nindent 4 }}
|
||||
...
|
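Review bot: `{{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}` writes the login-token signing key into a resource of `kind: ConfigMap`, so anyone with `get configmaps` in the release namespace can read the key that signs Kiali sessions. This is upstream Kiali chart behaviour, but because the umbrella chart owns the deployment it is worth either overriding `login_token.signing_key` from a Secret or at least calling it out in the KubeZero README; note also that `omit .Values "nameOverride" "fullnameOverride" "kiali_route_url"` copies every other value into the ConfigMap, so any secret-like value added to values.yaml later will land there too.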
@ -0,0 +1,165 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.deployment.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "kiali-server.selectorLabels" . | nindent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 1
|
||||
maxUnavailable: 1
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 8 }}
|
||||
{{- if .Values.deployment.pod_labels }}
|
||||
{{- toYaml .Values.deployment.pod_labels | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.server.metrics_enabled }}
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: {{ .Values.server.metrics_port | quote }}
|
||||
{{- else }}
|
||||
prometheus.io/scrape: "false"
|
||||
prometheus.io/port: ""
|
||||
{{- end }}
|
||||
kiali.io/dashboards: go,kiali
|
||||
{{- if .Values.deployment.pod_annotations }}
|
||||
{{- toYaml .Values.deployment.pod_annotations | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "kiali-server.fullname" . }}
|
||||
{{- if .Values.deployment.priority_class_name }}
|
||||
priorityClassName: {{ .Values.deployment.priority_class_name | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.image_pull_secrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.deployment.image_pull_secrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- image: "{{ .Values.deployment.image_name }}:{{ .Values.deployment.image_version }}"
|
||||
imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
command:
|
||||
- "/opt/kiali/kiali"
|
||||
- "-config"
|
||||
- "/kiali-configuration/config.yaml"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
ports:
|
||||
- name: api-port
|
||||
containerPort: {{ .Values.server.port | default 20001 }}
|
||||
{{- if .Values.server.metrics_enabled }}
|
||||
- name: http-metrics
|
||||
containerPort: {{ .Values.server.metrics_port | default 9090 }}
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
|
||||
port: api-port
|
||||
{{- if (include "kiali-server.identity.cert_file" .) }}
|
||||
scheme: HTTPS
|
||||
{{- else }}
|
||||
scheme: HTTP
|
||||
{{- end }}
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 30
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
|
||||
port: api-port
|
||||
{{- if (include "kiali-server.identity.cert_file" .) }}
|
||||
scheme: HTTPS
|
||||
{{- else }}
|
||||
scheme: HTTP
|
||||
{{- end }}
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 30
|
||||
env:
|
||||
- name: ACTIVE_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: LOG_LEVEL
|
||||
value: "{{ include "kiali-server.logLevel" . }}"
|
||||
- name: LOG_FORMAT
|
||||
value: "{{ .Values.deployment.logger.log_format }}"
|
||||
- name: LOG_TIME_FIELD_FORMAT
|
||||
value: "{{ .Values.deployment.logger.time_field_format }}"
|
||||
- name: LOG_SAMPLER_RATE
|
||||
value: "{{ .Values.deployment.logger.sampler_rate }}"
|
||||
volumeMounts:
|
||||
- name: {{ include "kiali-server.fullname" . }}-configuration
|
||||
mountPath: "/kiali-configuration"
|
||||
- name: {{ include "kiali-server.fullname" . }}-cert
|
||||
mountPath: "/kiali-cert"
|
||||
- name: {{ include "kiali-server.fullname" . }}-secret
|
||||
mountPath: "/kiali-secret"
|
||||
- name: {{ include "kiali-server.fullname" . }}-cabundle
|
||||
mountPath: "/kiali-cabundle"
|
||||
{{- if .Values.deployment.resources }}
|
||||
resources:
|
||||
{{- toYaml .Values.deployment.resources | nindent 10 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: {{ include "kiali-server.fullname" . }}-configuration
|
||||
configMap:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
- name: {{ include "kiali-server.fullname" . }}-cert
|
||||
secret:
|
||||
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
|
||||
secretName: {{ include "kiali-server.fullname" . }}-cert-secret
|
||||
{{- else }}
|
||||
secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
|
||||
{{- end }}
|
||||
{{- if not (include "kiali-server.identity.cert_file" .) }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: {{ include "kiali-server.fullname" . }}-secret
|
||||
secret:
|
||||
secretName: {{ .Values.deployment.secret_name }}
|
||||
optional: true
|
||||
- name: {{ include "kiali-server.fullname" . }}-cabundle
|
||||
configMap:
|
||||
name: {{ include "kiali-server.fullname" . }}-cabundle
|
||||
{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }}
|
||||
affinity:
|
||||
{{- if .Values.deployment.affinity.node }}
|
||||
nodeAffinity:
|
||||
{{- toYaml .Values.deployment.affinity.node | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.affinity.pod }}
|
||||
podAffinity:
|
||||
{{- toYaml .Values.deployment.affinity.pod | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.affinity.pod_anti }}
|
||||
podAntiAffinity:
|
||||
{{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml .Values.deployment.tolerations | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.node_selector }}
|
||||
nodeSelector:
|
||||
{{- toYaml .Values.deployment.node_selector | nindent 8 }}
|
||||
{{- end }}
|
||||
...
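Review bot: The container `securityContext:` block sets `runAsNonRoot`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation: false` but never drops Linux capabilities, so the process keeps the runtime's default bounding set and the pod would still be rejected by a `restricted` Pod Security profile. Add `capabilities:` / `  drop: ["ALL"]` alongside the existing keys. A `seccompProfile: { type: RuntimeDefault }` would normally go here too, but the chart declares `kubeVersion: ">= 1.18.0"` and that field only became GA in 1.19, so confirm the supported floor before adding it. The `-cert` volume's non-OpenShift fallback, `istio.<name>-service-account`, is the naming scheme of the legacy Citadel-managed secrets, which an Istio 1.11 control plane does not appear to create; it is marked `optional` when no cert file is configured, so it is harmless today, but a comment saying the TLS identity path on plain Kubernetes relies on the operator providing that secret would save the next reader a search.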
|
17
charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
{{- if .Values.deployment.hpa.spec }}
|
||||
---
|
||||
apiVersion: {{ .Values.deployment.hpa.api_version }}
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
{{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
|
||||
...
|
||||
{{- end }}
|
@ -0,0 +1,56 @@
|
||||
{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
|
||||
{{- if .Values.deployment.ingress_enabled }}
|
||||
---
|
||||
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
{{- else }}
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
{{- end }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}
|
||||
{{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
|
||||
{{- else }}
|
||||
# For ingress-nginx versions older than 0.20.0 use secure-backends.
|
||||
# (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948)
|
||||
# For ingress-nginx versions 0.20.0 and later use backend-protocol.
|
||||
{{- if (include "kiali-server.identity.cert_file" .) }}
|
||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
{{- else }}
|
||||
nginx.ingress.kubernetes.io/secure-backends: "false"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
|
||||
{{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
|
||||
{{- else }}
|
||||
rules:
|
||||
- http:
|
||||
paths:
|
||||
- path: {{ include "kiali-server.server.web_root" . }}
|
||||
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
port:
|
||||
number: {{ .Values.server.port }}
|
||||
{{- else }}
|
||||
backend:
|
||||
serviceName: {{ include "kiali-server.fullname" . }}
|
||||
servicePort: {{ .Values.server.port }}
|
||||
{{- end }}
|
||||
{{- if not (empty .Values.server.web_fqdn) }}
|
||||
host: {{ .Values.server.web_fqdn }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
...
|
||||
{{- end }}
|
||||
{{- end }}
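Review bot: With the default `spec`, the single rule at `- http:` carries no `host` when `server.web_fqdn` is empty and there is no `tls:` section at all, so the Kiali UI is published on every hostname the ingress controller answers for, over plain HTTP between client and ingress — and `deployment.ingress_enabled` defaults to `true` in this chart's values.yaml. Whether that is actually reachable depends on the umbrella chart's values, which are not visible in this commit. Either default `ingress_enabled` to `false` here, or add a comment above the rule such as `# no host/tls by default: set server.web_fqdn and a TLS block via deployment.override_ingress_yaml.spec before exposing this` so the exposure is a deliberate choice.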
|
@ -0,0 +1,17 @@
|
||||
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
|
||||
{{- if .Values.kiali_route_url }}
|
||||
---
|
||||
apiVersion: oauth.openshift.io/v1
|
||||
kind: OAuthClient
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
redirectURIs:
|
||||
- {{ .Values.kiali_route_url }}
|
||||
grantMethod: auto
|
||||
allowAnyScope: true
|
||||
...
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,15 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}-controlplane
|
||||
namespace: {{ include "kiali-server.istio_namespace" . }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- list
|
||||
...
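Review bot: The `list` verb on `secrets` returns full objects including `data`, so this Role gives the Kiali service account read access to the contents of every Secret in the Istio control-plane namespace, which typically holds the mesh CA key material, even though `get` is deliberately not granted. RBAC cannot narrow `list` with `resourceNames`, so the scope cannot be reduced without changing how Kiali reads certificate information. Add a comment above the rule, e.g. `# NOTE: 'list' on secrets exposes their contents - grants read of every Secret in the Istio namespace`, so operators installing into a shared control-plane namespace weigh it consciously.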
|
@ -0,0 +1,89 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}-viewer
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
- endpoints
|
||||
- pods/log
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- namespaces
|
||||
- pods
|
||||
- replicationcontrollers
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods/portforward
|
||||
verbs:
|
||||
- create
|
||||
- post
|
||||
- apiGroups: ["extensions", "apps"]
|
||||
resources:
|
||||
- daemonsets
|
||||
- deployments
|
||||
- replicasets
|
||||
- statefulsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: ["batch"]
|
||||
resources:
|
||||
- cronjobs
|
||||
- jobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- networking.istio.io
|
||||
- security.istio.io
|
||||
resources: ["*"]
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: ["apps.openshift.io"]
|
||||
resources:
|
||||
- deploymentconfigs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: ["project.openshift.io"]
|
||||
resources:
|
||||
- projects
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources:
|
||||
- routes
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: ["iter8.tools"]
|
||||
resources:
|
||||
- experiments
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
...
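Review bot: A role named `-viewer` still grants `create` on `pods/portforward` cluster-wide (the rule starting at `- pods/portforward`), which is not a read permission: it lets the Kiali service account open a TCP tunnel to any port of any pod in the cluster and bypass NetworkPolicy. If view-only Kiali does not use port-forwarding, drop that rule from this ClusterRole; if it does, add a comment stating why a viewer needs it. The verb `post` in the same rule is not a Kubernetes API verb and is inert, so remove it rather than leave the impression it adds anything.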
|
@ -0,0 +1,99 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
- endpoints
|
||||
- pods/log
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- namespaces
|
||||
- pods
|
||||
- replicationcontrollers
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- patch
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods/portforward
|
||||
verbs:
|
||||
- create
|
||||
- post
|
||||
- apiGroups: ["extensions", "apps"]
|
||||
resources:
|
||||
- daemonsets
|
||||
- deployments
|
||||
- replicasets
|
||||
- statefulsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- patch
|
||||
- apiGroups: ["batch"]
|
||||
resources:
|
||||
- cronjobs
|
||||
- jobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- patch
|
||||
- apiGroups:
|
||||
- networking.istio.io
|
||||
- security.istio.io
|
||||
resources: ["*"]
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- apiGroups: ["apps.openshift.io"]
|
||||
resources:
|
||||
- deploymentconfigs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- patch
|
||||
- apiGroups: ["project.openshift.io"]
|
||||
resources:
|
||||
- projects
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources:
|
||||
- routes
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups: ["iter8.tools"]
|
||||
resources:
|
||||
- experiments
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- create
|
||||
- delete
|
||||
- patch
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
...
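Review bot: This ClusterRole is bound whenever `deployment.view_only_mode` is false — the default in values.yaml — and it grants `create`, `delete` and `patch` on every resource under `networking.istio.io` and `security.istio.io` cluster-wide, plus `patch` on pods, services and workloads. Anyone who can authenticate to the Kiali UI therefore acts with an identity that can rewrite mesh-wide AuthorizationPolicy, PeerAuthentication and routing, which is admin-equivalent for the mesh. Consider making the umbrella default `view_only_mode: true` with the editable role as explicit opt-in, and add a header comment here such as `# WARNING: write access to all Istio networking/security resources in every namespace; requires a non-anonymous auth strategy`.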
|
@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}-controlplane
|
||||
namespace: {{ include "kiali-server.istio_namespace" . }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "kiali-server.fullname" . }}-controlplane
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
...
|
@ -0,0 +1,20 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
{{- if .Values.deployment.view_only_mode }}
|
||||
name: {{ include "kiali-server.fullname" . }}-viewer
|
||||
{{- else }}
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
{{- end }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
...
|
@ -0,0 +1,30 @@
|
||||
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
|
||||
{{- if .Values.deployment.ingress_enabled }}
|
||||
# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
|
||||
---
|
||||
apiVersion: route.openshift.io/v1
|
||||
kind: Route
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}
|
||||
annotations:
|
||||
{{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
|
||||
{{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
|
||||
{{- else }}
|
||||
tls:
|
||||
termination: reencrypt
|
||||
insecureEdgeTerminationPolicy: Redirect
|
||||
to:
|
||||
kind: Service
|
||||
targetPort: {{ .Values.server.port }}
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
{{- end }}
|
||||
...
|
||||
{{- end }}
|
||||
{{- end }}
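Review bot: The action `{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}` has three closing braces; the template action ends at the first `}}` and the extra `}` is emitted as text inside the `if` body, so on OpenShift any `override_ingress_yaml.metadata.annotations` value renders a stray `}` glued to the preceding labels line and the Route fails to parse. Change it to `{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}`, matching the identical check in ingress.yaml. The defaults below it (`termination: reencrypt`, `insecureEdgeTerminationPolicy: Redirect`) are the right secure choice and should stay.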
|
@ -0,0 +1,45 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
|
||||
service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
|
||||
{{- end }}
|
||||
{{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
|
||||
{{- if empty .Values.server.web_port }}
|
||||
kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ default "" .Values.server.web_root }}
|
||||
{{- else }}
|
||||
kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{(default "" .Values.server.web_root) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.deployment.service_annotations }}
|
||||
{{- toYaml .Values.deployment.service_annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.deployment.service_type }}
|
||||
type: {{ .Values.deployment.service_type }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- if (include "kiali-server.identity.cert_file" .) }}
|
||||
- name: tcp
|
||||
{{- else }}
|
||||
- name: http
|
||||
{{- end }}
|
||||
protocol: TCP
|
||||
port: {{ .Values.server.port }}
|
||||
{{- if .Values.server.metrics_enabled }}
|
||||
- name: http-metrics
|
||||
protocol: TCP
|
||||
port: {{ .Values.server.metrics_port }}
|
||||
{{- end }}
|
||||
selector:
|
||||
{{- include "kiali-server.selectorLabels" . | nindent 4 }}
|
||||
{{- if .Values.deployment.additional_service_yaml }}
|
||||
{{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }}
|
||||
{{- end }}
|
||||
...
|
@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "kiali-server.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kiali-server.labels" . | nindent 4 }}
|
||||
...
|
82
charts/kubezero-istio/charts/kiali-server/values.yaml
Normal file
@ -0,0 +1,82 @@
|
||||
# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
|
||||
# This is only supported for backward compatibility and will be removed in a future version.
|
||||
# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
|
||||
# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
|
||||
# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
|
||||
fullnameOverride: "kiali"
|
||||
|
||||
# This is required for "openshift" auth strategy.
|
||||
# You have to know ahead of time what your Route URL will be because
|
||||
# right now the helm chart can't figure this out at runtime (it would
|
||||
# need to wait for the Kiali Route to be deployed and for OpenShift
|
||||
# to start it up). If someone knows how to update this helm chart to
|
||||
# do this, a PR would be welcome.
|
||||
kiali_route_url: ""
|
||||
|
||||
#
|
||||
# Settings that mimic the Kiali CR which are placed in the ConfigMap.
|
||||
# Note that only those values used by the Helm Chart will be here.
|
||||
#
|
||||
|
||||
istio_namespace: "" # default is where Kiali is installed
|
||||
|
||||
auth:
|
||||
openid: {}
|
||||
openshift: {}
|
||||
strategy: ""
|
||||
|
||||
deployment:
|
||||
# This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
|
||||
# For more control over what the Kial Service Account can see, use the Kiali Operator
|
||||
accessible_namespaces:
|
||||
- "**"
|
||||
additional_service_yaml: {}
|
||||
affinity:
|
||||
node: {}
|
||||
pod: {}
|
||||
pod_anti: {}
|
||||
hpa:
|
||||
api_version: "autoscaling/v2beta2"
|
||||
spec: {}
|
||||
image_name: quay.io/kiali/kiali
|
||||
image_pull_policy: "Always"
|
||||
image_pull_secrets: []
|
||||
image_version: v1.38.1
|
||||
ingress_enabled: true
|
||||
instance_name: "kiali"
|
||||
logger:
|
||||
log_format: "text"
|
||||
log_level: "info"
|
||||
time_field_format: "2006-01-02T15:04:05Z07:00"
|
||||
sampler_rate: "1"
|
||||
node_selector: {}
|
||||
override_ingress_yaml:
|
||||
metadata: {}
|
||||
pod_annotations: {}
|
||||
pod_labels: {}
|
||||
priority_class_name: ""
|
||||
replicas: 1
|
||||
resources: {}
|
||||
secret_name: "kiali"
|
||||
service_annotations: {}
|
||||
service_type: ""
|
||||
tolerations: []
|
||||
version_label: v1.38.1
|
||||
view_only_mode: false
|
||||
|
||||
external_services:
|
||||
custom_dashboards:
|
||||
enabled: true
|
||||
|
||||
identity: {}
|
||||
#cert_file:
|
||||
#private_key_file:
|
||||
|
||||
login_token:
|
||||
signing_key: ""
|
||||
|
||||
server:
|
||||
port: 20001
|
||||
metrics_enabled: true
|
||||
metrics_port: 9090
|
||||
web_root: ""
|
@ -4,18 +4,18 @@ folder: Istio
|
||||
condition: 'index .Values "istio-discovery" "telemetry" "enabled"'
|
||||
dashboards:
|
||||
- name: istio-control-plane
|
||||
url: https://grafana.com/api/dashboards/7645/revisions/60/download
|
||||
url: https://grafana.com/api/dashboards/7645/revisions/82/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-mesh
|
||||
url: https://grafana.com/api/dashboards/7639/revisions/60/download
|
||||
url: https://grafana.com/api/dashboards/7639/revisions/82/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-service
|
||||
url: https://grafana.com/api/dashboards/7636/revisions/60/download
|
||||
url: https://grafana.com/api/dashboards/7636/revisions/82/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-workload
|
||||
url: https://grafana.com/api/dashboards/7630/revisions/60/download
|
||||
url: https://grafana.com/api/dashboards/7630/revisions/82/download
|
||||
tags:
|
||||
- Istio
|
||||
|
18
charts/kubezero-istio/templates/kiali/istio-service.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
{{- if (index .Values "kiali-server" "istio" "enabled") }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: {{ .Release.Name }}-kiali
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
hosts:
|
||||
- {{ index .Values "kiali-server" "istio" "url" }}
|
||||
gateways:
|
||||
- {{ index .Values "kiali-server" "istio" "gateway" }}
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: kiali
|
||||
{{- end }}
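Review bot: The route destination `host: kiali` names no port, but the kiali-server Service added in this commit exposes two ports whenever `server.metrics_enabled` is true (the default), and Istio requires an explicit `port` on a destination whose Service has more than one port — otherwise the route is rejected or ambiguous, and landing on the metrics port would publish Prometheus metrics through the public gateway. Add `port:` / `  number: 20001` under the destination, or template it from the kiali-server `server.port` value. The `{{ include "kubezero-lib.labels" . | indent 4 }}` line also appears indented in the template itself; if that indentation is real, the first rendered label line gets eight spaces and the document is invalid — the `{{- include ... | nindent 4 }}` form used by the other new templates avoids this.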
|
@ -0,0 +1,106 @@
|
||||
{{- if .Values.rateLimiting.enabled }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ratelimit-statsd-exporter-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
data:
|
||||
config.yaml: |
|
||||
defaults:
|
||||
ttl: 1m # Resets the metrics every minute
|
||||
mappings:
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.near_limit"
|
||||
name: "ratelimit_service_rate_limit_near_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.over_limit"
|
||||
name: "ratelimit_service_rate_limit_over_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.total_hits"
|
||||
name: "ratelimit_service_rate_limit_total_hits"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.within_limit"
|
||||
name: "ratelimit_service_rate_limit_within_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.*.near_limit"
|
||||
name: "ratelimit_service_rate_limit_near_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
key2: "$3"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.*.over_limit"
|
||||
name: "ratelimit_service_rate_limit_over_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
key2: "$3"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.*.total_hits"
|
||||
name: "ratelimit_service_rate_limit_total_hits"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
key2: "$3"
|
||||
- match:
|
||||
"ratelimit.service.rate_limit.*.*.*.within_limit"
|
||||
name: "ratelimit_service_rate_limit_within_limit"
|
||||
timer_type: "histogram"
|
||||
labels:
|
||||
domain: "$1"
|
||||
key1: "$2"
|
||||
key2: "$3"
|
||||
- match:
|
||||
"ratelimit.service.call.should_rate_limit.*"
|
||||
name: "ratelimit_service_should_rate_limit_error"
|
||||
match_metric_type: counter
|
||||
labels:
|
||||
err_type: "$1"
|
||||
- match:
|
||||
"ratelimit_server.*.total_requests"
|
||||
name: "ratelimit_service_total_requests"
|
||||
match_metric_type: counter
|
||||
labels:
|
||||
grpc_method: "$1"
|
||||
- match:
|
||||
"ratelimit_server.*.response_time"
|
||||
name: "ratelimit_service_response_time_seconds"
|
||||
timer_type: histogram
|
||||
labels:
|
||||
grpc_method: "$1"
|
||||
- match:
|
||||
"ratelimit.service.config_load_success"
|
||||
name: "ratelimit_service_config_load_success"
|
||||
match_metric_type: counter
|
||||
ttl: 3m
|
||||
- match:
|
||||
"ratelimit.service.config_load_error"
|
||||
name: "ratelimit_service_config_load_error"
|
||||
match_metric_type: counter
|
||||
ttl: 3m
|
||||
- match: "."
|
||||
match_type: "regex"
|
||||
action: "drop"
|
||||
name: "dropped"
|
||||
{{- end }}
|
19
charts/kubezero-istio/templates/ratelimit/config.yaml
Normal file
@ -0,0 +1,19 @@
|
||||
{{- if .Values.rateLimiting.enabled }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ratelimit-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
data:
|
||||
ingress.yaml: |
|
||||
domain: ingress
|
||||
descriptors:
|
||||
{{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }}
|
||||
|
||||
private-ingress.yaml: |
|
||||
domain: private-ingress
|
||||
descriptors:
|
||||
{{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }}
|
||||
{{- end }}
|
@ -0,0 +1,116 @@
|
||||
{{- if .Values.rateLimiting.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-ratelimit
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.filters.http.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: envoy.filters.http.ratelimit
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
|
||||
domain: ingress
|
||||
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
|
||||
timeout: 0.5s
|
||||
rate_limit_service:
|
||||
grpc_service:
|
||||
envoy_grpc:
|
||||
cluster_name: rate_limit_cluster
|
||||
transport_api_version: V3
|
||||
- applyTo: CLUSTER
|
||||
match:
|
||||
cluster:
|
||||
service: ratelimit.default.svc.cluster.local
|
||||
patch:
|
||||
operation: ADD
|
||||
value:
|
||||
name: rate_limit_cluster
|
||||
type: STRICT_DNS
|
||||
connect_timeout: 0.5s
|
||||
lb_policy: ROUND_ROBIN
|
||||
http2_protocol_options: {}
|
||||
load_assignment:
|
||||
cluster_name: rate_limit_cluster
|
||||
endpoints:
|
||||
- lb_endpoints:
|
||||
- endpoint:
|
||||
address:
|
||||
socket_address:
|
||||
address: ratelimit.istio-system
|
||||
port_value: 8081
|
||||
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: private-ingressgateway-ratelimit
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: private-ingressgateway
|
||||
configPatches:
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.filters.http.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: envoy.filters.http.ratelimit
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
|
||||
domain: private-ingress
|
||||
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
|
||||
timeout: 0.5s
|
||||
rate_limit_service:
|
||||
grpc_service:
|
||||
envoy_grpc:
|
||||
cluster_name: rate_limit_cluster
|
||||
transport_api_version: V3
|
||||
- applyTo: CLUSTER
|
||||
match:
|
||||
cluster:
|
||||
service: ratelimit.default.svc.cluster.local
|
||||
patch:
|
||||
operation: ADD
|
||||
value:
|
||||
name: rate_limit_cluster
|
||||
type: STRICT_DNS
|
||||
connect_timeout: 0.5s
|
||||
lb_policy: ROUND_ROBIN
|
||||
http2_protocol_options: {}
|
||||
load_assignment:
|
||||
cluster_name: rate_limit_cluster
|
||||
endpoints:
|
||||
- lb_endpoints:
|
||||
- endpoint:
|
||||
address:
|
||||
socket_address:
|
||||
address: ratelimit.istio-system
|
||||
port_value: 8081
|
||||
{{- end }}
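Review bot: Both CLUSTER patches hard-code the upstream as `address: ratelimit.istio-system`, while the ratelimit Service and ConfigMaps in this commit are created in `{{ .Release.Namespace }}`; released into any other namespace the gateway resolves nothing, and since `failure_mode_deny` is templated from a value whose default is not visible here, a fail-open setting would silently turn rate limiting off rather than fail loudly. Use `address: ratelimit.{{ .Release.Namespace }}.svc.cluster.local` and consider `failure_mode_deny: true` as the default for an abuse-protection control, with the availability trade-off documented beside it. The `match.cluster.service: ratelimit.default.svc.cluster.local` on an `ADD` operation looks copied from the Istio example and matches nothing deployed here; drop the match or align it with the real FQDN. Note also that the gRPC call to the rate limit service is plaintext, so unless the ratelimit pod is sidecar-injected, descriptors and limit decisions travel unencrypted on the pod network.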
|
@ -0,0 +1,154 @@
|
||||
{{- if .Values.rateLimiting.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: ratelimit-redis
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: ratelimit-redis
|
||||
spec:
|
||||
ports:
|
||||
- name: redis
|
||||
port: 6379
|
||||
selector:
|
||||
app: ratelimit-redis
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: ratelimit-redis
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ratelimit-redis
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ratelimit-redis
|
||||
spec:
|
||||
containers:
|
||||
- image: redis:6-alpine
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: redis
|
||||
ports:
|
||||
- name: redis
|
||||
containerPort: 6379
|
||||
restartPolicy: Always
|
||||
serviceAccountName: ""
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: ratelimit
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: ratelimit
|
||||
spec:
|
||||
ports:
|
||||
#- name: http-port
|
||||
# port: 8080
|
||||
# targetPort: 8080
|
||||
# protocol: TCP
|
||||
- name: grpc-port
|
||||
port: 8081
|
||||
targetPort: 8081
|
||||
protocol: TCP
|
||||
#- name: http-debug
|
||||
# port: 6070
|
||||
# targetPort: 6070
|
||||
# protocol: TCP
|
||||
- name: http-monitoring
|
||||
port: 9102
|
||||
targetPort: 9102
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: ratelimit
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: ratelimit
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ratelimit
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
metadata:
labels:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:b42701cb # 2021/08/12
imagePullPolicy: IfNotPresent
name: ratelimit
command: ["/bin/ratelimit"]
env:
- name: LOG_LEVEL
value: {{ default "WARN" .Values.rateLimiting.log.level }}
- name: LOG_FORMAT
value: {{ default "text" .Values.rateLimiting.log.format }}
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: ratelimit-redis:6379
- name: USE_STATSD
value: "true"
- name: STATSD_HOST
value: "localhost"
- name: STATSD_PORT
value: "9125"
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
value: ratelimit
- name: RUNTIME_WATCH_ROOT
value: "false"
- name: RUNTIME_IGNOREDOTFILES
value: "true"
- name: LOCAL_CACHE_SIZE_IN_BYTES
value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}"
ports:
#- containerPort: 8080
- containerPort: 8081
#- containerPort: 6070
volumeMounts:
- name: ratelimit-config
mountPath: /data/ratelimit/config
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 1
memory: 256Mi
- name: statsd-exporter
image: docker.io/prom/statsd-exporter:v0.21.0
imagePullPolicy: Always
args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
ports:
- containerPort: 9125
# - containerPort: 9102
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 200m
memory: 64Mi
volumeMounts:
- name: statsd-exporter-config
mountPath: /etc/statsd-exporter
volumes:
- name: ratelimit-config
configMap:
name: ratelimit-config
- name: statsd-exporter-config
configMap:
name: ratelimit-statsd-exporter-config
{{- end }}
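Review bot: The `ratelimit` Service is created in `{{ .Release.Namespace }}`, but the Envoy cluster at the top of this page points at `address: ratelimit.istio-system`, so installing the chart into any other namespace leaves the gateway unable to resolve the rate limit service; `address: ratelimit.{{ .Release.Namespace }}` in that template keeps the two in step. The `ratelimit-redis` Service exposes Redis on 6379 with no password and this commit adds no NetworkPolicy, so any pod that can reach the Service can read or alter the rate-limit counters; a NetworkPolicy admitting only `app: ratelimit`, or `REDIS_AUTH` fed from a Secret, would contain that. Neither pod talks to the API server, so `automountServiceAccountToken: false` on both pod specs is a cheap least-privilege gain, and the redis container is the only one without a `resources` block. `image: redis:6-alpine` is a floating tag next to two pinned images; pinning it (tag plus digest) matches the rest of the Deployment.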
@ -0,0 +1,17 @@
{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: istio-rate-limiting
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
jobLabel: istio
targetLabels: [app]
selector:
matchExpressions:
- {key: app, operator: In, values: [ratelimit]}
endpoints:
- port: http-monitoring
{{- end }}
@ -5,7 +5,7 @@ metadata:
name: istio-component-monitor
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
jobLabel: istio
targetLabels: [app]
@ -4,7 +4,8 @@ set -ex
### TODO
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
export ISTIO_VERSION=1.10.3
export ISTIO_VERSION=1.11.1
export KIALI_VERSION=1.38.1
rm -rf istio
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
@ -12,8 +13,11 @@ mv istio-${ISTIO_VERSION} istio
# remove unused old telemetry filters
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
# Patch
#exit 0
#diff -tubr istio istio.zdt/
patch -p0 -i zdt.patch --no-backup-if-mismatch
### Create kubezero istio charts
@ -38,3 +42,7 @@ sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio
# Fetch dashboards from Grafana.com and update ZDT CM
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
# Kiali
rm -rf charts/kiali-server
curl -sL https://github.com/kiali/helm-charts/blob/master/docs/kiali-server-${KIALI_VERSION}.tgz?raw=true | tar xz -C charts
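Review bot: Both `curl -sL ... | tar xz` pipelines in this file extract whatever the download returns without any integrity check, and this one fetches through `blob/master/...?raw=true`, so the archive is whatever that branch holds at run time rather than a tagged release; the Istio download in the first hunk has the same gap, and Istio publishes a `.sha256` next to each release tarball that `sha256sum -c` could verify before `tar xz`. Without `-f`, curl exits 0 on an HTTP error and pipes the error body into tar, and the `set -ex` at the top of the script carries no `pipefail`, so only tar's exit status is seen; `curl -fsSL` together with `set -exo pipefail` makes a failed fetch stop the script. The `#exit 0` / `#diff -tubr istio istio.zdt/` lines in the middle hunk read as leftover debugging and would be clearer as a one-line comment describing how `zdt.patch` is regenerated.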
@ -1,6 +1,6 @@
global:
# hub: docker.io/istio
# tag: 1.10.2
# tag: 1.11.0
logAsJson: true
@ -39,3 +39,56 @@ istio-discovery:
tcpKeepalive:
interval: 60s
time: 120s
kiali-server:
enabled: false
auth:
strategy: anonymous
deployment:
ingress_enabled: false
view_only_mode: true
server:
metrics_enabled: false
external_services:
custom_dashboards:
enabled: false
prometheus:
url: "http://metrics-kube-prometheus-st-prometheus.monitoring:9090"
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
#url: "kiali.example.com"
rateLimiting:
enabled: true
log:
level: warn
format: json
# 1MB local cache for already reached limits to reduce calls to Redis
localCacheSize: 1048576
# Wether to block requests if ratelimiting is down
failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP
descriptors:
ingress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
privateIngress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
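Review bot: `rateLimiting.enabled: true` switches the 10 req/s `remote_address` descriptor on by default for both gateways; where the gateway sits behind a load balancer that does not preserve the client address (nothing in this chunk shows proxy-protocol or forwarded-header handling, so this is an assumption to confirm), `remote_address` is the balancer's IP and every client shares a single bucket, so a default of `enabled: false` or a comment on the descriptors naming that prerequisite would avoid a self-inflicted outage. `kiali-server.auth.strategy: anonymous` grants unauthenticated access to Kiali as soon as `deployment.ingress_enabled` is set to true, which deserves a comment on the key so that operators exposing it choose another strategy first. The comment above `failureModeDeny` has a typo: `# Whether to block requests if ratelimiting is down`.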
@ -1,7 +1,27 @@
diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-20 12:20:04.401862116 +0200
@@ -17,6 +17,8 @@
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
--- istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-08-10 15:49:57.298616463 +0200
@@ -21,11 +21,16 @@
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
+ {{- if eq $val "Exists" }}
+ - key: {{ $key }}
+ operator: Exists
+ {{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
+ {{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200
@@ -16,6 +16,8 @@
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
@ -10,7 +30,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
{{- end }}
selector:
matchLabels:
@@ -69,6 +71,7 @@
@@ -65,6 +67,7 @@
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
@ -18,7 +38,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
@@ -140,6 +143,11 @@
@@ -136,6 +139,11 @@
privileged: false
readOnlyRootFilesystem: true
{{- end }}
@ -30,9 +50,24 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
readinessProbe:
failureThreshold: 30
httpGet:
diff -turN istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200
+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-19 21:55:45.461749267 +0200
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/service.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-08-10 19:58:01.037876557 +0200
@@ -34,9 +34,11 @@
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
+ {{- end }}
{{ range $app := $gateway.ingressPorts }}
-
diff -tubr istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200
@@ -60,6 +60,11 @@
{{- end }}
securityContext:
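Review bot: The new `has $pkey (list "name" "nodePort" "port" "targetPort")` guard in the service.yaml part of this patch drops every other key of a gateway port, including `protocol` and `appProtocol`, so a port declared with `protocol: UDP` in values renders as a TCP Service port with no warning. If leaving those keys out is intentional, a comment in the patch saying which keys are deliberately excluded and why (or adding `"protocol"` to the list) makes the behaviour visible to the next values edit. The enclosing `range` over `$gateway.ports` starts above this hunk and the istio-discovery deployment hunk at the end is cut off by the page.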