ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 23 Packages Projects Releases Wiki Activity

First try adding argoCD day 2

Browse Source
This commit is contained in:
Stefan Reimer 2020-11-24 06:44:57 -08:00
parent 35b1570d18
commit cd24b9fa1a
114 changed files with 15422 additions and 7777 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
charts/kubezero-argo-cd/README.md
View File

@ -1,6 +1,6 @@
# kubezero-argo-cd
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
@ -18,7 +18,7 @@ Kubernetes: `>= 1.17.0`
| Repository | Name | Version |
|------------|------|---------|
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 |
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
| argo-cd.controller.metrics.enabled | bool | `false` | |
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
| argo-cd.dex.enabled | bool | `false` | |
| argo-cd.global.image.tag | string | `"v1.7.8"` | |
| argo-cd.global.image.tag | string | `"v1.7.10"` | |
| argo-cd.installCRDs | bool | `false` | |
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| argo-cd.istio.ipBlocks | list | `[]` | |
| argo-cd.repoServer.logFormat | string | `"json"` | |
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
@ -53,8 +48,10 @@ Kubernetes: `>= 1.17.0`
| argo-cd.server.metrics.enabled | bool | `false` | |
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
| istio.ipBlocks | list | `[]` | |
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |

26
charts/kubezero-argo-cd/templates/app.yaml
View File

@ -1,26 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubezero
namespace: argocd
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
project: kubezero
source:
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
helm:
values: |
{{- toYaml .Values.kubezero | nindent 8 }}
destination:
server: {{ .Values.kubezero.global.defaultDestination.server }}
namespace: argocd
{{- if .Values.kubezero.global.syncPolicy }}
syncPolicy:
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
{{- end }}

6
charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
View File

@ -1,5 +1,5 @@
{{- if index .Values "argo-cd" "istio" "enabled" }}
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
{{- if .Values.istio.enabled }}
{{- if .Values.istio.ipBlocks }}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
@ -16,7 +16,7 @@ spec:
- from:
- source:
notIpBlocks:
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
{{- with .Values.istio.ipBlocks }}
{{- . | toYaml | nindent 8 }}
{{- end }}
to:

8
charts/kubezero-argo-cd/templates/istio-service.yaml
View File

@ -1,4 +1,4 @@
{{- if index .Values "argo-cd" "istio" "enabled" }}
{{- if .Values.istio.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
@ -7,7 +7,7 @@ metadata:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
gateways:
- {{ index .Values "argo-cd" "istio" "gateway" }}
- {{ .Values.istio.gateway }}
hosts:
- {{ index .Values "argo-cd" "server" "config" "url" }}
http:
@ -18,13 +18,13 @@ spec:
prefix: argocd-client
route:
- destination:
host: {{ .Release.Name }}-argocd-server
host: argocd-server
port:
number: 443
- name: http
route:
- destination:
host: {{ .Release.Name }}-argocd-server
host: argocd-server
port:
number: 80
{{- end }}

15
charts/kubezero-argo-cd/values.yaml
View File

@ -44,7 +44,6 @@ argo-cd:
enabled: false
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: metrics
@ -62,7 +61,6 @@ argo-cd:
enabled: false
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: metrics
@ -105,7 +103,6 @@ argo-cd:
enabled: false
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: metrics
@ -119,9 +116,9 @@ argo-cd:
dex:
enabled: false
istio:
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-system/ingressgateway
ipBlocks: []
istio:
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
enabled: false
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
gateway: istio-ingress/ingressgateway
ipBlocks: []

2
charts/kubezero-aws-ebs-csi-driver/Chart.yaml
View File

@ -3,7 +3,7 @@ name: kubezero-aws-ebs-csi-driver
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
type: application
version: 0.3.2
appVersion: 0.7.0
appVersion: 0.7.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
sources:

2
charts/kubezero-aws-ebs-csi-driver/README.md
View File

@ -1,6 +1,6 @@
# kubezero-aws-ebs-csi-driver
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
KubeZero Umbrella Chart for aws-ebs-csi-driver

4
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml
View File

@ -1,8 +1,8 @@
apiVersion: v1
appVersion: "0.7.0"
appVersion: "0.7.1"
name: aws-ebs-csi-driver
description: A Helm chart for AWS EBS CSI Driver
version: 0.6.0
version: 0.6.1
kubeVersion: ">=1.13.0-0"
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
sources:

2
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml
View File

@ -6,7 +6,7 @@ replicaCount: 2
image:
repository: amazon/aws-ebs-csi-driver
tag: "v0.7.0"
tag: "v0.7.1"
pullPolicy: IfNotPresent
sidecars:

3
charts/kubezero-cert-manager/README.md
View File

@ -40,10 +40,11 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| cert-manager.enabled | bool | `true` | |
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
| cert-manager.podAnnotations | object | `{}` | |
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |

24
charts/kubezero-istio-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.1.0
appVersion: 1.8.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- istio
maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.1.0
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.1.0
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.17.0"

96
charts/kubezero-istio-ingress/README.md Normal file
View File

@ -0,0 +1,96 @@
# kubezero-istio-ingress
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
**Homepage:** <https://kubezero.com>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Quarky9 | | |
## Requirements
Kubernetes: `>= 1.17.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-ingress | 1.1.0 |
| | istio-private-ingress | 1.1.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.hub | string | `"docker.io/istio"` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| global.tag | string | `"1.8.0"` | |
| istio-ingress.dnsNames | list | `[]` | |
| istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.dnsNames | list | `[]` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

24
charts/kubezero-istio-ingress/README.md.gotmpl Normal file
View File

@ -0,0 +1,24 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
## Resources
- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
- https://istio.io/latest/docs/setup/install/standalone-operator/

13
charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt Normal file
View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

112
charts/kubezero-istio-ingress/charts/istio-ingress/README.md Normal file
View File

@ -0,0 +1,112 @@
# istio-ingress
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
Helm chart for deploying Istio gateways
## Source Code
* <http://github.com/istio/istio>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
| gateways.istio-ingressgateway.customService | bool | `false` | |
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
| global.arch.amd64 | int | `2` | |
| global.arch.ppc64le | int | `2` | |
| global.arch.s390x | int | `2` | |
| global.caAddress | string | `""` | |
| global.defaultConfigVisibilitySettings | list | `[]` | |
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
| global.defaultResources.requests.cpu | string | `"10m"` | |
| global.defaultTolerations | list | `[]` | |
| global.hub | string | `"gcr.io/istio-testing"` | |
| global.imagePullPolicy | string | `""` | |
| global.imagePullSecrets | list | `[]` | |
| global.istioNamespace | string | `"istio-system"` | |
| global.jwtPolicy | string | `"third-party-jwt"` | |
| global.logAsJson | bool | `false` | |
| global.logging.level | string | `"default:info"` | |
| global.meshExpansion.enabled | bool | `false` | |
| global.meshExpansion.useILB | bool | `false` | |
| global.meshID | string | `""` | |
| global.mountMtlsCerts | bool | `false` | |
| global.multiCluster.clusterName | string | `""` | |
| global.multiCluster.enabled | bool | `false` | |
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
| global.network | string | `""` | |
| global.pilotCertProvider | string | `"istiod"` | |
| global.priorityClassName | string | `""` | |
| global.proxy.clusterDomain | string | `"cluster.local"` | |
| global.proxy.componentLogLevel | string | `"misc:error"` | |
| global.proxy.enableCoreDump | bool | `false` | |
| global.proxy.image | string | `"proxyv2"` | |
| global.proxy.logLevel | string | `"warning"` | |
| global.sds.token.aud | string | `"istio-ca"` | |
| global.sts.servicePort | int | `0` | |
| global.tag | string | `"latest"` | |
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
| meshConfig.defaultConfig.tracing | string | `nil` | |
| meshConfig.enablePrometheusMerge | bool | `true` | |
| ownerName | string | `""` | |
| revision | string | `""` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)

93
charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl Normal file
View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

345
charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml Normal file
View File

@ -0,0 +1,345 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

79
charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

78
charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml Normal file
View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml Normal file
View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml Normal file
View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

55
charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml Normal file
View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

18
charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml Normal file
View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

13
charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
name: istio-private-ingress
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

43
charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt Normal file
View File

@ -0,0 +1,43 @@
Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management is isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks
- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.
- simplified label and chart structure.
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
# Port and basic host configuration
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
both in upgrade, Gateway and VirtualService.
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
config for the rest.
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
# Migration from istio-system
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:
1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
4. Modify the DNS server to add the A record of the new namespace
5. Check traffic
6. Delete the A record corresponding to the gateway in istio-system
7. Upgrade istio-system, disabling the ingressgateway
8. Delete the domain TLS certs from istio-system.
If using certmanager, all Certificate and associated configs must be moved as well.

