First try adding argoCD day 2
This commit is contained in:
parent
35b1570d18
commit
cd24b9fa1a
@ -1,6 +1,6 @@
|
||||
# kubezero-argo-cd
|
||||
|
||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
|
||||
![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
|
||||
|
||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
|
||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.17.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 |
|
||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
|
||||
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
||||
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
||||
| argo-cd.dex.enabled | bool | `false` | |
|
||||
| argo-cd.global.image.tag | string | `"v1.7.8"` | |
|
||||
| argo-cd.global.image.tag | string | `"v1.7.10"` | |
|
||||
| argo-cd.installCRDs | bool | `false` | |
|
||||
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||
| argo-cd.istio.ipBlocks | list | `[]` | |
|
||||
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
||||
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
||||
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
||||
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
||||
@ -53,8 +48,10 @@ Kubernetes: `>= 1.17.0`
|
||||
| argo-cd.server.metrics.enabled | bool | `false` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
||||
| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||
| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||
| istio.ipBlocks | list | `[]` | |
|
||||
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
|
||||
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
||||
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
||||
|
@ -1,26 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kubezero
|
||||
namespace: argocd
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
project: kubezero
|
||||
source:
|
||||
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
|
||||
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
|
||||
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
|
||||
|
||||
helm:
|
||||
values: |
|
||||
{{- toYaml .Values.kubezero | nindent 8 }}
|
||||
|
||||
destination:
|
||||
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
||||
namespace: argocd
|
||||
|
||||
{{- if .Values.kubezero.global.syncPolicy }}
|
||||
syncPolicy:
|
||||
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
|
||||
{{- end }}
|
@ -1,5 +1,5 @@
|
||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
||||
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||
{{- if .Values.istio.enabled }}
|
||||
{{- if .Values.istio.ipBlocks }}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
@ -16,7 +16,7 @@ spec:
|
||||
- from:
|
||||
- source:
|
||||
notIpBlocks:
|
||||
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||
{{- with .Values.istio.ipBlocks }}
|
||||
{{- . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
to:
|
||||
|
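Review bot: With the new guard `{{- if .Values.istio.ipBlocks }}` the whole AuthorizationPolicy is skipped whenever `ipBlocks` is left at its default `[]`, while the VirtualService in this same commit is rendered on `istio.enabled` alone, so enabling Istio with defaults exposes the ArgoCD UI/API through the gateway with no source-IP restriction at all. That may be intended, but nothing in values.yaml says so; a comment on the moved key would make the trade-off visible: `# istio.ipBlocks -- Source IP ranges allowed to reach ArgoCD; if empty, no AuthorizationPolicy is rendered and the VirtualService is reachable from any source`. The policy's `action` and the rest of the spec sit outside the hunk, so whether `notIpBlocks` here forms a deny rule or an allow-list cannot be confirmed from this page.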
@ -1,4 +1,4 @@
|
||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
||||
{{- if .Values.istio.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
@ -7,7 +7,7 @@ metadata:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
gateways:
|
||||
- {{ index .Values "argo-cd" "istio" "gateway" }}
|
||||
- {{ .Values.istio.gateway }}
|
||||
hosts:
|
||||
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
||||
http:
|
||||
@ -18,13 +18,13 @@ spec:
|
||||
prefix: argocd-client
|
||||
route:
|
||||
- destination:
|
||||
host: {{ .Release.Name }}-argocd-server
|
||||
host: argocd-server
|
||||
port:
|
||||
number: 443
|
||||
- name: http
|
||||
route:
|
||||
- destination:
|
||||
host: {{ .Release.Name }}-argocd-server
|
||||
host: argocd-server
|
||||
port:
|
||||
number: 80
|
||||
{{- end }}
|
||||
|
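Review bot: The destination `host: argocd-server` on both routes drops the `{{ .Release.Name }}-` prefix and hard-codes the argo-cd subchart's server Service name, so the VirtualService only routes if that subchart renders its Service as exactly `argocd-server` (presumably through a name override or a fixed release name that is not part of this commit); with any other release name the gateway would route to a non-existent Service. If that is a deliberate constraint, state it next to the first route: `# must match the Service name rendered by the argo-cd subchart`. Note also that `hosts` still reads `index .Values "argo-cd" "server" "config" "url"` while the gateway now comes from `.Values.istio`, which is consistent since `url` is an ArgoCD server setting, but worth a comment so the split is not mistaken for an oversight.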
@ -44,7 +44,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -62,7 +61,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -105,7 +103,6 @@ argo-cd:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
|
||||
@ -119,9 +116,9 @@ argo-cd:
|
||||
dex:
|
||||
enabled: false
|
||||
|
||||
istio:
|
||||
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||
enabled: false
|
||||
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||
gateway: istio-system/ingressgateway
|
||||
ipBlocks: []
|
||||
istio:
|
||||
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||
enabled: false
|
||||
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||
gateway: istio-ingress/ingressgateway
|
||||
ipBlocks: []
|
||||
|
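Review bot: Moving the `istio` block from under `argo-cd:` to the chart's top level silently breaks existing user values that still set `argo-cd.istio.enabled` / `argo-cd.istio.ipBlocks`: the argo-cd subchart ignores the unknown keys, the templates now read `.Values.istio`, and after an upgrade ArgoCD would no longer be exposed; if an operator migrates only `istio.enabled` but leaves `ipBlocks` under the old key, ArgoCD comes up exposed without the previous IP restriction. The default gateway also changes from `istio-system/ingressgateway` to `istio-ingress/ingressgateway`. A short note at the new block would help operators migrating, e.g. `# istio.* replaces the former argo-cd.istio.* keys as of 0.6.1; values left under argo-cd.istio are ignored`. The three earlier hunks in this file each drop one line that is not shown on this page, so I cannot tell whether they relate.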
@ -3,7 +3,7 @@ name: kubezero-aws-ebs-csi-driver
|
||||
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||
type: application
|
||||
version: 0.3.2
|
||||
appVersion: 0.7.0
|
||||
appVersion: 0.7.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
sources:
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-aws-ebs-csi-driver
|
||||
|
||||
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
|
||||
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
apiVersion: v1
|
||||
appVersion: "0.7.0"
|
||||
appVersion: "0.7.1"
|
||||
name: aws-ebs-csi-driver
|
||||
description: A Helm chart for AWS EBS CSI Driver
|
||||
version: 0.6.0
|
||||
version: 0.6.1
|
||||
kubeVersion: ">=1.13.0-0"
|
||||
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||
sources:
|
||||
|
@ -6,7 +6,7 @@ replicaCount: 2
|
||||
|
||||
image:
|
||||
repository: amazon/aws-ebs-csi-driver
|
||||
tag: "v0.7.0"
|
||||
tag: "v0.7.1"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
sidecars:
|
||||
|
@ -40,10 +40,11 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| cert-manager.enabled | bool | `true` | |
|
||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
||||
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
|
||||
| cert-manager.podAnnotations | object | `{}` | |
|
||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
|
24
charts/kubezero-istio-ingress/Chart.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
apiVersion: v2
|
||||
name: kubezero-istio-ingress
|
||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||
type: application
|
||||
version: 0.1.0
|
||||
appVersion: 1.8.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
- kubezero
|
||||
- istio
|
||||
maintainers:
|
||||
- name: Quarky9
|
||||
dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: istio-ingress
|
||||
version: 1.1.0
|
||||
condition: istio-ingress.enabled
|
||||
- name: istio-private-ingress
|
||||
version: 1.1.0
|
||||
condition: istio-private-ingress.enabled
|
||||
kubeVersion: ">= 1.17.0"
|
96
charts/kubezero-istio-ingress/README.md
Normal file
@ -0,0 +1,96 @@
|
||||
# kubezero-istio-ingress
|
||||
|
||||
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio based Ingress
|
||||
|
||||
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
## Maintainers
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Quarky9 | | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.17.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-ingress | 1.1.0 |
|
||||
| | istio-private-ingress | 1.1.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.hub | string | `"docker.io/istio"` | |
|
||||
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| global.tag | string | `"1.8.0"` | |
|
||||
| istio-ingress.dnsNames | list | `[]` | |
|
||||
| istio-ingress.enabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
| istio-private-ingress.dnsNames | list | `[]` | |
|
||||
| istio-private-ingress.enabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
|
||||
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||
|
||||
## Resources
|
||||
|
||||
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
|
||||
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
|
||||
- https://istio.io/latest/docs/setup/install/standalone-operator/
|
24
charts/kubezero-istio-ingress/README.md.gotmpl
Normal file
@ -0,0 +1,24 @@
|
||||
{{ template "chart.header" . }}
|
||||
{{ template "chart.deprecationWarning" . }}
|
||||
|
||||
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||
|
||||
{{ template "chart.description" . }}
|
||||
|
||||
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
|
||||
|
||||
{{ template "chart.homepageLine" . }}
|
||||
|
||||
{{ template "chart.maintainersSection" . }}
|
||||
|
||||
{{ template "chart.sourcesSection" . }}
|
||||
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
## Resources
|
||||
|
||||
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
|
||||
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
|
||||
- https://istio.io/latest/docs/setup/install/standalone-operator/
|
@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
name: istio-ingress
|
||||
version: 1.1.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
43
charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
Normal file
@ -0,0 +1,43 @@
|
||||
|
||||
Changes:
|
||||
- separate namespace allows:
|
||||
-- easier reconfig of just the gateway
|
||||
-- TLS secrets and domain name management is isolated, for better security
|
||||
-- simplified configuration
|
||||
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||
|
||||
- the new chart uses the default namespace service account, and doesn't require
|
||||
additional RBAC permissions.
|
||||
|
||||
- simplified label and chart structure.
|
||||
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||
and allows a bit more flexibility.
|
||||
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||
|
||||
# Port and basic host configuration
|
||||
|
||||
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||
both in upgrade, Gateway and VirtualService.
|
||||
|
||||
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||
config for the rest.
|
||||
|
||||
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||
|
||||
# Migration from istio-system
|
||||
|
||||
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||
with the Service and bound to the namespace, it is recommended to:
|
||||
|
||||
1. Install the new gateway in a new namespace.
|
||||
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||
4. Modify the DNS server to add the A record of the new namespace
|
||||
5. Check traffic
|
||||
6. Delete the A record corresponding to the gateway in istio-system
|
||||
7. Upgrade istio-system, disabling the ingressgateway
|
||||
8. Delete the domain TLS certs from istio-system.
|
||||
|
||||
If using certmanager, all Certificate and associated configs must be moved as well.
|
112
charts/kubezero-istio-ingress/charts/istio-ingress/README.md
Normal file
@ -0,0 +1,112 @@
|
||||
# istio-ingress
|
||||
|
||||
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||
|
||||
Helm chart for deploying Istio gateways
|
||||
|
||||
## Source Code
|
||||
|
||||
* <http://github.com/istio/istio>
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
|
||||
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
|
||||
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
|
||||
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
|
||||
| gateways.istio-ingressgateway.customService | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
|
||||
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
|
||||
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
|
||||
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
|
||||
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
|
||||
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
|
||||
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
|
||||
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
|
||||
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
|
||||
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
|
||||
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
|
||||
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
|
||||
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
|
||||
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
|
||||
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
|
||||
| global.arch.amd64 | int | `2` | |
|
||||
| global.arch.ppc64le | int | `2` | |
|
||||
| global.arch.s390x | int | `2` | |
|
||||
| global.caAddress | string | `""` | |
|
||||
| global.defaultConfigVisibilitySettings | list | `[]` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
|
||||
| global.defaultResources.requests.cpu | string | `"10m"` | |
|
||||
| global.defaultTolerations | list | `[]` | |
|
||||
| global.hub | string | `"gcr.io/istio-testing"` | |
|
||||
| global.imagePullPolicy | string | `""` | |
|
||||
| global.imagePullSecrets | list | `[]` | |
|
||||
| global.istioNamespace | string | `"istio-system"` | |
|
||||
| global.jwtPolicy | string | `"third-party-jwt"` | |
|
||||
| global.logAsJson | bool | `false` | |
|
||||
| global.logging.level | string | `"default:info"` | |
|
||||
| global.meshExpansion.enabled | bool | `false` | |
|
||||
| global.meshExpansion.useILB | bool | `false` | |
|
||||
| global.meshID | string | `""` | |
|
||||
| global.mountMtlsCerts | bool | `false` | |
|
||||
| global.multiCluster.clusterName | string | `""` | |
|
||||
| global.multiCluster.enabled | bool | `false` | |
|
||||
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
|
||||
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
|
||||
| global.network | string | `""` | |
|
||||
| global.pilotCertProvider | string | `"istiod"` | |
|
||||
| global.priorityClassName | string | `""` | |
|
||||
| global.proxy.clusterDomain | string | `"cluster.local"` | |
|
||||
| global.proxy.componentLogLevel | string | `"misc:error"` | |
|
||||
| global.proxy.enableCoreDump | bool | `false` | |
|
||||
| global.proxy.image | string | `"proxyv2"` | |
|
||||
| global.proxy.logLevel | string | `"warning"` | |
|
||||
| global.sds.token.aud | string | `"istio-ca"` | |
|
||||
| global.sts.servicePort | int | `0` | |
|
||||
| global.tag | string | `"latest"` | |
|
||||
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
|
||||
| meshConfig.defaultConfig.tracing | string | `nil` | |
|
||||
| meshConfig.enablePrometheusMerge | bool | `true` | |
|
||||
| ownerName | string | `""` | |
|
||||
| revision | string | `""` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
@ -0,0 +1,93 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{- define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,27 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
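Review bot: `targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}` near the end of the hunk dereferences `$gateway.cpu` without a guard, so a user override that replaces the gateway block and omits `cpu` fails the whole render instead of falling back; `{{- if $gateway.cpu }}` around the metric, or `{{ $gateway.cpu.targetAverageUtilization | default 80 }}`, keeps the chart usable. `autoscaling/v2beta1` is a beta API that later Kubernetes releases have dropped, so this should move to `autoscaling/v2` (with `target: {type: Utilization, averageUtilization: …}`) once the chart's supported range allows. The labels are spliced with `toYaml | indent 4` here but with `toYaml | trim | indent 4` in the PDB and ServiceAccount templates of this commit; using `trim` consistently avoids an indented blank line in the rendered manifest.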
|
@ -0,0 +1,345 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: {{ .Values.global.network }}
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: gatewaysdsudspath
|
||||
mountPath: /var/run/ingress_gateway
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: gatewaysdsudspath
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
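Review bot: The `enable-core-dump` init container runs `privileged: true` as uid 0 and executes `sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy`; `kernel.core_pattern` is a node-wide kernel setting rather than a per-pod one, so turning on `global.proxy.enableCoreDump` rewrites the core pattern for every process on every node that hosts a gateway, and the resulting Envoy cores (which can contain the TLS private keys the gateway serves) land in the plain `istio-data` emptyDir. A comment above the `{{- if .Values.global.proxy.enableCoreDump }}` branch should make that explicit, e.g. `# DEBUG ONLY: privileged init container changes the host kernel core_pattern and dumps Envoy memory (incl. TLS keys) into the pod's emptyDir - keep disabled in production`. Separately, the `{{- range $key, $val := $gateway.env }}` loop renders `value: {{ $val }}` unquoted while the `proxyMetadata` loop right below quotes its values, so an override such as `FOO: "true"` or `BAR: 1` renders as a YAML bool/int and the API server rejects the env entry; `value: {{ $val | quote }}` is the safe form. The `additionalContainers` block is inserted verbatim with no securityContext defaults, so anything added there silently bypasses the non-root, drop-ALL, read-only-rootfs hardening applied to `istio-proxy` - worth a one-line comment at that spot.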
|
@ -0,0 +1,79 @@
|
||||
{{- if .Values.global.meshExpansion.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: meshexpansion-gateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 15012
|
||||
protocol: TCP
|
||||
name: tcp-istiod
|
||||
hosts:
|
||||
- "*"
|
||||
- port:
|
||||
number: 15017
|
||||
protocol: TCP
|
||||
name: tcp-istiodwebhook
|
||||
hosts:
|
||||
- "*"
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: meshexpansion-vs-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
hosts:
|
||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
gateways:
|
||||
- meshexpansion-gateway
|
||||
tcp:
|
||||
- match:
|
||||
- port: 15012
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 15012
|
||||
- match:
|
||||
- port: 15017
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 443
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: meshexpansion-dr-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
trafficPolicy:
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 15012
|
||||
tls:
|
||||
mode: DISABLE
|
||||
- port:
|
||||
number: 15017
|
||||
tls:
|
||||
mode: DISABLE
|
||||
|
||||
{{- end }}
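Review bot: The istiod host is spelled two different ways in this file: the VirtualService `hosts` entry and the 15012 route use `istiod.{{ .Values.global.istioNamespace }}.svc…`, while the 15017 route destination and the DestinationRule `host` use `istiod.{{ .Release.Namespace }}.svc…`. values.yaml in this same commit says the gateway must live in its own namespace, so in practice the two names differ: the DestinationRule's `tls: mode: DISABLE` then never matches the 15012 route's destination, and the 15017 route points at a Service that does not exist in the release namespace; both spots should use `.Values.global.istioNamespace`. Enabling this publishes istiod's xDS (15012) and webhook (15017) ports through the ingress with `hosts: "*"` and TLS origination disabled, so a caveat above the Gateway is warranted, e.g. `# Exposes istiod control-plane ports on the public ingress; only enable for mesh expansion (VMs/remote clusters) and remove meshExpansionPorts otherwise`.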
|
@ -0,0 +1,19 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
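Review bot: `minAvailable: 1` together with the chart defaults `autoscaleMin: 1` and a commented-out `replicaCount` yields a budget that a single-replica gateway can never satisfy during a voluntary disruption, so `kubectl drain` and autoscaler scale-downs block on the gateway pod indefinitely. Either document next to `minAvailable` that `autoscaleMin`/`replicaCount` must be at least 2 when `defaultPodDisruptionBudget.enabled` is true, or guard the template on that condition, e.g. `{{- if and .Values.global.defaultPodDisruptionBudget.enabled (gt (int $gateway.autoscaleMin) 1) }}`. `policy/v1beta1` PodDisruptionBudget is a deprecated API that newer Kubernetes releases no longer serve; `policy/v1` should be used when the chart's supported range permits. This template's `toYaml | trim | indent` form is the cleaner one and should be adopted in the Deployment and HPA templates as well.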
|
@ -0,0 +1,78 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
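Review bot: `{{- if .Values.global.defaultConfigVisibilitySettings }}` renders a hard-coded `exportTo: ['*']`, but values.yaml documents that this setting may be `.` to restrict objects to the local namespace; with `["."]` the DestinationRule would still be exported cluster-wide, the opposite of what was configured. Rendering the configured value, `exportTo:` followed by `{{ toYaml .Values.global.defaultConfigVisibilitySettings | nindent 4 }}`, keeps template and documentation in agreement. The Gateway `selector` and the EnvoyFilter `workloadSelector` use a literal `istio: ingressgateway` while the Service and Deployment in this commit select on `$gateway.labels`; if those labels are overridden, the 15443 AUTO_PASSTHROUGH server and the cluster-rewrite filter silently attach to nothing, so `{{ $gateway.labels | toYaml | trim | indent 6 }}` would be consistent.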
|
@ -0,0 +1,16 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
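Review bot: The `-sds` Role grants `get`, `watch` and `list` on every Secret in the release namespace; `list`/`watch` cannot be narrowed with `resourceNames`, so this is effectively read access to all Secrets co-located with the gateway, which is presumably why values.yaml insists on a dedicated namespace. That constraint is invisible from this manifest, so a comment above `rules:` would help the next maintainer, e.g. `# Presumably for the gateway agent's SDS credential lookup; list/watch cannot be restricted by resourceNames, so this is read access to ALL Secrets in the namespace - keep the gateway in its own namespace`. Whether the agent truly needs `list` and `watch` or only `get` on the credential names referenced by Gateway resources cannot be determined from this chart; if `get` suffices, dropping the other two verbs would be a real least-privilege gain.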
|
@ -0,0 +1,19 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
---
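Review bot: The ServiceAccount subject omits `namespace:`; RBAC defaults a ServiceAccount subject of a RoleBinding to the binding's own namespace, so this works as written, but an explicit `namespace: {{ .Release.Namespace }}` under the subject makes the binding self-describing and survives being copied into a ClusterRoleBinding, where the field is mandatory. The `-service-account` name is constructed from `$gateway.name` here, in the ServiceAccount template and in the Deployment's `serviceAccountName`; a short comment noting that the three must stay in sync would prevent a rename from silently producing a pod with no secret access.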
|
@ -0,0 +1,55 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
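Review bot: With the chart defaults `type: LoadBalancer`, `loadBalancerSourceRanges: []` and `externalTrafficPolicy: ""`, the rendered Service is reachable from any source address and, because the policy then defaults to `Cluster`, the gateway sees the node's SNAT address rather than the real client IP; any AuthorizationPolicy built on `ipBlocks`/`remoteIpBlocks` behind this gateway is then ineffective unless the cloud load balancer forwards the client address some other way. Defaulting `externalTrafficPolicy` to `Local`, or at least a comment above that field such as `# Set to Local (or rely on proxy protocol / XFF from the LB) to preserve client source IPs for ipBlocks-based policies`, would avoid a silent false sense of security. Note that the 15021 status port is the first entry and is published on the external LB by design (ELB health checks), and that `meshExpansion.enabled` adds istiod's 15012 to this same public Service, so the exposure warning in values.yaml applies here as well.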
|
@ -0,0 +1,18 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
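Review bot: The ServiceAccount does not set `automountServiceAccountToken`, so every gateway pod also receives the default long-lived token mount under `/var/run/secrets/kubernetes.io/serviceaccount` in addition to the audience-scoped projected `istio-token` volume the Deployment mounts when `jwtPolicy` is `third-party-jwt`. Whether the agent still depends on the legacy mount under `first-party-jwt` cannot be confirmed from this chart; if it only needs it in that mode, `automountServiceAccountToken: {{ eq .Values.global.jwtPolicy "first-party-jwt" }}` here would remove an unnecessary credential from an internet-facing pod that additionally holds a Secret-reading Role. `imagePullSecrets` placed before `metadata` is valid but unusual; moving it below `metadata` matches the ordering of the other manifests in this commit.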
|
336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
Normal file
@ -0,0 +1,336 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
# This is the port where sni routing happens
|
||||
- port: 15443
|
||||
targetPort: 15443
|
||||
name: tls
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tunning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
#### MESH EXPANSION PORTS ########
|
||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||
# exposing unnecessary ports on the web.
|
||||
# You can remove these ports if you are not using mesh expansion
|
||||
meshExpansionPorts:
|
||||
- port: 15012
|
||||
targetPort: 15012
|
||||
name: tcp-istiod
|
||||
####### end MESH EXPANSION PORTS ######
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: gcr.io/istio-testing
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: latest
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||
# ingress gateway
|
||||
meshExpansion:
|
||||
enabled: false
|
||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||
# will be exposed on an internal gateway
|
||||
useILB: false
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
# Deprecated, use meshConfig.trustDomain
|
||||
# trustDomain: ""
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
# trustDomain: ""
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
|
@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
name: istio-private-ingress
|
||||
version: 1.1.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio gateways
|
||||
keywords:
|
||||
- istio
|
||||
- ingressgateway
|
||||
- gateways
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
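Review bot: `tillerVersion: ">=2.7.2"` and `engine: gotpl` are Helm v2-only fields; Helm 3 (which is what an ArgoCD-driven install will use) silently ignores both, so the version constraint this chart appears to declare is never enforced. If Helm 3 is the intended consumer, `apiVersion: v2` with a `kubeVersion` constraint expresses the real requirement, and the two legacy keys can go. The `sources` entry `http://github.com/istio/istio` would also be better as `https://github.com/istio/istio` so tooling that follows it does not start on a plaintext redirect.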
|
@ -0,0 +1,43 @@
|
||||
|
||||
Changes:
|
||||
- separate namespace allows:
|
||||
-- easier reconfig of just the gateway
|
||||
-- TLS secrets and domain name management is isolated, for better security
|
||||
-- simplified configuration
|
||||
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||
|
||||
- the new chart uses the default namespace service account, and doesn't require
|
||||
additional RBAC permissions.
|
||||
|
||||
- simplified label and chart structure.
|
||||
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||
and allows a bit more flexibility.
|
||||
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||
|
||||
# Port and basic host configuration
|
||||
|
||||
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||
both in upgrade, Gateway and VirtualService.
|
||||
|
||||
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||
config for the rest.
|
||||
|
||||
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||
|
||||
# Migration from istio-system
|
||||
|
||||
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||
with the Service and bound to the namespace, it is recommended to:
|
||||
|
||||
1. Install the new gateway in a new namespace.
|
||||
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||
4. Modify the DNS server to add the A record of the new namespace
|
||||
5. Check traffic
|
||||
6. Delete the A record corresponding to the gateway in istio-system
|
||||
7. Upgrade istio-system, disabling the ingressgateway
|
||||
8. Delete the domain TLS certs from istio-system.
|
||||
|
||||
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -0,0 +1,112 @@
|
||||
# istio-ingress
|
||||
|
||||
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||
|
||||
Helm chart for deploying Istio gateways
|
||||
|
||||
## Source Code
|
||||
|
||||
* <http://github.com/istio/istio>
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
|
||||
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
|
||||
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
|
||||
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
|
||||
| gateways.istio-ingressgateway.customService | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
|
||||
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
|
||||
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
|
||||
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
|
||||
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
|
||||
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
|
||||
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
|
||||
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
|
||||
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
|
||||
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
|
||||
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
|
||||
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
|
||||
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
|
||||
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
|
||||
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
|
||||
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
|
||||
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
|
||||
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
|
||||
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
|
||||
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
|
||||
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
|
||||
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
|
||||
| global.arch.amd64 | int | `2` | |
|
||||
| global.arch.ppc64le | int | `2` | |
|
||||
| global.arch.s390x | int | `2` | |
|
||||
| global.caAddress | string | `""` | |
|
||||
| global.defaultConfigVisibilitySettings | list | `[]` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
|
||||
| global.defaultResources.requests.cpu | string | `"10m"` | |
|
||||
| global.defaultTolerations | list | `[]` | |
|
||||
| global.hub | string | `"gcr.io/istio-testing"` | |
|
||||
| global.imagePullPolicy | string | `""` | |
|
||||
| global.imagePullSecrets | list | `[]` | |
|
||||
| global.istioNamespace | string | `"istio-system"` | |
|
||||
| global.jwtPolicy | string | `"third-party-jwt"` | |
|
||||
| global.logAsJson | bool | `false` | |
|
||||
| global.logging.level | string | `"default:info"` | |
|
||||
| global.meshExpansion.enabled | bool | `false` | |
|
||||
| global.meshExpansion.useILB | bool | `false` | |
|
||||
| global.meshID | string | `""` | |
|
||||
| global.mountMtlsCerts | bool | `false` | |
|
||||
| global.multiCluster.clusterName | string | `""` | |
|
||||
| global.multiCluster.enabled | bool | `false` | |
|
||||
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
|
||||
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
|
||||
| global.network | string | `""` | |
|
||||
| global.pilotCertProvider | string | `"istiod"` | |
|
||||
| global.priorityClassName | string | `""` | |
|
||||
| global.proxy.clusterDomain | string | `"cluster.local"` | |
|
||||
| global.proxy.componentLogLevel | string | `"misc:error"` | |
|
||||
| global.proxy.enableCoreDump | bool | `false` | |
|
||||
| global.proxy.image | string | `"proxyv2"` | |
|
||||
| global.proxy.logLevel | string | `"warning"` | |
|
||||
| global.sds.token.aud | string | `"istio-ca"` | |
|
||||
| global.sts.servicePort | int | `0` | |
|
||||
| global.tag | string | `"latest"` | |
|
||||
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
|
||||
| meshConfig.defaultConfig.tracing | string | `nil` | |
|
||||
| meshConfig.enablePrometheusMerge | bool | `true` | |
|
||||
| ownerName | string | `""` | |
|
||||
| revision | string | `""` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
@ -0,0 +1,93 @@
|
||||
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||
|
||||
{{- define "nodeaffinity" }}
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||
{{- range $key, $val := $nodeSelector }}
|
||||
- key: {{ $key }}
|
||||
operator: In
|
||||
values:
|
||||
- {{ $val | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||
{{- range $key, $val := .global.arch }}
|
||||
{{- if gt ($val | int) 0 }}
|
||||
- weight: {{ $val | int }}
|
||||
preference:
|
||||
matchExpressions:
|
||||
- key: kubernetes.io/arch
|
||||
operator: In
|
||||
values:
|
||||
- {{ $key | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinity" }}
|
||||
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||
podAntiAffinity:
|
||||
{{- if .podAntiAffinityLabelSelector }}
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- if .podAntiAffinityTermLabelSelector }}
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: {{ $item.key }}
|
||||
operator: {{ $item.operator }}
|
||||
{{- if $item.values }}
|
||||
values:
|
||||
{{- $vals := split "," $item.values }}
|
||||
{{- range $i, $v := $vals }}
|
||||
- {{ $v | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
topologyKey: {{ $item.topologyKey }}
|
||||
weight: 100
|
||||
{{- end }}
|
||||
{{- end }}
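Review bot: In `nodeAffinityRequiredDuringScheduling` the nodeSelector range emits `- key: {{ $key }}` unquoted while the matching value is `{{ $val | quote }}`; a label key that contains `: `, ` #` or begins with a YAML indicator would break the rendered manifest or be retyped. The same unquoted interpolation appears in both podAntiAffinity templates for `key: {{ $item.key }}`, `operator: {{ $item.operator }}` and `topologyKey: {{ $item.topologyKey }}`. Since these come straight from values, `- key: {{ $key | quote }}` (and `| quote` on the three anti-affinity fields) keeps the output well-formed regardless of input.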
|
@ -0,0 +1,27 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||
minReplicas: {{ $gateway.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
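Review bot: `apiVersion: autoscaling/v2beta1` is a deprecated HPA API; it was removed from Kubernetes in 1.25, so this object will fail to apply on clusters past that version. `autoscaling/v2` is GA since 1.23 and is the safe target here, but the metric shape changes: `targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}` becomes `target:` / `type: Utilization` / `averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}`. If older clusters must still be supported, the API version could be selected with `.Capabilities.APIVersions.Has`.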
|
@ -0,0 +1,345 @@
|
||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if not $gateway.autoscaleEnabled }}
|
||||
{{- if $gateway.replicaCount }}
|
||||
replicas: {{ $gateway.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | indent 6 }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 8 }}
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
chart: gateways
|
||||
{{- end }}
|
||||
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if not (eq .Values.revision "") }}
|
||||
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||
{{- else}}
|
||||
service.istio.io/canonical-revision: latest
|
||||
{{- end }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if $gateway.podAnnotations }}
|
||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||
{{ end }}
|
||||
spec:
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
fsGroup: 1337
|
||||
{{- end }}
|
||||
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.proxy.enableCoreDump }}
|
||||
initContainers:
|
||||
- name: enable-core-dump
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" .Values.global.proxy.image }}
|
||||
image: "{{ .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||
protocol: {{ $val.protocol | default "TCP" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- router
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.proxy.logLevel }}
|
||||
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.proxy.componentLogLevel }}
|
||||
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --serviceCluster
|
||||
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if not $gateway.runAsRoot }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
failureThreshold: 30
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
{{- if $gateway.resources }}
|
||||
{{ toYaml $gateway.resources | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.podIP
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: status.hostIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||
{{- if $.Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.meshID }}"
|
||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||
{{- end }}
|
||||
{{- range $key, $val := $gateway.env }}
|
||||
- name: {{ $key }}
|
||||
value: {{ $val }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||
{{- if and (not $network_set) .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: {{ .Values.global.network }}
|
||||
{{- end }}
|
||||
{{- if $gateway.podAnnotations }}
|
||||
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||
value: |
|
||||
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||
{{ end }}
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
volumeMounts:
|
||||
- name: istio-envoy
|
||||
mountPath: /etc/istio/proxy
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: gatewaysdsudspath
|
||||
mountPath: /var/run/ingress_gateway
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
mountPath: /etc/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
- name: podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
{{- if .mountPath }}
|
||||
- name: {{ .name }}
|
||||
mountPath: {{ .mountPath | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $gateway.additionalContainers }}
|
||||
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
- name: podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
- name: istio-envoy
|
||||
emptyDir: {}
|
||||
- name: gatewaysdsudspath
|
||||
emptyDir: {}
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
secretName: istio.istio-ingressgateway-service-account
|
||||
optional: true
|
||||
{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
optional: true
|
||||
{{- range $gateway.secretVolumes }}
|
||||
- name: {{ .name }}
|
||||
secret:
|
||||
secretName: {{ .secretName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- range $gateway.configVolumes }}
|
||||
- name: {{ .name }}
|
||||
configMap:
|
||||
name: {{ .configMapName | quote }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
affinity:
|
||||
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||
{{- if $gateway.tolerations }}
|
||||
tolerations:
|
||||
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||
{{- else if .Values.global.defaultTolerations }}
|
||||
tolerations:
|
||||
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||
{{- end }}
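Review bot: The `$gateway.env` range renders `value: {{ $val }}` unquoted, whereas the `proxyMetadata` range a few lines later uses `value: "{{ $value }}"`; an env value such as `true`, `15012` or `1.10` would be emitted as a non-string and rejected by the API server, so `value: {{ $val | quote }}` should be used for consistency. Separately, the `istio-certs` volume hardcodes `secretName: istio.istio-ingressgateway-service-account` while the pod's `serviceAccountName` is derived from `$gateway.name`, so a renamed gateway mounts the wrong (or no) certificate secret; `secretName: istio.{{ $gateway.name | default "istio-ingressgateway" }}-service-account` keeps the two in step. Lastly, `{{- if not $gateway.runAsRoot }}` removes the entire container securityContext, including `readOnlyRootFilesystem: true`, `privileged: false` and `allowPrivilegeEscalation: false`, which do not depend on the UID; only the user/group and capability lines need to be conditional.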
|
@ -0,0 +1,79 @@
|
||||
{{- if .Values.global.meshExpansion.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: meshexpansion-gateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 15012
|
||||
protocol: TCP
|
||||
name: tcp-istiod
|
||||
hosts:
|
||||
- "*"
|
||||
- port:
|
||||
number: 15017
|
||||
protocol: TCP
|
||||
name: tcp-istiodwebhook
|
||||
hosts:
|
||||
- "*"
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: meshexpansion-vs-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
hosts:
|
||||
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
gateways:
|
||||
- meshexpansion-gateway
|
||||
tcp:
|
||||
- match:
|
||||
- port: 15012
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 15012
|
||||
- match:
|
||||
- port: 15017
|
||||
route:
|
||||
- destination:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
port:
|
||||
number: 443
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: meshexpansion-dr-istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
trafficPolicy:
|
||||
portLevelSettings:
|
||||
- port:
|
||||
number: 15012
|
||||
tls:
|
||||
mode: DISABLE
|
||||
- port:
|
||||
number: 15017
|
||||
tls:
|
||||
mode: DISABLE
|
||||
|
||||
{{- end }}
|
@ -0,0 +1,19 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||
{{- end }}
|
@ -0,0 +1,78 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if .Values.global.multiCluster.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- hosts:
|
||||
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
port:
|
||||
name: tls
|
||||
number: 15443
|
||||
protocol: TLS
|
||||
tls:
|
||||
mode: AUTO_PASSTHROUGH
|
||||
---
|
||||
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
istio: ingressgateway
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
listener:
|
||||
portNumber: 15443
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.filters.network.sni_cluster"
|
||||
patch:
|
||||
operation: INSERT_AFTER
|
||||
value:
|
||||
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||
---
|
||||
{{- end }}
|
||||
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: istio-multicluster-ingressgateway
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||
exportTo:
|
||||
- '*'
|
||||
{{- end }}
|
||||
trafficPolicy:
|
||||
tls:
|
||||
mode: ISTIO_MUTUAL
|
||||
---
|
||||
{{- end }}
|
@ -0,0 +1,16 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
---
|
@ -0,0 +1,19 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
---
|
@ -0,0 +1,55 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
{{- if not $gateway.customService }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||
{{ $key }}: {{ $val | quote }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
||||
spec:
|
||||
{{- if $gateway.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||
{{- end }}
|
||||
{{- if $gateway.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $gateway.externalTrafficPolicy }}
|
||||
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
type: {{ $gateway.type }}
|
||||
selector:
|
||||
{{ $gateway.labels | toYaml | indent 4 }}
|
||||
ports:
|
||||
|
||||
{{- range $key, $val := $gateway.ports }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if $.Values.global.meshExpansion.enabled }}
|
||||
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||
-
|
||||
{{- range $pkey, $pval := $val }}
|
||||
{{ $pkey}}: {{ $pval }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ range $app := $gateway.ingressPorts }}
|
||||
-
|
||||
port: {{ $app.port }}
|
||||
name: {{ $app.name }}
|
||||
{{- end }}
|
||||
---
|
||||
{{ end }}
|
@ -0,0 +1,18 @@
|
||||
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "IngressGateways"
|
@ -0,0 +1,336 @@
|
||||
# A-la-carte istio ingress gateway.
|
||||
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
name: istio-ingressgateway
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
protocol: TCP
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
protocol: TCP
|
||||
# This is the port where sni routing happens
|
||||
- port: 15443
|
||||
targetPort: 15443
|
||||
name: tls
|
||||
protocol: TCP
|
||||
|
||||
# Scalability tunning
|
||||
# replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
serviceAnnotations: {}
|
||||
|
||||
# Enable cross-cluster access using SNI matching
|
||||
zvpn:
|
||||
enabled: false
|
||||
suffix: global
|
||||
|
||||
# To generate an internal load balancer:
|
||||
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||
#serviceAnnotations:
|
||||
# cloud.google.com/load-balancer-type: "internal"
|
||||
|
||||
podAnnotations: {}
|
||||
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||
|
||||
#### MESH EXPANSION PORTS ########
|
||||
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||
# exposing unnecessary ports on the web.
|
||||
# You can remove these ports if you are not using mesh expansion
|
||||
meshExpansionPorts:
|
||||
- port: 15012
|
||||
targetPort: 15012
|
||||
name: tcp-istiod
|
||||
####### end MESH EXPANSION PORTS ######
|
||||
|
||||
##############
|
||||
secretVolumes:
|
||||
- name: ingressgateway-certs
|
||||
secretName: istio-ingressgateway-certs
|
||||
mountPath: /etc/istio/ingressgateway-certs
|
||||
- name: ingressgateway-ca-certs
|
||||
secretName: istio-ingressgateway-ca-certs
|
||||
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||
|
||||
customService: false
|
||||
externalTrafficPolicy: ""
|
||||
|
||||
ingressPorts: []
|
||||
additionalContainers: []
|
||||
configVolumes: []
|
||||
|
||||
### Advanced options ############
|
||||
env:
|
||||
# A gateway with this mode ensures that pilot generates an additional
|
||||
# set of clusters for internal services but without Istio mTLS, to
|
||||
# enable cross cluster routing.
|
||||
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||
|
||||
nodeSelector: {}
|
||||
tolerations: []
|
||||
|
||||
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||
# your pod is eligible to be scheduled based on labels on pods that are
|
||||
# already running on the node rather than based on labels on nodes.
|
||||
# There are currently two types of anti-affinity:
|
||||
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||
# correspondingly.
|
||||
# For example:
|
||||
# podAntiAffinityLabelSelector:
|
||||
# - key: security
|
||||
# operator: In
|
||||
# values: S1,S2
|
||||
# topologyKey: "kubernetes.io/hostname"
|
||||
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||
# onto a node if that node is already running a pod with label having key
|
||||
# "security" and value "S1".
|
||||
podAntiAffinityLabelSelector: []
|
||||
podAntiAffinityTermLabelSelector: []
|
||||
|
||||
# whether to run the gateway in a privileged container
|
||||
runAsRoot: false
|
||||
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
global:
|
||||
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||
# should be one of the following two options:
|
||||
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||
defaultConfigVisibilitySettings: []
|
||||
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||
# these default values by adding its tolerations block in the relevant section below
|
||||
# and setting the desired values.
|
||||
# Configure this field in case that all pods of Istio control plane are expected to
|
||||
# be scheduled to particular nodes with specified taints.
|
||||
defaultTolerations: []
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: gcr.io/istio-testing
|
||||
|
||||
# Default tag for Istio images.
|
||||
tag: latest
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||
# 0 - Never scheduled
|
||||
# 1 - Least preferred
|
||||
# 2 - No preference
|
||||
# 3 - Most preferred
|
||||
arch:
|
||||
amd64: 2
|
||||
s390x: 2
|
||||
ppc64le: 2
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||
# ingress gateway
|
||||
meshExpansion:
|
||||
enabled: false
|
||||
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||
# will be exposed on an internal gateway
|
||||
useILB: false
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
# The suffix for global service names
|
||||
globalDomainSuffix: "global"
|
||||
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||
includeEnvoyFilter: true
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
# Deprecated, use meshConfig.trustDomain
|
||||
# trustDomain: ""
|
||||
|
||||
meshConfig:
|
||||
enablePrometheusMerge: true
|
||||
# trustDomain: ""
|
||||
defaultConfig:
|
||||
proxyMetadata: {}
|
||||
tracing:
|
||||
# tlsSettings:
|
||||
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||
# sni: # example: tracer.somedomain
|
||||
# subjectAltNames: []
|
||||
# - tracer.somedomain
|
@ -1,9 +1,9 @@
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
{{- if index .Values "istio-ingress" "enabled" }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: ingressgateway-listener-tcp-keepalive
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
||||
@ -33,13 +33,13 @@ spec:
|
||||
state: STATE_LISTENING
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: private-ingressgateway-listener-tcp-keepalive
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
workloadSelector:
|
||||
labels:
|
@ -1,9 +1,9 @@
|
||||
{{- if .Values.ingress.dnsNames }}
|
||||
{{- if index .Values "istio-ingress" "dnsNames" }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: public-ingress-cert
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -12,5 +12,5 @@ spec:
|
||||
name: letsencrypt-dns-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
{{ toYaml .Values.ingress.dnsNames | indent 4 }}
|
||||
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
|
||||
{{- end }}
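Review bot: The Certificate is gated only on `istio-ingress.dnsNames` and lists only those names, so the private gateway's hosts (`istio-private-ingress.dnsNames`, which the same commit's gateway.yaml serves over HTTPS) never receive a certificate, and nothing at all is issued when only the private ingress is enabled. Gate on both lists and concatenate them, e.g. `{{- if or (index .Values "istio-ingress" "dnsNames") (index .Values "istio-private-ingress" "dnsNames") }}`, or add a second Certificate for the private ingress. The `secretName` this Certificate writes is outside the hunk, so whether it matches the `public-ingress-cert` credentialName the public Gateway now references cannot be confirmed here. Worth a comment in values.yaml too: a wildcard entry like `*.example.com` requests a wildcard certificate whose key is readable by anything in `{{ .Release.Namespace }}` that holds secrets access, such as the gateway's SDS Role.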
|
@ -1,9 +1,9 @@
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -15,7 +15,7 @@ spec:
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
@ -23,20 +23,21 @@ spec:
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
|
||||
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
namespace: istio-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -48,7 +49,7 @@ spec:
|
||||
name: http
|
||||
protocol: HTTP2
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
httpsRedirect: true
|
||||
- port:
|
||||
@ -56,7 +57,7 @@ spec:
|
||||
name: https
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
@ -67,19 +68,19 @@ spec:
|
||||
name: amqp
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 5671
|
||||
name: amqps
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 24224
|
||||
name: fluentd-forward
|
||||
protocol: TLS
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
@ -90,11 +91,11 @@ spec:
|
||||
name: redis
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
- port:
|
||||
number: 6380
|
||||
name: redis-1
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||
{{- end }}
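Review bot: The public gateway is switched to `credentialName: public-ingress-cert` (SDS), but the private gateway's `https` and `fluentd-forward` servers still use `privateKey: /etc/istio/ingressgateway-certs/tls.key`, a file mounted from the `istio-ingressgateway-certs` secret that the vendored chart marks `optional: true`; with the private gateway renamed to `istio-private-ingressgateway` and moved into `{{ .Release.Namespace }}`, it is not evident that secret exists there, in which case these TLS servers come up without a usable certificate. Switch the private servers to `credentialName` as well (reusing `public-ingress-cert` if the host lists are identical, otherwise a dedicated certificate) and drop the file-path lines. Separately, `amqp` and the two `redis` servers are plain `TCP` with no TLS, so any credentials on them rely entirely on the private network; a comment in values.yaml stating that assumption would help. The `amqp` port number sits just outside the hunk.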
|
@ -1,8 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{.Values.operatorNamespace}}
|
||||
name: istio-ingress
|
||||
labels:
|
||||
istio-operator-managed: Reconcile
|
||||
istio-injection: disabled
|
||||
---
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
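Review bot: The Namespace name is hard-coded to `istio-ingress` while every other resource in this chart is placed in `{{ .Release.Namespace }}`; installing the release under any other namespace creates an empty `istio-ingress` namespace and drops the gateways, their SDS Role (secrets get/list/watch) and the certificate into the release namespace instead. Use `name: {{ .Release.Namespace }}` so the namespace being created is the isolated one the vendored chart asks for ("Must be installed in a separate namespace, to minimize access to secrets"). Retaining `istio-injection: disabled` here looks correct, since the gateway pods run the proxy as their main container rather than as an injected sidecar.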
|
120
charts/kubezero-istio-ingress/values.yaml
Normal file
120
charts/kubezero-istio-ingress/values.yaml
Normal file
@ -0,0 +1,120 @@
|
||||
# Make sure these values match kuberzero-istio !!!
|
||||
global:
|
||||
hub: docker.io/istio
|
||||
tag: 1.8.0
|
||||
|
||||
logAsJson: true
|
||||
jwtPolicy: first-party-jwt
|
||||
|
||||
priorityClassName: "system-cluster-critical"
|
||||
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
|
||||
istio-ingress:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
resources:
|
||||
requests:
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 256Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
type: NodePort
|
||||
env:
|
||||
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||
# ISTIO_META_HTTP10: '"1"'
|
||||
|
||||
# The node selector is normally the list of nodeports, see CloudBender
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "30080_30443"
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
nodePort: 30021
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 30080
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 30443
|
||||
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
||||
istio-private-ingress:
|
||||
enabled: false
|
||||
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
# name and labels make the ingress private
|
||||
name: istio-private-ingressgateway
|
||||
labels:
|
||||
app: istio-private-ingressgateway
|
||||
istio: private-ingressgateway
|
||||
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
limits:
|
||||
# cpu: 100m
|
||||
memory: 256Mi
|
||||
externalTrafficPolicy: Local
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-private-ingressgateway
|
||||
type: NodePort
|
||||
env:
|
||||
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||
# ISTIO_META_HTTP10: '"1"'
|
||||
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "31080_31443"
|
||||
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
nodePort: 31021
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
nodePort: 31080
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
nodePort: 31443
|
||||
#- name: fluentd-forward
|
||||
# port: 24224
|
||||
# nodePort: 31224
|
||||
#- name: amqps
|
||||
# port: 5671
|
||||
# nodePort: 31671
|
||||
#- name: amqp
|
||||
# port: 5672
|
||||
# nodePort: 31672
|
||||
#- name: redis
|
||||
# port: 6379
|
||||
# nodePort: 31379
|
||||
|
||||
dnsNames: []
|
||||
# - '*.example.com'
|
||||
|
2
charts/kubezero-istio/.gitignore
vendored
2
charts/kubezero-istio/.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
istioctl
|
||||
istio-*
|
||||
istio-?.?.?
|
||||
|
@ -15,6 +15,8 @@ dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: istio-operator
|
||||
version: ">= 1.7"
|
||||
kubeVersion: ">= 1.16.0"
|
||||
- name: base
|
||||
version: 1.1.0
|
||||
- name: istio-discovery
|
||||
version: 1.2.0
|
||||
kubeVersion: ">= 1.17.0"
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
Installs Istio Operator and KubeZero Istio profile
|
||||
Installs the Istio control plane
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
@ -16,31 +16,37 @@ Installs Istio Operator and KubeZero Istio profile
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.16.0`
|
||||
Kubernetes: `>= 1.17.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | istio-operator | >= 1.7 |
|
||||
| | base | 1.1.0 |
|
||||
| | istio-discovery | 1.2.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## KubeZero default configuration
|
||||
- mapped istio-operator to run on the controller nodes only
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| ingress.autoscaleEnabled | bool | `false` | |
|
||||
| ingress.dnsNames[0] | string | `"*"` | |
|
||||
| ingress.private.enabled | bool | `true` | |
|
||||
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
|
||||
| ingress.public.enabled | bool | `true` | |
|
||||
| ingress.replicaCount | int | `2` | |
|
||||
| ingress.type | string | `"NodePort"` | |
|
||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
||||
| istio-operator.tag | string | `"1.7.4"` | |
|
||||
| istiod.autoscaleEnabled | bool | `false` | |
|
||||
| istiod.replicaCount | int | `1` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||
| global.hub | string | `"docker.io/istio"` | |
|
||||
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||
| global.logAsJson | bool | `true` | |
|
||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| global.tag | string | `"1.8.0"` | |
|
||||
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||
| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
|
||||
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
|
||||
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||
|
||||
## Resources
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
{{ template "chart.description" . }}
|
||||
|
||||
Installs Istio Operator and KubeZero Istio profile
|
||||
Installs the Istio control plane
|
||||
|
||||
{{ template "chart.homepageLine" . }}
|
||||
|
||||
@ -15,9 +15,6 @@ Installs Istio Operator and KubeZero Istio profile
|
||||
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
|
||||
## KubeZero default configuration
|
||||
- mapped istio-operator to run on the controller nodes only
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
## Resources
|
||||
|
11
charts/kubezero-istio/charts/base/Chart.yaml
Normal file
11
charts/kubezero-istio/charts/base/Chart.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
apiVersion: v1
|
||||
name: base
|
||||
version: 1.1.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||
keywords:
|
||||
- istio
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
1
charts/kubezero-istio/charts/base/NOTES.txt
Normal file
1
charts/kubezero-istio/charts/base/NOTES.txt
Normal file
@ -0,0 +1 @@
|
||||
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
|
23
charts/kubezero-istio/charts/base/README.md
Normal file
23
charts/kubezero-istio/charts/base/README.md
Normal file
@ -0,0 +1,23 @@
|
||||
# base
|
||||
|
||||
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||
|
||||
Helm chart for deploying Istio cluster resources and CRDs
|
||||
|
||||
## Source Code
|
||||
|
||||
* <http://github.com/istio/istio>
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| base.enableCRDTemplates | bool | `false` | |
|
||||
| base.validationURL | string | `""` | |
|
||||
| global.configValidation | bool | `true` | |
|
||||
| global.imagePullSecrets | list | `[]` | |
|
||||
| global.istioNamespace | string | `"istio-system"` | |
|
||||
| global.istiod.enableAnalysis | bool | `false` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
3426
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
Normal file
3426
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
Normal file
File diff suppressed because it is too large
66
charts/kubezero-istio/charts/base/crds/crd-operator.yaml
Normal file
66
charts/kubezero-istio/charts/base/crds/crd-operator.yaml
Normal file
@ -0,0 +1,66 @@
|
||||
# SYNC WITH manifests/charts/istio-operator/templates
|
||||
apiVersion: apiextensions.k8s.io/v1beta1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: istiooperators.install.istio.io
|
||||
labels:
|
||||
release: istio
|
||||
spec:
|
||||
additionalPrinterColumns:
|
||||
- JSONPath: .spec.revision
|
||||
description: Istio control plane revision
|
||||
name: Revision
|
||||
type: string
|
||||
- JSONPath: .status.status
|
||||
description: IOP current state
|
||||
type: string
|
||||
name: Status
|
||||
- JSONPath: .metadata.creationTimestamp
|
||||
description: 'CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||
name: Age
|
||||
type: date
|
||||
group: install.istio.io
|
||||
names:
|
||||
kind: IstioOperator
|
||||
plural: istiooperators
|
||||
singular: istiooperator
|
||||
shortNames:
|
||||
- iop
|
||||
- io
|
||||
scope: Namespaced
|
||||
subresources:
|
||||
status: {}
|
||||
validation:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
spec:
|
||||
description: 'Specification of the desired state of the istio control plane resource.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
|
||||
type: object
|
||||
status:
|
||||
description: 'Status describes each of istio control plane component status at the current time.
|
||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
|
||||
type: object
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
served: true
|
||||
storage: true
|
||||
---
|
3751
charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
Normal file
3751
charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
Normal file
File diff suppressed because it is too large
5
charts/kubezero-istio/charts/base/kustomization.yaml
Normal file
5
charts/kubezero-istio/charts/base/kustomization.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- files/gen-istio-cluster.yaml
|
146
charts/kubezero-istio/charts/base/templates/clusterrole.yaml
Normal file
146
charts/kubezero-istio/charts/base/templates/clusterrole.yaml
Normal file
@ -0,0 +1,146 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# sidecar injection controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "patch"]
|
||||
|
||||
# configuration validation webhook controller
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
|
||||
# istio configuration
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
resources: ["*"]
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
|
||||
verbs: ["update"]
|
||||
# TODO: should be on just */status but wildcard is not supported
|
||||
resources: ["*"]
|
||||
{{- end }}
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries" ]
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
|
||||
resources: [ "workloadentries/status" ]
|
||||
|
||||
# auto-detect installed CRD definitions
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# discovery and routing
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
# ingress controller
|
||||
{{- if .Values.global.istiod.enableAnalysis }}
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
{{- end}}
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses", "ingressclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/status"]
|
||||
verbs: ["*"]
|
||||
|
||||
# required for CA's namespace controller
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
|
||||
# Istiod and bootstrap.
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "certificatesigningrequests"
|
||||
- "certificatesigningrequests/approval"
|
||||
- "certificatesigningrequests/status"
|
||||
verbs: ["update", "create", "get", "delete", "watch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources:
|
||||
- "signers"
|
||||
resourceNames:
|
||||
- "kubernetes.io/legacy-unknown"
|
||||
verbs: ["approve"]
|
||||
|
||||
# Used by Istiod to verify the JWT tokens
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Used by Istiod to verify gateway SDS
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
|
||||
# Use for Kubernetes Service APIs
|
||||
- apiGroups: ["networking.x-k8s.io"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "config.istio.io"
|
||||
- "security.istio.io"
|
||||
- "networking.istio.io"
|
||||
- "authentication.istio.io"
|
||||
resources: ["*"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["discovery.k8s.io"]
|
||||
resources: ["endpointslices"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["replicasets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["authentication.k8s.io"]
|
||||
resources: ["tokenreviews"]
|
||||
verbs: ["create"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "list", "watch", "update"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
{{- end}}
|
||||
---
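Review bot: The `istiod-*` ClusterRole grants cluster-wide `get`/`list`/`watch` on core `secrets` unconditionally (last rule, commented "Needed for multicluster secret reading, possibly ingress certs in the future"), and the `istio-reader-*` ClusterRole repeats `secrets` in its core-resource list, so a compromised istiod pod or any holder of the istio-reader token can read every Secret in the cluster, while the namespaced Role already covers Secrets in `istioNamespace`. The file already gates the configmap/webhook rules on `.Values.global.externalIstiod`/`centralIstiod`, so the secrets rule should get the same treatment, e.g. `{{- if or .Values.global.multiCluster.enabled .Values.global.externalIstiod }}` around it with `multiCluster: {enabled: false}` added to base/values.yaml so the lookup cannot hit a nil map — but confirm first that gateway `credentialName` Secrets outside `istioNamespace` are not relied on. The same role also lets istiod `approve` CSRs for the `kubernetes.io/legacy-unknown` signer and `update` `certificatesigningrequests/approval`, which is CA-level power and deserves a sentence in the chart README. This looks like a copy of the upstream Istio base chart, so any narrowing should be kept as a documented local patch so it survives the next sync.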
|
@ -0,0 +1,32 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istio-reader-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
---
|
4
charts/kubezero-istio/charts/base/templates/crds.yaml
Normal file
4
charts/kubezero-istio/charts/base/templates/crds.yaml
Normal file
@ -0,0 +1,4 @@
|
||||
{{- if .Values.base.enableCRDTemplates }}
|
||||
{{ .Files.Get "crds/crd-all.gen.yaml" }}
|
||||
{{ .Files.Get "crds/crd-operator.yaml" }}
|
||||
{{- end }}
|
30
charts/kubezero-istio/charts/base/templates/endpoints.yaml
Normal file
30
charts/kubezero-istio/charts/base/templates/endpoints.yaml
Normal file
@ -0,0 +1,30 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if .Values.pilot.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Endpoints
|
||||
metadata:
|
||||
name: istiod-remote
|
||||
namespace: {{ .Release.Namespace }}
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: {{ .Values.global.remotePilotAddress }}
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
||||
apiVersion: v1
|
||||
kind: Endpoints
|
||||
metadata:
|
||||
name: istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: {{ .Values.global.remotePilotAddress }}
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
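Review bot: `{{- if .Values.pilot.enabled }}` dereferences a `pilot` key that base/values.yaml in this commit does not define, so as soon as `global.remotePilotAddress` is set Helm will fail rendering with a nil-pointer error unless the parent chart happens to pass `pilot` down; the same lookup appears in services.yaml. Either add `pilot: {enabled: false}` to base/values.yaml or guard the test as `{{- if and .Values.pilot .Values.pilot.enabled }}`. The IP check `regexMatch "^([0-9]*\\.){3}[0-9]*$"` also accepts strings such as `...` or `1..2.3` because each group is `[0-9]*`; `[0-9]{1,3}` (or a short comment saying the regex is intentionally loose and the value is trusted operator input) would make the intent clear.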
|
20
charts/kubezero-istio/charts/base/templates/role.yaml
Normal file
20
charts/kubezero-istio/charts/base/templates/role.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
rules:
|
||||
# permissions to verify the webhook is ready and rejecting
|
||||
# invalid config. We use --server-dry-run so no config is persisted.
|
||||
- apiGroups: ["networking.istio.io"]
|
||||
verbs: ["create"]
|
||||
resources: ["gateways"]
|
||||
|
||||
# For storing CA secret
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
|
||||
verbs: ["create", "get", "watch", "list", "update", "delete"]
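Review bot: The secrets rule carries the upstream `# TODO lock this down to istio-ca-cert ...` comment while still granting `create`/`get`/`watch`/`list`/`update`/`delete` on every Secret in `{{ .Values.global.istioNamespace }}`, which in this umbrella chart is presumably also where the ingress gateway TLS material lives, so istiod can read and overwrite gateway certificates. RBAC `resourceNames` cannot constrain `list` or `create`, so the fix is to split the rule: keep `verbs: ["create", "list", "watch"]` unrestricted and add a second rule with `resourceNames: ["<CA secret name>"]` for `verbs: ["get", "update", "delete"]`. The TODO names `istio-ca-cert`, but verify the Secret name istiod actually writes in this version before pinning it, and note the split in the comment so the next upstream sync does not silently revert it.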
|
16
charts/kubezero-istio/charts/base/templates/rolebinding.yaml
Normal file
16
charts/kubezero-istio/charts/base/templates/rolebinding.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
@ -0,0 +1,30 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istio-reader-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istio-reader
|
||||
release: {{ .Release.Name }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: istiod-service-account
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
---
|
37
charts/kubezero-istio/charts/base/templates/services.yaml
Normal file
37
charts/kubezero-istio/charts/base/templates/services.yaml
Normal file
@ -0,0 +1,37 @@
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
{{- if .Values.pilot.enabled }}
|
||||
# when istiod is enabled in remote cluster, we can't use istiod service name
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: istiod-remote
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
clusterIP: None
|
||||
{{- else }}
|
||||
# when istiod isn't enabled in remote cluster, we can use istiod service name
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: istiod
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 15012
|
||||
name: tcp-istiod
|
||||
protocol: TCP
|
||||
# if the remotePilotAddress is IP addr, we use clusterIP: None.
|
||||
# else, we use externalName
|
||||
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
|
||||
clusterIP: None
|
||||
{{- else }}
|
||||
type: ExternalName
|
||||
externalName: {{ .Values.global.remotePilotAddress }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
@ -0,0 +1,42 @@
|
||||
{{- if .Values.global.configValidation }}
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: istiod-{{ .Values.global.istioNamespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
istio: istiod
|
||||
webhooks:
|
||||
- name: validation.istio.io
|
||||
clientConfig:
|
||||
{{- if .Values.base.validationURL }}
|
||||
url: {{ .Values.base.validationURL }}
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod
|
||||
namespace: {{ .Values.global.istioNamespace }}
|
||||
path: "/validate"
|
||||
{{- end }}
|
||||
caBundle: "" # patched at runtime when the webhook is ready.
|
||||
rules:
|
||||
- operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
apiGroups:
|
||||
- config.istio.io
|
||||
- security.istio.io
|
||||
- authentication.istio.io
|
||||
- networking.istio.io
|
||||
apiVersions:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
# Fail open until the validation webhook is ready. The webhook controller
|
||||
# will update this to `Fail` and patch in the `caBundle` when the webhook
|
||||
# endpoint is ready.
|
||||
failurePolicy: Ignore
|
||||
sideEffects: None
|
||||
admissionReviewVersions: ["v1beta1", "v1"]
|
||||
---
|
||||
{{- end }}
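Review bot: `apiVersion: admissionregistration.k8s.io/v1beta1` is deprecated and is removed in Kubernetes 1.22 while the parent chart only requires `>= 1.17`, so this webhook will stop applying on newer clusters; since `sideEffects` and `admissionReviewVersions` are already set, switching to `admissionregistration.k8s.io/v1` should only need the apiVersion line. Keep in mind that `failurePolicy: Ignore` together with `caBundle: ""` means invalid Istio config is accepted until istiod's webhook controller patches this object — the comment says so, but a note next to `configValidation: true` in base/values.yaml that validation fails open at bootstrap (and whenever the istiod SA loses `update` on validatingwebhookconfigurations) would stop operators assuming the gate is closed. `url: {{ .Values.base.validationURL }}` should also be quoted as `url: "{{ .Values.base.validationURL }}"` so a value starting with a YAML indicator cannot break rendering.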
|
22
charts/kubezero-istio/charts/base/values.yaml
Normal file
22
charts/kubezero-istio/charts/base/values.yaml
Normal file
@ -0,0 +1,22 @@
|
||||
global:
|
||||
|
||||
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
istiod:
|
||||
enableAnalysis: false
|
||||
|
||||
configValidation: true
|
||||
|
||||
base:
|
||||
# Used for helm2 to add the CRDs to templates.
|
||||
enableCRDTemplates: false
|
||||
|
||||
# Validation webhook configuration url
|
||||
# For example: https://$remotePilotAddress:15017/validate
|
||||
validationURL: ""
|
14
charts/kubezero-istio/charts/istio-discovery/Chart.yaml
Normal file
14
charts/kubezero-istio/charts/istio-discovery/Chart.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
name: istio-discovery
|
||||
version: 1.2.0
|
||||
appVersion: 1.2.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for istio control plane
|
||||
keywords:
|
||||
- istio
|
||||
- istiod
|
||||
- istio-discovery
|
||||
sources:
|
||||
- http://github.com/istio/istio
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
5
charts/kubezero-istio/charts/istio-discovery/NOTES.txt
Normal file
5
charts/kubezero-istio/charts/istio-discovery/NOTES.txt
Normal file
@ -0,0 +1,5 @@
|
||||
Minimal control plane for Istio. Pilot and mesh config are included.
|
||||
|
||||
MCP and injector should optionally be installed in the same namespace. Alternatively remote
|
||||
address of an MCP server can be set.
|
||||
|
133
charts/kubezero-istio/charts/istio-discovery/README.md
Normal file
133
charts/kubezero-istio/charts/istio-discovery/README.md
Normal file
@ -0,0 +1,133 @@
|
||||
# istio-discovery
|
||||
|
||||
![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
|
||||
|
||||
Helm chart for istio control plane
|
||||
|
||||
## Source Code
|
||||
|
||||
* <http://github.com/istio/istio>
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| global.caAddress | string | `""` | |
|
||||
| global.centralIstiod | bool | `false` | |
|
||||
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
|
||||
| global.defaultResources.requests.cpu | string | `"10m"` | |
|
||||
| global.externalIstiod | bool | `false` | |
|
||||
| global.hub | string | `"gcr.io/istio-testing"` | |
|
||||
| global.imagePullPolicy | string | `""` | |
|
||||
| global.imagePullSecrets | list | `[]` | |
|
||||
| global.istioNamespace | string | `"istio-system"` | |
|
||||
| global.istiod.enableAnalysis | bool | `false` | |
|
||||
| global.jwtPolicy | string | `"third-party-jwt"` | |
|
||||
| global.logAsJson | bool | `false` | |
|
||||
| global.logging.level | string | `"default:info"` | |
|
||||
| global.meshID | string | `""` | |
|
||||
| global.meshNetworks | object | `{}` | |
|
||||
| global.mountMtlsCerts | bool | `false` | |
|
||||
| global.multiCluster.clusterName | string | `""` | |
|
||||
| global.multiCluster.enabled | bool | `false` | |
|
||||
| global.network | string | `""` | |
|
||||
| global.omitSidecarInjectorConfigMap | bool | `false` | |
|
||||
| global.oneNamespace | bool | `false` | |
|
||||
| global.operatorManageWebhooks | bool | `false` | |
|
||||
| global.pilotCertProvider | string | `"istiod"` | |
|
||||
| global.priorityClassName | string | `""` | |
|
||||
| global.proxy.autoInject | string | `"enabled"` | |
|
||||
| global.proxy.clusterDomain | string | `"cluster.local"` | |
|
||||
| global.proxy.componentLogLevel | string | `"misc:error"` | |
|
||||
| global.proxy.enableCoreDump | bool | `false` | |
|
||||
| global.proxy.excludeIPRanges | string | `""` | |
|
||||
| global.proxy.excludeInboundPorts | string | `""` | |
|
||||
| global.proxy.excludeOutboundPorts | string | `""` | |
|
||||
| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | |
|
||||
| global.proxy.image | string | `"proxyv2"` | |
|
||||
| global.proxy.includeIPRanges | string | `"*"` | |
|
||||
| global.proxy.logLevel | string | `"warning"` | |
|
||||
| global.proxy.privileged | bool | `false` | |
|
||||
| global.proxy.readinessFailureThreshold | int | `30` | |
|
||||
| global.proxy.readinessInitialDelaySeconds | int | `1` | |
|
||||
| global.proxy.readinessPeriodSeconds | int | `2` | |
|
||||
| global.proxy.resources.limits.cpu | string | `"2000m"` | |
|
||||
| global.proxy.resources.limits.memory | string | `"1024Mi"` | |
|
||||
| global.proxy.resources.requests.cpu | string | `"100m"` | |
|
||||
| global.proxy.resources.requests.memory | string | `"128Mi"` | |
|
||||
| global.proxy.statusPort | int | `15020` | |
|
||||
| global.proxy.tracer | string | `"zipkin"` | |
|
||||
| global.proxy_init.image | string | `"proxyv2"` | |
|
||||
| global.proxy_init.resources.limits.cpu | string | `"2000m"` | |
|
||||
| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | |
|
||||
| global.proxy_init.resources.requests.cpu | string | `"10m"` | |
|
||||
| global.proxy_init.resources.requests.memory | string | `"10Mi"` | |
|
||||
| global.remotePilotAddress | string | `""` | |
|
||||
| global.sds.token.aud | string | `"istio-ca"` | |
|
||||
| global.sts.servicePort | int | `0` | |
|
||||
| global.tag | string | `"latest"` | |
|
||||
| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | |
|
||||
| global.tracer.lightstep.accessToken | string | `""` | |
|
||||
| global.tracer.lightstep.address | string | `""` | |
|
||||
| global.tracer.stackdriver.debug | bool | `false` | |
|
||||
| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | |
|
||||
| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | |
|
||||
| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | |
|
||||
| global.tracer.zipkin.address | string | `""` | |
|
||||
| global.trustDomain | string | `""` | |
|
||||
| global.useMCP | bool | `false` | |
|
||||
| istiodRemote.injectionURL | string | `""` | |
|
||||
| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | string | `""` | |
|
||||
| meshConfig.rootNamespace | string | `"istio-system"` | |
|
||||
| ownerName | string | `""` | |
|
||||
| pilot.autoscaleEnabled | bool | `true` | |
|
||||
| pilot.autoscaleMax | int | `5` | |
|
||||
| pilot.autoscaleMin | int | `1` | |
|
||||
| pilot.configMap | bool | `true` | |
|
||||
| pilot.configSource.subscribedResources | list | `[]` | |
|
||||
| pilot.cpu.targetAverageUtilization | int | `80` | |
|
||||
| pilot.deploymentLabels | object | `{}` | |
|
||||
| pilot.enableProtocolSniffingForInbound | bool | `true` | |
|
||||
| pilot.enableProtocolSniffingForOutbound | bool | `true` | |
|
||||
| pilot.env | object | `{}` | |
|
||||
| pilot.hub | string | `""` | |
|
||||
| pilot.image | string | `"pilot"` | |
|
||||
| pilot.jwksResolverExtraRootCA | string | `""` | |
|
||||
| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | |
|
||||
| pilot.nodeSelector | object | `{}` | |
|
||||
| pilot.plugins | list | `[]` | |
|
||||
| pilot.podAnnotations | object | `{}` | |
|
||||
| pilot.replicaCount | int | `1` | |
|
||||
| pilot.resources.requests.cpu | string | `"500m"` | |
|
||||
| pilot.resources.requests.memory | string | `"2048Mi"` | |
|
||||
| pilot.rollingMaxSurge | string | `"100%"` | |
|
||||
| pilot.rollingMaxUnavailable | string | `"25%"` | |
|
||||
| pilot.tag | string | `""` | |
|
||||
| pilot.traceSampling | float | `1` | |
|
||||
| revision | string | `""` | |
|
||||
| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | |
|
||||
| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | |
|
||||
| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | |
|
||||
| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | |
|
||||
| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | |
|
||||
| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | |
|
||||
| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | |
|
||||
| telemetry.enabled | bool | `true` | |
|
||||
| telemetry.v2.accessLogPolicy.enabled | bool | `false` | |
|
||||
| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | |
|
||||
| telemetry.v2.enabled | bool | `true` | |
|
||||
| telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | |
|
||||
| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | |
|
||||
| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | |
|
||||
| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | |
|
||||
| telemetry.v2.prometheus.enabled | bool | `true` | |
|
||||
| telemetry.v2.prometheus.wasmEnabled | bool | `false` | |
|
||||
| telemetry.v2.stackdriver.configOverride | object | `{}` | |
|
||||
| telemetry.v2.stackdriver.disableOutbound | bool | `false` | |
|
||||
| telemetry.v2.stackdriver.enabled | bool | `false` | |
|
||||
| telemetry.v2.stackdriver.logging | bool | `false` | |
|
||||
| telemetry.v2.stackdriver.monitoring | bool | `false` | |
|
||||
| telemetry.v2.stackdriver.topology | bool | `false` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
1983
charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
Normal file
1983
charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
Normal file
File diff suppressed because it is too large
@ -0,0 +1,463 @@
|
||||
template: |
|
||||
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
||||
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
|
||||
initContainers:
|
||||
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
||||
{{ if .Values.istio_cni.enabled -}}
|
||||
- name: istio-validation
|
||||
{{ else -}}
|
||||
- name: istio-init
|
||||
{{ end -}}
|
||||
{{- if contains "/" .Values.global.proxy_init.image }}
|
||||
image: "{{ .Values.global.proxy_init.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
args:
|
||||
- istio-iptables
|
||||
- "-p"
|
||||
- "15001"
|
||||
- "-z"
|
||||
- "15006"
|
||||
- "-u"
|
||||
- "1337"
|
||||
- "-m"
|
||||
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
||||
- "-i"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
||||
- "-x"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
||||
- "-b"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
|
||||
- "-d"
|
||||
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
|
||||
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
||||
{{- else }}
|
||||
- "15090,15021"
|
||||
{{- end }}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
|
||||
- "-q"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
||||
{{ end -}}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
|
||||
- "-o"
|
||||
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
||||
{{ end -}}
|
||||
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
|
||||
- "-k"
|
||||
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
||||
{{ end -}}
|
||||
{{ if .Values.istio_cni.enabled -}}
|
||||
- "--run-validation"
|
||||
- "--skip-rule-apply"
|
||||
{{ end -}}
|
||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||
{{- if .ProxyConfig.ProxyMetadata }}
|
||||
env:
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||
privileged: {{ .Values.global.proxy.privileged }}
|
||||
capabilities:
|
||||
{{- if not .Values.istio_cni.enabled }}
|
||||
add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
{{- end }}
|
||||
drop:
|
||||
- ALL
|
||||
{{- if not .Values.istio_cni.enabled }}
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{- else }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1337
|
||||
runAsUser: 1337
|
||||
runAsNonRoot: true
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
{{ end -}}
|
||||
{{- if eq .Values.global.proxy.enableCoreDump true }}
|
||||
- name: enable-core-dump
|
||||
args:
|
||||
- -c
|
||||
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||
command:
|
||||
- /bin/sh
|
||||
{{- if contains "/" .Values.global.proxy_init.image }}
|
||||
image: "{{ .Values.global.proxy_init.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
add:
|
||||
- SYS_ADMIN
|
||||
drop:
|
||||
- ALL
|
||||
privileged: true
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
||||
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: 15090
|
||||
protocol: TCP
|
||||
name: http-envoy-prom
|
||||
args:
|
||||
- proxy
|
||||
- sidecar
|
||||
- --domain
|
||||
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||
- --serviceCluster
|
||||
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||
{{ else -}}
|
||||
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||
{{ end -}}
|
||||
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
|
||||
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
|
||||
{{- if .Values.global.sts.servicePort }}
|
||||
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
{{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
|
||||
- --concurrency
|
||||
- "{{ .ProxyConfig.Concurrency.GetValue }}"
|
||||
{{- end -}}
|
||||
{{- if .Values.global.proxy.lifecycle }}
|
||||
lifecycle:
|
||||
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
|
||||
{{- else if $holdProxy }}
|
||||
lifecycle:
|
||||
postStart:
|
||||
exec:
|
||||
command:
|
||||
- pilot-agent
|
||||
- wait
|
||||
{{- end }}
|
||||
env:
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: CA_ADDR
|
||||
{{- if .Values.global.caAddress }}
|
||||
value: {{ .Values.global.caAddress }}
|
||||
{{- else }}
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||
{{- end }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: INSTANCE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIP
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: HOST_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: CANONICAL_SERVICE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||
- name: CANONICAL_REVISION
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||
- name: PROXY_CONFIG
|
||||
value: |
|
||||
{{ protoToJSON .ProxyConfig }}
|
||||
- name: ISTIO_META_POD_PORTS
|
||||
value: |-
|
||||
[
|
||||
{{- $first := true }}
|
||||
{{- range $index1, $c := .Spec.Containers }}
|
||||
{{- range $index2, $p := $c.Ports }}
|
||||
{{- if (structToJSON $p) }}
|
||||
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||
{{- $first = false }}
|
||||
{{- end }}
|
||||
{{- end}}
|
||||
{{- end}}
|
||||
]
|
||||
- name: ISTIO_META_APP_CONTAINERS
|
||||
value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}"
|
||||
- name: ISTIO_META_CLUSTER_ID
|
||||
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||
- name: ISTIO_META_INTERCEPTION_MODE
|
||||
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
||||
{{- if .Values.global.network }}
|
||||
- name: ISTIO_META_NETWORK
|
||||
value: "{{ .Values.global.network }}"
|
||||
{{- end }}
|
||||
{{ if .ObjectMeta.Annotations }}
|
||||
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||
value: |
|
||||
{{ toJSON .ObjectMeta.Annotations }}
|
||||
{{ end }}
|
||||
{{- if .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_WORKLOAD_NAME
|
||||
value: "{{ .DeploymentMeta.Name }}"
|
||||
{{ end }}
|
||||
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||
- name: ISTIO_META_OWNER
|
||||
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||
{{- end}}
|
||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- name: ISTIO_BOOTSTRAP_OVERRIDE
|
||||
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
|
||||
{{- end }}
|
||||
{{- if .Values.global.meshID }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ .Values.global.meshID }}"
|
||||
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: ISTIO_META_MESH_ID
|
||||
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||
{{- end }}
|
||||
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||
- name: TRUST_DOMAIN
|
||||
value: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $value }}"
|
||||
{{- end }}
|
||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/ready
|
||||
port: 15021
|
||||
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
||||
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
||||
timeoutSeconds: 3
|
||||
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
||||
{{ end -}}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||
capabilities:
|
||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||
add:
|
||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
|
||||
- NET_ADMIN
|
||||
{{- end }}
|
||||
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
|
||||
- NET_BIND_SERVICE
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
drop:
|
||||
- ALL
|
||||
privileged: {{ .Values.global.proxy.privileged }}
|
||||
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
|
||||
runAsGroup: 1337
|
||||
fsGroup: 1337
|
||||
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
{{- else -}}
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1337
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||
requests:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||
limits:
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||
{{ end }}
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if .Values.global.proxy.resources }}
|
||||
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- mountPath: /var/run/secrets/istio
|
||||
name: istiod-ca-cert
|
||||
{{- end }}
|
||||
- mountPath: /var/lib/istio/data
|
||||
name: istio-data
|
||||
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- mountPath: /etc/istio/custom-bootstrap
|
||||
name: custom-bootstrap-volume
|
||||
{{- end }}
|
||||
# SDS channel between istioagent and Envoy
|
||||
- mountPath: /etc/istio/proxy
|
||||
name: istio-envoy
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: istio-token
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- mountPath: /etc/certs/
|
||||
name: istio-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: istio-podinfo
|
||||
mountPath: /etc/istio/pod
|
||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
|
||||
name: lightstep-certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 4 }}
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||
- name: custom-bootstrap-volume
|
||||
configMap:
|
||||
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
|
||||
{{- end }}
|
||||
# SDS channel between istioagent and Envoy
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: istio-envoy
|
||||
- name: istio-data
|
||||
emptyDir: {}
|
||||
- name: istio-podinfo
|
||||
downwardAPI:
|
||||
items:
|
||||
- path: "labels"
|
||||
fieldRef:
|
||||
fieldPath: metadata.labels
|
||||
- path: "annotations"
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: istio-token
|
||||
expirationSeconds: 43200
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||
- name: istiod-ca-cert
|
||||
configMap:
|
||||
name: istio-ca-root-cert
|
||||
{{- end }}
|
||||
{{- if .Values.global.mountMtlsCerts }}
|
||||
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||
- name: istio-certs
|
||||
secret:
|
||||
optional: true
|
||||
{{ if eq .Spec.ServiceAccountName "" }}
|
||||
secretName: istio.default
|
||||
{{ else -}}
|
||||
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||
{{ end -}}
|
||||
{{- end }}
|
||||
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||
- name: "{{ $index }}"
|
||||
{{ toYaml $value | indent 2 }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||
- name: lightstep-certs
|
||||
secret:
|
||||
optional: true
|
||||
secretName: lightstep.cacert
|
||||
{{- end }}
|
||||
podRedirectAnnot:
|
||||
{{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
|
||||
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}'
|
||||
{{- end }}
|
||||
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
||||
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
||||
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
||||
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
|
||||
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
||||
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
||||
{{- end }}
|
||||
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
||||
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
||||
{{- end }}
|
||||
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
||||
{{- if .Values.global.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.global.imagePullSecrets }}
|
||||
- name: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
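Review bot: The `enable-core-dump` init container runs `privileged: true` with `SYS_ADMIN` as uid 0 and executes `sysctl -w kernel.core_pattern=...`; `kernel.core_pattern` is not a namespaced sysctl, so a single injected pod rewrites the core-dump path for every process on the node, and the same `global.proxy.enableCoreDump` flag also flips the proxy container's `readOnlyRootFilesystem` to false. This file looks vendored from the upstream Istio istio-discovery chart, so I would not change the logic here, but it carries no provenance marker, which makes it hard to tell later which security-context behaviour (root `istio-init` with `NET_ADMIN`/`NET_RAW` when `istio_cni.enabled` is false, the core-dump container above) is upstream and which is a local patch. A header comment above `template: |` such as `# Vendored from upstream Istio istio-discovery chart, upstream version: <UPSTREAM VERSION PLACEHOLDER>; apply KubeZero changes via kustomize/values, not by editing this file` would cover that. Please also make sure the values shipped with this chart keep `global.proxy.enableCoreDump` at false; the default is not visible in this hunk.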
|
@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- files/gen-istio.yaml
|
@ -0,0 +1,26 @@
|
||||
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
spec:
|
||||
maxReplicas: {{ .Values.pilot.autoscaleMax }}
|
||||
minReplicas: {{ .Values.pilot.autoscaleMin }}
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
metrics:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
|
||||
---
|
||||
{{- end }}
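Review bot: `apiVersion: autoscaling/v2beta1` on the HorizontalPodAutoscaler is a deprecated API version that newer Kubernetes releases no longer serve (removed in 1.25), while the chart README only pins `>= 1.17.0`; the `metrics` block uses the matching v2beta1 shape (`targetAverageUtilization`), so the manifest will fail to apply once the cluster is upgraded past that point. Since `autoscaling/v2beta2` has been available since 1.12, switching to it keeps the stated minimum version and only changes the `metrics` entry, as below. If this chart is intentionally kept in sync with upstream Istio, note the constraint in the README's Kubernetes version line instead.

```yaml
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
# … unchanged: metadata, maxReplicas/minReplicas, scaleTargetRef …
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
```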
|
@ -0,0 +1,14 @@
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
release: {{ .Release.Name }}
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
data:
|
||||
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
|
||||
{{- end }}
|
@ -0,0 +1,92 @@
|
||||
|
||||
{{- define "mesh" }}
|
||||
# The trust domain corresponds to the trust root of a system.
|
||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
|
||||
|
||||
defaultConfig:
|
||||
{{- if .Values.global.meshID }}
|
||||
meshId: {{ .Values.global.meshID }}
|
||||
{{- else if .Values.global.trustDomain }}
|
||||
meshId: {{ .Values.global.trustDomain }}
|
||||
{{- end }}
|
||||
tracing:
|
||||
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
||||
lightstep:
|
||||
# Address of the LightStep Satellite pool
|
||||
address: {{ .Values.global.tracer.lightstep.address }}
|
||||
# Access Token used to communicate with the Satellite pool
|
||||
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
|
||||
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
|
||||
zipkin:
|
||||
# Address of the Zipkin collector
|
||||
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
|
||||
{{- else if eq .Values.global.proxy.tracer "datadog" }}
|
||||
datadog:
|
||||
# Address of the Datadog Agent
|
||||
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
|
||||
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
|
||||
stackdriver:
|
||||
# enables trace output to stdout.
|
||||
{{- if $.Values.global.tracer.stackdriver.debug }}
|
||||
debug: {{ $.Values.global.tracer.stackdriver.debug }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
|
||||
# The global default max number of attributes per span.
|
||||
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
|
||||
# The global default max number of annotation events per span.
|
||||
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
|
||||
{{- end }}
|
||||
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
|
||||
# The global default max number of message events per span.
|
||||
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
||||
{{- end }}
|
||||
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
||||
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
|
||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.global.remotePilotAddress }}
|
||||
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
||||
{{- else }}
|
||||
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
|
||||
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
|
||||
{{- $originalMesh := include "mesh" . | fromYaml }}
|
||||
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
|
||||
|
||||
{{- if .Values.pilot.configMap }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
release: {{ .Release.Name }}
|
||||
data:
|
||||
|
||||
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
|
||||
meshNetworks: |-
|
||||
{{- if .Values.global.meshNetworks }}
|
||||
networks:
|
||||
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
|
||||
{{- else }}
|
||||
networks: {}
|
||||
{{- end }}
|
||||
|
||||
mesh: |-
|
||||
{{- if .Values.meshConfig }}
|
||||
{{ $mesh | toYaml | indent 4 }}
|
||||
{{- else }}
|
||||
{{- include "mesh" . }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
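Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` under `tracing.lightstep` in the `mesh` template is rendered into the `mesh` key of a `kind: ConfigMap`, so the LightStep credential ends up stored in plaintext in a ConfigMap rather than a Secret, readable by anything that can get ConfigMaps in that namespace. This mirrors upstream Istio, but a comment at that line would keep operators from treating the value as protected, e.g. `# NOTE: rendered in plaintext into the istio ConfigMap; do not put a production token in values.yaml committed to git`. Separately, `trustDomain` is emitted with `| quote` while `meshId`, the tracer `address` values and `discoveryAddress` are plain scalars; because the rendered text is re-parsed by `include "mesh" . | fromYaml` before the `mergeOverwrite` with `.Values.meshConfig`, a value that happens to look like a number or boolean would be retyped, so quoting them consistently (`meshId: {{ .Values.global.meshID | quote }}`) is safer.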
|
@ -0,0 +1,245 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
istio: pilot
|
||||
release: {{ .Release.Name }}
|
||||
{{- range $key, $val := .Values.pilot.deploymentLabels }}
|
||||
{{ $key }}: "{{ $val }}"
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.pilot.autoscaleEnabled }}
|
||||
{{- if .Values.pilot.replicaCount }}
|
||||
replicas: {{ .Values.pilot.replicaCount }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
|
||||
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- if ne .Values.revision ""}}
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
{{- else }}
|
||||
istio: pilot
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
{{- if eq .Values.revision ""}}
|
||||
istio: pilot
|
||||
{{- else }}
|
||||
istio: istiod
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||
prometheus.io/port: "15014"
|
||||
prometheus.io/scrape: "true"
|
||||
{{- end }}
|
||||
sidecar.istio.io/inject: "false"
|
||||
{{- if .Values.pilot.podAnnotations }}
|
||||
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: istiod-service-account
|
||||
{{- if .Values.global.priorityClassName }}
|
||||
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||
{{- end }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
containers:
|
||||
- name: discovery
|
||||
{{- if contains "/" .Values.pilot.image }}
|
||||
image: "{{ .Values.pilot.image }}"
|
||||
{{- else }}
|
||||
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
|
||||
{{- end }}
|
||||
{{- if .Values.global.imagePullPolicy }}
|
||||
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||
{{- end }}
|
||||
args:
|
||||
- "discovery"
|
||||
- --monitoringAddr=:15014
|
||||
{{- if .Values.global.logging.level }}
|
||||
- --log_output_level={{ .Values.global.logging.level }}
|
||||
{{- end}}
|
||||
{{- if .Values.global.logAsJson }}
|
||||
- --log_as_json
|
||||
{{- end }}
|
||||
- --domain
|
||||
- {{ .Values.global.proxy.clusterDomain }}
|
||||
{{- if .Values.global.oneNamespace }}
|
||||
- "-a"
|
||||
- {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- if .Values.pilot.plugins }}
|
||||
- --plugins={{ .Values.pilot.plugins }}
|
||||
{{- end }}
|
||||
- --keepaliveMaxServerConnectionAge
|
||||
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
- containerPort: 15010
|
||||
protocol: TCP
|
||||
- containerPort: 15017
|
||||
protocol: TCP
|
||||
- containerPort: 15053
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: 8080
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 3
|
||||
timeoutSeconds: 5
|
||||
env:
|
||||
- name: REVISION
|
||||
value: "{{ .Values.revision | default `default` }}"
|
||||
- name: JWT_POLICY
|
||||
value: {{ .Values.global.jwtPolicy }}
|
||||
- name: PILOT_CERT_PROVIDER
|
||||
value: {{ .Values.global.pilotCertProvider }}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: SERVICE_ACCOUNT
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: KUBECONFIG
|
||||
value: /var/run/secrets/remote/config
|
||||
{{- if .Values.pilot.env }}
|
||||
{{- range $key, $val := .Values.pilot.env }}
|
||||
- name: {{ $key }}
|
||||
value: "{{ $val }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.pilot.traceSampling }}
|
||||
- name: PILOT_TRACE_SAMPLING
|
||||
value: "{{ .Values.pilot.traceSampling }}"
|
||||
{{- end }}
|
||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
|
||||
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
||||
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
||||
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
||||
{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }}
|
||||
- name: INJECTION_WEBHOOK_CONFIG_NAME
|
||||
{{- if eq .Release.Namespace "istio-system" }}
|
||||
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- else }}
|
||||
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- name: ISTIOD_ADDR
|
||||
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
||||
- name: PILOT_ENABLE_ANALYSIS
|
||||
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
||||
- name: CLUSTER_ID
|
||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||
- name: EXTERNAL_ISTIOD
|
||||
value: "{{ $.Values.global.externalIstiod | default "false" }}"
|
||||
- name: CENTRAL_ISTIOD
|
||||
value: "{{ $.Values.global.centralIstiod | default "false" }}"
|
||||
{{- if .Values.telemetry.v2.enabled }}
|
||||
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
||||
value: "true"
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if .Values.pilot.resources }}
|
||||
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
|
||||
{{- else }}
|
||||
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
runAsUser: 1337
|
||||
runAsGroup: 1337
|
||||
runAsNonRoot: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
volumeMounts:
|
||||
- name: config-volume
|
||||
mountPath: /etc/istio/config
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
mountPath: /var/run/secrets/tokens
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: local-certs
|
||||
mountPath: /var/run/secrets/istio-dns
|
||||
- name: cacerts
|
||||
mountPath: /etc/cacerts
|
||||
readOnly: true
|
||||
- name: istio-kubeconfig
|
||||
mountPath: /var/run/secrets/remote
|
||||
readOnly: true
|
||||
- name: inject
|
||||
mountPath: /var/lib/istio/inject
|
||||
readOnly: true
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
- name: extracacerts
|
||||
mountPath: /cacerts
|
||||
{{- end }}
|
||||
volumes:
|
||||
# Technically not needed on this pod - but it helps debugging/testing SDS
|
||||
# Should be removed after everything works.
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: local-certs
|
||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||
- name: istio-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: {{ .Values.global.sds.token.aud }}
|
||||
expirationSeconds: 43200
|
||||
path: istio-token
|
||||
{{- end }}
|
||||
# Optional: user-generated root
|
||||
- name: cacerts
|
||||
secret:
|
||||
secretName: cacerts
|
||||
optional: true
|
||||
- name: istio-kubeconfig
|
||||
secret:
|
||||
secretName: istio-kubeconfig
|
||||
optional: true
|
||||
# Optional - image should have
|
||||
- name: inject
|
||||
configMap:
|
||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||
- name: extracacerts
|
||||
configMap:
|
||||
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- end }}
|
||||
---
|
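Review bot: The istiod pod is pinned to control-plane nodes by a hard-coded `nodeSelector` on `node-role.kubernetes.io/master: ""` plus the matching toleration near the top of the pod spec, with no comment and no value to override it; the rest of the file appears to track the upstream istiod chart, so this local scheduling constraint deserves an explanation in place. The `node-role.kubernetes.io/master` label and taint were deprecated in Kubernetes 1.20 in favour of `node-role.kubernetes.io/control-plane` and are removed in 1.25, so on newer clusters the selector silently stops matching and the Deployment becomes unschedulable. I would add `# KubeZero: schedule istiod on control-plane nodes only (see tolerations below)` above `nodeSelector` and a second toleration with `key: node-role.kubernetes.io/control-plane`, or drive both from values so the transition does not require a template edit.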
@ -0,0 +1,35 @@
|
||||
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
release: {{ .Release.Name }}
|
||||
data:
|
||||
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
|
||||
values: |-
|
||||
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
|
||||
|
||||
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
|
||||
# and istiod webhook functionality.
|
||||
#
|
||||
# New fields should not use Values - it is a 'primary' config object, users should be able
|
||||
# to fine tune it or use it with kube-inject.
|
||||
config: |-
|
||||
policy: {{ .Values.global.proxy.autoInject }}
|
||||
alwaysInjectSelector:
|
||||
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
||||
neverInjectSelector:
|
||||
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
|
||||
injectedAnnotations:
|
||||
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
||||
"{{ $key }}": "{{ $val }}"
|
||||
{{- end }}
|
||||
|
||||
{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
|
||||
|
||||
{{- end }}
|
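Review bot: The `.Files.Get "files/injection-template.yaml"` at the end of the `config` block has no guard, and `.Files.Get` returns an empty string when the file is absent from the packaged chart, so a packaging mistake renders an injector ConfigMap without any template instead of failing the install. Wrapping it as `{{ required "files/injection-template.yaml is missing from the chart" (.Files.Get "files/injection-template.yaml") | trim | indent 4 }}` turns that into a template error at render time, which is the point where it is cheapest to notice.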
@ -0,0 +1,85 @@
|
||||
# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds)
|
||||
{{- if not .Values.global.operatorManageWebhooks }}
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
{{- if eq .Release.Namespace "istio-system"}}
|
||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{ else }}
|
||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
app: sidecar-injector
|
||||
release: {{ .Release.Name }}
|
||||
webhooks:
|
||||
- name: sidecar-injector.istio.io
|
||||
clientConfig:
|
||||
{{- if .Values.istiodRemote.injectionURL }}
|
||||
url: {{ .Values.istiodRemote.injectionURL }}
|
||||
{{- else }}
|
||||
service:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
path: "/inject"
|
||||
{{- end }}
|
||||
caBundle: ""
|
||||
sideEffects: None
|
||||
rules:
|
||||
- operations: [ "CREATE" ]
|
||||
apiGroups: [""]
|
||||
apiVersions: ["v1"]
|
||||
resources: ["pods"]
|
||||
failurePolicy: Fail
|
||||
admissionReviewVersions: ["v1beta1", "v1"]
|
||||
namespaceSelector:
|
||||
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||
matchExpressions:
|
||||
- key: name
|
||||
operator: NotIn
|
||||
values:
|
||||
- {{ .Release.Namespace }}
|
||||
- key: istio-injection
|
||||
operator: NotIn
|
||||
values:
|
||||
- disabled
|
||||
- key: istio-env
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: DoesNotExist
|
||||
{{- else if .Values.revision }}
|
||||
matchExpressions:
|
||||
- key: istio-injection
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Values.revision }}
|
||||
{{- else }}
|
||||
matchLabels:
|
||||
istio-injection: enabled
|
||||
{{- end }}
|
||||
{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
|
||||
objectSelector:
|
||||
{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
|
||||
matchExpressions:
|
||||
- key: "sidecar.istio.io/inject"
|
||||
operator: NotIn
|
||||
values:
|
||||
- "false"
|
||||
{{- else if .Values.revision }}
|
||||
matchExpressions:
|
||||
- key: "sidecar.istio.io/inject"
|
||||
operator: DoesNotExist
|
||||
- key: istio.io/rev
|
||||
operator: In
|
||||
values:
|
||||
- {{ .Values.revision }}
|
||||
{{- else }}
|
||||
matchLabels:
|
||||
"sidecar.istio.io/inject": "true"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
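Review bot: The webhook is declared as `admissionregistration.k8s.io/v1beta1`, which has been deprecated since Kubernetes 1.16 and is no longer served from 1.22, so this MutatingWebhookConfiguration will stop applying on current clusters. The object already sets `sideEffects: None` and `admissionReviewVersions`, the fields `v1` makes mandatory, so the change is just `apiVersion: admissionregistration.k8s.io/v1`; I would also list `"v1"` first in `admissionReviewVersions` and set an explicit `timeoutSeconds`, since the v1 default drops from 30s to 10s. Separately, the `enableNamespacesByDefault` branch excludes the release namespace with `key: name`, which only works if namespaces actually carry a `name` label; where they do not, the automatic `kubernetes.io/metadata.name` label (set from Kubernetes 1.21) is the reliable key, and without a working exclusion a `failurePolicy: Fail` webhook can block pod creation in its own namespace while istiod is unavailable.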
@ -0,0 +1,25 @@
|
||||
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: istiod
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
release: {{ .Release.Name }}
|
||||
istio: pilot
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: istiod
|
||||
{{- if ne .Values.revision ""}}
|
||||
istio.io/rev: {{ .Values.revision }}
|
||||
{{- else }}
|
||||
istio: pilot
|
||||
{{- end }}
|
||||
---
|
||||
{{- end }}
|
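Review bot: `minAvailable: 1` against a selector that matches a single istiod Deployment will make node drains hang whenever that Deployment runs one replica, because the PDB then never permits an eviction; since the Deployment in this commit pins istiod to control-plane nodes, that would block draining a control-plane node. If one replica is the expected default, either gate this resource on `.Values.pilot.replicaCount` being greater than 1 (or on `pilot.autoscaleEnabled`) or state the expectation above the field, e.g. `# Assumes pilot.replicaCount >= 2; with a single replica this PDB blocks control-plane node drains`. The `policy/v1beta1` apiVersion is also on its way out: `policy/v1` has been served since Kubernetes 1.21 and v1beta1 is removed in 1.25.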
@ -0,0 +1,37 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
app: istiod
|
||||
istio: pilot
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
ports:
|
||||
- port: 15010
|
||||
name: grpc-xds # plaintext
|
||||
protocol: TCP
|
||||
- port: 15012
|
||||
name: https-dns # mTLS with k8s-signed cert
|
||||
protocol: TCP
|
||||
- port: 443
|
||||
name: https-webhook # validation and injection
|
||||
targetPort: 15017
|
||||
protocol: TCP
|
||||
- port: 15014
|
||||
name: http-monitoring # prometheus stats
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: istiod
|
||||
{{- if ne .Values.revision ""}}
|
||||
istio.io/rev: {{ .Values.revision }}
|
||||
{{- else }}
|
||||
# Label used by the 'default' service. For versioned deployments we match with app and version.
|
||||
# This avoids default deployment picking the canary
|
||||
istio: pilot
|
||||
{{- end }}
|
||||
---
|
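Review bot: The Service publishes port 15010 `grpc-xds`, which its own inline comment marks as plaintext, next to the mTLS xDS port 15012 that the Deployment's `ISTIOD_ADDR` in this commit points sidecars at. If nothing in this installation depends on plaintext xDS, exposing it only widens what an in-cluster client can reach from the control plane without presenting a certificate; I would either drop the port or record above it which consumer still needs it, e.g. `# plaintext xDS kept for <consumer>; remove once all clients use 15012`.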
@ -0,0 +1,792 @@
|
||||
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
|
||||
# Note: metadata exchange filter is wasm enabled only in sidecars.
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||
operator.istio.io/component: "Pilot"
|
||||
spec:
|
||||
configPatches:
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{}
|
||||
vm_config:
|
||||
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.metadata_exchange
|
||||
{{- end }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{}
|
||||
vm_config:
|
||||
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.metadata_exchange
|
||||
{{- end }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{}
|
||||
vm_config:
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.metadata_exchange
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener: {}
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||
value:
|
||||
protocol: istio-peer-exchange
|
||||
- applyTo: CLUSTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
cluster: {}
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
filters:
|
||||
- name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||
value:
|
||||
protocol: istio-peer-exchange
|
||||
- applyTo: CLUSTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
cluster: {}
|
||||
patch:
|
||||
operation: MERGE
|
||||
value:
|
||||
filters:
|
||||
- name: istio.metadata_exchange
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||
value:
|
||||
protocol: istio-peer-exchange
|
||||
---
|
||||
# Note: http stats filter is wasm enabled only in sidecars.
|
||||
{{- if .Values.telemetry.v2.prometheus.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||
{
|
||||
{{- if .Values.global.multiCluster.clusterName }}
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||
"destination_cluster": "upstream_peer.cluster_id"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stats_outbound
|
||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.stats
|
||||
{{- end }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_inbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||
{
|
||||
{{- if .Values.global.multiCluster.clusterName }}
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "downstream_peer.cluster_id",
|
||||
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stats_inbound
|
||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.stats
|
||||
{{- end }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||
{
|
||||
"disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }},
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||
"destination_cluster": "upstream_peer.cluster_id"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stats_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: envoy.wasm.stats
|
||||
---
|
||||
# Note: tcp stats filter is wasm enabled only in sidecars.
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_inbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||
{
|
||||
{{- if .Values.global.multiCluster.clusterName }}
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "downstream_peer.cluster_id",
|
||||
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: tcp_stats_inbound
|
||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: "envoy.wasm.stats"
|
||||
{{- end }}
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||
{
|
||||
{{- if .Values.global.multiCluster.clusterName }}
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||
"destination_cluster": "upstream_peer.cluster_id"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: tcp_stats_outbound
|
||||
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||
runtime: envoy.wasm.runtime.v8
|
||||
allow_precompiled: true
|
||||
code:
|
||||
local:
|
||||
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||
{{- else }}
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: "envoy.wasm.stats"
|
||||
{{- end }}
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stats
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stats_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||
{
|
||||
{{- if .Values.global.multiCluster.clusterName }}
|
||||
"metrics": [
|
||||
{
|
||||
"dimensions": {
|
||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||
"destination_cluster": "upstream_peer.cluster_id"
|
||||
}
|
||||
}
|
||||
]
|
||||
{{- end }}
|
||||
}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: tcp_stats_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local:
|
||||
inline_string: "envoy.wasm.stats"
|
||||
---
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.telemetry.v2.stackdriver.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
{{- end }}
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_inbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_inbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "envoy.router"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
---
|
||||
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: SIDECAR_OUTBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
{{- end }}
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_inbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_inbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
- applyTo: NETWORK_FILTER
|
||||
match:
|
||||
context: GATEWAY
|
||||
proxy:
|
||||
proxyVersion: '^1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.tcp_proxy"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.stackdriver
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
root_id: stackdriver_outbound
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
|
||||
{{- else }}
|
||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||
{{- end }}
|
||||
vm_config:
|
||||
vm_id: stackdriver_outbound
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||
---
|
||||
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
{{- if .Values.meshConfig.rootNamespace }}
|
||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||
{{- else }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
labels:
|
||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||
spec:
|
||||
configPatches:
|
||||
- applyTo: HTTP_FILTER
|
||||
match:
|
||||
context: SIDECAR_INBOUND
|
||||
proxy:
|
||||
proxyVersion: '1\.8.*'
|
||||
listener:
|
||||
filterChain:
|
||||
filter:
|
||||
name: "envoy.http_connection_manager"
|
||||
subFilter:
|
||||
name: "istio.stackdriver"
|
||||
patch:
|
||||
operation: INSERT_BEFORE
|
||||
value:
|
||||
name: istio.access_log
|
||||
typed_config:
|
||||
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||
value:
|
||||
config:
|
||||
configuration:
|
||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||
value: |
|
||||
{
|
||||
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
|
||||
}
|
||||
vm_config:
|
||||
runtime: envoy.wasm.runtime.null
|
||||
code:
|
||||
local: { inline_string: "envoy.wasm.access_log_policy" }
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
485
charts/kubezero-istio/charts/istio-discovery/values.yaml
@ -0,0 +1,485 @@
|
||||
#.Values.pilot for discovery and mesh wide config
|
||||
|
||||
## Discovery Settings
|
||||
pilot:
|
||||
autoscaleEnabled: true
|
||||
autoscaleMin: 1
|
||||
autoscaleMax: 5
|
||||
replicaCount: 1
|
||||
rollingMaxSurge: 100%
|
||||
rollingMaxUnavailable: 25%
|
||||
|
||||
hub: ""
|
||||
tag: ""
|
||||
|
||||
# Can be a full hub/image:tag
|
||||
image: pilot
|
||||
traceSampling: 1.0
|
||||
|
||||
# Resources for a small pilot install
|
||||
resources:
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 2048Mi
|
||||
|
||||
env: {}
|
||||
|
||||
cpu:
|
||||
targetAverageUtilization: 80
|
||||
|
||||
# if protocol sniffing is enabled for outbound
|
||||
enableProtocolSniffingForOutbound: true
|
||||
# if protocol sniffing is enabled for inbound
|
||||
enableProtocolSniffingForInbound: true
|
||||
|
||||
nodeSelector: {}
|
||||
podAnnotations: {}
|
||||
|
||||
# You can use jwksResolverExtraRootCA to provide a root certificate
|
||||
# in PEM format. This will then be trusted by pilot when resolving
|
||||
# JWKS URIs.
|
||||
jwksResolverExtraRootCA: ""
|
||||
|
||||
# This is used to set the source of configuration for
|
||||
# the associated address in configSource, if nothing is specificed
|
||||
# the default MCP is assumed.
|
||||
configSource:
|
||||
subscribedResources: []
|
||||
|
||||
plugins: []
|
||||
|
||||
# The following is used to limit how long a sidecar can be connected
|
||||
# to a pilot. It balances out load across pilot instances at the cost of
|
||||
# increasing system churn.
|
||||
keepaliveMaxServerConnectionAge: 30m
|
||||
|
||||
# Additional labels to apply to the deployment.
|
||||
deploymentLabels: {}
|
||||
|
||||
|
||||
## Mesh config settings
|
||||
|
||||
# Install the mesh config map, generated from values.yaml.
|
||||
# If false, pilot wil use default values (by default) or user-supplied values.
|
||||
configMap: true
|
||||
|
||||
|
||||
sidecarInjectorWebhook:
|
||||
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
||||
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
||||
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
||||
neverInjectSelector: []
|
||||
alwaysInjectSelector: []
|
||||
|
||||
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
|
||||
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
|
||||
#
|
||||
# annotations:
|
||||
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
||||
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
||||
#
|
||||
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
|
||||
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
|
||||
# injectedAnnotations:
|
||||
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
|
||||
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
|
||||
injectedAnnotations: {}
|
||||
|
||||
# This enables injection of sidecar in all namespaces,
|
||||
# with the exception of namespaces with "istio-injection:disabled" annotation
|
||||
# Only one environment should have this enabled.
|
||||
enableNamespacesByDefault: false
|
||||
|
||||
# Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector.
|
||||
# It is disabled by default since this function will only work after k8s v1.15.
|
||||
objectSelector:
|
||||
enabled: false
|
||||
autoInject: true
|
||||
|
||||
rewriteAppHTTPProbe: true
|
||||
istiodRemote:
|
||||
# Sidecar injector mutating webhook configuration url
|
||||
# For example: https://$remotePilotAddress:15017/inject
|
||||
injectionURL: ""
|
||||
telemetry:
|
||||
enabled: true
|
||||
v2:
|
||||
# For Null VM case now.
|
||||
# This also enables metadata exchange.
|
||||
enabled: true
|
||||
metadataExchange:
|
||||
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
|
||||
wasmEnabled: false
|
||||
# Indicate if prometheus stats filter is enabled or not
|
||||
prometheus:
|
||||
enabled: true
|
||||
# Indicates whether to enable WebAssembly runtime for stats filter.
|
||||
wasmEnabled: false
|
||||
# overrides stats EnvoyFilter configuration.
|
||||
configOverride:
|
||||
gateway: {}
|
||||
inboundSidecar: {}
|
||||
outboundSidecar: {}
|
||||
# stackdriver filter settings.
|
||||
stackdriver:
|
||||
enabled: false
|
||||
logging: false
|
||||
monitoring: false
|
||||
topology: false
|
||||
disableOutbound: false
|
||||
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
|
||||
|
||||
configOverride: {}
|
||||
# e.g.
|
||||
# enable_mesh_edges_reporting: true
|
||||
# disable_server_access_logging: false
|
||||
# meshEdgesReportingDuration: 500s
|
||||
# disable_host_header_fallback: true
|
||||
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
|
||||
accessLogPolicy:
|
||||
enabled: false
|
||||
# To reduce the number of successful logs, default log window duration is
|
||||
# set to 12 hours.
|
||||
logWindowDuration: "43200s"
|
||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||
revision: ""
|
||||
|
||||
# For Helm compatibility.
|
||||
ownerName: ""
|
||||
|
||||
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
|
||||
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
|
||||
meshConfig:
|
||||
|
||||
# Config for the default ProxyConfig.
|
||||
# Initially using directly the proxy metadata - can also be activated using annotations
|
||||
# on the pod. This is an unsupported low-level API, pending review and decisions on
|
||||
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
|
||||
# and gradual adoption by setting capture only on specific workloads. It also allows
|
||||
# VMs to use other DNS options, like dnsmasq or unbound.
|
||||
defaultConfig:
|
||||
proxyMetadata:
|
||||
# If empty, agent will not start :15013 DNS listener and will not attempt
|
||||
# to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in
|
||||
# istiod and the dns-over-tls listener.
|
||||
# DNS_AGENT: DNS-TLS
|
||||
DNS_AGENT: ""
|
||||
|
||||
# The namespace to treat as the administrative root namespace for Istio configuration.
|
||||
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
||||
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
|
||||
# is processed as if it were declared in the leaf namespace.
|
||||
rootNamespace: "istio-system"
|
||||
|
||||
# TODO: the intent is to eventually have this enabled by default when security is used.
|
||||
# It is not clear if user should normally need to configure - the metadata is typically
|
||||
# used as an escape and to control testing and rollout, but it is not intended as a long-term
|
||||
# stable API.
|
||||
|
||||
# What we may configure in mesh config is the ".global" - and use of other suffixes.
|
||||
# No hurry to do this in 1.6, we're trying to prove the code.
|
||||
|
||||
global:
|
||||
# enable pod disruption budget for the control plane, which is used to
|
||||
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: true
|
||||
# The values aren't mutable due to a current PodDisruptionBudget limitation
|
||||
# minAvailable: 1
|
||||
|
||||
# A minimal set of requested resources to applied to all deployments so that
|
||||
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||
# Each component can overwrite these default values by adding its own resources
|
||||
# block in the relevant section below and setting the desired resources values.
|
||||
defaultResources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
# memory: 128Mi
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
# Used to locate istiod.
|
||||
istioNamespace: istio-system
|
||||
|
||||
# Default hub for Istio images.
|
||||
# Releases are published to docker hub under 'istio' project.
|
||||
# Dev builds from prow are on gcr.io
|
||||
hub: gcr.io/istio-testing
|
||||
# Default tag for Istio images.
|
||||
tag: latest
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent.
|
||||
imagePullPolicy: ""
|
||||
|
||||
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||
# Must be set for any cluster configured with private docker registry.
|
||||
imagePullSecrets: []
|
||||
# - private-registry-key
|
||||
|
||||
# Enabled by default in master for maximising testing.
|
||||
istiod:
|
||||
enableAnalysis: false
|
||||
|
||||
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||
logAsJson: false
|
||||
|
||||
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||
# If empty, default scope and level will be used as configured in code
|
||||
logging:
|
||||
level: "default:info"
|
||||
|
||||
omitSidecarInjectorConfigMap: false
|
||||
|
||||
# Whether to restrict the applications namespace the controller manages;
|
||||
# If not set, controller watches all namespaces
|
||||
oneNamespace: false
|
||||
|
||||
# Configure whether Operator manages webhook configurations. The current behavior
|
||||
# of Istiod is to manage its own webhook configurations.
|
||||
# When this option is set as true, Istio Operator, instead of webhooks, manages the
|
||||
# webhook configurations. When this option is set as false, webhooks manage their
|
||||
# own webhook configurations.
|
||||
operatorManageWebhooks: false
|
||||
|
||||
# Custom DNS config for the pod to resolve names of services in other
|
||||
# clusters. Use this to add additional search domains, and other settings.
|
||||
# see
|
||||
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
|
||||
# This does not apply to gateway pods as they typically need a different
|
||||
# set of DNS settings than the normal application pods (e.g., in
|
||||
# multicluster scenarios).
|
||||
# NOTE: If using templates, follow the pattern in the commented example below.
|
||||
#podDNSSearchNamespaces:
|
||||
#- global
|
||||
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
|
||||
|
||||
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
||||
proxy:
|
||||
image: proxyv2
|
||||
|
||||
# This controls the 'policy' in the sidecar injector.
|
||||
autoInject: enabled
|
||||
|
||||
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||
# cluster domain. Default value is "cluster.local".
|
||||
clusterDomain: "cluster.local"
|
||||
|
||||
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||
# not set, then the global "logLevel" will be used.
|
||||
componentLogLevel: "misc:error"
|
||||
|
||||
# If set, newly injected sidecars will have core dumps enabled.
|
||||
enableCoreDump: false
|
||||
|
||||
# istio ingress capture allowlist
|
||||
# examples:
|
||||
# Redirect only selected ports: --includeInboundPorts="80,8080"
|
||||
excludeInboundPorts: ""
|
||||
|
||||
# istio egress capture allowlist
|
||||
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
|
||||
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
|
||||
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
|
||||
# be allowed by the sidecar
|
||||
includeIPRanges: "*"
|
||||
excludeIPRanges: ""
|
||||
excludeOutboundPorts: ""
|
||||
|
||||
# Log level for proxy, applies to gateways and sidecars.
|
||||
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||
logLevel: warning
|
||||
|
||||
#If set to true, istio-proxy container will have privileged securityContext
|
||||
privileged: false
|
||||
|
||||
# The number of successive failed probes before indicating readiness failure.
|
||||
readinessFailureThreshold: 30
|
||||
|
||||
# The initial delay for readiness probes in seconds.
|
||||
readinessInitialDelaySeconds: 1
|
||||
|
||||
# The period between readiness probes.
|
||||
readinessPeriodSeconds: 2
|
||||
|
||||
# Resources for the sidecar.
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
|
||||
statusPort: 15020
|
||||
|
||||
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
|
||||
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
|
||||
tracer: "zipkin"
|
||||
|
||||
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
|
||||
holdApplicationUntilProxyStarts: false
|
||||
|
||||
proxy_init:
|
||||
# Base name for the proxy_init container, used to configure iptables.
|
||||
image: proxyv2
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 10Mi
|
||||
|
||||
# configure remote pilot and istiod service and endpoint
|
||||
remotePilotAddress: ""
|
||||
|
||||
##############################################################################################
|
||||
# The following values are found in other charts. To effectively modify these values, make #
|
||||
# make sure they are consistent across your Istio helm charts #
|
||||
##############################################################################################
|
||||
|
||||
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||
caAddress: ""
|
||||
|
||||
# External istiod controls all remote clusters: disabled by default
|
||||
externalIstiod: false
|
||||
# Central istiod controls all remote clusters: disabled by default
|
||||
centralIstiod: false
|
||||
|
||||
# Configure the policy for validating JWT.
|
||||
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||
jwtPolicy: "third-party-jwt"
|
||||
|
||||
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||
# meshes will interact with each other, but it is not required to be
|
||||
# globally/universally unique. For example, if any of the following are true,
|
||||
# then two meshes must have different Mesh IDs:
|
||||
# - Meshes will have their telemetry aggregated in one place
|
||||
# - Meshes will be federated together
|
||||
# - Policy will be written referencing one mesh from the other
|
||||
#
|
||||
# If an administrator expects that any of these conditions may become true in
|
||||
# the future, they should ensure their meshes have different Mesh IDs
|
||||
# assigned.
|
||||
#
|
||||
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||
# ID post-install.
|
||||
#
|
||||
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||
# value.
|
||||
meshID: ""
|
||||
|
||||
# Configure the mesh networks to be used by the Split Horizon EDS.
|
||||
#
|
||||
# The following example defines two networks with different endpoints association methods.
|
||||
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
|
||||
# mapped to network1. The gateway for this network example is specified by its public IP
|
||||
# address and port.
|
||||
# The second network, `network2`, in this example is defined differently with all endpoints
|
||||
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
|
||||
# gateway is also defined differently with the name of the gateway service on the remote
|
||||
# cluster. The public IP for the gateway will be determined from that remote service (only
|
||||
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
|
||||
# it still need to be configured manually).
|
||||
#
|
||||
# meshNetworks:
|
||||
# network1:
|
||||
# endpoints:
|
||||
# - fromCidr: "192.168.0.1/24"
|
||||
# gateways:
|
||||
# - address: 1.1.1.1
|
||||
# port: 80
|
||||
# network2:
|
||||
# endpoints:
|
||||
# - fromRegistry: reg1
|
||||
# gateways:
|
||||
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
|
||||
# port: 443
|
||||
#
|
||||
meshNetworks: {}
|
||||
|
||||
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||
mountMtlsCerts: false
|
||||
|
||||
multiCluster:
|
||||
# Set to true to connect two kubernetes clusters via their respective
|
||||
# ingressgateway services when pods in each cluster cannot directly
|
||||
# talk to one another. All clusters should be using Istio mTLS and must
|
||||
# have a shared root CA for this model to work.
|
||||
enabled: false
|
||||
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||
# to properly label proxies
|
||||
clusterName: ""
|
||||
|
||||
# Network defines the network this cluster belong to. This name
|
||||
# corresponds to the networks in the map of mesh networks.
|
||||
network: ""
|
||||
|
||||
# Configure the certificate provider for control plane communication.
|
||||
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||
# As some platforms may not have kubernetes signing APIs,
|
||||
# Istiod is the default
|
||||
pilotCertProvider: istiod
|
||||
|
||||
sds:
|
||||
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
|
||||
# JWT is intended for the CA.
|
||||
token:
|
||||
aud: istio-ca
|
||||
|
||||
sts:
|
||||
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||
# Setting this port to a non-zero value enables STS server.
|
||||
servicePort: 0
|
||||
|
||||
# Configuration for each of the supported tracers
|
||||
tracer:
|
||||
# Configuration for envoy to send trace data to LightStep.
|
||||
# Disabled by default.
|
||||
# address: the <host>:<port> of the satellite pool
|
||||
# accessToken: required for sending data to the pool
|
||||
#
|
||||
datadog:
|
||||
# Host:Port for submitting traces to the Datadog agent.
|
||||
address: "$(HOST_IP):8126"
|
||||
lightstep:
|
||||
address: "" # example: lightstep-satellite:443
|
||||
accessToken: "" # example: abcdefg1234567
|
||||
stackdriver:
|
||||
# enables trace output to stdout.
|
||||
debug: false
|
||||
# The global default max number of message events per span.
|
||||
maxNumberOfMessageEvents: 200
|
||||
# The global default max number of annotation events per span.
|
||||
maxNumberOfAnnotations: 200
|
||||
# The global default max number of attributes per span.
|
||||
maxNumberOfAttributes: 200
|
||||
zipkin:
|
||||
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
|
||||
# zipkin service (port 9411) in the same namespace as the other istio components.
|
||||
address: ""
|
||||
|
||||
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
|
||||
useMCP: false
|
||||
|
||||
# Deprecated, use meshConfig.trustDomain
|
||||
trustDomain: ""
|
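Review bot: `global.hub: gcr.io/istio-testing` together with `global.tag: latest` (and `imagePullPolicy: ""`, which the comment above it says resolves to Always for `latest`) leaves the default control-plane and sidecar images as unpinned builds from Istio's testing registry, so every pod restart may pull a different, unreviewed image; this file appears to be the upstream istio-discovery values copied verbatim, and nothing in this diff overrides those two keys. Unless the kubezero-istio parent chart pins them (which would be outside this diff), the defaults should be replaced with `hub: docker.io/istio` and a quoted release tag, e.g. `tag: "1.8.<patch>"`, matching the `'^1\.8.*'` proxyVersion the bundled EnvoyFilters select on; quoting the tag also keeps YAML from re-typing a numeric-looking version. Separately, `global.tracer.lightstep.accessToken: ""` is a credential slot in a committed values file; keep it empty here and supply the real token through a Secret or an out-of-repo values override, never by editing this file.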
@ -1,12 +0,0 @@
|
||||
apiVersion: v1
|
||||
name: istio-operator
|
||||
version: 1.7.0
|
||||
tillerVersion: ">=2.7.2"
|
||||
description: Helm chart for deploying Istio operator
|
||||
keywords:
|
||||
- istio
|
||||
- operator
|
||||
sources:
|
||||
- https://github.com/istio/istio/tree/master/operator
|
||||
engine: gotpl
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -1,74 +0,0 @@
|
||||
# SYNC WITH manifests/charts/base/files
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: istiooperators.install.istio.io
|
||||
labels:
|
||||
release: istio
|
||||
spec:
|
||||
group: install.istio.io
|
||||
names:
|
||||
kind: IstioOperator
|
||||
plural: istiooperators
|
||||
singular: istiooperator
|
||||
shortNames:
|
||||
- iop
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Istio control plane revision
|
||||
jsonPath: .spec.revision
|
||||
name: Revision
|
||||
type: string
|
||||
- description: IOP current state
|
||||
jsonPath: .status.status
|
||||
type: string
|
||||
name: Status
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
description:
|
||||
"CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
apiVersion:
|
||||
description:
|
||||
"APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
|
||||
type: string
|
||||
kind:
|
||||
description:
|
||||
"Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
||||
type: string
|
||||
spec:
|
||||
description:
|
||||
"Specification of the desired state of the istio control plane resource.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
description:
|
||||
"Status describes each of istio control plane component status at the current time.
|
||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
|
@ -1,109 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
rules:
|
||||
# istio groups
|
||||
- apiGroups:
|
||||
- authentication.istio.io
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- config.istio.io
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- install.istio.io
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- networking.istio.io
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- security.istio.io
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
# k8s groups
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- mutatingwebhookconfigurations
|
||||
- validatingwebhookconfigurations
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions.apiextensions.k8s.io
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- apps
|
||||
- extensions
|
||||
resources:
|
||||
- daemonsets
|
||||
- deployments
|
||||
- deployments/finalizers
|
||||
- ingresses
|
||||
- replicasets
|
||||
- statefulsets
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- autoscaling
|
||||
resources:
|
||||
- horizontalpodautoscalers
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- monitoring.coreos.com
|
||||
resources:
|
||||
- servicemonitors
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
- poddisruptionbudgets
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- clusterrolebindings
|
||||
- clusterroles
|
||||
- roles
|
||||
- rolebindings
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
- endpoints
|
||||
- events
|
||||
- namespaces
|
||||
- pods
|
||||
- pods/proxy
|
||||
- persistentvolumeclaims
|
||||
- secrets
|
||||
- services
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
@ -1,13 +0,0 @@
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
namespace: {{.Values.operatorNamespace}}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
@ -1,6 +0,0 @@
|
||||
{{- if .Values.enableCRDTemplates -}}
|
||||
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
|
||||
---
|
||||
{{ $.Files.Get $path }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -1,57 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: {{.Values.operatorNamespace}}
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
name: istio-operator
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
name: istio-operator
|
||||
spec:
|
||||
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- name: istio-operator
|
||||
image: {{.Values.hub}}/operator:{{.Values.tag}}
|
||||
command:
|
||||
- operator
|
||||
- server
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsGroup: 1337
|
||||
runAsUser: 1337
|
||||
runAsNonRoot: true
|
||||
imagePullPolicy: IfNotPresent
|
||||
resources:
|
||||
{{ toYaml .Values.operator.resources | trim | indent 12 }}
|
||||
env:
|
||||
- name: WATCH_NAMESPACE
|
||||
value: {{.Values.watchedNamespaces | quote}}
|
||||
- name: LEADER_ELECTION_NAMESPACE
|
||||
value: {{.Values.operatorNamespace | quote}}
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: OPERATOR_NAME
|
||||
value: {{.Values.operatorNamespace | quote}}
|
||||
- name: WAIT_FOR_RESOURCES_TIMEOUT
|
||||
value: {{.Values.waitForResourcesTimeout | quote}}
|
||||
- name: REVISION
|
||||
value: {{.Values.revision | quote}}
|
||||
---
|
@ -1,15 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
namespace: {{.Values.operatorNamespace}}
|
||||
labels:
|
||||
name: istio-operator
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
spec:
|
||||
ports:
|
||||
- name: http-metrics
|
||||
port: 8383
|
||||
targetPort: 8383
|
||||
selector:
|
||||
name: istio-operator
|
||||
---
|
@ -1,6 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
namespace: {{.Values.operatorNamespace}}
|
||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
---
|
@ -1,25 +0,0 @@
|
||||
hub: gcr.io/istio-testing
|
||||
tag: latest
|
||||
|
||||
operatorNamespace: istio-operator
|
||||
|
||||
# Used to replace istioNamespace to support operator watch multiple namespaces.
|
||||
watchedNamespaces: istio-system
|
||||
waitForResourcesTimeout: 300s
|
||||
|
||||
# Used for helm2 to add the CRDs to templates.
|
||||
enableCRDTemplates: false
|
||||
|
||||
# revision for the operator resources
|
||||
revision: ""
|
||||
|
||||
# Operator resource defaults
|
||||
operator:
|
||||
resources:
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
|
File diff suppressed because it is too large
@ -1,82 +0,0 @@
|
||||
kind: CustomResourceDefinition
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
metadata:
|
||||
name: adapters.config.istio.io
|
||||
labels:
|
||||
app: mixer
|
||||
package: adapter
|
||||
istio: mixer-adapter
|
||||
chart: istio
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
annotations:
|
||||
"helm.sh/resource-policy": keep
|
||||
spec:
|
||||
group: config.istio.io
|
||||
names:
|
||||
kind: adapter
|
||||
plural: adapters
|
||||
singular: adapter
|
||||
categories:
|
||||
- istio-io
|
||||
- policy-istio-io
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
|
||||
---
|
||||
kind: CustomResourceDefinition
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
metadata:
|
||||
name: templates.config.istio.io
|
||||
labels:
|
||||
app: mixer
|
||||
package: template
|
||||
istio: mixer-template
|
||||
chart: istio
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
annotations:
|
||||
"helm.sh/resource-policy": keep
|
||||
spec:
|
||||
group: config.istio.io
|
||||
names:
|
||||
kind: template
|
||||
plural: templates
|
||||
singular: template
|
||||
categories:
|
||||
- istio-io
|
||||
- policy-istio-io
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
|
@ -1,74 +0,0 @@
|
||||
# SYNC WITH manifests/charts/istio-operator/templates
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: istiooperators.install.istio.io
|
||||
labels:
|
||||
release: istio
|
||||
spec:
|
||||
group: install.istio.io
|
||||
names:
|
||||
kind: IstioOperator
|
||||
plural: istiooperators
|
||||
singular: istiooperator
|
||||
shortNames:
|
||||
- iop
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Istio control plane revision
|
||||
jsonPath: .spec.revision
|
||||
name: Revision
|
||||
type: string
|
||||
- description: IOP current state
|
||||
jsonPath: .status.status
|
||||
type: string
|
||||
name: Status
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
description:
|
||||
"CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
apiVersion:
|
||||
description:
|
||||
"APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
|
||||
type: string
|
||||
kind:
|
||||
description:
|
||||
"Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
||||
type: string
|
||||
spec:
|
||||
description:
|
||||
"Specification of the desired state of the istio control plane resource.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
description:
|
||||
"Status describes each of istio control plane component status at the current time.
|
||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
|
16
charts/kubezero-istio/istio-discovery.patch
Normal file
16
charts/kubezero-istio/istio-discovery.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||
index e4a983a..ba586de 100644
|
||||
--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||
@@ -59,6 +59,11 @@ spec:
|
||||
{{- end }}
|
||||
securityContext:
|
||||
fsGroup: 1337
|
||||
+ nodeSelector:
|
||||
+ node-role.kubernetes.io/master: ""
|
||||
+ tolerations:
|
||||
+ - effect: NoSchedule
|
||||
+ key: node-role.kubernetes.io/master
|
||||
containers:
|
||||
- name: discovery
|
||||
{{- if contains "/" .Values.pilot.image }}
|
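Review bot: The five added lines after `fsGroup: 1337` pin istiod to nodes labelled `node-role.kubernetes.io/master` and tolerate only that taint, so on a cluster whose control-plane nodes carry the `node-role.kubernetes.io/control-plane` label and taint instead the discovery Deployment becomes unschedulable; a second selector/toleration pair, or a block driven from chart values rather than a hard-coded patch, would avoid that. If the upstream template already renders `nodeSelector` or `tolerations` for the pod elsewhere in the pod spec (for example from `.Values.pilot.*`), this insertion yields a duplicate mapping key that most YAML loaders resolve silently as last-wins, so the rendered output is worth checking once. The patch is also bound to blob `e4a983a..ba586de` of the vendored file and must be re-validated on every upstream chart bump. The enclosing Deployment template starts and ends outside the hunk.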
@ -1,15 +0,0 @@
|
||||
--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100
|
||||
+++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100
|
||||
@@ -14,6 +14,12 @@
|
||||
name: istio-operator
|
||||
spec:
|
||||
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||
+ nodeSelector:
|
||||
+ kubernetes.io/os: linux
|
||||
+ node-role.kubernetes.io/master: ""
|
||||
+ tolerations:
|
||||
+ - key: node-role.kubernetes.io/master
|
||||
+ effect: NoSchedule
|
||||
containers:
|
||||
- name: istio-operator
|
||||
image: {{.Values.hub}}/operator:{{.Values.tag}}
|
@ -1,140 +0,0 @@
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
apiVersion: install.istio.io/v1alpha1
|
||||
kind: IstioOperator
|
||||
metadata:
|
||||
name: kubezero-istio-private-ingress
|
||||
namespace: istio-system
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
profile: empty
|
||||
components:
|
||||
ingressGateways:
|
||||
- name: istio-private-ingressgateway
|
||||
enabled: true
|
||||
namespace: istio-system
|
||||
k8s:
|
||||
replicaCount: {{ .Values.ingress.replicaCount }}
|
||||
{{- if .Values.ingress.autoscaleEnabled }}
|
||||
hpaSpec:
|
||||
maxReplicas: 5
|
||||
metrics:
|
||||
- resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: 80
|
||||
type: Resource
|
||||
minReplicas: 1
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-private-ingressgateway
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if .Values.ingress.private.http10 }}
|
||||
- name: ISTIO_META_HTTP10
|
||||
value: '"1"'
|
||||
{{- end }}
|
||||
# https://github.com/istio/istio/issues/26524, not in 1.7 either
|
||||
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
||||
# value: "60"
|
||||
#- name: ISTIO_META_IDLE_TIMEOUT
|
||||
# value: "3600s"
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}"
|
||||
{{- end }}
|
||||
resources:
|
||||
limits:
|
||||
# cpu: 2000m
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 100%
|
||||
maxUnavailable: 25%
|
||||
overlays:
|
||||
- apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-private-ingressgateway
|
||||
patches:
|
||||
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
||||
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
||||
- path: spec.template.spec.terminationGracePeriodSeconds
|
||||
value: 90
|
||||
|
||||
meshConfig:
|
||||
accessLogFile: /dev/stdout
|
||||
accessLogEncoding: 'JSON'
|
||||
h2UpgradePolicy: 'DO_NOT_UPGRADE'
|
||||
tcpKeepalive:
|
||||
interval: 30s
|
||||
time: 60s
|
||||
|
||||
values:
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
|
||||
externalTrafficPolicy: Local
|
||||
labels:
|
||||
app: istio-private-ingressgateway
|
||||
istio: private-ingressgateway
|
||||
meshExpansionPorts: []
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-private-ingressgateway
|
||||
type: {{ default "NodePort" .Values.ingress.type }}
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31021
|
||||
{{- end }}
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31080
|
||||
{{- end }}
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31443
|
||||
{{- end }}
|
||||
- name: fluentd-forward
|
||||
port: 24224
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31224
|
||||
{{- end }}
|
||||
- name: amqps
|
||||
port: 5671
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31671
|
||||
{{- end }}
|
||||
- name: amqp
|
||||
port: 5672
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31672
|
||||
{{- end }}
|
||||
- name: redis
|
||||
port: 6379
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31379
|
||||
{{- end }}
|
||||
- name: redis-1
|
||||
port: 6380
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31380
|
||||
{{- end }}
|
||||
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
||||
logAsJson: true
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
{{- end }}
|
@ -1,152 +0,0 @@
|
||||
apiVersion: install.istio.io/v1alpha1
|
||||
kind: IstioOperator
|
||||
metadata:
|
||||
name: kubezero-istio
|
||||
namespace: istio-system
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
profile: empty
|
||||
components:
|
||||
base:
|
||||
enabled: true
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
ingressGateways:
|
||||
- enabled: true
|
||||
k8s:
|
||||
replicaCount: {{ .Values.ingress.replicaCount }}
|
||||
{{- if .Values.ingress.autoscaleEnabled }}
|
||||
hpaSpec:
|
||||
maxReplicas: 5
|
||||
metrics:
|
||||
- resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: 80
|
||||
type: Resource
|
||||
minReplicas: 1
|
||||
scaleTargetRef:
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-ingressgateway
|
||||
{{- end }}
|
||||
env:
|
||||
{{- if .Values.ingress.http10 }}
|
||||
- name: ISTIO_META_HTTP10
|
||||
value: '"1"'
|
||||
{{- end }}
|
||||
# https://github.com/istio/istio/issues/26524, not in 1.7 !
|
||||
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
||||
# value: "60"
|
||||
#- name: ISTIO_META_IDLE_TIMEOUT
|
||||
# value: "3600s"
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodeSelector:
|
||||
node.kubernetes.io/ingress.public: "30080_30443"
|
||||
{{- end }}
|
||||
resources:
|
||||
limits:
|
||||
#cpu: 2000m
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 100%
|
||||
maxUnavailable: 25%
|
||||
overlays:
|
||||
- apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: istio-ingressgateway
|
||||
patches:
|
||||
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
||||
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
||||
- path: spec.template.spec.terminationGracePeriodSeconds
|
||||
value: 90
|
||||
|
||||
name: istio-ingressgateway
|
||||
{{- end }}
|
||||
pilot:
|
||||
enabled: true
|
||||
k8s:
|
||||
replicaCount: {{ .Values.istiod.replicaCount }}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
env:
|
||||
- name: PILOT_ENABLE_MYSQL_FILTER
|
||||
value: "true"
|
||||
- name: PILOT_ENABLE_REDIS_FILTER
|
||||
value: "true"
|
||||
- name: PILOT_HTTP10
|
||||
value: "true"
|
||||
policy:
|
||||
enabled: true
|
||||
k8s:
|
||||
replicaCount: {{ .Values.istiod.replicaCount }}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
|
||||
telemetry:
|
||||
enabled: false
|
||||
meshConfig:
|
||||
accessLogFile: /dev/stdout
|
||||
accessLogEncoding: 'JSON'
|
||||
h2UpgradePolicy: 'DO_NOT_UPGRADE'
|
||||
tcpKeepalive:
|
||||
interval: 30s
|
||||
time: 60s
|
||||
values:
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
|
||||
externalTrafficPolicy: Local
|
||||
labels:
|
||||
app: istio-ingressgateway
|
||||
istio: ingressgateway
|
||||
meshExpansionPorts: []
|
||||
podAntiAffinityLabelSelector:
|
||||
- key: app
|
||||
operator: In
|
||||
topologyKey: kubernetes.io/hostname
|
||||
values: istio-ingressgateway
|
||||
type: {{ default "NodePort" .Values.ingress.type }}
|
||||
ports:
|
||||
- name: http-status
|
||||
port: 15021
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 30021
|
||||
{{- end }}
|
||||
- name: http2
|
||||
port: 80
|
||||
targetPort: 8080
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 30080
|
||||
{{- end }}
|
||||
- name: https
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 30443
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
||||
logAsJson: true
|
||||
defaultPodDisruptionBudget:
|
||||
enabled: false
|
||||
pilot:
|
||||
autoscaleEnabled: false
|
||||
mixer:
|
||||
policy:
|
||||
autoscaleEnabled: false
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
export ISTIO_VERSION=1.7.4
|
||||
export ISTIO_VERSION=1.8.0
|
||||
|
||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||
NAME="istio-$ISTIO_VERSION"
|
||||
@ -10,17 +10,24 @@ if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||
curl -sL "$URL" | tar xz
|
||||
fi
|
||||
|
||||
# Extract control plane charts
|
||||
rm -rf charts/base charts/istio-*
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/
|
||||
|
||||
# Patch for istiod to control plane
|
||||
patch -p3 -i istio-discovery.patch
|
||||
|
||||
# Minor tweaks
|
||||
rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml
|
||||
|
||||
# Ingress charts
|
||||
rm -rf ../kubezero-istio-ingress/charts/istio-*
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress
|
||||
|
||||
# Rename private chart
|
||||
sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
|
||||
|
||||
# Get matching istioctl
|
||||
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||
|
||||
# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
|
||||
# Now lets extract istio-operator chart
|
||||
rm -rf charts/istio-operator
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
|
||||
|
||||
# Apply our patch
|
||||
patch -i istio-operator.patch -p0
|
||||
|
||||
# Extract crds
|
||||
rm -rf crds
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds .
|
||||
# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||
|
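Review bot: `patch -p3 -i istio-discovery.patch` applies the new vendored patch with GNU patch's default fuzz, so after a future `ISTIO_VERSION` bump a shifted context can still let the hunk land a few lines away from the intended spot without `set -ex` noticing; `patch -p3 --fuzz=0 -i istio-discovery.patch` makes any mismatch fail loudly instead. The chart tarball is still fetched with `curl -sL "$URL" | tar xz` and no checksum or signature check, so the `1.8.0` pin fixes the version but not the content of what gets vendored into the repository; recording the expected archive digest next to the version and verifying it with `sha256sum -c` before extraction would close that gap. The `sed` that renames the copied private-ingress chart appears to rewrite only the `name:` line of its `Chart.yaml`; if the copied templates derive resource names from a literal chart name rather than `.Chart.Name`, both ingress charts would render colliding objects, which is worth confirming against the rendered manifests.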