112
charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md Normal file
View File

@ -0,0 +1,112 @@
# istio-ingress
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
Helm chart for deploying Istio gateways
## Source Code
* <http://github.com/istio/istio>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
| gateways.istio-ingressgateway.customService | bool | `false` | |
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
| global.arch.amd64 | int | `2` | |
| global.arch.ppc64le | int | `2` | |
| global.arch.s390x | int | `2` | |
| global.caAddress | string | `""` | |
| global.defaultConfigVisibilitySettings | list | `[]` | |
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
| global.defaultResources.requests.cpu | string | `"10m"` | |
| global.defaultTolerations | list | `[]` | |
| global.hub | string | `"gcr.io/istio-testing"` | |
| global.imagePullPolicy | string | `""` | |
| global.imagePullSecrets | list | `[]` | |
| global.istioNamespace | string | `"istio-system"` | |
| global.jwtPolicy | string | `"third-party-jwt"` | |
| global.logAsJson | bool | `false` | |
| global.logging.level | string | `"default:info"` | |
| global.meshExpansion.enabled | bool | `false` | |
| global.meshExpansion.useILB | bool | `false` | |
| global.meshID | string | `""` | |
| global.mountMtlsCerts | bool | `false` | |
| global.multiCluster.clusterName | string | `""` | |
| global.multiCluster.enabled | bool | `false` | |
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
| global.network | string | `""` | |
| global.pilotCertProvider | string | `"istiod"` | |
| global.priorityClassName | string | `""` | |
| global.proxy.clusterDomain | string | `"cluster.local"` | |
| global.proxy.componentLogLevel | string | `"misc:error"` | |
| global.proxy.enableCoreDump | bool | `false` | |
| global.proxy.image | string | `"proxyv2"` | |
| global.proxy.logLevel | string | `"warning"` | |
| global.sds.token.aud | string | `"istio-ca"` | |
| global.sts.servicePort | int | `0` | |
| global.tag | string | `"latest"` | |
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
| meshConfig.defaultConfig.tracing | string | `nil` | |
| meshConfig.enablePrometheusMerge | bool | `true` | |
| ownerName | string | `""` | |
| revision | string | `""` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)

93
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl Normal file
View File

@ -0,0 +1,93 @@
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- {{ $key | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinity" }}
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
podAntiAffinity:
{{- if .podAntiAffinityLabelSelector }}
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
{{- end }}
{{- if .podAntiAffinityTermLabelSelector }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityRequiredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityLabelSelector }}
- labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- end }}
{{- end }}
{{- define "podAntiAffinityPreferredDuringScheduling" }}
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: {{ $item.key }}
operator: {{ $item.operator }}
{{- if $item.values }}
values:
{{- $vals := split "," $item.values }}
{{- range $i, $v := $vals }}
- {{ $v | quote }}
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
weight: 100
{{- end }}
{{- end }}

27
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,27 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
maxReplicas: {{ $gateway.autoscaleMax }}
minReplicas: {{ $gateway.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
---
{{- end }}

345
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml Normal file
View File

@ -0,0 +1,345 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
{{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}}
service.istio.io/canonical-revision: latest
{{- end }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: true
{{- end }}
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.proxy.logLevel }}
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
{{- end}}
{{- if .Values.global.proxy.componentLogLevel }}
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
{{- end}}
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15021
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
{{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
- name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
{{- if and (not $network_set) .Values.global.network }}
- name: ISTIO_META_NETWORK
value: {{ .Values.global.network }}
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
- name: istio-envoy
mountPath: /etc/istio/proxy
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: gatewaysdsudspath
mountPath: /var/run/ingress_gateway
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
- name: podinfo
mountPath: /etc/istio/pod
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: istio-envoy
emptyDir: {}
- name: gatewaysdsudspath
emptyDir: {}
- name: istio-data
emptyDir: {}
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
secretName: istio.istio-ingressgateway-service-account
optional: true
{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
optional: true
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}

79
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if .Values.global.meshExpansion.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: meshexpansion-gateway
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 15012
protocol: TCP
name: tcp-istiod
hosts:
- "*"
- port:
number: 15017
protocol: TCP
name: tcp-istiodwebhook
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-vs-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
hosts:
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 15012
route:
- destination:
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 15012
- match:
- port: 15017
route:
- destination:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
port:
number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: meshexpansion-dr-istiod
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
spec:
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
trafficPolicy:
portLevelSettings:
- port:
number: 15012
tls:
mode: DISABLE
- port:
number: 15017
tls:
mode: DISABLE
{{- end }}

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
minAvailable: 1
selector:
matchLabels:
{{ $gateway.labels | toYaml | trim | indent 6 }}
{{- end }}

78
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml Normal file
View File

@ -0,0 +1,78 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}

16
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml Normal file
View File

@ -0,0 +1,16 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---

19
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml Normal file
View File

@ -0,0 +1,19 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
subjects:
- kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
---

55
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml Normal file
View File

@ -0,0 +1,55 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if not $gateway.customService }}
apiVersion: v1
kind: Service
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := $gateway.serviceAnnotations }}
{{ $key }}: {{ $val | quote }}
{{- end }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if $gateway.loadBalancerIP }}
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
{{- end }}
{{- if $gateway.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
{{- end }}
{{- if $gateway.externalTrafficPolicy }}
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
{{- end }}
type: {{ $gateway.type }}
selector:
{{ $gateway.labels | toYaml | indent 4 }}
ports:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- if $.Values.global.meshExpansion.enabled }}
{{- range $key, $val := $gateway.meshExpansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
port: {{ $app.port }}
name: {{ $app.name }}
{{- end }}
---
{{ end }}

18
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,18 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | trim | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"

336
charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml Normal file
View File

@ -0,0 +1,336 @@
# A-la-carte istio ingress gateway.
# Must be installed in a separate namespace, to minimize access to secrets.
gateways:
istio-ingressgateway:
name: istio-ingressgateway
labels:
app: istio-ingressgateway
istio: ingressgateway
ports:
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
# Note that AWS ELB will by default perform health checks on the first port
# on this list. Setting this to the health check port will ensure that health
# checks always work. https://github.com/istio/istio/issues/12503
- port: 15021
targetPort: 15021
name: status-port
protocol: TCP
- port: 80
targetPort: 8080
name: http2
protocol: TCP
- port: 443
targetPort: 8443
name: https
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning
# replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
loadBalancerIP: ""
loadBalancerSourceRanges: []
serviceAnnotations: {}
# Enable cross-cluster access using SNI matching
zvpn:
enabled: false
suffix: global
# To generate an internal load balancer:
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
#serviceAnnotations:
# cloud.google.com/load-balancer-type: "internal"
podAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
#### MESH EXPANSION PORTS ########
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
# Delete these ports if mesh expansion is not enabled, to avoid
# exposing unnecessary ports on the web.
# You can remove these ports if you are not using mesh expansion
meshExpansionPorts:
- port: 15012
targetPort: 15012
name: tcp-istiod
####### end MESH EXPANSION PORTS ######
##############
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
customService: false
externalTrafficPolicy: ""
ingressPorts: []
additionalContainers: []
configVolumes: []
### Advanced options ############
env:
# A gateway with this mode ensures that pilot generates an additional
# set of clusters for internal services but without Istio mTLS, to
# enable cross cluster routing.
ISTIO_META_ROUTER_MODE: "sni-dnat"
nodeSelector: {}
tolerations: []
# Specify the pod anti-affinity that allows you to constrain which nodes
# your pod is eligible to be scheduled based on labels on pods that are
# already running on the node rather than based on labels on nodes.
# There are currently two types of anti-affinity:
# "requiredDuringSchedulingIgnoredDuringExecution"
# "preferredDuringSchedulingIgnoredDuringExecution"
# which denote "hard" vs. "soft" requirements, you can define your values
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
# correspondingly.
# For example:
# podAntiAffinityLabelSelector:
# - key: security
# operator: In
# values: S1,S2
# topologyKey: "kubernetes.io/hostname"
# This pod anti-affinity rule says that the pod requires not to be scheduled
# onto a node if that node is already running a pod with label having key
# "security" and value "S1".
podAntiAffinityLabelSelector: []
podAntiAffinityTermLabelSelector: []
# whether to run the gateway in a privileged container
runAsRoot: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
global:
# set the default set of namespaces to which services, service entries, virtual services, destination
# rules should be exported to. Currently only one value can be provided in this list. This value
# should be one of the following two options:
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
defaultConfigVisibilitySettings: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default node tolerations to be applied to all deployments so that all pods can be
# scheduled to a particular nodes with matching taints. Each component can overwrite
# these default values by adding its tolerations block in the relevant section below
# and setting the desired values.
# Configure this field in case that all pods of Istio control plane are expected to
# be scheduled to particular nodes with specified taints.
defaultTolerations: []
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion:
enabled: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
useILB: false
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# Used to locate istiod.
istioNamespace: istio-system
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# The suffix for global service names
globalDomainSuffix: "global"
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
includeEnvoyFilter: true
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Deprecated, use meshConfig.trustDomain
# trustDomain: ""
meshConfig:
enablePrometheusMerge: true
# trustDomain: ""
defaultConfig:
proxyMetadata: {}
tracing:
# tlsSettings:
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
# privateKey: # example: /etc/istio/tracer/key.pem
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
# sni: # example: tracer.somedomain
# subjectAltNames: []
# - tracer.somedomain

8
charts/kubezero-istio/templates/envoyfilter.yaml → charts/kubezero-istio-ingress/templates/envoyfilter.yaml
View File

@ -1,9 +1,9 @@
{{- if .Values.ingress.public.enabled }}
{{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-listener-tcp-keepalive
namespace: istio-system
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:
@ -33,13 +33,13 @@ spec:
state: STATE_LISTENING
{{- end }}
{{- if .Values.ingress.private.enabled }}
{{- if index .Values "istio-private-ingress" "enabled" }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: istio-system
namespace: {{ .Release.Namespace }}
spec:
workloadSelector:
labels:

6
charts/kubezero-istio/templates/ingress-certificate.yaml → charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
View File

@ -1,9 +1,9 @@
{{- if .Values.ingress.dnsNames }}
{{- if index .Values "istio-ingress" "dnsNames" }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: public-ingress-cert
namespace: istio-system
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
@ -12,5 +12,5 @@ spec:
name: letsencrypt-dns-prod
kind: ClusterIssuer
dnsNames:
{{ toYaml .Values.ingress.dnsNames | indent 4 }}
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
{{- end }}

27
charts/kubezero-istio/templates/ingress-gateway.yaml → charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
View File

@ -1,9 +1,9 @@
{{- if .Values.ingress.public.enabled }}
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: ingressgateway
namespace: istio-system
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
@ -15,7 +15,7 @@ spec:
name: http
protocol: HTTP2
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls:
httpsRedirect: true
- port:
@ -23,20 +23,21 @@ spec:
name: https
protocol: HTTPS
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: public-ingress-cert
{{- end }}
{{- if .Values.ingress.private.enabled }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: private-ingressgateway
namespace: istio-system
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
@ -48,7 +49,7 @@ spec:
name: http
protocol: HTTP2
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls:
httpsRedirect: true
- port:
@ -56,7 +57,7 @@ spec:
name: https
protocol: HTTPS
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
@ -67,19 +68,19 @@ spec:
name: amqp
protocol: TCP
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 24224
name: fluentd-forward
protocol: TLS
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
@ -90,11 +91,11 @@ spec:
name: redis
protocol: TCP
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 6380
name: redis-1
protocol: TCP
hosts:
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
{{- end }}

5
charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml → charts/kubezero-istio-ingress/templates/namespace.yaml
View File

@ -1,8 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{.Values.operatorNamespace}}
name: istio-ingress
labels:
istio-operator-managed: Reconcile
istio-injection: disabled
---
{{ include "kubezero-lib.labels" . | indent 4 }}

120
charts/kubezero-istio-ingress/values.yaml Normal file
View File

@ -0,0 +1,120 @@
# Make sure these values match kuberzero-istio !!!
global:
hub: docker.io/istio
tag: 1.8.0
logAsJson: true
jwtPolicy: first-party-jwt
priorityClassName: "system-cluster-critical"
defaultPodDisruptionBudget:
enabled: false
istio-ingress:
enabled: false
gateways:
istio-ingressgateway:
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
# The node selector is normally the list of nodeports, see CloudBender
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
ports:
- name: http-status
port: 15021
nodePort: 30021
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
- name: https
port: 443
targetPort: 8443
nodePort: 30443
dnsNames: []
# - '*.example.com'
istio-private-ingress:
enabled: false
gateways:
istio-ingressgateway:
# name and labels make the ingress private
name: istio-private-ingressgateway
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
autoscaleEnabled: false
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
# cpu: 100m
memory: 256Mi
externalTrafficPolicy: Local
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: NodePort
env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"'
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
ports:
- name: http-status
port: 15021
nodePort: 31021
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
- name: https
port: 443
targetPort: 8443
nodePort: 31443
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
#- name: amqps
# port: 5671
# nodePort: 31671
#- name: amqp
# port: 5672
# nodePort: 31672
#- name: redis
# port: 6379
# nodePort: 31379
dnsNames: []
# - '*.example.com'

2
charts/kubezero-istio/.gitignore vendored
View File

@ -1,2 +1,2 @@
istioctl
istio-*
istio-?.?.?

8
charts/kubezero-istio/Chart.yaml
View File

@ -15,6 +15,8 @@ dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-operator
version: ">= 1.7"
kubeVersion: ">= 1.16.0"
- name: base
version: 1.1.0
- name: istio-discovery
version: 1.2.0
kubeVersion: ">= 1.17.0"

40
charts/kubezero-istio/README.md
View File

@ -4,7 +4,7 @@
KubeZero Umbrella Chart for Istio
Installs Istio Operator and KubeZero Istio profile
Installs the Istio control plane
**Homepage:** <https://kubezero.com>
@ -16,31 +16,37 @@ Installs Istio Operator and KubeZero Istio profile
## Requirements
Kubernetes: `>= 1.16.0`
Kubernetes: `>= 1.17.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-operator | >= 1.7 |
| | base | 1.1.0 |
| | istio-discovery | 1.2.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## KubeZero default configuration
- mapped istio-operator to run on the controller nodes only
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| ingress.autoscaleEnabled | bool | `false` | |
| ingress.dnsNames[0] | string | `"*"` | |
| ingress.private.enabled | bool | `true` | |
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
| ingress.public.enabled | bool | `true` | |
| ingress.replicaCount | int | `2` | |
| ingress.type | string | `"NodePort"` | |
| istio-operator.hub | string | `"docker.io/istio"` | |
| istio-operator.tag | string | `"1.7.4"` | |
| istiod.autoscaleEnabled | bool | `false` | |
| istiod.replicaCount | int | `1` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.hub | string | `"docker.io/istio"` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| global.tag | string | `"1.8.0"` | |
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| istio-discovery.pilot.replicaCount | int | `1` | |
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| istio-discovery.telemetry.enabled | bool | `false` | |
## Resources

5
charts/kubezero-istio/README.md.gotmpl
View File

@ -5,7 +5,7 @@
{{ template "chart.description" . }}
Installs Istio Operator and KubeZero Istio profile
Installs the Istio control plane
{{ template "chart.homepageLine" . }}
@ -15,9 +15,6 @@ Installs Istio Operator and KubeZero Istio profile
{{ template "chart.requirementsSection" . }}
## KubeZero default configuration
- mapped istio-operator to run on the controller nodes only
{{ template "chart.valuesSection" . }}
## Resources

11
charts/kubezero-istio/charts/base/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
name: base
version: 1.1.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs
keywords:
- istio
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

1
charts/kubezero-istio/charts/base/NOTES.txt Normal file
View File

@ -0,0 +1 @@
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.

23
charts/kubezero-istio/charts/base/README.md Normal file
View File

@ -0,0 +1,23 @@
# base
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
Helm chart for deploying Istio cluster resources and CRDs
## Source Code
* <http://github.com/istio/istio>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| base.enableCRDTemplates | bool | `false` | |
| base.validationURL | string | `""` | |
| global.configValidation | bool | `true` | |
| global.imagePullSecrets | list | `[]` | |
| global.istioNamespace | string | `"istio-system"` | |
| global.istiod.enableAnalysis | bool | `false` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)

3426
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

66
charts/kubezero-istio/charts/base/crds/crd-operator.yaml Normal file
View File

@ -0,0 +1,66 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
additionalPrinterColumns:
- JSONPath: .spec.revision
description: Istio control plane revision
name: Revision
type: string
- JSONPath: .status.status
description: IOP current state
type: string
name: Status
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: install.istio.io
names:
kind: IstioOperator
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
description: 'Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
status:
description: 'Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
versions:
- name: v1alpha1
served: true
storage: true
---

3751
charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

5
charts/kubezero-istio/charts/base/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- files/gen-istio-cluster.yaml

146
charts/kubezero-istio/charts/base/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,146 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}
---

32
charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
---

4
charts/kubezero-istio/charts/base/templates/crds.yaml Normal file
View File

@ -0,0 +1,4 @@
{{- if .Values.base.enableCRDTemplates }}
{{ .Files.Get "crds/crd-all.gen.yaml" }}
{{ .Files.Get "crds/crd-operator.yaml" }}
{{- end }}

30
charts/kubezero-istio/charts/base/templates/endpoints.yaml Normal file
View File

@ -0,0 +1,30 @@
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
apiVersion: v1
kind: Endpoints
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
subsets:
- addresses:
- ip: {{ .Values.global.remotePilotAddress }}
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
{{- end }}
---
{{- end }}

20
charts/kubezero-istio/charts/base/templates/role.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]

16
charts/kubezero-istio/charts/base/templates/rolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}

30
charts/kubezero-istio/charts/base/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
---
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---

37
charts/kubezero-istio/charts/base/templates/services.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
# when istiod is enabled in remote cluster, we can't use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod-remote
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
clusterIP: None
{{- else }}
# when istiod isn't enabled in remote cluster, we can use istiod service name
apiVersion: v1
kind: Service
metadata:
name: istiod
namespace: {{ .Release.Namespace }}
spec:
ports:
- port: 15012
name: tcp-istiod
protocol: TCP
# if the remotePilotAddress is IP addr, we use clusterIP: None.
# else, we use externalName
{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
clusterIP: None
{{- else }}
type: ExternalName
externalName: {{ .Values.global.remotePilotAddress }}
{{- end }}
{{- end }}
---
{{- end }}

42
charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,42 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
webhooks:
- name: validation.istio.io
clientConfig:
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
- security.istio.io
- authentication.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
---
{{- end }}

22
charts/kubezero-istio/charts/base/values.yaml Normal file
View File

@ -0,0 +1,22 @@
global:
# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# Used to locate istiod.
istioNamespace: istio-system
istiod:
enableAnalysis: false
configValidation: true
base:
# Used for helm2 to add the CRDs to templates.
enableCRDTemplates: false
# Validation webhook configuration url
# For example: https://$remotePilotAddress:15017/validate
validationURL: ""

14
charts/kubezero-istio/charts/istio-discovery/Chart.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
name: istio-discovery
version: 1.2.0
appVersion: 1.2.0
tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane
keywords:
- istio
- istiod
- istio-discovery
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

5
charts/kubezero-istio/charts/istio-discovery/NOTES.txt Normal file
View File

@ -0,0 +1,5 @@
Minimal control plane for Istio. Pilot and mesh config are included.
MCP and injector should optionally be installed in the same namespace. Alternatively remote
address of an MCP server can be set.

133
charts/kubezero-istio/charts/istio-discovery/README.md Normal file
View File

@ -0,0 +1,133 @@
# istio-discovery
![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
Helm chart for istio control plane
## Source Code
* <http://github.com/istio/istio>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.caAddress | string | `""` | |
| global.centralIstiod | bool | `false` | |
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
| global.defaultResources.requests.cpu | string | `"10m"` | |
| global.externalIstiod | bool | `false` | |
| global.hub | string | `"gcr.io/istio-testing"` | |
| global.imagePullPolicy | string | `""` | |
| global.imagePullSecrets | list | `[]` | |
| global.istioNamespace | string | `"istio-system"` | |
| global.istiod.enableAnalysis | bool | `false` | |
| global.jwtPolicy | string | `"third-party-jwt"` | |
| global.logAsJson | bool | `false` | |
| global.logging.level | string | `"default:info"` | |
| global.meshID | string | `""` | |
| global.meshNetworks | object | `{}` | |
| global.mountMtlsCerts | bool | `false` | |
| global.multiCluster.clusterName | string | `""` | |
| global.multiCluster.enabled | bool | `false` | |
| global.network | string | `""` | |
| global.omitSidecarInjectorConfigMap | bool | `false` | |
| global.oneNamespace | bool | `false` | |
| global.operatorManageWebhooks | bool | `false` | |
| global.pilotCertProvider | string | `"istiod"` | |
| global.priorityClassName | string | `""` | |
| global.proxy.autoInject | string | `"enabled"` | |
| global.proxy.clusterDomain | string | `"cluster.local"` | |
| global.proxy.componentLogLevel | string | `"misc:error"` | |
| global.proxy.enableCoreDump | bool | `false` | |
| global.proxy.excludeIPRanges | string | `""` | |
| global.proxy.excludeInboundPorts | string | `""` | |
| global.proxy.excludeOutboundPorts | string | `""` | |
| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | |
| global.proxy.image | string | `"proxyv2"` | |
| global.proxy.includeIPRanges | string | `"*"` | |
| global.proxy.logLevel | string | `"warning"` | |
| global.proxy.privileged | bool | `false` | |
| global.proxy.readinessFailureThreshold | int | `30` | |
| global.proxy.readinessInitialDelaySeconds | int | `1` | |
| global.proxy.readinessPeriodSeconds | int | `2` | |
| global.proxy.resources.limits.cpu | string | `"2000m"` | |
| global.proxy.resources.limits.memory | string | `"1024Mi"` | |
| global.proxy.resources.requests.cpu | string | `"100m"` | |
| global.proxy.resources.requests.memory | string | `"128Mi"` | |
| global.proxy.statusPort | int | `15020` | |
| global.proxy.tracer | string | `"zipkin"` | |
| global.proxy_init.image | string | `"proxyv2"` | |
| global.proxy_init.resources.limits.cpu | string | `"2000m"` | |
| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | |
| global.proxy_init.resources.requests.cpu | string | `"10m"` | |
| global.proxy_init.resources.requests.memory | string | `"10Mi"` | |
| global.remotePilotAddress | string | `""` | |
| global.sds.token.aud | string | `"istio-ca"` | |
| global.sts.servicePort | int | `0` | |
| global.tag | string | `"latest"` | |
| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | |
| global.tracer.lightstep.accessToken | string | `""` | |
| global.tracer.lightstep.address | string | `""` | |
| global.tracer.stackdriver.debug | bool | `false` | |
| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | |
| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | |
| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | |
| global.tracer.zipkin.address | string | `""` | |
| global.trustDomain | string | `""` | |
| global.useMCP | bool | `false` | |
| istiodRemote.injectionURL | string | `""` | |
| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | string | `""` | |
| meshConfig.rootNamespace | string | `"istio-system"` | |
| ownerName | string | `""` | |
| pilot.autoscaleEnabled | bool | `true` | |
| pilot.autoscaleMax | int | `5` | |
| pilot.autoscaleMin | int | `1` | |
| pilot.configMap | bool | `true` | |
| pilot.configSource.subscribedResources | list | `[]` | |
| pilot.cpu.targetAverageUtilization | int | `80` | |
| pilot.deploymentLabels | object | `{}` | |
| pilot.enableProtocolSniffingForInbound | bool | `true` | |
| pilot.enableProtocolSniffingForOutbound | bool | `true` | |
| pilot.env | object | `{}` | |
| pilot.hub | string | `""` | |
| pilot.image | string | `"pilot"` | |
| pilot.jwksResolverExtraRootCA | string | `""` | |
| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | |
| pilot.nodeSelector | object | `{}` | |
| pilot.plugins | list | `[]` | |
| pilot.podAnnotations | object | `{}` | |
| pilot.replicaCount | int | `1` | |
| pilot.resources.requests.cpu | string | `"500m"` | |
| pilot.resources.requests.memory | string | `"2048Mi"` | |
| pilot.rollingMaxSurge | string | `"100%"` | |
| pilot.rollingMaxUnavailable | string | `"25%"` | |
| pilot.tag | string | `""` | |
| pilot.traceSampling | float | `1` | |
| revision | string | `""` | |
| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | |
| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | |
| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | |
| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | |
| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | |
| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | |
| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | |
| telemetry.enabled | bool | `true` | |
| telemetry.v2.accessLogPolicy.enabled | bool | `false` | |
| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | |
| telemetry.v2.enabled | bool | `true` | |
| telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | |
| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | |
| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | |
| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | |
| telemetry.v2.prometheus.enabled | bool | `true` | |
| telemetry.v2.prometheus.wasmEnabled | bool | `false` | |
| telemetry.v2.stackdriver.configOverride | object | `{}` | |
| telemetry.v2.stackdriver.disableOutbound | bool | `false` | |
| telemetry.v2.stackdriver.enabled | bool | `false` | |
| telemetry.v2.stackdriver.logging | bool | `false` | |
| telemetry.v2.stackdriver.monitoring | bool | `false` | |
| telemetry.v2.stackdriver.topology | bool | `false` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)

1983
charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

463
charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml Normal file
View File

@ -0,0 +1,463 @@
template: |
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
{{ if .Values.istio_cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
{{ end -}}
{{- if contains "/" .Values.global.proxy_init.image }}
image: "{{ .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- istio-iptables
- "-p"
- "15001"
- "-z"
- "15006"
- "-u"
- "1337"
- "-m"
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
- "-i"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
- "-x"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
- "-b"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
- "-d"
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{- else }}
- "15090,15021"
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
- "-q"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
{{ end -}}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
- "-o"
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{ end -}}
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
- "-k"
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{ end -}}
{{ if .Values.istio_cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
{{ end -}}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{- if .ProxyConfig.ProxyMetadata }}
env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
{{- if not .Values.istio_cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
{{- if not .Values.istio_cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{- else }}
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
{{- end }}
restartPolicy: Always
{{ end -}}
{{- if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
command:
- /bin/sh
{{- if contains "/" .Values.global.proxy_init.image }}
image: "{{ .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
drop:
- ALL
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
{{ end }}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
- --concurrency
- "{{ .ProxyConfig.Concurrency.GetValue }}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
{{- else if $holdProxy }}
lifecycle:
postStart:
exec:
command:
- pilot-agent
- wait
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
add:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
- NET_ADMIN
{{- end }}
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
- NET_BIND_SERVICE
{{- end }}
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
fsGroup: 1337
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{- end }}
volumes:
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: custom-bootstrap-volume
configMap:
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
{{- end }}
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 2 }}
{{ end }}
{{ end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
- name: lightstep-certs
secret:
optional: true
secretName: lightstep.cacert
{{- end }}
podRedirectAnnot:
{{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}'
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
{{- end }}
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
{{- end }}
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}

5
charts/kubezero-istio/charts/istio-discovery/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- files/gen-istio.yaml

26
charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
maxReplicas: {{ .Values.pilot.autoscaleMax }}
minReplicas: {{ .Values.pilot.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
---
{{- end }}

14
charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.pilot.jwksResolverExtraRootCA }}
apiVersion: v1
kind: ConfigMap
metadata:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
data:
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
{{- end }}

92
charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml Normal file
View File

@ -0,0 +1,92 @@
{{- define "mesh" }}
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
defaultConfig:
{{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }}
{{- else if .Values.global.trustDomain }}
meshId: {{ .Values.global.trustDomain }}
{{- end }}
tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }}
lightstep:
# Address of the LightStep Satellite pool
address: {{ .Values.global.tracer.lightstep.address }}
# Access Token used to communicate with the Satellite pool
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
zipkin:
# Address of the Zipkin collector
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
{{- else if eq .Values.global.proxy.tracer "datadog" }}
datadog:
# Address of the Datadog Agent
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
stackdriver:
# enables trace output to stdout.
{{- if $.Values.global.tracer.stackdriver.debug }}
debug: {{ $.Values.global.tracer.stackdriver.debug }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
# The global default max number of attributes per span.
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
# The global default max number of annotation events per span.
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
{{- end }}
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
# The global default max number of message events per span.
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
{{- end }}
{{- end }}
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
{{- $originalMesh := include "mesh" . | fromYaml }}
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
{{- if .Values.pilot.configMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
meshNetworks: |-
{{- if .Values.global.meshNetworks }}
networks:
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
{{- else }}
networks: {}
{{- end }}
mesh: |-
{{- if .Values.meshConfig }}
{{ $mesh | toYaml | indent 4 }}
{{- else }}
{{- include "mesh" . }}
{{- end }}
---
{{- end }}

245
charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml Normal file
View File

@ -0,0 +1,245 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
istio: pilot
release: {{ .Release.Name }}
{{- range $key, $val := .Values.pilot.deploymentLabels }}
{{ $key }}: "{{ $val }}"
{{- end }}
spec:
{{- if not .Values.pilot.autoscaleEnabled }}
{{- if .Values.pilot.replicaCount }}
replicas: {{ .Values.pilot.replicaCount }}
{{- end }}
{{- end }}
strategy:
rollingUpdate:
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector:
matchLabels:
{{- if ne .Values.revision ""}}
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }}
istio: pilot
{{- end }}
template:
metadata:
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
{{- if eq .Values.revision ""}}
istio: pilot
{{- else }}
istio: istiod
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15014"
prometheus.io/scrape: "true"
{{- end }}
sidecar.istio.io/inject: "false"
{{- if .Values.pilot.podAnnotations }}
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istiod-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
securityContext:
fsGroup: 1337
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}
image: "{{ .Values.pilot.image }}"
{{- else }}
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
{{- end }}
{{- if .Values.global.imagePullPolicy }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{- end }}
args:
- "discovery"
- --monitoringAddr=:15014
{{- if .Values.global.logging.level }}
- --log_output_level={{ .Values.global.logging.level }}
{{- end}}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --domain
- {{ .Values.global.proxy.clusterDomain }}
{{- if .Values.global.oneNamespace }}
- "-a"
- {{ .Release.Namespace }}
{{- end }}
{{- if .Values.pilot.plugins }}
- --plugins={{ .Values.pilot.plugins }}
{{- end }}
- --keepaliveMaxServerConnectionAge
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
ports:
- containerPort: 8080
protocol: TCP
- containerPort: 15010
protocol: TCP
- containerPort: 15017
protocol: TCP
- containerPort: 15053
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 1
periodSeconds: 3
timeoutSeconds: 5
env:
- name: REVISION
value: "{{ .Values.revision | default `default` }}"
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.serviceAccountName
- name: KUBECONFIG
value: /var/run/secrets/remote/config
{{- if .Values.pilot.env }}
{{- range $key, $val := .Values.pilot.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.pilot.traceSampling }}
- name: PILOT_TRACE_SAMPLING
value: "{{ .Values.pilot.traceSampling }}"
{{- end }}
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }}
- name: INJECTION_WEBHOOK_CONFIG_NAME
{{- if eq .Release.Namespace "istio-system" }}
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- else }}
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
{{- end }}
- name: ISTIOD_ADDR
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
- name: PILOT_ENABLE_ANALYSIS
value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- name: EXTERNAL_ISTIOD
value: "{{ $.Values.global.externalIstiod | default "false" }}"
- name: CENTRAL_ISTIOD
value: "{{ $.Values.global.centralIstiod | default "false" }}"
{{- if .Values.telemetry.v2.enabled }}
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
value: "true"
{{- end }}
resources:
{{- if .Values.pilot.resources }}
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
{{- end }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
mountPath: /var/run/secrets/tokens
readOnly: true
{{- end }}
- name: local-certs
mountPath: /var/run/secrets/istio-dns
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
- name: istio-kubeconfig
mountPath: /var/run/secrets/remote
readOnly: true
- name: inject
mountPath: /var/lib/istio/inject
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
mountPath: /cacerts
{{- end }}
volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works.
- emptyDir:
medium: Memory
name: local-certs
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: {{ .Values.global.sds.token.aud }}
expirationSeconds: 43200
path: istio-token
{{- end }}
# Optional: user-generated root
- name: cacerts
secret:
secretName: cacerts
optional: true
- name: istio-kubeconfig
secret:
secretName: istio-kubeconfig
optional: true
# Optional - image should have
- name: inject
configMap:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts
configMap:
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- end }}
---

35
charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
data:
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
values: |-
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
# and istiod webhook functionality.
#
# New fields should not use Values - it is a 'primary' config object, users should be able
# to fine tune it or use it with kube-inject.
config: |-
policy: {{ .Values.global.proxy.autoInject }}
alwaysInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
neverInjectSelector:
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
injectedAnnotations:
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
"{{ $key }}": "{{ $val }}"
{{- end }}
{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
{{- end }}

85
charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml Normal file
View File

@ -0,0 +1,85 @@
# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds)
{{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Release.Namespace "istio-system"}}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{ else }}
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
- name: sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: {{ .Values.istiodRemote.injectionURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
matchExpressions:
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
- key: istio-injection
operator: NotIn
values:
- disabled
- key: istio-env
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- else if .Values.revision }}
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: In
values:
- {{ .Values.revision }}
{{- else }}
matchLabels:
istio-injection: enabled
{{- end }}
{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
objectSelector:
{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
matchExpressions:
- key: "sidecar.istio.io/inject"
operator: NotIn
values:
- "false"
{{- else if .Values.revision }}
matchExpressions:
- key: "sidecar.istio.io/inject"
operator: DoesNotExist
- key: istio.io/rev
operator: In
values:
- {{ .Values.revision }}
{{- else }}
matchLabels:
"sidecar.istio.io/inject": "true"
{{- end }}
{{- end }}
{{- end }}

25
charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
app: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
release: {{ .Release.Name }}
istio: pilot
spec:
minAvailable: 1
selector:
matchLabels:
app: istiod
{{- if ne .Values.revision ""}}
istio.io/rev: {{ .Values.revision }}
{{- else }}
istio: pilot
{{- end }}
---
{{- end }}

37
charts/kubezero-istio/charts/istio-discovery/templates/service.yaml Normal file
View File

@ -0,0 +1,37 @@
apiVersion: v1
kind: Service
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: istiod
istio: pilot
release: {{ .Release.Name }}
spec:
ports:
- port: 15010
name: grpc-xds # plaintext
protocol: TCP
- port: 15012
name: https-dns # mTLS with k8s-signed cert
protocol: TCP
- port: 443
name: https-webhook # validation and injection
targetPort: 15017
protocol: TCP
- port: 15014
name: http-monitoring # prometheus stats
protocol: TCP
selector:
app: istiod
{{- if ne .Values.revision ""}}
istio.io/rev: {{ .Values.revision }}
{{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version.
# This avoids default deployment picking the canary
istio: pilot
{{- end }}
---

792
charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml Normal file
View File

@ -0,0 +1,792 @@
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
# Note: metadata exchange filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.metadata_exchange
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener: {}
patch:
operation: INSERT_BEFORE
value:
name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
- applyTo: CLUSTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
cluster: {}
patch:
operation: MERGE
value:
filters:
- name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
- applyTo: CLUSTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
cluster: {}
patch:
operation: MERGE
value:
filters:
- name: istio.metadata_exchange
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
value:
protocol: istio-peer-exchange
---
# Note: http stats filter is wasm enabled only in sidecars.
{{- if .Values.telemetry.v2.prometheus.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
{{- if .Values.global.multiCluster.clusterName }}
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
{{- if .Values.global.multiCluster.clusterName }}
"metrics": [
{
"dimensions": {
"source_cluster": "downstream_peer.cluster_id",
"destination_cluster": "node.metadata['CLUSTER_ID']"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
{{- end }}
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
"disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }},
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: stats_outbound
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: envoy.wasm.stats
---
# Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
{
{{- if .Values.global.multiCluster.clusterName }}
"metrics": [
{
"dimensions": {
"source_cluster": "downstream_peer.cluster_id",
"destination_cluster": "node.metadata['CLUSTER_ID']"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_inbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{
{{- if .Values.global.multiCluster.clusterName }}
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
runtime: envoy.wasm.runtime.v8
allow_precompiled: true
code:
local:
filename: /etc/istio/extensions/stats-filter.compiled.wasm
{{- else }}
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stats
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stats_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{
{{- if .Values.global.multiCluster.clusterName }}
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
{{- end }}
}
{{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
{{- end }}
vm_config:
vm_id: tcp_stats_outbound
runtime: envoy.wasm.runtime.null
code:
local:
inline_string: "envoy.wasm.stats"
---
{{- end }}
{{- if .Values.telemetry.v2.stackdriver.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: HTTP_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
{{- end }}
- applyTo: NETWORK_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_inbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_inbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.8.*'
listener:
filterChain:
filter:
name: "envoy.tcp_proxy"
patch:
operation: INSERT_BEFORE
value:
name: istio.stackdriver
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
value:
config:
root_id: stackdriver_outbound
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }}
vm_config:
vm_id: stackdriver_outbound
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: envoy.wasm.null.stackdriver }
---
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
istio.io/rev: {{ .Values.revision | default "default" }}
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.8.*'
listener:
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "istio.stackdriver"
patch:
operation: INSERT_BEFORE
value:
name: istio.access_log
typed_config:
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
value:
config:
configuration:
"@type": "type.googleapis.com/google.protobuf.StringValue"
value: |
{
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
}
vm_config:
runtime: envoy.wasm.runtime.null
code:
local: { inline_string: "envoy.wasm.access_log_policy" }
---
{{- end }}
{{- end }}
{{- end }}

485
charts/kubezero-istio/charts/istio-discovery/values.yaml Normal file
View File

@ -0,0 +1,485 @@
#.Values.pilot for discovery and mesh wide config
## Discovery Settings
pilot:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: ""
tag: ""
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env: {}
cpu:
targetAverageUtilization: 80
# if protocol sniffing is enabled for outbound
enableProtocolSniffingForOutbound: true
# if protocol sniffing is enabled for inbound
enableProtocolSniffingForInbound: true
nodeSelector: {}
podAnnotations: {}
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# This is used to set the source of configuration for
# the associated address in configSource, if nothing is specificed
# the default MCP is assumed.
configSource:
subscribedResources: []
plugins: []
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector.
# It is disabled by default since this function will only work after k8s v1.15.
objectSelector:
enabled: false
autoInject: true
rewriteAppHTTPProbe: true
istiodRemote:
# Sidecar injector mutating webhook configuration url
# For example: https://$remotePilotAddress:15017/inject
injectionURL: ""
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
metadataExchange:
# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
wasmEnabled: false
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# Indicates whether to enable WebAssembly runtime for stats filter.
wasmEnabled: false
# overrides stats EnvoyFilter configuration.
configOverride:
gateway: {}
inboundSidecar: {}
outboundSidecar: {}
# stackdriver filter settings.
stackdriver:
enabled: false
logging: false
monitoring: false
topology: false
disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {}
# e.g.
# enable_mesh_edges_reporting: true
# disable_server_access_logging: false
# meshEdgesReportingDuration: 500s
# disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy:
enabled: false
# To reduce the number of successful logs, default log window duration is
# set to 12 hours.
logWindowDuration: "43200s"
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
# Config for the default ProxyConfig.
# Initially using directly the proxy metadata - can also be activated using annotations
# on the pod. This is an unsupported low-level API, pending review and decisions on
# enabling the feature. Enabling the DNS listener is safe - and allows further testing
# and gradual adoption by setting capture only on specific workloads. It also allows
# VMs to use other DNS options, like dnsmasq or unbound.
defaultConfig:
proxyMetadata:
# If empty, agent will not start :15013 DNS listener and will not attempt
# to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in
# istiod and the dns-over-tls listener.
# DNS_AGENT: DNS-TLS
DNS_AGENT: ""
# The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first
# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
# is processed as if it were declared in the leaf namespace.
rootNamespace: "istio-system"
# TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term
# stable API.
# What we may configure in mesh config is the ".global" - and use of other suffixes.
# No hurry to do this in 1.6, we're trying to prove the code.
global:
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Used to locate istiod.
istioNamespace: istio-system
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: gcr.io/istio-testing
# Default tag for Istio images.
tag: latest
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
#- global
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio ingress capture allowlist
# examples:
# Redirect only selected ports: --includeInboundPorts="80,8080"
excludeInboundPorts: ""
# istio egress capture allowlist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
excludeOutboundPorts: ""
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "zipkin"
# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
holdApplicationUntilProxyStarts: false
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxyv2
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 10m
memory: 10Mi
# configure remote pilot and istiod service and endpoint
remotePilotAddress: ""
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
caAddress: ""
# External istiod controls all remote clusters: disabled by default
externalIstiod: false
# Central istiod controls all remote clusters: disabled by default
centralIstiod: false
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: ""
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# Configuration for each of the supported tracers
tracer:
# Configuration for envoy to send trace data to LightStep.
# Disabled by default.
# address: the <host>:<port> of the satellite pool
# accessToken: required for sending data to the pool
#
datadog:
# Host:Port for submitting traces to the Datadog agent.
address: "$(HOST_IP):8126"
lightstep:
address: "" # example: lightstep-satellite:443
accessToken: "" # example: abcdefg1234567
stackdriver:
# enables trace output to stdout.
debug: false
# The global default max number of message events per span.
maxNumberOfMessageEvents: 200
# The global default max number of annotation events per span.
maxNumberOfAnnotations: 200
# The global default max number of attributes per span.
maxNumberOfAttributes: 200
zipkin:
# Host:Port for reporting trace data in zipkin format. If not specified, will default to
# zipkin service (port 9411) in the same namespace as the other istio components.
address: ""
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# Deprecated, use meshConfig.trustDomain
trustDomain: ""

12
charts/kubezero-istio/charts/istio-operator/Chart.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
name: istio-operator
version: 1.7.0
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio operator
keywords:
- istio
- operator
sources:
- https://github.com/istio/istio/tree/master/operator
engine: gotpl
icon: https://istio.io/latest/favicons/android-192x192.png

74
charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml
View File

@ -1,74 +0,0 @@
# SYNC WITH manifests/charts/base/files
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
group: install.istio.io
names:
kind: IstioOperator
plural: istiooperators
singular: istiooperator
shortNames:
- iop
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
type: string
name: Status
- jsonPath: .metadata.creationTimestamp
description:
"CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
spec:
description:
"Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
x-kubernetes-preserve-unknown-fields: true
type: object
status:
description:
"Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources:
status: {}
---

109
charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
View File

@ -1,109 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
rules:
# istio groups
- apiGroups:
- authentication.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- config.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- install.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
- '*'
verbs:
- '*'
# k8s groups
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions.apiextensions.k8s.io
- customresourcedefinitions
verbs:
- '*'
- apiGroups:
- apps
- extensions
resources:
- daemonsets
- deployments
- deployments/finalizers
- ingresses
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- '*'
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- roles
- rolebindings
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- events
- namespaces
- pods
- pods/proxy
- persistentvolumeclaims
- secrets
- services
- serviceaccounts
verbs:
- '*'
---

13
charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
View File

@ -1,13 +0,0 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{.Values.operatorNamespace}}
roleRef:
kind: ClusterRole
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
apiGroup: rbac.authorization.k8s.io
---

6
charts/kubezero-istio/charts/istio-operator/templates/crds.yaml
View File

@ -1,6 +0,0 @@
{{- if .Values.enableCRDTemplates -}}
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
---
{{ $.Files.Get $path }}
{{- end -}}
{{- end -}}

57
charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
View File

@ -1,57 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: {{.Values.operatorNamespace}}
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
spec:
replicas: 1
selector:
matchLabels:
name: istio-operator
template:
metadata:
labels:
name: istio-operator
spec:
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
nodeSelector:
kubernetes.io/os: linux
node-role.kubernetes.io/master: ""
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
containers:
- name: istio-operator
image: {{.Values.hub}}/operator:{{.Values.tag}}
command:
- operator
- server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
imagePullPolicy: IfNotPresent
resources:
{{ toYaml .Values.operator.resources | trim | indent 12 }}
env:
- name: WATCH_NAMESPACE
value: {{.Values.watchedNamespaces | quote}}
- name: LEADER_ELECTION_NAMESPACE
value: {{.Values.operatorNamespace | quote}}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: {{.Values.operatorNamespace | quote}}
- name: WAIT_FOR_RESOURCES_TIMEOUT
value: {{.Values.waitForResourcesTimeout | quote}}
- name: REVISION
value: {{.Values.revision | quote}}
---

15
charts/kubezero-istio/charts/istio-operator/templates/service.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
namespace: {{.Values.operatorNamespace}}
labels:
name: istio-operator
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
spec:
ports:
- name: http-metrics
port: 8383
targetPort: 8383
selector:
name: istio-operator
---

6
charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
View File

@ -1,6 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{.Values.operatorNamespace}}
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
---

25
charts/kubezero-istio/charts/istio-operator/values.yaml
View File

@ -1,25 +0,0 @@
hub: gcr.io/istio-testing
tag: latest
operatorNamespace: istio-operator
# Used to replace istioNamespace to support operator watch multiple namespaces.
watchedNamespaces: istio-system
waitForResourcesTimeout: 300s
# Used for helm2 to add the CRDs to templates.
enableCRDTemplates: false
# revision for the operator resources
revision: ""
# Operator resource defaults
operator:
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi

6612
charts/kubezero-istio/crds/crd-all.gen.yaml
View File

File diff suppressed because it is too large Load Diff

82
charts/kubezero-istio/crds/crd-mixer.yaml
View File

@ -1,82 +0,0 @@
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
name: adapters.config.istio.io
labels:
app: mixer
package: adapter
istio: mixer-adapter
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
spec:
group: config.istio.io
names:
kind: adapter
plural: adapters
singular: adapter
categories:
- istio-io
- policy-istio-io
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
x-kubernetes-preserve-unknown-fields: true
type: object
status:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
name: templates.config.istio.io
labels:
app: mixer
package: template
istio: mixer-template
chart: istio
heritage: Tiller
release: istio
annotations:
"helm.sh/resource-policy": keep
spec:
group: config.istio.io
names:
kind: template
plural: templates
singular: template
categories:
- istio-io
- policy-istio-io
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
properties:
spec:
x-kubernetes-preserve-unknown-fields: true
type: object
status:
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources:
status: {}
---

74
charts/kubezero-istio/crds/crd-operator.yaml
View File

@ -1,74 +0,0 @@
# SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
group: install.istio.io
names:
kind: IstioOperator
plural: istiooperators
singular: istiooperator
shortNames:
- iop
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
type: string
name: Status
- jsonPath: .metadata.creationTimestamp
description:
"CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
spec:
description:
"Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
x-kubernetes-preserve-unknown-fields: true
type: object
status:
description:
"Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
served: true
storage: true
subresources:
status: {}
---

16
charts/kubezero-istio/istio-discovery.patch Normal file
View File

@ -0,0 +1,16 @@
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
index e4a983a..ba586de 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
@@ -59,6 +59,11 @@ spec:
{{- end }}
securityContext:
fsGroup: 1337
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
containers:
- name: discovery
{{- if contains "/" .Values.pilot.image }}

15
charts/kubezero-istio/istio-operator.patch
View File

@ -1,15 +0,0 @@
--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100
+++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100
@@ -14,6 +14,12 @@
name: istio-operator
spec:
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
containers:
- name: istio-operator
image: {{.Values.hub}}/operator:{{.Values.tag}}

140
charts/kubezero-istio/templates/istio-private-ingress.yaml
View File

@ -1,140 +0,0 @@
{{- if .Values.ingress.private.enabled }}
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: kubezero-istio-private-ingress
namespace: istio-system
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
profile: empty
components:
ingressGateways:
- name: istio-private-ingressgateway
enabled: true
namespace: istio-system
k8s:
replicaCount: {{ .Values.ingress.replicaCount }}
{{- if .Values.ingress.autoscaleEnabled }}
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
targetAverageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-private-ingressgateway
{{- end }}
env:
{{- if .Values.ingress.private.http10 }}
- name: ISTIO_META_HTTP10
value: '"1"'
{{- end }}
# https://github.com/istio/istio/issues/26524, not in 1.7 either
#- name: TERMINATION_DRAIN_DURATION_SECONDS
# value: "60"
#- name: ISTIO_META_IDLE_TIMEOUT
# value: "3600s"
{{- if eq .Values.ingress.type "NodePort" }}
nodeSelector:
node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}"
{{- end }}
resources:
limits:
# cpu: 2000m
memory: 256Mi
requests:
cpu: 100m
memory: 64Mi
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
overlays:
- apiVersion: apps/v1
kind: Deployment
name: istio-private-ingressgateway
patches:
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
- path: spec.template.spec.terminationGracePeriodSeconds
value: 90
meshConfig:
accessLogFile: /dev/stdout
accessLogEncoding: 'JSON'
h2UpgradePolicy: 'DO_NOT_UPGRADE'
tcpKeepalive:
interval: 30s
time: 60s
values:
gateways:
istio-ingressgateway:
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
externalTrafficPolicy: Local
labels:
app: istio-private-ingressgateway
istio: private-ingressgateway
meshExpansionPorts: []
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-private-ingressgateway
type: {{ default "NodePort" .Values.ingress.type }}
ports:
- name: http-status
port: 15021
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31021
{{- end }}
- name: http2
port: 80
targetPort: 8080
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31080
{{- end }}
- name: https
port: 443
targetPort: 8443
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31443
{{- end }}
- name: fluentd-forward
port: 24224
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31224
{{- end }}
- name: amqps
port: 5671
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31671
{{- end }}
- name: amqp
port: 5672
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31672
{{- end }}
- name: redis
port: 6379
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31379
{{- end }}
- name: redis-1
port: 6380
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 31380
{{- end }}
global:
jwtPolicy: first-party-jwt
logAsJson: true
defaultPodDisruptionBudget:
enabled: false
{{- end }}

152
charts/kubezero-istio/templates/istio.yaml
View File

@ -1,152 +0,0 @@
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: kubezero-istio
namespace: istio-system
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
profile: empty
components:
base:
enabled: true
{{- if .Values.ingress.public.enabled }}
ingressGateways:
- enabled: true
k8s:
replicaCount: {{ .Values.ingress.replicaCount }}
{{- if .Values.ingress.autoscaleEnabled }}
hpaSpec:
maxReplicas: 5
metrics:
- resource:
name: cpu
targetAverageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
{{- end }}
env:
{{- if .Values.ingress.http10 }}
- name: ISTIO_META_HTTP10
value: '"1"'
{{- end }}
# https://github.com/istio/istio/issues/26524, not in 1.7 !
#- name: TERMINATION_DRAIN_DURATION_SECONDS
# value: "60"
#- name: ISTIO_META_IDLE_TIMEOUT
# value: "3600s"
{{- if eq .Values.ingress.type "NodePort" }}
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
{{- end }}
resources:
limits:
#cpu: 2000m
memory: 256Mi
requests:
cpu: 100m
memory: 64Mi
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
overlays:
- apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
patches:
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
- path: spec.template.spec.terminationGracePeriodSeconds
value: 90
name: istio-ingressgateway
{{- end }}
pilot:
enabled: true
k8s:
replicaCount: {{ .Values.istiod.replicaCount }}
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
resources:
requests:
cpu: 100m
memory: 128Mi
env:
- name: PILOT_ENABLE_MYSQL_FILTER
value: "true"
- name: PILOT_ENABLE_REDIS_FILTER
value: "true"
- name: PILOT_HTTP10
value: "true"
policy:
enabled: true
k8s:
replicaCount: {{ .Values.istiod.replicaCount }}
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
telemetry:
enabled: false
meshConfig:
accessLogFile: /dev/stdout
accessLogEncoding: 'JSON'
h2UpgradePolicy: 'DO_NOT_UPGRADE'
tcpKeepalive:
interval: 30s
time: 60s
values:
{{- if .Values.ingress.public.enabled }}
gateways:
istio-ingressgateway:
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
externalTrafficPolicy: Local
labels:
app: istio-ingressgateway
istio: ingressgateway
meshExpansionPorts: []
podAntiAffinityLabelSelector:
- key: app
operator: In
topologyKey: kubernetes.io/hostname
values: istio-ingressgateway
type: {{ default "NodePort" .Values.ingress.type }}
ports:
- name: http-status
port: 15021
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 30021
{{- end }}
- name: http2
port: 80
targetPort: 8080
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 30080
{{- end }}
- name: https
port: 443
targetPort: 8443
{{- if eq .Values.ingress.type "NodePort" }}
nodePort: 30443
{{- end }}
{{- end }}
global:
jwtPolicy: first-party-jwt
logAsJson: true
defaultPodDisruptionBudget:
enabled: false
pilot:
autoscaleEnabled: false
mixer:
policy:
autoscaleEnabled: false

35
charts/kubezero-istio/update.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash
set -ex
export ISTIO_VERSION=1.7.4
export ISTIO_VERSION=1.8.0
if [ ! -d istio-$ISTIO_VERSION ]; then
NAME="istio-$ISTIO_VERSION"
@ -10,17 +10,24 @@ if [ ! -d istio-$ISTIO_VERSION ]; then
curl -sL "$URL" | tar xz
fi
# Extract control plane charts
rm -rf charts/base charts/istio-*
cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/
# Patch for istiod to control plane
patch -p3 -i istio-discovery.patch
# Minor tweaks
rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml
# Ingress charts
rm -rf ../kubezero-istio-ingress/charts/istio-*
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress
# Rename private chart
sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
# Get matching istioctl
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
# Now lets extract istio-operator chart
rm -rf charts/istio-operator
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
# Apply our patch
patch -i istio-operator.patch -p0
# Extract crds
rm -rf crds
cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds .
# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }

Some files were not shown because too many files have changed in this diff Show More