First try adding argoCD day 2
This commit is contained in:
parent
35b1570d18
commit
cd24b9fa1a
@ -1,6 +1,6 @@
|
|||||||
# kubezero-argo-cd
|
# kubezero-argo-cd
|
||||||
|
|
||||||
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square)
|
![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||||
|
|
||||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.17.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 |
|
| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0`
|
|||||||
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
| argo-cd.controller.resources.requests.cpu | string | `"100m"` | |
|
||||||
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
| argo-cd.controller.resources.requests.memory | string | `"256Mi"` | |
|
||||||
| argo-cd.dex.enabled | bool | `false` | |
|
| argo-cd.dex.enabled | bool | `false` | |
|
||||||
| argo-cd.global.image.tag | string | `"v1.7.8"` | |
|
| argo-cd.global.image.tag | string | `"v1.7.10"` | |
|
||||||
| argo-cd.installCRDs | bool | `false` | |
|
| argo-cd.installCRDs | bool | `false` | |
|
||||||
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
|
||||||
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
|
||||||
| argo-cd.istio.ipBlocks | list | `[]` | |
|
|
||||||
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
| argo-cd.repoServer.logFormat | string | `"json"` | |
|
||||||
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
||||||
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
||||||
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
||||||
@ -53,8 +48,10 @@ Kubernetes: `>= 1.17.0`
|
|||||||
| argo-cd.server.metrics.enabled | bool | `false` | |
|
| argo-cd.server.metrics.enabled | bool | `false` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
|
||||||
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
||||||
|
| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||||
|
| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||||
|
| istio.ipBlocks | list | `[]` | |
|
||||||
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
|
| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster |
|
||||||
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
||||||
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
||||||
|
@ -1,26 +0,0 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: kubezero
|
|
||||||
namespace: argocd
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
project: kubezero
|
|
||||||
source:
|
|
||||||
repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
|
|
||||||
targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
|
|
||||||
path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
|
|
||||||
|
|
||||||
helm:
|
|
||||||
values: |
|
|
||||||
{{- toYaml .Values.kubezero | nindent 8 }}
|
|
||||||
|
|
||||||
destination:
|
|
||||||
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
|
||||||
namespace: argocd
|
|
||||||
|
|
||||||
{{- if .Values.kubezero.global.syncPolicy }}
|
|
||||||
syncPolicy:
|
|
||||||
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
|
|
||||||
{{- end }}
|
|
@ -1,5 +1,5 @@
|
|||||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
{{- if .Values.istio.enabled }}
|
||||||
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
{{- if .Values.istio.ipBlocks }}
|
||||||
apiVersion: security.istio.io/v1beta1
|
apiVersion: security.istio.io/v1beta1
|
||||||
kind: AuthorizationPolicy
|
kind: AuthorizationPolicy
|
||||||
metadata:
|
metadata:
|
||||||
@ -16,7 +16,7 @@ spec:
|
|||||||
- from:
|
- from:
|
||||||
- source:
|
- source:
|
||||||
notIpBlocks:
|
notIpBlocks:
|
||||||
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
{{- with .Values.istio.ipBlocks }}
|
||||||
{{- . | toYaml | nindent 8 }}
|
{{- . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
to:
|
to:
|
||||||
|
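Review bot: The gate on the first line of the hunk now reads `.Values.istio.enabled` and the allowlist `.Values.istio.ipBlocks`, but nothing rejects values still supplied under the old `argo-cd.istio.*` keys; an existing override of `argo-cd.istio.ipBlocks` is passed down to the subchart and ignored, `istio.ipBlocks` falls back to its `[]` default, the `if .Values.istio.ipBlocks` guard skips this AuthorizationPolicy entirely, and the source-IP restriction is silently lost while the VirtualService (gated only on `istio.enabled`) keeps publishing ArgoCD. Consider making the render fail on the stale key, e.g. `{{- if hasKey (index .Values "argo-cd") "istio" }}{{ fail "argo-cd.istio.* has moved to istio.*" }}{{- end }}` at the top of this template or in a shared helper, so the rename cannot turn into an unintended exposure on upgrade. The same key move applies to the VirtualService hunks below and needs the guard only once.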
@ -1,4 +1,4 @@
|
|||||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
{{- if .Values.istio.enabled }}
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: VirtualService
|
kind: VirtualService
|
||||||
metadata:
|
metadata:
|
||||||
@ -7,7 +7,7 @@ metadata:
|
|||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
gateways:
|
gateways:
|
||||||
- {{ index .Values "argo-cd" "istio" "gateway" }}
|
- {{ .Values.istio.gateway }}
|
||||||
hosts:
|
hosts:
|
||||||
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
- {{ index .Values "argo-cd" "server" "config" "url" }}
|
||||||
http:
|
http:
|
||||||
@ -18,13 +18,13 @@ spec:
|
|||||||
prefix: argocd-client
|
prefix: argocd-client
|
||||||
route:
|
route:
|
||||||
- destination:
|
- destination:
|
||||||
host: {{ .Release.Name }}-argocd-server
|
host: argocd-server
|
||||||
port:
|
port:
|
||||||
number: 443
|
number: 443
|
||||||
- name: http
|
- name: http
|
||||||
route:
|
route:
|
||||||
- destination:
|
- destination:
|
||||||
host: {{ .Release.Name }}-argocd-server
|
host: argocd-server
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
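Review bot: The two changed `host:` lines now route to the literal `argocd-server` instead of `{{ .Release.Name }}-argocd-server`, so the VirtualService only resolves if the argo-cd subchart's Service really carries that exact name in this namespace, which nothing in this commit pins (presumably a name override in values.yaml — confirm); under any other release name the gateway forwards ingress traffic to a non-existent Service, or to whatever unrelated Service happens to be called `argocd-server` there. If the name is intentionally fixed, add a comment next to the first `host:` line, e.g. `# argo-cd subchart is installed with a fixed Service name; keep in sync with the subchart name override`, otherwise keep the templated form. Separately, `gateways` now reads `.Values.istio.gateway` while `hosts` still reads `index .Values "argo-cd" "server" "config" "url"`, so the exposed hostname and the gateway live in two different value trees; a short comment on the `hosts:` line would stop that from being mistaken for a leftover. The `{{- if .Values.istio.enabled }}` opened in the first hunk is closed by the `{{- end }}` at the end of the last one.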
@ -44,7 +44,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -62,7 +61,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -105,7 +103,6 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
enabled: true
|
enabled: true
|
||||||
namespace: monitoring
|
|
||||||
additionalLabels:
|
additionalLabels:
|
||||||
release: metrics
|
release: metrics
|
||||||
|
|
||||||
@ -120,8 +117,8 @@ argo-cd:
|
|||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
istio:
|
istio:
|
||||||
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
# istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||||
enabled: false
|
enabled: false
|
||||||
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
# istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||||
gateway: istio-system/ingressgateway
|
gateway: istio-ingress/ingressgateway
|
||||||
ipBlocks: []
|
ipBlocks: []
|
||||||
|
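Review bot: `istio.ipBlocks: []` on the last line of the final hunk has no helm-docs comment, while the AuthorizationPolicy template only renders when the list is non-empty and uses it as `notIpBlocks`; a reader of the values file cannot see that leaving it empty means ArgoCD is published through the gateway with no source-IP restriction from this chart. Add a comment in the same style as the neighbouring keys, e.g. `# istio.ipBlocks -- Source CIDRs allowed to reach ArgoCD; an empty list renders no AuthorizationPolicy, i.e. no IP restriction`. The new `istio.gateway` default `istio-ingress/ingressgateway` points at the gateway from the kubezero-istio-ingress chart introduced in this commit, so the comment on that key should state that requirement, since the previous `istio-system/ingressgateway` will no longer match after the upgrade. The `namespace: monitoring` removals in the first three hunks look intentional (presumably the ServiceMonitor then lands in the release namespace) but are not mentioned in the commit message.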
@ -3,7 +3,7 @@ name: kubezero-aws-ebs-csi-driver
|
|||||||
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.2
|
version: 0.3.2
|
||||||
appVersion: 0.7.0
|
appVersion: 0.7.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-aws-ebs-csi-driver
|
# kubezero-aws-ebs-csi-driver
|
||||||
|
|
||||||
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square)
|
![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
|
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: "0.7.0"
|
appVersion: "0.7.1"
|
||||||
name: aws-ebs-csi-driver
|
name: aws-ebs-csi-driver
|
||||||
description: A Helm chart for AWS EBS CSI Driver
|
description: A Helm chart for AWS EBS CSI Driver
|
||||||
version: 0.6.0
|
version: 0.6.1
|
||||||
kubeVersion: ">=1.13.0-0"
|
kubeVersion: ">=1.13.0-0"
|
||||||
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||||
sources:
|
sources:
|
||||||
|
@ -6,7 +6,7 @@ replicaCount: 2
|
|||||||
|
|
||||||
image:
|
image:
|
||||||
repository: amazon/aws-ebs-csi-driver
|
repository: amazon/aws-ebs-csi-driver
|
||||||
tag: "v0.7.0"
|
tag: "v0.7.1"
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
sidecars:
|
sidecars:
|
||||||
|
@ -40,10 +40,11 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
|||||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
| cert-manager.enabled | bool | `true` | |
|
| cert-manager.enabled | bool | `true` | |
|
||||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||||
|
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
||||||
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
||||||
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
||||||
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
|
| cert-manager.podAnnotations | object | `{}` | |
|
||||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
24
charts/kubezero-istio-ingress/Chart.yaml
@ -0,0 +1,24 @@
|
|||||||
|
apiVersion: v2
|
||||||
|
name: kubezero-istio-ingress
|
||||||
|
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||||
|
type: application
|
||||||
|
version: 0.1.0
|
||||||
|
appVersion: 1.8.0
|
||||||
|
home: https://kubezero.com
|
||||||
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
keywords:
|
||||||
|
- kubezero
|
||||||
|
- istio
|
||||||
|
maintainers:
|
||||||
|
- name: Quarky9
|
||||||
|
dependencies:
|
||||||
|
- name: kubezero-lib
|
||||||
|
version: ">= 0.1.3"
|
||||||
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
|
- name: istio-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
condition: istio-ingress.enabled
|
||||||
|
- name: istio-private-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
condition: istio-private-ingress.enabled
|
||||||
|
kubeVersion: ">= 1.17.0"
|
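--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md
@@ -0,0 +1,96 @@
+# kubezero-istio-ingress
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square)
+
+KubeZero Umbrella Chart for Istio based Ingress
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Quarky9 | | |
+
+## Requirements
+
+Kubernetes: `>= 1.17.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| | istio-ingress | 1.1.0 |
+| | istio-private-ingress | 1.1.0 |
+| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
+| global.hub | string | `"docker.io/istio"` | |
+| global.jwtPolicy | string | `"first-party-jwt"` | |
+| global.logAsJson | bool | `true` | |
+| global.priorityClassName | string | `"system-cluster-critical"` | |
+| global.tag | string | `"1.8.0"` | |
+| istio-ingress.dnsNames | list | `[]` | |
+| istio-ingress.enabled | bool | `false` | |
+| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
+| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
+| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
+| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
+| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
+| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
+| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
+| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
+| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
+| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
+| istio-private-ingress.dnsNames | list | `[]` | |
+| istio-private-ingress.enabled | bool | `false` | |
+| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
+| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | |
+| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
+| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/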
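--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md.gotmpl
@@ -0,0 +1,24 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/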
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
name: istio-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
tillerVersion: ">=2.7.2"
|
||||||
|
description: Helm chart for deploying Istio gateways
|
||||||
|
keywords:
|
||||||
|
- istio
|
||||||
|
- ingressgateway
|
||||||
|
- gateways
|
||||||
|
sources:
|
||||||
|
- http://github.com/istio/istio
|
||||||
|
engine: gotpl
|
||||||
|
icon: https://istio.io/latest/favicons/android-192x192.png
|
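--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.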
112
charts/kubezero-istio-ingress/charts/istio-ingress/README.md
@ -0,0 +1,112 @@
|
|||||||
|
# istio-ingress
|
||||||
|
|
||||||
|
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||||
|
|
||||||
|
Helm chart for deploying Istio gateways
|
||||||
|
|
||||||
|
## Source Code
|
||||||
|
|
||||||
|
* <http://github.com/istio/istio>
|
||||||
|
|
||||||
|
## Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
|
||||||
|
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
|
||||||
|
| gateways.istio-ingressgateway.customService | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
|
||||||
|
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
|
||||||
|
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
|
||||||
|
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
|
||||||
|
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
|
||||||
|
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
|
||||||
|
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
|
||||||
|
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
|
||||||
|
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
|
||||||
|
| global.arch.amd64 | int | `2` | |
|
||||||
|
| global.arch.ppc64le | int | `2` | |
|
||||||
|
| global.arch.s390x | int | `2` | |
|
||||||
|
| global.caAddress | string | `""` | |
|
||||||
|
| global.defaultConfigVisibilitySettings | list | `[]` | |
|
||||||
|
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
|
||||||
|
| global.defaultResources.requests.cpu | string | `"10m"` | |
|
||||||
|
| global.defaultTolerations | list | `[]` | |
|
||||||
|
| global.hub | string | `"gcr.io/istio-testing"` | |
|
||||||
|
| global.imagePullPolicy | string | `""` | |
|
||||||
|
| global.imagePullSecrets | list | `[]` | |
|
||||||
|
| global.istioNamespace | string | `"istio-system"` | |
|
||||||
|
| global.jwtPolicy | string | `"third-party-jwt"` | |
|
||||||
|
| global.logAsJson | bool | `false` | |
|
||||||
|
| global.logging.level | string | `"default:info"` | |
|
||||||
|
| global.meshExpansion.enabled | bool | `false` | |
|
||||||
|
| global.meshExpansion.useILB | bool | `false` | |
|
||||||
|
| global.meshID | string | `""` | |
|
||||||
|
| global.mountMtlsCerts | bool | `false` | |
|
||||||
|
| global.multiCluster.clusterName | string | `""` | |
|
||||||
|
| global.multiCluster.enabled | bool | `false` | |
|
||||||
|
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
|
||||||
|
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
|
||||||
|
| global.network | string | `""` | |
|
||||||
|
| global.pilotCertProvider | string | `"istiod"` | |
|
||||||
|
| global.priorityClassName | string | `""` | |
|
||||||
|
| global.proxy.clusterDomain | string | `"cluster.local"` | |
|
||||||
|
| global.proxy.componentLogLevel | string | `"misc:error"` | |
|
||||||
|
| global.proxy.enableCoreDump | bool | `false` | |
|
||||||
|
| global.proxy.image | string | `"proxyv2"` | |
|
||||||
|
| global.proxy.logLevel | string | `"warning"` | |
|
||||||
|
| global.sds.token.aud | string | `"istio-ca"` | |
|
||||||
|
| global.sts.servicePort | int | `0` | |
|
||||||
|
| global.tag | string | `"latest"` | |
|
||||||
|
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
|
||||||
|
| meshConfig.defaultConfig.tracing | string | `nil` | |
|
||||||
|
| meshConfig.enablePrometheusMerge | bool | `true` | |
|
||||||
|
| ownerName | string | `""` | |
|
||||||
|
| revision | string | `""` | |
|
||||||
|
|
||||||
|
----------------------------------------------
|
||||||
|
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
@ -0,0 +1,93 @@
|
|||||||
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
|
{{- define "nodeaffinity" }}
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||||
|
{{- range $key, $val := $nodeSelector }}
|
||||||
|
- key: {{ $key }}
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- weight: {{ $val | int }}
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinity" }}
|
||||||
|
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||||
|
podAntiAffinity:
|
||||||
|
{{- if .podAntiAffinityLabelSelector }}
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .podAntiAffinityTermLabelSelector }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||||
|
- podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
weight: 100
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,27 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||||
|
apiVersion: autoscaling/v2beta1
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||||
|
minReplicas: {{ $gateway.autoscaleMin }}
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
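Review bot: `apiVersion: autoscaling/v2beta1` on the HorizontalPodAutoscaler is a beta API that Kubernetes removed in 1.25 (`autoscaling/v2` has been served since 1.23), so this template stops applying on current clusters; the PodDisruptionBudget hunk further down has the same problem with `policy/v1beta1`, whose replacement is `policy/v1`. Moving to `autoscaling/v2` also changes the metric schema, so the `targetAverageUtilization` field has to become a `target` block, as below. The chart's `kubeVersion` constraint should be raised at the same time, since clusters older than 1.23 cannot serve the v2 API; which side of that trade-off fits the clusters KubeZero targets is not visible from this hunk.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, spec.maxReplicas, minReplicas, scaleTargetRef …
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
```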
@ -0,0 +1,345 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if not (eq .Values.revision "") }}
|
||||||
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
|
{{- else}}
|
||||||
|
service.istio.io/canonical-revision: latest
|
||||||
|
{{- end }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.proxy.enableCoreDump }}
|
||||||
|
initContainers:
|
||||||
|
- name: enable-core-dump
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
privileged: true
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
{{- if .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logging.level }}
|
||||||
|
- --log_output_level={{ .Values.global.logging.level }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
- --serviceCluster
|
||||||
|
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 30
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 1
|
||||||
|
periodSeconds: 2
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if $.Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.meshID }}"
|
||||||
|
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: {{ .Values.global.network }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
|
value: |
|
||||||
|
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||||
|
{{ end }}
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: istio-envoy
|
||||||
|
mountPath: /etc/istio/proxy
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/istio/config
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
mountPath: /var/run/secrets/tokens
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
mountPath: /var/run/ingress_gateway
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
mountPath: /etc/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
- name: podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
- name: podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- name: istio-envoy
|
||||||
|
emptyDir: {}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
secretName: istio.istio-ingressgateway-service-account
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
optional: true
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
|
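Review bot: The `istio-certs` volume hard-codes `secretName: istio.istio-ingressgateway-service-account`, while the pod's `serviceAccountName` and every other name in this Deployment derive from `$gateway.name`; with a renamed gateway and `global.mountMtlsCerts` enabled the mount is silently empty because the secret is `optional: true`. The line should read `secretName: istio.{{ $gateway.name | default "istio-ingressgateway" }}-service-account`. Separately, both container images are assembled from `.Values.global.hub` and `.Values.global.tag`, whose defaults in the README hunk are `gcr.io/istio-testing` and `latest`; unless the parent chart overrides them (not visible here), the gateway proxy is pulled as a mutable tag from a testing registry, so the wrapper values should pin hub and tag to a release and, ideally, a digest.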
@ -0,0 +1,79 @@
|
|||||||
|
{{- if .Values.global.meshExpansion.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-gateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiod
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiodwebhook
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-vs-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
gateways:
|
||||||
|
- meshexpansion-gateway
|
||||||
|
tcp:
|
||||||
|
- match:
|
||||||
|
- port: 15012
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 15012
|
||||||
|
- match:
|
||||||
|
- port: 15017
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 443
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-dr-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
trafficPolicy:
|
||||||
|
portLevelSettings:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
|
||||||
|
{{- end }}
|
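Review bot: The 15017 route destination and the DestinationRule `host` use `.Release.Namespace`, whereas the VirtualService `hosts` entry and the 15012 route use `.Values.global.istioNamespace`; when the gateway is installed in its own namespace, as the README's migration section recommends, the webhook route and the TLS-disable policy point at an istiod host that does not exist there. Both lines should read `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`. Note also that this Gateway publishes istiod's 15012 and 15017 ports on the ingress load balancer for hosts `"*"`, so `global.meshExpansion.enabled` (default `false` per the README) should be turned on only where out-of-cluster workloads genuinely need to reach istiod.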
@ -0,0 +1,19 @@
|
|||||||
|
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
minAvailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||||
|
{{- end }}
|
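Review bot: `minAvailable: 1` combined with the chart's default `autoscaleMin: 1` (README hunk) makes a single-replica gateway impossible to evict, so a node drain blocks on this pod until someone intervenes. If a single replica is an expected deployment, the PDB should either be rendered only when more than one replica is guaranteed — hoist the `$gateway` assignment above the `if` and extend the condition to `{{- if and .Values.global.defaultPodDisruptionBudget.enabled (gt ($gateway.autoscaleMin | int) 1) }}` — or use `maxUnavailable: 1`, accepting a brief outage during drains. Which option fits depends on whether the cluster's upgrade tooling drains nodes, which this hunk does not show.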
@ -0,0 +1,78 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.multiCluster.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- hosts:
|
||||||
|
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
port:
|
||||||
|
name: tls
|
||||||
|
number: 15443
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: AUTO_PASSTHROUGH
|
||||||
|
---
|
||||||
|
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
listener:
|
||||||
|
portNumber: 15443
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.filters.network.sni_cluster"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_AFTER
|
||||||
|
value:
|
||||||
|
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||||
|
typed_config:
|
||||||
|
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||||
|
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||||
|
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
|
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||||
|
exportTo:
|
||||||
|
- '*'
|
||||||
|
{{- end }}
|
||||||
|
trafficPolicy:
|
||||||
|
tls:
|
||||||
|
mode: ISTIO_MUTUAL
|
||||||
|
---
|
||||||
|
{{- end }}
|
@ -0,0 +1,16 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "watch", "list"]
|
||||||
|
---
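Review bot: The rule at the end of this Role grants `get`, `list` and `watch` on every Secret in the release namespace, not only the gateway's TLS secrets, so any secret that shares the namespace becomes readable by the gateway pod via SDS. That matches upstream Istio, and `resourceNames` does not usefully constrain `list`/`watch`, so the real mitigation is the dedicated namespace that the chart's values file alludes to; that reasoning is not visible on the Role itself. I'd add above `rules:` the comment `# Reads ALL secrets in this namespace (SDS needs list/watch, which cannot be name-scoped) -- install the gateway in its own namespace and keep unrelated secrets out of it.`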
|
@ -0,0 +1,19 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
---
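Review bot: The ServiceAccount subject at the bottom of this RoleBinding carries no `namespace:`; as far as I recall the RBAC authorizer defaults a missing SA namespace to the binding's own namespace, so it works, but it is implicit and breaks silently if this manifest is ever copied into a ClusterRoleBinding, where the namespace is required. I'd make it explicit with `namespace: {{ .Release.Namespace }}` under the subject, which also makes the subject-to-Role scope obvious to a reader.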
|
@ -0,0 +1,55 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if not $gateway.customService }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
annotations:
|
||||||
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
{{ $key }}: {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if $gateway.loadBalancerIP }}
|
||||||
|
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.loadBalancerSourceRanges }}
|
||||||
|
loadBalancerSourceRanges:
|
||||||
|
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.externalTrafficPolicy }}
|
||||||
|
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
type: {{ $gateway.type }}
|
||||||
|
selector:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
ports:
|
||||||
|
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
|
-
|
||||||
|
port: {{ $app.port }}
|
||||||
|
name: {{ $app.name }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{ end }}
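Review bot: The `meshExpansion.enabled` branch in the `ports:` list renders the istiod port (15012 per the default `meshExpansionPorts`) onto this Service, which defaults to `type: LoadBalancer` with an empty `loadBalancerSourceRanges`, so enabling mesh expansion puts the control-plane port on the public load balancer; nothing in this template consults `global.meshExpansion.useILB`, although the values comment for that flag suggests an internal gateway. I'd flag that on the branch: `# NOTE: mesh-expansion ports land on this (public unless loadBalancerSourceRanges or an internal-LB annotation is set) Service; useILB is not honoured here.` Whether the parent chart restricts source ranges elsewhere is not visible from this diff.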
|
@ -0,0 +1,18 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
336
charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
Normal file
@ -0,0 +1,336 @@
|
|||||||
|
# A-la-carte istio ingress gateway.
|
||||||
|
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
name: istio-ingressgateway
|
||||||
|
labels:
|
||||||
|
app: istio-ingressgateway
|
||||||
|
istio: ingressgateway
|
||||||
|
ports:
|
||||||
|
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||||
|
# Note that AWS ELB will by default perform health checks on the first port
|
||||||
|
# on this list. Setting this to the health check port will ensure that health
|
||||||
|
# checks always work. https://github.com/istio/istio/issues/12503
|
||||||
|
- port: 15021
|
||||||
|
targetPort: 15021
|
||||||
|
name: status-port
|
||||||
|
protocol: TCP
|
||||||
|
- port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
name: http2
|
||||||
|
protocol: TCP
|
||||||
|
- port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
name: https
|
||||||
|
protocol: TCP
|
||||||
|
# This is the port where sni routing happens
|
||||||
|
- port: 15443
|
||||||
|
targetPort: 15443
|
||||||
|
name: tls
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
# Scalability tunning
|
||||||
|
# replicaCount: 1
|
||||||
|
rollingMaxSurge: 100%
|
||||||
|
rollingMaxUnavailable: 25%
|
||||||
|
autoscaleEnabled: true
|
||||||
|
autoscaleMin: 1
|
||||||
|
autoscaleMax: 5
|
||||||
|
|
||||||
|
cpu:
|
||||||
|
targetAverageUtilization: 80
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: 2000m
|
||||||
|
memory: 1024Mi
|
||||||
|
|
||||||
|
loadBalancerIP: ""
|
||||||
|
loadBalancerSourceRanges: []
|
||||||
|
serviceAnnotations: {}
|
||||||
|
|
||||||
|
# Enable cross-cluster access using SNI matching
|
||||||
|
zvpn:
|
||||||
|
enabled: false
|
||||||
|
suffix: global
|
||||||
|
|
||||||
|
# To generate an internal load balancer:
|
||||||
|
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||||
|
#serviceAnnotations:
|
||||||
|
# cloud.google.com/load-balancer-type: "internal"
|
||||||
|
|
||||||
|
podAnnotations: {}
|
||||||
|
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||||
|
|
||||||
|
#### MESH EXPANSION PORTS ########
|
||||||
|
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||||
|
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||||
|
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||||
|
# exposing unnecessary ports on the web.
|
||||||
|
# You can remove these ports if you are not using mesh expansion
|
||||||
|
meshExpansionPorts:
|
||||||
|
- port: 15012
|
||||||
|
targetPort: 15012
|
||||||
|
name: tcp-istiod
|
||||||
|
####### end MESH EXPANSION PORTS ######
|
||||||
|
|
||||||
|
##############
|
||||||
|
secretVolumes:
|
||||||
|
- name: ingressgateway-certs
|
||||||
|
secretName: istio-ingressgateway-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-certs
|
||||||
|
- name: ingressgateway-ca-certs
|
||||||
|
secretName: istio-ingressgateway-ca-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||||
|
|
||||||
|
customService: false
|
||||||
|
externalTrafficPolicy: ""
|
||||||
|
|
||||||
|
ingressPorts: []
|
||||||
|
additionalContainers: []
|
||||||
|
configVolumes: []
|
||||||
|
|
||||||
|
### Advanced options ############
|
||||||
|
env:
|
||||||
|
# A gateway with this mode ensures that pilot generates an additional
|
||||||
|
# set of clusters for internal services but without Istio mTLS, to
|
||||||
|
# enable cross cluster routing.
|
||||||
|
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||||
|
|
||||||
|
nodeSelector: {}
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||||
|
# your pod is eligible to be scheduled based on labels on pods that are
|
||||||
|
# already running on the node rather than based on labels on nodes.
|
||||||
|
# There are currently two types of anti-affinity:
|
||||||
|
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||||
|
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||||
|
# correspondingly.
|
||||||
|
# For example:
|
||||||
|
# podAntiAffinityLabelSelector:
|
||||||
|
# - key: security
|
||||||
|
# operator: In
|
||||||
|
# values: S1,S2
|
||||||
|
# topologyKey: "kubernetes.io/hostname"
|
||||||
|
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||||
|
# onto a node if that node is already running a pod with label having key
|
||||||
|
# "security" and value "S1".
|
||||||
|
podAntiAffinityLabelSelector: []
|
||||||
|
podAntiAffinityTermLabelSelector: []
|
||||||
|
|
||||||
|
# whether to run the gateway in a privileged container
|
||||||
|
runAsRoot: false
|
||||||
|
|
||||||
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
|
revision: ""
|
||||||
|
|
||||||
|
# For Helm compatibility.
|
||||||
|
ownerName: ""
|
||||||
|
|
||||||
|
global:
|
||||||
|
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||||
|
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||||
|
# should be one of the following two options:
|
||||||
|
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||||
|
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||||
|
defaultConfigVisibilitySettings: []
|
||||||
|
|
||||||
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
|
defaultPodDisruptionBudget:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# A minimal set of requested resources to applied to all deployments so that
|
||||||
|
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||||
|
# Each component can overwrite these default values by adding its own resources
|
||||||
|
# block in the relevant section below and setting the desired resources values.
|
||||||
|
defaultResources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
# memory: 128Mi
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
|
||||||
|
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||||
|
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||||
|
# these default values by adding its tolerations block in the relevant section below
|
||||||
|
# and setting the desired values.
|
||||||
|
# Configure this field in case that all pods of Istio control plane are expected to
|
||||||
|
# be scheduled to particular nodes with specified taints.
|
||||||
|
defaultTolerations: []
|
||||||
|
|
||||||
|
# Default hub for Istio images.
|
||||||
|
# Releases are published to docker hub under 'istio' project.
|
||||||
|
# Dev builds from prow are on gcr.io
|
||||||
|
hub: gcr.io/istio-testing
|
||||||
|
|
||||||
|
# Default tag for Istio images.
|
||||||
|
tag: latest
|
||||||
|
|
||||||
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
imagePullPolicy: ""
|
||||||
|
|
||||||
|
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||||
|
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||||
|
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||||
|
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||||
|
# Must be set for any cluster configured with private docker registry.
|
||||||
|
imagePullSecrets: []
|
||||||
|
# - private-registry-key
|
||||||
|
|
||||||
|
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||||
|
logAsJson: false
|
||||||
|
|
||||||
|
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||||
|
# 0 - Never scheduled
|
||||||
|
# 1 - Least preferred
|
||||||
|
# 2 - No preference
|
||||||
|
# 3 - Most preferred
|
||||||
|
arch:
|
||||||
|
amd64: 2
|
||||||
|
s390x: 2
|
||||||
|
ppc64le: 2
|
||||||
|
|
||||||
|
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||||
|
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||||
|
# If empty, default scope and level will be used as configured in code
|
||||||
|
logging:
|
||||||
|
level: "default:info"
|
||||||
|
|
||||||
|
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||||
|
# ingress gateway
|
||||||
|
meshExpansion:
|
||||||
|
enabled: false
|
||||||
|
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||||
|
# will be exposed on an internal gateway
|
||||||
|
useILB: false
|
||||||
|
|
||||||
|
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||||
|
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||||
|
# will not be killed because of low priority class.
|
||||||
|
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||||
|
# for more detail.
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
|
proxy:
|
||||||
|
image: proxyv2
|
||||||
|
|
||||||
|
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||||
|
# cluster domain. Default value is "cluster.local".
|
||||||
|
clusterDomain: "cluster.local"
|
||||||
|
|
||||||
|
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||||
|
# not set, then the global "logLevel" will be used.
|
||||||
|
componentLogLevel: "misc:error"
|
||||||
|
|
||||||
|
# If set, newly injected sidecars will have core dumps enabled.
|
||||||
|
enableCoreDump: false
|
||||||
|
|
||||||
|
# Log level for proxy, applies to gateways and sidecars.
|
||||||
|
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||||
|
logLevel: warning
|
||||||
|
|
||||||
|
##############################################################################################
|
||||||
|
# The following values are found in other charts. To effectively modify these values, make #
|
||||||
|
# make sure they are consistent across your Istio helm charts #
|
||||||
|
##############################################################################################
|
||||||
|
|
||||||
|
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||||
|
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||||
|
caAddress: ""
|
||||||
|
|
||||||
|
# Used to locate istiod.
|
||||||
|
istioNamespace: istio-system
|
||||||
|
|
||||||
|
# Configure the policy for validating JWT.
|
||||||
|
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||||
|
jwtPolicy: "third-party-jwt"
|
||||||
|
|
||||||
|
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||||
|
# meshes will interact with each other, but it is not required to be
|
||||||
|
# globally/universally unique. For example, if any of the following are true,
|
||||||
|
# then two meshes must have different Mesh IDs:
|
||||||
|
# - Meshes will have their telemetry aggregated in one place
|
||||||
|
# - Meshes will be federated together
|
||||||
|
# - Policy will be written referencing one mesh from the other
|
||||||
|
#
|
||||||
|
# If an administrator expects that any of these conditions may become true in
|
||||||
|
# the future, they should ensure their meshes have different Mesh IDs
|
||||||
|
# assigned.
|
||||||
|
#
|
||||||
|
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||||
|
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||||
|
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||||
|
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||||
|
# ID post-install.
|
||||||
|
#
|
||||||
|
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||||
|
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||||
|
# value.
|
||||||
|
meshID: ""
|
||||||
|
|
||||||
|
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||||
|
mountMtlsCerts: false
|
||||||
|
|
||||||
|
multiCluster:
|
||||||
|
# Set to true to connect two kubernetes clusters via their respective
|
||||||
|
# ingressgateway services when pods in each cluster cannot directly
|
||||||
|
# talk to one another. All clusters should be using Istio mTLS and must
|
||||||
|
# have a shared root CA for this model to work.
|
||||||
|
enabled: false
|
||||||
|
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||||
|
# to properly label proxies
|
||||||
|
clusterName: ""
|
||||||
|
# The suffix for global service names
|
||||||
|
globalDomainSuffix: "global"
|
||||||
|
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||||
|
includeEnvoyFilter: true
|
||||||
|
|
||||||
|
# Network defines the network this cluster belong to. This name
|
||||||
|
# corresponds to the networks in the map of mesh networks.
|
||||||
|
network: ""
|
||||||
|
|
||||||
|
# Configure the certificate provider for control plane communication.
|
||||||
|
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||||
|
# As some platforms may not have kubernetes signing APIs,
|
||||||
|
# Istiod is the default
|
||||||
|
pilotCertProvider: istiod
|
||||||
|
|
||||||
|
sds:
|
||||||
|
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||||
|
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||||
|
# JWT is intended for the CA.
|
||||||
|
token:
|
||||||
|
aud: istio-ca
|
||||||
|
|
||||||
|
sts:
|
||||||
|
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||||
|
# Setting this port to a non-zero value enables STS server.
|
||||||
|
servicePort: 0
|
||||||
|
|
||||||
|
# Deprecated, use meshConfig.trustDomain
|
||||||
|
# trustDomain: ""
|
||||||
|
|
||||||
|
meshConfig:
|
||||||
|
enablePrometheusMerge: true
|
||||||
|
# trustDomain: ""
|
||||||
|
defaultConfig:
|
||||||
|
proxyMetadata: {}
|
||||||
|
tracing:
|
||||||
|
# tlsSettings:
|
||||||
|
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||||
|
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||||
|
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||||
|
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||||
|
# sni: # example: tracer.somedomain
|
||||||
|
# subjectAltNames: []
|
||||||
|
# - tracer.somedomain
|
@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
name: istio-private-ingress
|
||||||
|
version: 1.1.0
|
||||||
|
tillerVersion: ">=2.7.2"
|
||||||
|
description: Helm chart for deploying Istio gateways
|
||||||
|
keywords:
|
||||||
|
- istio
|
||||||
|
- ingressgateway
|
||||||
|
- gateways
|
||||||
|
sources:
|
||||||
|
- http://github.com/istio/istio
|
||||||
|
engine: gotpl
|
||||||
|
icon: https://istio.io/latest/favicons/android-192x192.png
|
@ -0,0 +1,43 @@
|
|||||||
|
|
||||||
|
Changes:
|
||||||
|
- separate namespace allows:
|
||||||
|
-- easier reconfig of just the gateway
|
||||||
|
-- TLS secrets and domain name management is isolated, for better security
|
||||||
|
-- simplified configuration
|
||||||
|
-- multiple versions of the ingress can be used, to minimize upgrade risks
|
||||||
|
|
||||||
|
- the new chart uses the default namespace service account, and doesn't require
|
||||||
|
additional RBAC permissions.
|
||||||
|
|
||||||
|
- simplified label and chart structure.
|
||||||
|
- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
|
||||||
|
and allows a bit more flexibility.
|
||||||
|
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
|
||||||
|
|
||||||
|
# Port and basic host configuration
|
||||||
|
|
||||||
|
In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
|
||||||
|
In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
|
||||||
|
both in upgrade, Gateway and VirtualService.
|
||||||
|
|
||||||
|
The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
|
||||||
|
Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
|
||||||
|
config for the rest.
|
||||||
|
|
||||||
|
All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
|
||||||
|
|
||||||
|
# Migration from istio-system
|
||||||
|
|
||||||
|
Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
|
||||||
|
with the Service and bound to the namespace, it is recommended to:
|
||||||
|
|
||||||
|
1. Install the new gateway in a new namespace.
|
||||||
|
2. Copy any TLS certificate to the new namespace, and configure the domains.
|
||||||
|
3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
|
||||||
|
4. Modify the DNS server to add the A record of the new namespace
|
||||||
|
5. Check traffic
|
||||||
|
6. Delete the A record corresponding to the gateway in istio-system
|
||||||
|
7. Upgrade istio-system, disabling the ingressgateway
|
||||||
|
8. Delete the domain TLS certs from istio-system.
|
||||||
|
|
||||||
|
If using certmanager, all Certificate and associated configs must be moved as well.
|
@ -0,0 +1,112 @@
|
|||||||
|
# istio-ingress
|
||||||
|
|
||||||
|
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||||
|
|
||||||
|
Helm chart for deploying Istio gateways
|
||||||
|
|
||||||
|
## Source Code
|
||||||
|
|
||||||
|
* <http://github.com/istio/istio>
|
||||||
|
|
||||||
|
## Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
|
||||||
|
| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
|
||||||
|
| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
|
||||||
|
| gateways.istio-ingressgateway.customService | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
|
||||||
|
| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
|
||||||
|
| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
|
||||||
|
| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
|
||||||
|
| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
|
||||||
|
| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
|
||||||
|
| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].port | int | `80` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].port | int | `15443` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
|
||||||
|
| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
|
||||||
|
| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | |
|
||||||
|
| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | |
|
||||||
|
| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | |
|
||||||
|
| gateways.istio-ingressgateway.runAsRoot | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].mountPath | string | `"/etc/istio/ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | |
|
||||||
|
| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | |
|
||||||
|
| gateways.istio-ingressgateway.tolerations | list | `[]` | |
|
||||||
|
| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | |
|
||||||
|
| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | |
|
||||||
|
| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | |
|
||||||
|
| global.arch.amd64 | int | `2` | |
|
||||||
|
| global.arch.ppc64le | int | `2` | |
|
||||||
|
| global.arch.s390x | int | `2` | |
|
||||||
|
| global.caAddress | string | `""` | |
|
||||||
|
| global.defaultConfigVisibilitySettings | list | `[]` | |
|
||||||
|
| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
|
||||||
|
| global.defaultResources.requests.cpu | string | `"10m"` | |
|
||||||
|
| global.defaultTolerations | list | `[]` | |
|
||||||
|
| global.hub | string | `"gcr.io/istio-testing"` | |
|
||||||
|
| global.imagePullPolicy | string | `""` | |
|
||||||
|
| global.imagePullSecrets | list | `[]` | |
|
||||||
|
| global.istioNamespace | string | `"istio-system"` | |
|
||||||
|
| global.jwtPolicy | string | `"third-party-jwt"` | |
|
||||||
|
| global.logAsJson | bool | `false` | |
|
||||||
|
| global.logging.level | string | `"default:info"` | |
|
||||||
|
| global.meshExpansion.enabled | bool | `false` | |
|
||||||
|
| global.meshExpansion.useILB | bool | `false` | |
|
||||||
|
| global.meshID | string | `""` | |
|
||||||
|
| global.mountMtlsCerts | bool | `false` | |
|
||||||
|
| global.multiCluster.clusterName | string | `""` | |
|
||||||
|
| global.multiCluster.enabled | bool | `false` | |
|
||||||
|
| global.multiCluster.globalDomainSuffix | string | `"global"` | |
|
||||||
|
| global.multiCluster.includeEnvoyFilter | bool | `true` | |
|
||||||
|
| global.network | string | `""` | |
|
||||||
|
| global.pilotCertProvider | string | `"istiod"` | |
|
||||||
|
| global.priorityClassName | string | `""` | |
|
||||||
|
| global.proxy.clusterDomain | string | `"cluster.local"` | |
|
||||||
|
| global.proxy.componentLogLevel | string | `"misc:error"` | |
|
||||||
|
| global.proxy.enableCoreDump | bool | `false` | |
|
||||||
|
| global.proxy.image | string | `"proxyv2"` | |
|
||||||
|
| global.proxy.logLevel | string | `"warning"` | |
|
||||||
|
| global.sds.token.aud | string | `"istio-ca"` | |
|
||||||
|
| global.sts.servicePort | int | `0` | |
|
||||||
|
| global.tag | string | `"latest"` | |
|
||||||
|
| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
|
||||||
|
| meshConfig.defaultConfig.tracing | string | `nil` | |
|
||||||
|
| meshConfig.enablePrometheusMerge | bool | `true` | |
|
||||||
|
| ownerName | string | `""` | |
|
||||||
|
| revision | string | `""` | |
|
||||||
|
|
||||||
|
----------------------------------------------
|
||||||
|
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
@ -0,0 +1,93 @@
|
|||||||
|
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
|
||||||
|
|
||||||
|
{{- define "nodeaffinity" }}
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityRequiredDuringScheduling" . }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "nodeAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityRequiredDuringScheduling" }}
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
|
||||||
|
{{- range $key, $val := $nodeSelector }}
|
||||||
|
- key: {{ $key }}
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "nodeAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $key, $val := .global.arch }}
|
||||||
|
{{- if gt ($val | int) 0 }}
|
||||||
|
- weight: {{ $val | int }}
|
||||||
|
preference:
|
||||||
|
matchExpressions:
|
||||||
|
- key: kubernetes.io/arch
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ $key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinity" }}
|
||||||
|
{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
|
||||||
|
podAntiAffinity:
|
||||||
|
{{- if .podAntiAffinityLabelSelector }}
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityRequiredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .podAntiAffinityTermLabelSelector }}
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
{{- include "podAntiAffinityPreferredDuringScheduling" . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityRequiredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityLabelSelector }}
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "podAntiAffinityPreferredDuringScheduling" }}
|
||||||
|
{{- range $index, $item := .podAntiAffinityTermLabelSelector }}
|
||||||
|
- podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: {{ $item.key }}
|
||||||
|
operator: {{ $item.operator }}
|
||||||
|
{{- if $item.values }}
|
||||||
|
values:
|
||||||
|
{{- $vals := split "," $item.values }}
|
||||||
|
{{- range $i, $v := $vals }}
|
||||||
|
- {{ $v | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
topologyKey: {{ $item.topologyKey }}
|
||||||
|
weight: 100
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
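Review bot: In `nodeAffinityRequiredDuringScheduling` (L7143–L7171) the `kubernetes.io/arch` term is emitted unconditionally, but its `values:` entries are only produced for arches whose weight is greater than 0; if `.global.arch` contains no positive entry, the rendered term is an `In` expression with an empty `values` list, which the API server rejects. Wrapping the `- key: kubernetes.io/arch` term in a guard that checks at least one positive arch weight (or documenting that `.global.arch` must always contain one) would avoid an un-schedulable Deployment. The helper file also has no header comment; the one-line context each `define` expects (`"nodeaffinity"` is called with `dict "global" ... "nodeSelector" ...`, `"podAntiAffinity"` with the gateway values map) would help the next reader.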
|
@ -0,0 +1,27 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
|
||||||
|
apiVersion: autoscaling/v2beta1
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
maxReplicas: {{ $gateway.autoscaleMax }}
|
||||||
|
minReplicas: {{ $gateway.autoscaleMin }}
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
@ -0,0 +1,345 @@
|
|||||||
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.autoscaleEnabled }}
|
||||||
|
{{- if $gateway.replicaCount }}
|
||||||
|
replicas: {{ $gateway.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 6 }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ $gateway.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 8 }}
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
heritage: Tiller
|
||||||
|
release: istio
|
||||||
|
chart: gateways
|
||||||
|
{{- end }}
|
||||||
|
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if not (eq .Values.revision "") }}
|
||||||
|
service.istio.io/canonical-revision: {{ .Values.revision }}
|
||||||
|
{{- else}}
|
||||||
|
service.istio.io/canonical-revision: latest
|
||||||
|
{{- end }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15020"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
prometheus.io/path: "/stats/prometheus"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
|
{{ end }}
|
||||||
|
spec:
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
fsGroup: 1337
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.proxy.enableCoreDump }}
|
||||||
|
initContainers:
|
||||||
|
- name: enable-core-dump
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
privileged: true
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" .Values.global.proxy.image }}
|
||||||
|
image: "{{ .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
- containerPort: {{ $val.targetPort | default $val.port }}
|
||||||
|
protocol: {{ $val.protocol | default "TCP" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- router
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
{{- if .Values.global.proxy.logLevel }}
|
||||||
|
- --proxyLogLevel={{ .Values.global.proxy.logLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.proxy.componentLogLevel }}
|
||||||
|
- --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logging.level }}
|
||||||
|
- --log_output_level={{ .Values.global.logging.level }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
- --serviceCluster
|
||||||
|
- {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not $gateway.runAsRoot }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
{{- end }}
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 30
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
scheme: HTTP
|
||||||
|
initialDelaySeconds: 1
|
||||||
|
periodSeconds: 2
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
resources:
|
||||||
|
{{- if $gateway.resources }}
|
||||||
|
{{ toYaml $gateway.resources | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
{{- if $.Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.meshID }}"
|
||||||
|
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $val := $gateway.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: {{ $val }}
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
|
||||||
|
{{- if and (not $network_set) .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: {{ .Values.global.network }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.podAnnotations }}
|
||||||
|
- name: "ISTIO_METAJSON_ANNOTATIONS"
|
||||||
|
value: |
|
||||||
|
{{ toJson $gateway.podAnnotations | indent 16}}
|
||||||
|
{{ end }}
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: istio-envoy
|
||||||
|
mountPath: /etc/istio/proxy
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/istio/config
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
mountPath: /var/run/secrets/tokens
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
mountPath: /var/run/ingress_gateway
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
mountPath: /etc/certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
- name: podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
{{- if .mountPath }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
mountPath: {{ .mountPath | quote }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.additionalContainers }}
|
||||||
|
{{ toYaml $gateway.additionalContainers | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
- name: podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
- name: istio-envoy
|
||||||
|
emptyDir: {}
|
||||||
|
- name: gatewaysdsudspath
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
secretName: istio.istio-ingressgateway-service-account
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
optional: true
|
||||||
|
{{- range $gateway.secretVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ .secretName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
{{- range $gateway.configVolumes }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
configMap:
|
||||||
|
name: {{ .configMapName | quote }}
|
||||||
|
optional: true
|
||||||
|
{{- end }}
|
||||||
|
affinity:
|
||||||
|
{{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }}
|
||||||
|
{{- include "podAntiAffinity" $gateway | indent 6 }}
|
||||||
|
{{- if $gateway.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml $gateway.tolerations | indent 6 }}
|
||||||
|
{{- else if .Values.global.defaultTolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
|
||||||
|
{{- end }}
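Review bot: The istio-proxy container's hardening block (L8103–L8135: `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `privileged: false`, `readOnlyRootFilesystem: true`) is dropped entirely when `runAsRoot` is set, although none of those settings depends on the UID, which the pod-level block at L7787–L7811 already handles. Keep `allowPrivilegeEscalation: false`, `privileged: false` and `readOnlyRootFilesystem: true` outside the `{{- if not $gateway.runAsRoot }}` guard (the writable paths are already emptyDir mounts); if `runAsRoot` exists to bind low ports, add only `NET_BIND_SERVICE` rather than removing the capability drop — this is an inference, the value is not documented in view. A second defect: `value: {{ $val }}` at L8463 and `value: {{ .Values.global.network }}` at L8499 are unquoted while the `proxyMetadata` loop at L8479 quotes, so an env value like `true` or `15012` becomes a non-string and the Deployment fails validation; use `value: {{ $val | quote }}`. Finally, the `enable-core-dump` initContainer (L7839–L7915) runs `privileged: true` as root and sets the node-wide `kernel.core_pattern` sysctl; a comment such as `# privileged, node-global sysctl: keep global.proxy.enableCoreDump=false outside debugging` above L7831 would make that cost visible to operators.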
|
@ -0,0 +1,79 @@
|
|||||||
|
{{- if .Values.global.meshExpansion.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-gateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiod
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
protocol: TCP
|
||||||
|
name: tcp-istiodwebhook
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-vs-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
gateways:
|
||||||
|
- meshexpansion-gateway
|
||||||
|
tcp:
|
||||||
|
- match:
|
||||||
|
- port: 15012
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 15012
|
||||||
|
- match:
|
||||||
|
- port: 15017
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
port:
|
||||||
|
number: 443
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: meshexpansion-dr-istiod
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
trafficPolicy:
|
||||||
|
portLevelSettings:
|
||||||
|
- port:
|
||||||
|
number: 15012
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
- port:
|
||||||
|
number: 15017
|
||||||
|
tls:
|
||||||
|
mode: DISABLE
|
||||||
|
|
||||||
|
{{- end }}
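Review bot: The VirtualService route for port 15017 (L9164) and the DestinationRule host (L9215) use `.Release.Namespace`, while the VirtualService `hosts` and the 15012 route (L9104, L9136) use `.Values.global.istioNamespace`; since this chart is meant to be installed in its own namespace (values comment at L10102), the 15017 route and the TLS-disable policy resolve to a non-existent `istiod.<release-ns>` service. Change both to `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`. When `meshExpansion.enabled` is turned on, the Gateway at L8953–L9057 publishes istiod's 15012 and 15017 to `hosts: "*"` with `tls.mode: DISABLE` on the route; a comment on L8953 stating that this exposes the control plane through the ingress LB and that the default is `false` (README L6984) is worth adding.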
|
@ -0,0 +1,19 @@
|
|||||||
|
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
minAvailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 6 }}
|
||||||
|
{{- end }}
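Review bot: `minAvailable: 1` (L9324) combined with the default `autoscaleMin: 1` (L10244) means a single-replica gateway can never be evicted, so a node drain blocks indefinitely on this pod; either raise the default minimum to 2 or use `maxUnavailable: 1` so drains can proceed. `policy/v1beta1` (L9276) is the deprecated PodDisruptionBudget API; on clusters that have removed it, `policy/v1` is required, so an `{{- if .Capabilities.APIVersions.Has ... }}` switch or a comment naming the supported range would help.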
|
@ -0,0 +1,78 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if .Values.global.multiCluster.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
istio: ingressgateway
|
||||||
|
servers:
|
||||||
|
- hosts:
|
||||||
|
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
port:
|
||||||
|
name: tls
|
||||||
|
number: 15443
|
||||||
|
protocol: TLS
|
||||||
|
tls:
|
||||||
|
mode: AUTO_PASSTHROUGH
|
||||||
|
---
|
||||||
|
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
listener:
|
||||||
|
portNumber: 15443
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.filters.network.sni_cluster"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_AFTER
|
||||||
|
value:
|
||||||
|
name: "envoy.filters.network.tcp_cluster_rewrite"
|
||||||
|
typed_config:
|
||||||
|
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
|
||||||
|
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
|
||||||
|
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
|
## To ensure all traffic to globalDomainSuffix is using mTLS
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: DestinationRule
|
||||||
|
metadata:
|
||||||
|
name: istio-multicluster-ingressgateway
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
|
||||||
|
{{- if .Values.global.defaultConfigVisibilitySettings }}
|
||||||
|
exportTo:
|
||||||
|
- '*'
|
||||||
|
{{- end }}
|
||||||
|
trafficPolicy:
|
||||||
|
tls:
|
||||||
|
mode: ISTIO_MUTUAL
|
||||||
|
---
|
||||||
|
{{- end }}
|
@ -0,0 +1,16 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "watch", "list"]
|
||||||
|
---
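Review bot: The Role grants `get`, `watch`, `list` on every Secret in `.Release.Namespace` (L9708–L9716), not just the gateway's own TLS credentials, which is why the values file insists on a dedicated namespace (L10102); the template itself does not say so. Add above `rules:`: `# SDS: the gateway reads credentialName Secrets; the grant is namespace-wide, so keep this chart in its own namespace (see values.yaml)`. Consider also listing `resourceNames` where the credential Secret names are known in advance, though with user-supplied `credentialName` values that is not always possible.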
|
@ -0,0 +1,19 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
---
|
@ -0,0 +1,55 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
{{- if not $gateway.customService }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
annotations:
|
||||||
|
{{- range $key, $val := $gateway.serviceAnnotations }}
|
||||||
|
{{ $key }}: {{ $val | quote }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
||||||
|
spec:
|
||||||
|
{{- if $gateway.loadBalancerIP }}
|
||||||
|
loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.loadBalancerSourceRanges }}
|
||||||
|
loadBalancerSourceRanges:
|
||||||
|
{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $gateway.externalTrafficPolicy }}
|
||||||
|
externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
type: {{ $gateway.type }}
|
||||||
|
selector:
|
||||||
|
{{ $gateway.labels | toYaml | indent 4 }}
|
||||||
|
ports:
|
||||||
|
|
||||||
|
{{- range $key, $val := $gateway.ports }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if $.Values.global.meshExpansion.enabled }}
|
||||||
|
{{- range $key, $val := $gateway.meshExpansionPorts }}
|
||||||
|
-
|
||||||
|
{{- range $pkey, $pval := $val }}
|
||||||
|
{{ $pkey}}: {{ $pval }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{ range $app := $gateway.ingressPorts }}
|
||||||
|
-
|
||||||
|
port: {{ $app.port }}
|
||||||
|
name: {{ $app.name }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{ end }}
|
@ -0,0 +1,18 @@
|
|||||||
|
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
metadata:
|
||||||
|
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ $gateway.labels | toYaml | trim | indent 4 }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "IngressGateways"
|
@ -0,0 +1,336 @@
|
|||||||
|
# A-la-carte istio ingress gateway.
|
||||||
|
# Must be installed in a separate namespace, to minimize access to secrets.
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
name: istio-ingressgateway
|
||||||
|
labels:
|
||||||
|
app: istio-ingressgateway
|
||||||
|
istio: ingressgateway
|
||||||
|
ports:
|
||||||
|
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||||
|
# Note that AWS ELB will by default perform health checks on the first port
|
||||||
|
# on this list. Setting this to the health check port will ensure that health
|
||||||
|
# checks always work. https://github.com/istio/istio/issues/12503
|
||||||
|
- port: 15021
|
||||||
|
targetPort: 15021
|
||||||
|
name: status-port
|
||||||
|
protocol: TCP
|
||||||
|
- port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
name: http2
|
||||||
|
protocol: TCP
|
||||||
|
- port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
name: https
|
||||||
|
protocol: TCP
|
||||||
|
# This is the port where sni routing happens
|
||||||
|
- port: 15443
|
||||||
|
targetPort: 15443
|
||||||
|
name: tls
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
# Scalability tunning
|
||||||
|
# replicaCount: 1
|
||||||
|
rollingMaxSurge: 100%
|
||||||
|
rollingMaxUnavailable: 25%
|
||||||
|
autoscaleEnabled: true
|
||||||
|
autoscaleMin: 1
|
||||||
|
autoscaleMax: 5
|
||||||
|
|
||||||
|
cpu:
|
||||||
|
targetAverageUtilization: 80
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
limits:
|
||||||
|
cpu: 2000m
|
||||||
|
memory: 1024Mi
|
||||||
|
|
||||||
|
loadBalancerIP: ""
|
||||||
|
loadBalancerSourceRanges: []
|
||||||
|
serviceAnnotations: {}
|
||||||
|
|
||||||
|
# Enable cross-cluster access using SNI matching
|
||||||
|
zvpn:
|
||||||
|
enabled: false
|
||||||
|
suffix: global
|
||||||
|
|
||||||
|
# To generate an internal load balancer:
|
||||||
|
# --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
|
||||||
|
#serviceAnnotations:
|
||||||
|
# cloud.google.com/load-balancer-type: "internal"
|
||||||
|
|
||||||
|
podAnnotations: {}
|
||||||
|
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
|
||||||
|
|
||||||
|
#### MESH EXPANSION PORTS ########
|
||||||
|
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
|
||||||
|
# to pilot/citadel if global.meshExpansion settings are enabled.
|
||||||
|
# Delete these ports if mesh expansion is not enabled, to avoid
|
||||||
|
# exposing unnecessary ports on the web.
|
||||||
|
# You can remove these ports if you are not using mesh expansion
|
||||||
|
meshExpansionPorts:
|
||||||
|
- port: 15012
|
||||||
|
targetPort: 15012
|
||||||
|
name: tcp-istiod
|
||||||
|
####### end MESH EXPANSION PORTS ######
|
||||||
|
|
||||||
|
##############
|
||||||
|
secretVolumes:
|
||||||
|
- name: ingressgateway-certs
|
||||||
|
secretName: istio-ingressgateway-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-certs
|
||||||
|
- name: ingressgateway-ca-certs
|
||||||
|
secretName: istio-ingressgateway-ca-certs
|
||||||
|
mountPath: /etc/istio/ingressgateway-ca-certs
|
||||||
|
|
||||||
|
customService: false
|
||||||
|
externalTrafficPolicy: ""
|
||||||
|
|
||||||
|
ingressPorts: []
|
||||||
|
additionalContainers: []
|
||||||
|
configVolumes: []
|
||||||
|
|
||||||
|
### Advanced options ############
|
||||||
|
env:
|
||||||
|
# A gateway with this mode ensures that pilot generates an additional
|
||||||
|
# set of clusters for internal services but without Istio mTLS, to
|
||||||
|
# enable cross cluster routing.
|
||||||
|
ISTIO_META_ROUTER_MODE: "sni-dnat"
|
||||||
|
|
||||||
|
nodeSelector: {}
|
||||||
|
tolerations: []
|
||||||
|
|
||||||
|
# Specify the pod anti-affinity that allows you to constrain which nodes
|
||||||
|
# your pod is eligible to be scheduled based on labels on pods that are
|
||||||
|
# already running on the node rather than based on labels on nodes.
|
||||||
|
# There are currently two types of anti-affinity:
|
||||||
|
# "requiredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# "preferredDuringSchedulingIgnoredDuringExecution"
|
||||||
|
# which denote "hard" vs. "soft" requirements, you can define your values
|
||||||
|
# in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
|
||||||
|
# correspondingly.
|
||||||
|
# For example:
|
||||||
|
# podAntiAffinityLabelSelector:
|
||||||
|
# - key: security
|
||||||
|
# operator: In
|
||||||
|
# values: S1,S2
|
||||||
|
# topologyKey: "kubernetes.io/hostname"
|
||||||
|
# This pod anti-affinity rule says that the pod requires not to be scheduled
|
||||||
|
# onto a node if that node is already running a pod with label having key
|
||||||
|
# "security" and value "S1".
|
||||||
|
podAntiAffinityLabelSelector: []
|
||||||
|
podAntiAffinityTermLabelSelector: []
|
||||||
|
|
||||||
|
# whether to run the gateway in a privileged container
|
||||||
|
runAsRoot: false
|
||||||
|
|
||||||
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
|
revision: ""
|
||||||
|
|
||||||
|
# For Helm compatibility.
|
||||||
|
ownerName: ""
|
||||||
|
|
||||||
|
global:
|
||||||
|
# set the default set of namespaces to which services, service entries, virtual services, destination
|
||||||
|
# rules should be exported to. Currently only one value can be provided in this list. This value
|
||||||
|
# should be one of the following two options:
|
||||||
|
# * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
|
||||||
|
# . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
|
||||||
|
defaultConfigVisibilitySettings: []
|
||||||
|
|
||||||
|
# enable pod disruption budget for the control plane, which is used to
|
||||||
|
# ensure Istio control plane components are gradually upgraded or recovered.
|
||||||
|
defaultPodDisruptionBudget:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# A minimal set of requested resources to applied to all deployments so that
|
||||||
|
# Horizontal Pod Autoscaler will be able to function (if set).
|
||||||
|
# Each component can overwrite these default values by adding its own resources
|
||||||
|
# block in the relevant section below and setting the desired resources values.
|
||||||
|
defaultResources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
# memory: 128Mi
|
||||||
|
# limits:
|
||||||
|
# cpu: 100m
|
||||||
|
# memory: 128Mi
|
||||||
|
|
||||||
|
# Default node tolerations to be applied to all deployments so that all pods can be
|
||||||
|
# scheduled to a particular nodes with matching taints. Each component can overwrite
|
||||||
|
# these default values by adding its tolerations block in the relevant section below
|
||||||
|
# and setting the desired values.
|
||||||
|
# Configure this field in case that all pods of Istio control plane are expected to
|
||||||
|
# be scheduled to particular nodes with specified taints.
|
||||||
|
defaultTolerations: []
|
||||||
|
|
||||||
|
# Default hub for Istio images.
|
||||||
|
# Releases are published to docker hub under 'istio' project.
|
||||||
|
# Dev builds from prow are on gcr.io
|
||||||
|
hub: gcr.io/istio-testing
|
||||||
|
|
||||||
|
# Default tag for Istio images.
|
||||||
|
tag: latest
|
||||||
|
|
||||||
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
|
imagePullPolicy: ""
|
||||||
|
|
||||||
|
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
|
||||||
|
# to use for pulling any images in pods that reference this ServiceAccount.
|
||||||
|
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
|
||||||
|
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
|
||||||
|
# Must be set for any cluster configured with private docker registry.
|
||||||
|
imagePullSecrets: []
|
||||||
|
# - private-registry-key
|
||||||
|
|
||||||
|
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
|
||||||
|
logAsJson: false
|
||||||
|
|
||||||
|
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
|
||||||
|
# 0 - Never scheduled
|
||||||
|
# 1 - Least preferred
|
||||||
|
# 2 - No preference
|
||||||
|
# 3 - Most preferred
|
||||||
|
arch:
|
||||||
|
amd64: 2
|
||||||
|
s390x: 2
|
||||||
|
ppc64le: 2
|
||||||
|
|
||||||
|
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
|
||||||
|
# The control plane has different scopes depending on component, but can configure default log level across all components
|
||||||
|
# If empty, default scope and level will be used as configured in code
|
||||||
|
logging:
|
||||||
|
level: "default:info"
|
||||||
|
|
||||||
|
# If set to true, the pilot and citadel mtls will be exposed on the
|
||||||
|
# ingress gateway
|
||||||
|
meshExpansion:
|
||||||
|
enabled: false
|
||||||
|
# If set to true, the pilot and citadel mtls and the plain text pilot ports
|
||||||
|
# will be exposed on an internal gateway
|
||||||
|
useILB: false
|
||||||
|
|
||||||
|
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
|
||||||
|
# system-node-critical, it is better to configure this in order to make sure your Istio pods
|
||||||
|
# will not be killed because of low priority class.
|
||||||
|
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||||
|
# for more detail.
|
||||||
|
priorityClassName: ""
|
||||||
|
|
||||||
|
proxy:
|
||||||
|
image: proxyv2
|
||||||
|
|
||||||
|
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
|
||||||
|
# cluster domain. Default value is "cluster.local".
|
||||||
|
clusterDomain: "cluster.local"
|
||||||
|
|
||||||
|
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
|
||||||
|
# not set, then the global "logLevel" will be used.
|
||||||
|
componentLogLevel: "misc:error"
|
||||||
|
|
||||||
|
# If set, newly injected sidecars will have core dumps enabled.
|
||||||
|
enableCoreDump: false
|
||||||
|
|
||||||
|
# Log level for proxy, applies to gateways and sidecars.
|
||||||
|
# Expected values are: trace|debug|info|warning|error|critical|off
|
||||||
|
logLevel: warning
|
||||||
|
|
||||||
|
##############################################################################################
|
||||||
|
# The following values are found in other charts. To effectively modify these values, make #
|
||||||
|
# make sure they are consistent across your Istio helm charts #
|
||||||
|
##############################################################################################
|
||||||
|
|
||||||
|
# The customized CA address to retrieve certificates for the pods in the cluster.
|
||||||
|
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
|
||||||
|
caAddress: ""
|
||||||
|
|
||||||
|
# Used to locate istiod.
|
||||||
|
istioNamespace: istio-system
|
||||||
|
|
||||||
|
# Configure the policy for validating JWT.
|
||||||
|
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
|
||||||
|
jwtPolicy: "third-party-jwt"
|
||||||
|
|
||||||
|
# Mesh ID means Mesh Identifier. It should be unique within the scope where
|
||||||
|
# meshes will interact with each other, but it is not required to be
|
||||||
|
# globally/universally unique. For example, if any of the following are true,
|
||||||
|
# then two meshes must have different Mesh IDs:
|
||||||
|
# - Meshes will have their telemetry aggregated in one place
|
||||||
|
# - Meshes will be federated together
|
||||||
|
# - Policy will be written referencing one mesh from the other
|
||||||
|
#
|
||||||
|
# If an administrator expects that any of these conditions may become true in
|
||||||
|
# the future, they should ensure their meshes have different Mesh IDs
|
||||||
|
# assigned.
|
||||||
|
#
|
||||||
|
# Within a multicluster mesh, each cluster must be (manually or auto)
|
||||||
|
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
|
||||||
|
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
|
||||||
|
# of migration TBD, and it may be a disruptive operation to change the Mesh
|
||||||
|
# ID post-install.
|
||||||
|
#
|
||||||
|
# If the mesh admin does not specify a value, Istio will use the value of the
|
||||||
|
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
|
||||||
|
# value.
|
||||||
|
meshID: ""
|
||||||
|
|
||||||
|
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
|
||||||
|
mountMtlsCerts: false
|
||||||
|
|
||||||
|
multiCluster:
|
||||||
|
# Set to true to connect two kubernetes clusters via their respective
|
||||||
|
# ingressgateway services when pods in each cluster cannot directly
|
||||||
|
# talk to one another. All clusters should be using Istio mTLS and must
|
||||||
|
# have a shared root CA for this model to work.
|
||||||
|
enabled: false
|
||||||
|
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
|
||||||
|
# to properly label proxies
|
||||||
|
clusterName: ""
|
||||||
|
# The suffix for global service names
|
||||||
|
globalDomainSuffix: "global"
|
||||||
|
# Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
|
||||||
|
includeEnvoyFilter: true
|
||||||
|
|
||||||
|
# Network defines the network this cluster belong to. This name
|
||||||
|
# corresponds to the networks in the map of mesh networks.
|
||||||
|
network: ""
|
||||||
|
|
||||||
|
# Configure the certificate provider for control plane communication.
|
||||||
|
# Currently, two providers are supported: "kubernetes" and "istiod".
|
||||||
|
# As some platforms may not have kubernetes signing APIs,
|
||||||
|
# Istiod is the default
|
||||||
|
pilotCertProvider: istiod
|
||||||
|
|
||||||
|
sds:
|
||||||
|
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
|
||||||
|
# When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
|
||||||
|
# JWT is intended for the CA.
|
||||||
|
token:
|
||||||
|
aud: istio-ca
|
||||||
|
|
||||||
|
sts:
|
||||||
|
# The service port used by Security Token Service (STS) server to handle token exchange requests.
|
||||||
|
# Setting this port to a non-zero value enables STS server.
|
||||||
|
servicePort: 0
|
||||||
|
|
||||||
|
# Deprecated, use meshConfig.trustDomain
|
||||||
|
# trustDomain: ""
|
||||||
|
|
||||||
|
meshConfig:
|
||||||
|
enablePrometheusMerge: true
|
||||||
|
# trustDomain: ""
|
||||||
|
defaultConfig:
|
||||||
|
proxyMetadata: {}
|
||||||
|
tracing:
|
||||||
|
# tlsSettings:
|
||||||
|
# mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
|
||||||
|
# clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
|
||||||
|
# privateKey: # example: /etc/istio/tracer/key.pem
|
||||||
|
# caCertificates: # example: /etc/istio/tracer/root-cert.pem
|
||||||
|
# sni: # example: tracer.somedomain
|
||||||
|
# subjectAltNames: []
|
||||||
|
# - tracer.somedomain
|
@ -1,9 +1,9 @@
|
|||||||
{{- if .Values.ingress.public.enabled }}
|
{{- if index .Values "istio-ingress" "enabled" }}
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: ingressgateway-listener-tcp-keepalive
|
name: ingressgateway-listener-tcp-keepalive
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
spec:
|
spec:
|
||||||
workloadSelector:
|
workloadSelector:
|
||||||
labels:
|
labels:
|
||||||
@ -33,13 +33,13 @@ spec:
|
|||||||
state: STATE_LISTENING
|
state: STATE_LISTENING
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.ingress.private.enabled }}
|
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingressgateway-listener-tcp-keepalive
|
name: private-ingressgateway-listener-tcp-keepalive
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
spec:
|
spec:
|
||||||
workloadSelector:
|
workloadSelector:
|
||||||
labels:
|
labels:
|
@ -1,9 +1,9 @@
|
|||||||
{{- if .Values.ingress.dnsNames }}
|
{{- if index .Values "istio-ingress" "dnsNames" }}
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: public-ingress-cert
|
name: public-ingress-cert
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -12,5 +12,5 @@ spec:
|
|||||||
name: letsencrypt-dns-prod
|
name: letsencrypt-dns-prod
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
dnsNames:
|
dnsNames:
|
||||||
{{ toYaml .Values.ingress.dnsNames | indent 4 }}
|
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
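Review bot: The Certificate is rendered whenever `istio-ingress.dnsNames` is non-empty, while the matching Gateway in this commit is gated on `and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames")`, so a values file that lists dnsNames but leaves the public ingress disabled still triggers a Let's Encrypt DNS-01 issuance through the `letsencrypt-dns-prod` ClusterIssuer and stores a private key in a secret that nothing consumes. That spends ACME rate limits and leaves unused key material sitting in the release namespace. Suggest the same guard here: `{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}`. No Certificate in this section covers the private gateway's hostnames; if the private gateway references the same `public-ingress-cert`, that dependency on the public dnsNames deserves a comment in values.yaml.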
@ -1,9 +1,9 @@
|
|||||||
{{- if .Values.ingress.public.enabled }}
|
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
|
||||||
apiVersion: networking.istio.io/v1beta1
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: ingressgateway
|
name: ingressgateway
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -15,7 +15,7 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
- port:
|
- port:
|
||||||
@ -23,20 +23,21 @@ spec:
|
|||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: public-ingress-cert
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.ingress.private.enabled }}
|
|
||||||
|
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1beta1
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingressgateway
|
name: private-ingressgateway
|
||||||
namespace: istio-system
|
namespace: {{ .Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -48,7 +49,7 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
- port:
|
- port:
|
||||||
@ -56,7 +57,7 @@ spec:
|
|||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
@ -67,19 +68,19 @@ spec:
|
|||||||
name: amqp
|
name: amqp
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
- port:
|
- port:
|
||||||
number: 5671
|
number: 5671
|
||||||
name: amqps
|
name: amqps
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
- port:
|
- port:
|
||||||
number: 24224
|
number: 24224
|
||||||
name: fluentd-forward
|
name: fluentd-forward
|
||||||
protocol: TLS
|
protocol: TLS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
@ -90,11 +91,11 @@ spec:
|
|||||||
name: redis
|
name: redis
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
- port:
|
- port:
|
||||||
number: 6380
|
number: 6380
|
||||||
name: redis-1
|
name: redis-1
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
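Review bot: The private Gateway still declares plaintext TCP servers for `amqp` (5672) and `redis`/`redis-1` (6379 and 6380) on the same hosts as the HTTPS server, with only `amqps` and `fluentd-forward` carrying a `tls:` block, and the new `and (enabled) (dnsNames)` condition does nothing to gate them individually. The corresponding nodePorts in the new `charts/kubezero-istio-ingress/values.yaml` are commented out, so by default these listeners are unreachable from outside the node network, but a single uncommented port entry is enough to carry Redis or AMQP traffic through the ingress in the clear, relying entirely on the private network for confidentiality. Consider rendering each non-HTTP server only when its port appears in `istio-private-ingress.gateways.istio-ingressgateway.ports`, so the Service and the Gateway cannot drift apart, and add a comment on the plaintext entries such as `# plaintext: confidentiality relies on the private network, never expose via the public ingress`. The Gateway spec continues outside the hunks between the https and amqp servers.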
@ -1,8 +1,7 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Namespace
|
kind: Namespace
|
||||||
metadata:
|
metadata:
|
||||||
name: {{.Values.operatorNamespace}}
|
name: istio-ingress
|
||||||
labels:
|
labels:
|
||||||
istio-operator-managed: Reconcile
|
|
||||||
istio-injection: disabled
|
istio-injection: disabled
|
||||||
---
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
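Review bot: The Namespace name is hard-coded to `istio-ingress` while every other template touched by this commit now uses `{{ .Release.Namespace }}`, so installing the release anywhere else leaves the Gateway, Certificate and EnvoyFilter in one namespace and this Namespace object in another, and the vendored gateway chart's rationale for a separate namespace ("to minimize access to secrets") silently depends on the two agreeing. Suggest `name: {{ .Release.Namespace }}` here, or a `fail` in the template when `.Release.Namespace` is not `istio-ingress` if the name is meant to be fixed. Since Helm now owns this Namespace, `helm uninstall` presumably removes it together with the TLS secrets cert-manager creates in it; if that is intended, a one-line comment above `kind: Namespace` saying so would spare the next maintainer a surprise.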
120
charts/kubezero-istio-ingress/values.yaml
Normal file
120
charts/kubezero-istio-ingress/values.yaml
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
# Make sure these values match kuberzero-istio !!!
|
||||||
|
global:
|
||||||
|
hub: docker.io/istio
|
||||||
|
tag: 1.8.0
|
||||||
|
|
||||||
|
logAsJson: true
|
||||||
|
jwtPolicy: first-party-jwt
|
||||||
|
|
||||||
|
priorityClassName: "system-cluster-critical"
|
||||||
|
|
||||||
|
defaultPodDisruptionBudget:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
|
||||||
|
istio-ingress:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
autoscaleEnabled: false
|
||||||
|
replicaCount: 1
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
# cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
podAntiAffinityLabelSelector:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
values: istio-ingressgateway
|
||||||
|
type: NodePort
|
||||||
|
env:
|
||||||
|
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||||
|
# ISTIO_META_HTTP10: '"1"'
|
||||||
|
|
||||||
|
# The node selector is normally the list of nodeports, see CloudBender
|
||||||
|
nodeSelector:
|
||||||
|
node.kubernetes.io/ingress.public: "30080_30443"
|
||||||
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
nodePort: 30021
|
||||||
|
- name: http2
|
||||||
|
port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
nodePort: 30080
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
nodePort: 30443
|
||||||
|
|
||||||
|
dnsNames: []
|
||||||
|
# - '*.example.com'
|
||||||
|
|
||||||
|
istio-private-ingress:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
gateways:
|
||||||
|
istio-ingressgateway:
|
||||||
|
# name and labels make the ingress private
|
||||||
|
name: istio-private-ingressgateway
|
||||||
|
labels:
|
||||||
|
app: istio-private-ingressgateway
|
||||||
|
istio: private-ingressgateway
|
||||||
|
|
||||||
|
autoscaleEnabled: false
|
||||||
|
replicaCount: 1
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
# cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
externalTrafficPolicy: Local
|
||||||
|
podAntiAffinityLabelSelector:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
values: istio-private-ingressgateway
|
||||||
|
type: NodePort
|
||||||
|
env:
|
||||||
|
TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
|
||||||
|
# ISTIO_META_HTTP10: '"1"'
|
||||||
|
|
||||||
|
nodeSelector:
|
||||||
|
node.kubernetes.io/ingress.private: "31080_31443"
|
||||||
|
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||||
|
|
||||||
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
nodePort: 31021
|
||||||
|
- name: http2
|
||||||
|
port: 80
|
||||||
|
targetPort: 8080
|
||||||
|
nodePort: 31080
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
targetPort: 8443
|
||||||
|
nodePort: 31443
|
||||||
|
#- name: fluentd-forward
|
||||||
|
# port: 24224
|
||||||
|
# nodePort: 31224
|
||||||
|
#- name: amqps
|
||||||
|
# port: 5671
|
||||||
|
# nodePort: 31671
|
||||||
|
#- name: amqp
|
||||||
|
# port: 5672
|
||||||
|
# nodePort: 31672
|
||||||
|
#- name: redis
|
||||||
|
# port: 6379
|
||||||
|
# nodePort: 31379
|
||||||
|
|
||||||
|
dnsNames: []
|
||||||
|
# - '*.example.com'
|
||||||
|
|
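Review bot: `jwtPolicy: first-party-jwt` under `global` opts the gateways out of projected, audience-bound service account tokens and falls back to the legacy long-lived secret-mounted token for the SDS/CA handshake that the vendored values describe (`sds.token.aud: istio-ca`). The kubezero-istio Chart.yaml in this same commit raises `kubeVersion` to `>= 1.17.0`, where token projection is normally available, so unless the target clusters run an API server with TokenRequest disabled, `third-party-jwt` is the safer default because a leaked token expires and is only valid for the `istio-ca` audience. If the downgrade is deliberate for a known platform limitation, document it next to the value, e.g. `# first-party-jwt: cluster lacks projected SA tokens; switch to third-party-jwt once TokenRequest is available`, and keep it in sync with the kubezero-istio chart as the header comment already demands.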
2
charts/kubezero-istio/.gitignore
vendored
2
charts/kubezero-istio/.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
istioctl
|
istioctl
|
||||||
istio-*
|
istio-?.?.?
|
||||||
|
@ -15,6 +15,8 @@ dependencies:
|
|||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-operator
|
- name: base
|
||||||
version: ">= 1.7"
|
version: 1.1.0
|
||||||
kubeVersion: ">= 1.16.0"
|
- name: istio-discovery
|
||||||
|
version: 1.2.0
|
||||||
|
kubeVersion: ">= 1.17.0"
|
||||||
|
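Review bot: The two new dependencies `base 1.1.0` and `istio-discovery 1.2.0` carry no `repository:` field, so Helm resolves them from the local `charts/` directory, and nothing in this hunk records which upstream Istio release those vendored copies were taken from — the Istio chart versions do not track the Istio release that `global.tag: 1.8.0` pins in the values. Suggest a comment on each entry, e.g. `# vendored from istio 1.8.0 manifests/charts/base`, so the next upgrade can be diffed against the right upstream and reviewed as a supply-chain change rather than an opaque blob. Consider also bounding `kubezero-lib: ">= 0.1.3"` to a range with an upper limit, since an open floor lets a future incompatible release be pulled in silently. The `dependencies:` list begins above the hunk.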
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
KubeZero Umbrella Chart for Istio
|
KubeZero Umbrella Chart for Istio
|
||||||
|
|
||||||
Installs Istio Operator and KubeZero Istio profile
|
Installs the Istio control plane
|
||||||
|
|
||||||
**Homepage:** <https://kubezero.com>
|
**Homepage:** <https://kubezero.com>
|
||||||
|
|
||||||
@ -16,31 +16,37 @@ Installs Istio Operator and KubeZero Istio profile
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Kubernetes: `>= 1.16.0`
|
Kubernetes: `>= 1.17.0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | istio-operator | >= 1.7 |
|
| | base | 1.1.0 |
|
||||||
|
| | istio-discovery | 1.2.0 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
|
||||||
- mapped istio-operator to run on the controller nodes only
|
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
|
|
||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| ingress.autoscaleEnabled | bool | `false` | |
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
| ingress.dnsNames[0] | string | `"*"` | |
|
| global.hub | string | `"docker.io/istio"` | |
|
||||||
| ingress.private.enabled | bool | `true` | |
|
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
||||||
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
|
| global.logAsJson | bool | `true` | |
|
||||||
| ingress.public.enabled | bool | `true` | |
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
| ingress.replicaCount | int | `2` | |
|
| global.tag | string | `"1.8.0"` | |
|
||||||
| ingress.type | string | `"NodePort"` | |
|
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
|
||||||
| istio-operator.tag | string | `"1.7.4"` | |
|
| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
|
||||||
| istiod.autoscaleEnabled | bool | `false` | |
|
| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
|
||||||
| istiod.replicaCount | int | `1` | |
|
| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
|
||||||
|
| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
|
||||||
|
| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
|
| istio-discovery.pilot.replicaCount | int | `1` | |
|
||||||
|
| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||||
|
| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||||
|
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| istio-discovery.telemetry.enabled | bool | `false` | |
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{{ template "chart.description" . }}
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
Installs Istio Operator and KubeZero Istio profile
|
Installs the Istio control plane
|
||||||
|
|
||||||
{{ template "chart.homepageLine" . }}
|
{{ template "chart.homepageLine" . }}
|
||||||
|
|
||||||
@ -15,9 +15,6 @@ Installs Istio Operator and KubeZero Istio profile
|
|||||||
|
|
||||||
{{ template "chart.requirementsSection" . }}
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
## KubeZero default configuration
|
|
||||||
- mapped istio-operator to run on the controller nodes only
|
|
||||||
|
|
||||||
{{ template "chart.valuesSection" . }}
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
11
charts/kubezero-istio/charts/base/Chart.yaml
Normal file
11
charts/kubezero-istio/charts/base/Chart.yaml
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
name: base
|
||||||
|
version: 1.1.0
|
||||||
|
tillerVersion: ">=2.7.2"
|
||||||
|
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||||
|
keywords:
|
||||||
|
- istio
|
||||||
|
sources:
|
||||||
|
- http://github.com/istio/istio
|
||||||
|
engine: gotpl
|
||||||
|
icon: https://istio.io/latest/favicons/android-192x192.png
|
1
charts/kubezero-istio/charts/base/NOTES.txt
Normal file
1
charts/kubezero-istio/charts/base/NOTES.txt
Normal file
@ -0,0 +1 @@
|
|||||||
|
Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
|
23
charts/kubezero-istio/charts/base/README.md
Normal file
23
charts/kubezero-istio/charts/base/README.md
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
# base
|
||||||
|
|
||||||
|
![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
|
||||||
|
|
||||||
|
Helm chart for deploying Istio cluster resources and CRDs
|
||||||
|
|
||||||
|
## Source Code
|
||||||
|
|
||||||
|
* <http://github.com/istio/istio>
|
||||||
|
|
||||||
|
## Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| base.enableCRDTemplates | bool | `false` | |
|
||||||
|
| base.validationURL | string | `""` | |
|
||||||
|
| global.configValidation | bool | `true` | |
|
||||||
|
| global.imagePullSecrets | list | `[]` | |
|
||||||
|
| global.istioNamespace | string | `"istio-system"` | |
|
||||||
|
| global.istiod.enableAnalysis | bool | `false` | |
|
||||||
|
|
||||||
|
----------------------------------------------
|
||||||
|
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
3426
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
Normal file
3426
charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
Normal file
File diff suppressed because it is too large
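--- /dev/null
+++ b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml
@@ -0,0 +1,66 @@
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+name: istiooperators.install.istio.io
+labels:
+release: istio
+spec:
+additionalPrinterColumns:
+- JSONPath: .spec.revision
+description: Istio control plane revision
+name: Revision
+type: string
+- JSONPath: .status.status
+description: IOP current state
+type: string
+name: Status
+- JSONPath: .metadata.creationTimestamp
+description: 'CreationTimestamp is a timestamp representing the server time when
+this object was created. It is not guaranteed to be set in happens-before order
+across separate operations. Clients may not set this value. It is represented
+in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+name: Age
+type: date
+group: install.istio.io
+names:
+kind: IstioOperator
+plural: istiooperators
+singular: istiooperator
+shortNames:
+- iop
+- io
+scope: Namespaced
+subresources:
+status: {}
+validation:
+openAPIV3Schema:
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation
+of an object. Servers should convert recognized schemas to the latest
+internal value, and may reject unrecognized values.
+More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this
+object represents. Servers may infer this from the endpoint the client
+submits requests to. Cannot be updated. In CamelCase.
+More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+spec:
+description: 'Specification of the desired state of the istio control plane resource.
+More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+type: object
+status:
+description: 'Status describes each of istio control plane component status at the current time.
+0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+type: object
+versions:
+- name: v1alpha1
+served: true
+storage: true
+---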
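Review bot: `apiVersion: apiextensions.k8s.io/v1beta1` on the second line of this CRD (and `admissionregistration.k8s.io/v1beta1` in the ValidatingWebhookConfiguration hunk later in this commit) is the beta API that was removed in Kubernetes 1.22, so both files stop applying on newer clusters. Moving this CRD to `apiextensions.k8s.io/v1` is more than a version-string change: v1 drops the top-level `validation:` and `additionalPrinterColumns:` in favour of per-entry `versions[].schema`/`versions[].additionalPrinterColumns`, and because `spec` and `status` here are bare `type: object` the v1 server would prune their contents unless `x-kubernetes-preserve-unknown-fields: true` is set. The `# SYNC WITH manifests/charts/istio-operator/templates` header suggests this is a vendored copy of the upstream chart, so the fix is probably to re-sync from a newer upstream rather than to patch the API version in place.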
3751
charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
Normal file
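--- /dev/null
+++ b/charts/kubezero-istio/charts/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- files/gen-istio-cluster.yaml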
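--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml
@@ -0,0 +1,146 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: istiod-{{ .Values.global.istioNamespace }}
+labels:
+app: istiod
+release: {{ .Release.Name }}
+rules:
+# sidecar injection controller
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["mutatingwebhookconfigurations"]
+verbs: ["get", "list", "watch", "patch"]
+
+# configuration validation webhook controller
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["validatingwebhookconfigurations"]
+verbs: ["get", "list", "watch", "update"]
+
+# istio configuration
+- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
+verbs: ["get", "watch", "list"]
+resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
+verbs: ["update"]
+# TODO: should be on just */status but wildcard is not supported
+resources: ["*"]
+{{- end }}
+- apiGroups: ["networking.istio.io"]
+verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+resources: [ "workloadentries" ]
+- apiGroups: ["networking.istio.io"]
+verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+resources: [ "workloadentries/status" ]
+
+# auto-detect installed CRD definitions
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["get", "list", "watch"]
+
+# discovery and routing
+- apiGroups: [""]
+resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["discovery.k8s.io"]
+resources: ["endpointslices"]
+verbs: ["get", "list", "watch"]
+
+# ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+- apiGroups: ["extensions", "networking.k8s.io"]
+resources: ["ingresses"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions", "networking.k8s.io"]
+resources: ["ingresses/status"]
+verbs: ["*"]
+{{- end}}
+- apiGroups: ["networking.k8s.io"]
+resources: ["ingresses", "ingressclasses"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+resources: ["ingresses/status"]
+verbs: ["*"]
+
+# required for CA's namespace controller
+- apiGroups: [""]
+resources: ["configmaps"]
+verbs: ["create", "get", "list", "watch", "update"]
+
+# Istiod and bootstrap.
+- apiGroups: ["certificates.k8s.io"]
+resources:
+- "certificatesigningrequests"
+- "certificatesigningrequests/approval"
+- "certificatesigningrequests/status"
+verbs: ["update", "create", "get", "delete", "watch"]
+- apiGroups: ["certificates.k8s.io"]
+resources:
+- "signers"
+resourceNames:
+- "kubernetes.io/legacy-unknown"
+verbs: ["approve"]
+
+# Used by Istiod to verify the JWT tokens
+- apiGroups: ["authentication.k8s.io"]
+resources: ["tokenreviews"]
+verbs: ["create"]
+
+# Used by Istiod to verify gateway SDS
+- apiGroups: ["authorization.k8s.io"]
+resources: ["subjectaccessreviews"]
+verbs: ["create"]
+
+# Use for Kubernetes Service APIs
+- apiGroups: ["networking.x-k8s.io"]
+resources: ["*"]
+verbs: ["get", "watch", "list"]
+
+# Needed for multicluster secret reading, possibly ingress certs in the future
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "watch", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: istio-reader-{{ .Values.global.istioNamespace }}
+labels:
+app: istio-reader
+release: {{ .Release.Name }}
+rules:
+- apiGroups:
+- "config.istio.io"
+- "security.istio.io"
+- "networking.istio.io"
+- "authentication.istio.io"
+resources: ["*"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["discovery.k8s.io"]
+resources: ["endpointslices"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+resources: ["replicasets"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+resources: ["tokenreviews"]
+verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+resources: ["subjectaccessreviews"]
+verbs: ["create"]
+{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}
+- apiGroups: [""]
+resources: ["configmaps"]
+verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["mutatingwebhookconfigurations"]
+verbs: ["get", "list", "watch", "patch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["validatingwebhookconfigurations"]
+verbs: ["get", "list", "watch", "update"]
+{{- end}}
+---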
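Review bot: Both ClusterRoles in this file grant `get`/`list`/`watch` on core `secrets` in every namespace — the istiod role in the rule under `# Needed for multicluster secret reading, possibly ingress certs in the future`, and `istio-reader-{{ .Values.global.istioNamespace }}` by listing `secrets` alongside `endpoints`/`pods`/`services` — which makes either service account a cluster-wide secret reader and is the broadest grant in the file. Neither rule is gated the way the reader role's `configmaps` and webhook rules are (`{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}`), so the grant also applies to a single-cluster install that never uses remote secrets. If this is a vendored copy of the upstream chart a values-level toggle would be lost on re-sync, so at minimum record the acceptance next to each rule, e.g. `# accepted: cluster-wide secret read is required for multi-cluster remote secrets; revisit if multiCluster stays disabled`, and treat any `get secrets` by these service accounts outside the istio namespace as an audit-log signal worth alerting on.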
@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-{{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-{{ .Values.global.istioNamespace }}
subjects:
- kind: ServiceAccount
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
---
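--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/crds.yaml
@@ -0,0 +1,4 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{ .Files.Get "crds/crd-operator.yaml" }}
+{{- end }}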
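--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.remotePilotAddress }}
+{{- if .Values.pilot.enabled }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+name: istiod-remote
+namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+- ip: {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+name: tcp-istiod
+protocol: TCP
+{{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+name: istiod
+namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+- ip: {{ .Values.global.remotePilotAddress }}
+ports:
+- port: 15012
+name: tcp-istiod
+protocol: TCP
+{{- end }}
+---
+{{- end }}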
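Review bot: `{{- if .Values.pilot.enabled }}` on the second line dereferences `.Values.pilot`, which this chart's own values.yaml (added in the same commit with only `global` and `base` keys) never defines, so rendering the `remotePilotAddress` branch of this chart on its own fails with a nil-pointer evaluation instead of falling through to the `else if`; services.yaml in this commit has the same guard. Whether the umbrella chart injects a `pilot` map is not visible here, so this may only work by courtesy of the parent; `{{- if and .Values.pilot .Values.pilot.enabled }}` renders the same result and survives a missing key. The address check `regexMatch "^([0-9]*\\.){3}[0-9]*$"` also accepts inputs such as `...` or `1.2.3.` because every group allows zero digits, and in services.yaml that same test decides between `clusterIP: None` and `type: ExternalName`, so a malformed value silently becomes an ExternalName pointing at garbage; `^([0-9]+\\.){3}[0-9]+$` is the tighter form, and values.yaml should say next to `remotePilotAddress` which shapes are expected.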
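--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: istiod-{{ .Values.global.istioNamespace }}
+namespace: {{ .Values.global.istioNamespace }}
+labels:
+app: istiod
+release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+verbs: ["create"]
+resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+resources: ["secrets"]
+# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+verbs: ["create", "get", "watch", "list", "update", "delete"]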
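Review bot: The last rule grants `create`/`get`/`watch`/`list`/`update`/`delete` on every `secrets` object in `{{ .Values.global.istioNamespace }}` and ships the upstream `# TODO lock this down to istio-ca-cert ...` comment instead of a `resourceNames:` restriction, so istiod can read and rewrite any secret in the control-plane namespace rather than only the CA secret it manages. Kubernetes RBAC cannot scope `create` by name and scopes `list`/`watch` only in limited cases, but `get`/`update`/`delete` can be pinned, so the rule can be split into an unrestricted create/list/watch rule and a name-restricted mutate rule; the CA secret's name depends on the cert provider in use and is not visible in this commit, hence the placeholder below. If this file is a vendored copy of the upstream chart, record the decision in a comment next to the TODO rather than editing the rule, since the edit would be lost on the next sync.
```yaml
# For storing CA secret
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["<CA-SECRET-NAME placeholder: the secret the TODO above refers to>"]
  verbs: ["get", "update", "delete"]
```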
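--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: istiod-{{ .Values.global.istioNamespace }}
+namespace: {{ .Values.global.istioNamespace }}
+labels:
+app: istiod
+release: {{ .Release.Name }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+- kind: ServiceAccount
+name: istiod-service-account
+namespace: {{ .Values.global.istioNamespace }}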
@ -0,0 +1,30 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
---
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---
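--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+{{- if .Values.pilot.enabled }}
+# when istiod is enabled in remote cluster, we can't use istiod service name
+apiVersion: v1
+kind: Service
+metadata:
+name: istiod-remote
+namespace: {{ .Release.Namespace }}
+spec:
+ports:
+- port: 15012
+name: tcp-istiod
+protocol: TCP
+clusterIP: None
+{{- else }}
+# when istiod isn't enabled in remote cluster, we can use istiod service name
+apiVersion: v1
+kind: Service
+metadata:
+name: istiod
+namespace: {{ .Release.Namespace }}
+spec:
+ports:
+- port: 15012
+name: tcp-istiod
+protocol: TCP
+# if the remotePilotAddress is IP addr, we use clusterIP: None.
+# else, we use externalName
+{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+clusterIP: None
+{{- else }}
+type: ExternalName
+externalName: {{ .Values.global.remotePilotAddress }}
+{{- end }}
+{{- end }}
+---
+{{- end }}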
@ -0,0 +1,42 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
webhooks:
- name: validation.istio.io
clientConfig:
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
- security.istio.io
- authentication.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
---
{{- end }}
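--- /dev/null
+++ b/charts/kubezero-istio/charts/base/values.yaml
@@ -0,0 +1,22 @@
+global:
+
+# ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+# to use for pulling any images in pods that reference this ServiceAccount.
+# Must be set for any cluster configured with private docker registry.
+imagePullSecrets: []
+
+# Used to locate istiod.
+istioNamespace: istio-system
+
+istiod:
+enableAnalysis: false
+
+configValidation: true
+
+base:
+# Used for helm2 to add the CRDs to templates.
+enableCRDTemplates: false
+
+# Validation webhook configuration url
+# For example: https://$remotePilotAddress:15017/validate
+validationURL: ""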
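--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: istio-discovery
+version: 1.2.0
+appVersion: 1.2.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio control plane
+keywords:
+- istio
+- istiod
+- istio-discovery
+sources:
+- http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png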
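--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt
@@ -0,0 +1,5 @@
+Minimal control plane for Istio. Pilot and mesh config are included.
+
+MCP and injector should optionally be installed in the same namespace. Alternatively remote
+address of an MCP server can be set.
+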
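--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/README.md
@@ -0,0 +1,133 @@
+# istio-discovery
+
+![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square)
+
+Helm chart for istio control plane
+
+## Source Code
+
+* <http://github.com/istio/istio>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.caAddress | string | `""` | |
+| global.centralIstiod | bool | `false` | |
+| global.defaultPodDisruptionBudget.enabled | bool | `true` | |
+| global.defaultResources.requests.cpu | string | `"10m"` | |
+| global.externalIstiod | bool | `false` | |
+| global.hub | string | `"gcr.io/istio-testing"` | |
+| global.imagePullPolicy | string | `""` | |
+| global.imagePullSecrets | list | `[]` | |
+| global.istioNamespace | string | `"istio-system"` | |
+| global.istiod.enableAnalysis | bool | `false` | |
+| global.jwtPolicy | string | `"third-party-jwt"` | |
+| global.logAsJson | bool | `false` | |
+| global.logging.level | string | `"default:info"` | |
+| global.meshID | string | `""` | |
+| global.meshNetworks | object | `{}` | |
+| global.mountMtlsCerts | bool | `false` | |
+| global.multiCluster.clusterName | string | `""` | |
+| global.multiCluster.enabled | bool | `false` | |
+| global.network | string | `""` | |
+| global.omitSidecarInjectorConfigMap | bool | `false` | |
+| global.oneNamespace | bool | `false` | |
+| global.operatorManageWebhooks | bool | `false` | |
+| global.pilotCertProvider | string | `"istiod"` | |
+| global.priorityClassName | string | `""` | |
+| global.proxy.autoInject | string | `"enabled"` | |
+| global.proxy.clusterDomain | string | `"cluster.local"` | |
+| global.proxy.componentLogLevel | string | `"misc:error"` | |
+| global.proxy.enableCoreDump | bool | `false` | |
+| global.proxy.excludeIPRanges | string | `""` | |
+| global.proxy.excludeInboundPorts | string | `""` | |
+| global.proxy.excludeOutboundPorts | string | `""` | |
+| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | |
+| global.proxy.image | string | `"proxyv2"` | |
+| global.proxy.includeIPRanges | string | `"*"` | |
+| global.proxy.logLevel | string | `"warning"` | |
+| global.proxy.privileged | bool | `false` | |
+| global.proxy.readinessFailureThreshold | int | `30` | |
+| global.proxy.readinessInitialDelaySeconds | int | `1` | |
+| global.proxy.readinessPeriodSeconds | int | `2` | |
+| global.proxy.resources.limits.cpu | string | `"2000m"` | |
+| global.proxy.resources.limits.memory | string | `"1024Mi"` | |
+| global.proxy.resources.requests.cpu | string | `"100m"` | |
+| global.proxy.resources.requests.memory | string | `"128Mi"` | |
+| global.proxy.statusPort | int | `15020` | |
+| global.proxy.tracer | string | `"zipkin"` | |
+| global.proxy_init.image | string | `"proxyv2"` | |
+| global.proxy_init.resources.limits.cpu | string | `"2000m"` | |
+| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | |
+| global.proxy_init.resources.requests.cpu | string | `"10m"` | |
+| global.proxy_init.resources.requests.memory | string | `"10Mi"` | |
+| global.remotePilotAddress | string | `""` | |
+| global.sds.token.aud | string | `"istio-ca"` | |
+| global.sts.servicePort | int | `0` | |
+| global.tag | string | `"latest"` | |
+| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | |
+| global.tracer.lightstep.accessToken | string | `""` | |
+| global.tracer.lightstep.address | string | `""` | |
+| global.tracer.stackdriver.debug | bool | `false` | |
+| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | |
+| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | |
+| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | |
+| global.tracer.zipkin.address | string | `""` | |
+| global.trustDomain | string | `""` | |
+| global.useMCP | bool | `false` | |
+| istiodRemote.injectionURL | string | `""` | |
+| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | string | `""` | |
+| meshConfig.rootNamespace | string | `"istio-system"` | |
+| ownerName | string | `""` | |
+| pilot.autoscaleEnabled | bool | `true` | |
+| pilot.autoscaleMax | int | `5` | |
+| pilot.autoscaleMin | int | `1` | |
+| pilot.configMap | bool | `true` | |
+| pilot.configSource.subscribedResources | list | `[]` | |
+| pilot.cpu.targetAverageUtilization | int | `80` | |
+| pilot.deploymentLabels | object | `{}` | |
+| pilot.enableProtocolSniffingForInbound | bool | `true` | |
+| pilot.enableProtocolSniffingForOutbound | bool | `true` | |
+| pilot.env | object | `{}` | |
+| pilot.hub | string | `""` | |
+| pilot.image | string | `"pilot"` | |
+| pilot.jwksResolverExtraRootCA | string | `""` | |
+| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | |
+| pilot.nodeSelector | object | `{}` | |
+| pilot.plugins | list | `[]` | |
+| pilot.podAnnotations | object | `{}` | |
+| pilot.replicaCount | int | `1` | |
+| pilot.resources.requests.cpu | string | `"500m"` | |
+| pilot.resources.requests.memory | string | `"2048Mi"` | |
+| pilot.rollingMaxSurge | string | `"100%"` | |
+| pilot.rollingMaxUnavailable | string | `"25%"` | |
+| pilot.tag | string | `""` | |
+| pilot.traceSampling | float | `1` | |
+| revision | string | `""` | |
+| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | |
+| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | |
+| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | |
+| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | |
+| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | |
+| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | |
+| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | |
+| telemetry.enabled | bool | `true` | |
+| telemetry.v2.accessLogPolicy.enabled | bool | `false` | |
+| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | |
+| telemetry.v2.enabled | bool | `true` | |
+| telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | |
+| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | |
+| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | |
+| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | |
+| telemetry.v2.prometheus.enabled | bool | `true` | |
+| telemetry.v2.prometheus.wasmEnabled | bool | `false` | |
+| telemetry.v2.stackdriver.configOverride | object | `{}` | |
+| telemetry.v2.stackdriver.disableOutbound | bool | `false` | |
+| telemetry.v2.stackdriver.enabled | bool | `false` | |
+| telemetry.v2.stackdriver.logging | bool | `false` | |
+| telemetry.v2.stackdriver.monitoring | bool | `false` | |
+| telemetry.v2.stackdriver.topology | bool | `false` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)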
1983
charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml
Normal file
@ -0,0 +1,463 @@
template: |
|
||||||
|
{{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }}
|
||||||
|
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
|
||||||
|
initContainers:
|
||||||
|
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
|
||||||
|
{{ if .Values.istio_cni.enabled -}}
|
||||||
|
- name: istio-validation
|
||||||
|
{{ else -}}
|
||||||
|
- name: istio-init
|
||||||
|
{{ end -}}
|
||||||
|
{{- if contains "/" .Values.global.proxy_init.image }}
|
||||||
|
image: "{{ .Values.global.proxy_init.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
args:
|
||||||
|
- istio-iptables
|
||||||
|
- "-p"
|
||||||
|
- "15001"
|
||||||
|
- "-z"
|
||||||
|
- "15006"
|
||||||
|
- "-u"
|
||||||
|
- "1337"
|
||||||
|
- "-m"
|
||||||
|
- "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
||||||
|
- "-i"
|
||||||
|
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
||||||
|
- "-x"
|
||||||
|
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
||||||
|
- "-b"
|
||||||
|
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
|
||||||
|
- "-d"
|
||||||
|
{{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
|
||||||
|
- "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
||||||
|
{{- else }}
|
||||||
|
- "15090,15021"
|
||||||
|
{{- end }}
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
|
||||||
|
- "-q"
|
||||||
|
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
||||||
|
{{ end -}}
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
|
||||||
|
- "-o"
|
||||||
|
- "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
||||||
|
{{ end -}}
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
|
||||||
|
- "-k"
|
||||||
|
- "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
||||||
|
{{ end -}}
|
||||||
|
{{ if .Values.istio_cni.enabled -}}
|
||||||
|
- "--run-validation"
|
||||||
|
- "--skip-rule-apply"
|
||||||
|
{{ end -}}
|
||||||
|
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||||
|
{{- if .ProxyConfig.ProxyMetadata }}
|
||||||
|
env:
|
||||||
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||||
|
requests:
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||||
|
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||||
|
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||||
|
limits:
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||||
|
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||||
|
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
{{- if .Values.global.proxy.resources }}
|
||||||
|
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||||
|
privileged: {{ .Values.global.proxy.privileged }}
|
||||||
|
capabilities:
|
||||||
|
{{- if not .Values.istio_cni.enabled }}
|
||||||
|
add:
|
||||||
|
- NET_ADMIN
|
||||||
|
- NET_RAW
|
||||||
|
{{- end }}
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
{{- if not .Values.istio_cni.enabled }}
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
runAsUser: 0
|
||||||
|
{{- else }}
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
{{- end }}
|
||||||
|
restartPolicy: Always
|
||||||
|
{{ end -}}
|
||||||
|
{{- if eq .Values.global.proxy.enableCoreDump true }}
|
||||||
|
- name: enable-core-dump
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
{{- if contains "/" .Values.global.proxy_init.image }}
|
||||||
|
image: "{{ .Values.global.proxy_init.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||||
|
resources: {}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
capabilities:
|
||||||
|
add:
|
||||||
|
- SYS_ADMIN
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: true
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsGroup: 0
|
||||||
|
runAsNonRoot: false
|
||||||
|
runAsUser: 0
|
||||||
|
{{ end }}
|
||||||
|
containers:
|
||||||
|
- name: istio-proxy
|
||||||
|
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
|
||||||
|
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
ports:
|
||||||
|
- containerPort: 15090
|
||||||
|
protocol: TCP
|
||||||
|
name: http-envoy-prom
|
||||||
|
args:
|
||||||
|
- proxy
|
||||||
|
- sidecar
|
||||||
|
- --domain
|
||||||
|
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
|
||||||
|
- --serviceCluster
|
||||||
|
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
|
||||||
|
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
|
||||||
|
{{ else -}}
|
||||||
|
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
|
||||||
|
{{ end -}}
|
||||||
|
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
|
||||||
|
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
|
||||||
|
{{- if .Values.global.sts.servicePort }}
|
||||||
|
- --stsPort={{ .Values.global.sts.servicePort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
{{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
|
||||||
|
- --concurrency
|
||||||
|
- "{{ .ProxyConfig.Concurrency.GetValue }}"
|
||||||
|
{{- end -}}
|
||||||
|
{{- if .Values.global.proxy.lifecycle }}
|
||||||
|
lifecycle:
|
||||||
|
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
|
||||||
|
{{- else if $holdProxy }}
|
||||||
|
lifecycle:
|
||||||
|
postStart:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- pilot-agent
|
||||||
|
- wait
|
||||||
|
{{- end }}
|
||||||
|
env:
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: CA_ADDR
|
||||||
|
{{- if .Values.global.caAddress }}
|
||||||
|
value: {{ .Values.global.caAddress }}
|
||||||
|
{{- else }}
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: INSTANCE_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: HOST_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.hostIP
|
||||||
|
- name: CANONICAL_SERVICE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-name']
|
||||||
|
- name: CANONICAL_REVISION
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels['service.istio.io/canonical-revision']
|
||||||
|
- name: PROXY_CONFIG
|
||||||
|
value: |
|
||||||
|
{{ protoToJSON .ProxyConfig }}
|
||||||
|
- name: ISTIO_META_POD_PORTS
|
||||||
|
value: |-
|
||||||
|
[
|
||||||
|
{{- $first := true }}
|
||||||
|
{{- range $index1, $c := .Spec.Containers }}
|
||||||
|
{{- range $index2, $p := $c.Ports }}
|
||||||
|
{{- if (structToJSON $p) }}
|
||||||
|
{{if not $first}},{{end}}{{ structToJSON $p }}
|
||||||
|
{{- $first = false }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end}}
|
||||||
|
{{- end}}
|
||||||
|
]
|
||||||
|
- name: ISTIO_META_APP_CONTAINERS
|
||||||
|
value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}"
|
||||||
|
- name: ISTIO_META_CLUSTER_ID
|
||||||
|
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
|
||||||
|
- name: ISTIO_META_INTERCEPTION_MODE
|
||||||
|
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
|
||||||
|
{{- if .Values.global.network }}
|
||||||
|
- name: ISTIO_META_NETWORK
|
||||||
|
value: "{{ .Values.global.network }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ if .ObjectMeta.Annotations }}
|
||||||
|
- name: ISTIO_METAJSON_ANNOTATIONS
|
||||||
|
value: |
|
||||||
|
{{ toJSON .ObjectMeta.Annotations }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_WORKLOAD_NAME
|
||||||
|
value: "{{ .DeploymentMeta.Name }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
|
||||||
|
- name: ISTIO_META_OWNER
|
||||||
|
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||||
|
- name: ISTIO_BOOTSTRAP_OVERRIDE
|
||||||
|
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.meshID }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ .Values.global.meshID }}"
|
||||||
|
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: ISTIO_META_MESH_ID
|
||||||
|
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
|
||||||
|
- name: TRUST_DOMAIN
|
||||||
|
value: "{{ . }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||||
|
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $value }}"
|
||||||
|
{{- end }}
|
||||||
|
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
||||||
|
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz/ready
|
||||||
|
port: 15021
|
||||||
|
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
|
||||||
|
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
|
||||||
|
timeoutSeconds: 3
|
||||||
|
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
|
||||||
|
{{ end -}}
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
|
||||||
|
capabilities:
|
||||||
|
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||||
|
add:
|
||||||
|
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
|
||||||
|
- NET_ADMIN
|
||||||
|
{{- end }}
|
||||||
|
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: {{ .Values.global.proxy.privileged }}
|
||||||
|
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
|
||||||
|
runAsGroup: 1337
|
||||||
|
fsGroup: 1337
|
||||||
|
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
|
||||||
|
runAsNonRoot: false
|
||||||
|
runAsUser: 0
|
||||||
|
{{- else -}}
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1337
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
|
||||||
|
requests:
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
|
||||||
|
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
|
||||||
|
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
|
||||||
|
limits:
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
|
||||||
|
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
|
||||||
|
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
{{- if .Values.global.proxy.resources }}
|
||||||
|
{{ toYaml .Values.global.proxy.resources | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
volumeMounts:
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- mountPath: /var/run/secrets/istio
|
||||||
|
name: istiod-ca-cert
|
||||||
|
{{- end }}
|
||||||
|
- mountPath: /var/lib/istio/data
|
||||||
|
name: istio-data
|
||||||
|
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||||
|
- mountPath: /etc/istio/custom-bootstrap
|
||||||
|
name: custom-bootstrap-volume
|
||||||
|
{{- end }}
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- mountPath: /etc/istio/proxy
|
||||||
|
name: istio-envoy
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- mountPath: /var/run/secrets/tokens
|
||||||
|
name: istio-token
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- mountPath: /etc/certs/
|
||||||
|
name: istio-certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: istio-podinfo
|
||||||
|
mountPath: /etc/istio/pod
|
||||||
|
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||||
|
- mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
|
||||||
|
name: lightstep-certs
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
|
||||||
|
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
|
||||||
|
- name: "{{ $index }}"
|
||||||
|
{{ toYaml $value | indent 4 }}
|
||||||
|
{{ end }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
|
||||||
|
- name: custom-bootstrap-volume
|
||||||
|
configMap:
|
||||||
|
name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
|
||||||
|
{{- end }}
|
||||||
|
# SDS channel between istioagent and Envoy
|
||||||
|
- emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
name: istio-envoy
|
||||||
|
- name: istio-data
|
||||||
|
emptyDir: {}
|
||||||
|
- name: istio-podinfo
|
||||||
|
downwardAPI:
|
||||||
|
items:
|
||||||
|
- path: "labels"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.labels
|
||||||
|
- path: "annotations"
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.annotations
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
path: istio-token
|
||||||
|
expirationSeconds: 43200
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Values.global.pilotCertProvider "istiod" }}
|
||||||
|
- name: istiod-ca-cert
|
||||||
|
configMap:
|
||||||
|
name: istio-ca-root-cert
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.mountMtlsCerts }}
|
||||||
|
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
|
||||||
|
- name: istio-certs
|
||||||
|
secret:
|
||||||
|
optional: true
|
||||||
|
{{ if eq .Spec.ServiceAccountName "" }}
|
||||||
|
secretName: istio.default
|
||||||
|
{{ else -}}
|
||||||
|
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
|
||||||
|
{{ end -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
|
||||||
|
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
|
||||||
|
- name: "{{ $index }}"
|
||||||
|
{{ toYaml $value | indent 2 }}
|
||||||
|
{{ end }}
|
||||||
|
{{ end }}
|
||||||
|
{{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
|
||||||
|
- name: lightstep-certs
|
||||||
|
secret:
|
||||||
|
optional: true
|
||||||
|
secretName: lightstep.cacert
|
||||||
|
{{- end }}
|
||||||
|
podRedirectAnnot:
|
||||||
|
{{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }}
|
||||||
|
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}'
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
|
||||||
|
traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
|
||||||
|
traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
|
||||||
|
traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}"
|
||||||
|
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
|
||||||
|
traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
|
||||||
|
{{- end }}
|
||||||
|
{{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
|
||||||
|
traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
|
||||||
|
{{- end }}
|
||||||
|
traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
|
||||||
|
{{- if .Values.global.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- range .Values.global.imagePullSecrets }}
|
||||||
|
- name: {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
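Review bot: The injected proxy image is chosen by the workload itself — the `image:` line that calls `annotation .ObjectMeta` with `sidecar.istio.io/proxyImage` takes the pod annotation before falling back to `global.proxy.image` — and the `sidecar.istio.io/userVolume` / `sidecar.istio.io/userVolumeMount` annotations let the pod author attach arbitrary volumes and mounts to that container, while the same container is handed the projected `istio-token`, the `istio-ca-root-cert` ConfigMap and, with `global.mountMtlsCerts`, the `istio.<serviceaccount>` secret. Any tenant able to create pods in an injected namespace can therefore run an image of their choosing holding the mesh identity material, and nothing in the chart values restricts that. This template appears to be copied from the upstream istio-discovery chart, so rather than patching it here I would document the trust boundary in the kubezero-istio README and deny those three annotations for tenant namespaces with an admission policy. Separately, with `istio_cni.enabled` false the istio-init container runs with `runAsUser: 0` and `add: [NET_ADMIN, NET_RAW]`, which a restricted pod-security baseline rejects; the README should state which mode KubeZero ships and why.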
|
@ -0,0 +1,5 @@
|
|||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- files/gen-istio.yaml
|
@ -0,0 +1,26 @@
|
|||||||
|
{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
|
||||||
|
apiVersion: autoscaling/v2beta1
|
||||||
|
kind: HorizontalPodAutoscaler
|
||||||
|
metadata:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: istiod
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
spec:
|
||||||
|
maxReplicas: {{ .Values.pilot.autoscaleMax }}
|
||||||
|
minReplicas: {{ .Values.pilot.autoscaleMin }}
|
||||||
|
scaleTargetRef:
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
metrics:
|
||||||
|
- type: Resource
|
||||||
|
resource:
|
||||||
|
name: cpu
|
||||||
|
targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
@ -0,0 +1,14 @@
|
|||||||
|
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
data:
|
||||||
|
extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
|
||||||
|
{{- end }}
|
@ -0,0 +1,92 @@
|
|||||||
|
|
||||||
|
{{- define "mesh" }}
|
||||||
|
# The trust domain corresponds to the trust root of a system.
|
||||||
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
|
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
|
||||||
|
|
||||||
|
defaultConfig:
|
||||||
|
{{- if .Values.global.meshID }}
|
||||||
|
meshId: {{ .Values.global.meshID }}
|
||||||
|
{{- else if .Values.global.trustDomain }}
|
||||||
|
meshId: {{ .Values.global.trustDomain }}
|
||||||
|
{{- end }}
|
||||||
|
tracing:
|
||||||
|
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
||||||
|
lightstep:
|
||||||
|
# Address of the LightStep Satellite pool
|
||||||
|
address: {{ .Values.global.tracer.lightstep.address }}
|
||||||
|
# Access Token used to communicate with the Satellite pool
|
||||||
|
accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
|
||||||
|
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
|
||||||
|
zipkin:
|
||||||
|
# Address of the Zipkin collector
|
||||||
|
address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
|
||||||
|
{{- else if eq .Values.global.proxy.tracer "datadog" }}
|
||||||
|
datadog:
|
||||||
|
# Address of the Datadog Agent
|
||||||
|
address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
|
||||||
|
{{- else if eq .Values.global.proxy.tracer "stackdriver" }}
|
||||||
|
stackdriver:
|
||||||
|
# enables trace output to stdout.
|
||||||
|
{{- if $.Values.global.tracer.stackdriver.debug }}
|
||||||
|
debug: {{ $.Values.global.tracer.stackdriver.debug }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
|
||||||
|
# The global default max number of attributes per span.
|
||||||
|
maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
|
||||||
|
# The global default max number of annotation events per span.
|
||||||
|
maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
|
||||||
|
# The global default max number of message events per span.
|
||||||
|
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
||||||
|
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
|
||||||
|
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.global.remotePilotAddress }}
|
||||||
|
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
|
||||||
|
{{- else }}
|
||||||
|
discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
|
||||||
|
{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
|
||||||
|
{{- $originalMesh := include "mesh" . | fromYaml }}
|
||||||
|
{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
|
||||||
|
|
||||||
|
{{- if .Values.pilot.configMap }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
data:
|
||||||
|
|
||||||
|
# Configuration file for the mesh networks to be used by the Split Horizon EDS.
|
||||||
|
meshNetworks: |-
|
||||||
|
{{- if .Values.global.meshNetworks }}
|
||||||
|
networks:
|
||||||
|
{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
|
||||||
|
{{- else }}
|
||||||
|
networks: {}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
mesh: |-
|
||||||
|
{{- if .Values.meshConfig }}
|
||||||
|
{{ $mesh | toYaml | indent 4 }}
|
||||||
|
{{- else }}
|
||||||
|
{{- include "mesh" . }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{- end }}
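Review bot: The lightstep branch renders a credential into a ConfigMap — `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` ends up in clear text under `data.mesh` of the `istio` ConfigMap — so anyone with `get configmaps` in the istio namespace can read the tracer token, and the `.Values.meshConfig` merge below keeps it there. If KubeZero does not intend to support the lightstep tracer, dropping that branch removes the footgun; if it does, the token should reach the proxy from a Secret rather than the mesh config, which is a larger change than this vendored template should carry. At minimum add a template comment above the `accessToken` line, `{{- /* rendered into a ConfigMap, not a Secret: treat this token as non-confidential */ -}}`, and say the same next to `global.tracer.lightstep.accessToken` in values.yaml.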
|
@ -0,0 +1,245 @@
|
|||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: istiod
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
istio: pilot
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
{{- range $key, $val := .Values.pilot.deploymentLabels }}
|
||||||
|
{{ $key }}: "{{ $val }}"
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if not .Values.pilot.autoscaleEnabled }}
|
||||||
|
{{- if .Values.pilot.replicaCount }}
|
||||||
|
replicas: {{ .Values.pilot.replicaCount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: {{ .Values.pilot.rollingMaxSurge }}
|
||||||
|
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- if ne .Values.revision ""}}
|
||||||
|
app: istiod
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
{{- else }}
|
||||||
|
istio: pilot
|
||||||
|
{{- end }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: istiod
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
{{- if eq .Values.revision ""}}
|
||||||
|
istio: pilot
|
||||||
|
{{- else }}
|
||||||
|
istio: istiod
|
||||||
|
{{- end }}
|
||||||
|
annotations:
|
||||||
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
|
prometheus.io/port: "15014"
|
||||||
|
prometheus.io/scrape: "true"
|
||||||
|
{{- end }}
|
||||||
|
sidecar.istio.io/inject: "false"
|
||||||
|
{{- if .Values.pilot.podAnnotations }}
|
||||||
|
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
serviceAccountName: istiod-service-account
|
||||||
|
{{- if .Values.global.priorityClassName }}
|
||||||
|
priorityClassName: "{{ .Values.global.priorityClassName }}"
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1337
|
||||||
|
nodeSelector:
|
||||||
|
node-role.kubernetes.io/master: ""
|
||||||
|
tolerations:
|
||||||
|
- effect: NoSchedule
|
||||||
|
key: node-role.kubernetes.io/master
|
||||||
|
containers:
|
||||||
|
- name: discovery
|
||||||
|
{{- if contains "/" .Values.pilot.image }}
|
||||||
|
image: "{{ .Values.pilot.image }}"
|
||||||
|
{{- else }}
|
||||||
|
image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.global.imagePullPolicy }}
|
||||||
|
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
|
||||||
|
{{- end }}
|
||||||
|
args:
|
||||||
|
- "discovery"
|
||||||
|
- --monitoringAddr=:15014
|
||||||
|
{{- if .Values.global.logging.level }}
|
||||||
|
- --log_output_level={{ .Values.global.logging.level }}
|
||||||
|
{{- end}}
|
||||||
|
{{- if .Values.global.logAsJson }}
|
||||||
|
- --log_as_json
|
||||||
|
{{- end }}
|
||||||
|
- --domain
|
||||||
|
- {{ .Values.global.proxy.clusterDomain }}
|
||||||
|
{{- if .Values.global.oneNamespace }}
|
||||||
|
- "-a"
|
||||||
|
- {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.pilot.plugins }}
|
||||||
|
- --plugins={{ .Values.pilot.plugins }}
|
||||||
|
{{- end }}
|
||||||
|
- --keepaliveMaxServerConnectionAge
|
||||||
|
- "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}"
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 15010
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 15017
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 15053
|
||||||
|
protocol: TCP
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /ready
|
||||||
|
port: 8080
|
||||||
|
initialDelaySeconds: 1
|
||||||
|
periodSeconds: 3
|
||||||
|
timeoutSeconds: 5
|
||||||
|
env:
|
||||||
|
- name: REVISION
|
||||||
|
value: "{{ .Values.revision | default `default` }}"
|
||||||
|
- name: JWT_POLICY
|
||||||
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
|
- name: PILOT_CERT_PROVIDER
|
||||||
|
value: {{ .Values.global.pilotCertProvider }}
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: SERVICE_ACCOUNT
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.serviceAccountName
|
||||||
|
- name: KUBECONFIG
|
||||||
|
value: /var/run/secrets/remote/config
|
||||||
|
{{- if .Values.pilot.env }}
|
||||||
|
{{- range $key, $val := .Values.pilot.env }}
|
||||||
|
- name: {{ $key }}
|
||||||
|
value: "{{ $val }}"
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.pilot.traceSampling }}
|
||||||
|
- name: PILOT_TRACE_SAMPLING
|
||||||
|
value: "{{ .Values.pilot.traceSampling }}"
|
||||||
|
{{- end }}
|
||||||
|
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
|
||||||
|
value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}"
|
||||||
|
- name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
|
||||||
|
value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}"
|
||||||
|
{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }}
|
||||||
|
- name: INJECTION_WEBHOOK_CONFIG_NAME
|
||||||
|
{{- if eq .Release.Namespace "istio-system" }}
|
||||||
|
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- else }}
|
||||||
|
value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
- name: ISTIOD_ADDR
|
||||||
|
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012
|
||||||
|
- name: PILOT_ENABLE_ANALYSIS
|
||||||
|
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
||||||
|
- name: CLUSTER_ID
|
||||||
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
|
- name: EXTERNAL_ISTIOD
|
||||||
|
value: "{{ $.Values.global.externalIstiod | default "false" }}"
|
||||||
|
- name: CENTRAL_ISTIOD
|
||||||
|
value: "{{ $.Values.global.centralIstiod | default "false" }}"
|
||||||
|
{{- if .Values.telemetry.v2.enabled }}
|
||||||
|
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
|
resources:
|
||||||
|
{{- if .Values.pilot.resources }}
|
||||||
|
{{ toYaml .Values.pilot.resources | trim | indent 12 }}
|
||||||
|
{{- else }}
|
||||||
|
{{ toYaml .Values.global.defaultResources | trim | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1337
|
||||||
|
runAsGroup: 1337
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-volume
|
||||||
|
mountPath: /etc/istio/config
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
mountPath: /var/run/secrets/tokens
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: local-certs
|
||||||
|
mountPath: /var/run/secrets/istio-dns
|
||||||
|
- name: cacerts
|
||||||
|
mountPath: /etc/cacerts
|
||||||
|
readOnly: true
|
||||||
|
- name: istio-kubeconfig
|
||||||
|
mountPath: /var/run/secrets/remote
|
||||||
|
readOnly: true
|
||||||
|
- name: inject
|
||||||
|
mountPath: /var/lib/istio/inject
|
||||||
|
readOnly: true
|
||||||
|
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||||
|
- name: extracacerts
|
||||||
|
mountPath: /cacerts
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
# Technically not needed on this pod - but it helps debugging/testing SDS
|
||||||
|
# Should be removed after everything works.
|
||||||
|
- emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
name: local-certs
|
||||||
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
|
- name: istio-token
|
||||||
|
projected:
|
||||||
|
sources:
|
||||||
|
- serviceAccountToken:
|
||||||
|
audience: {{ .Values.global.sds.token.aud }}
|
||||||
|
expirationSeconds: 43200
|
||||||
|
path: istio-token
|
||||||
|
{{- end }}
|
||||||
|
# Optional: user-generated root
|
||||||
|
- name: cacerts
|
||||||
|
secret:
|
||||||
|
secretName: cacerts
|
||||||
|
optional: true
|
||||||
|
- name: istio-kubeconfig
|
||||||
|
secret:
|
||||||
|
secretName: istio-kubeconfig
|
||||||
|
optional: true
|
||||||
|
# Optional - image should have
|
||||||
|
- name: inject
|
||||||
|
configMap:
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
- name: config-volume
|
||||||
|
configMap:
|
||||||
|
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||||
|
- name: extracacerts
|
||||||
|
configMap:
|
||||||
|
name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
---
|
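Review bot: The container `securityContext:` that follows the `resources:` block drops all capabilities and sets `runAsNonRoot: true`, but it does not set `allowPrivilegeEscalation: false`, so the no-new-privileges guarantee is left to the runtime default; add `allowPrivilegeEscalation: false` next to `runAsNonRoot: true`. A `readOnlyRootFilesystem: true` would complete the hardening, but only if istiod writes nowhere outside its mounted volumes (`/var/run/secrets/istio-dns` is already an in-memory `emptyDir` here) — to be confirmed before enabling it. Separately, the `local-certs` volume carries the comment "Should be removed after everything works"; either drop the volume or reword the comment so it does not read as leftover scaffolding in the first commit of this template.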
@ -0,0 +1,35 @@
|
|||||||
|
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
data:
|
||||||
|
{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
|
||||||
|
values: |-
|
||||||
|
{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
|
||||||
|
|
||||||
|
# To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
|
||||||
|
# and istiod webhook functionality.
|
||||||
|
#
|
||||||
|
# New fields should not use Values - it is a 'primary' config object, users should be able
|
||||||
|
# to fine tune it or use it with kube-inject.
|
||||||
|
config: |-
|
||||||
|
policy: {{ .Values.global.proxy.autoInject }}
|
||||||
|
alwaysInjectSelector:
|
||||||
|
{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
|
||||||
|
neverInjectSelector:
|
||||||
|
{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
|
||||||
|
injectedAnnotations:
|
||||||
|
{{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
|
||||||
|
"{{ $key }}": "{{ $val }}"
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
|
||||||
|
|
||||||
|
{{- end }}
|
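Review bot: `{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}` near the end of the `config:` block renders nothing if the file is absent from the chart, because `.Files.Get` returns an empty string for a missing file; the injector would then load a config without a template and the problem only surfaces when a pod is created. Wrapping it with `required`, e.g. `{{ required "files/injection-template.yaml is missing" (.Files.Get "files/injection-template.yaml") | trim | indent 4 }}`, turns that into a render-time error. The same applies to `policy: {{ .Values.global.proxy.autoInject }}`, which renders an empty value when the key is unset.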
@ -0,0 +1,85 @@
|
|||||||
|
# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds)
|
||||||
|
{{- if not .Values.global.operatorManageWebhooks }}
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{ else }}
|
||||||
|
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
app: sidecar-injector
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
webhooks:
|
||||||
|
- name: sidecar-injector.istio.io
|
||||||
|
clientConfig:
|
||||||
|
{{- if .Values.istiodRemote.injectionURL }}
|
||||||
|
url: {{ .Values.istiodRemote.injectionURL }}
|
||||||
|
{{- else }}
|
||||||
|
service:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/inject"
|
||||||
|
{{- end }}
|
||||||
|
caBundle: ""
|
||||||
|
sideEffects: None
|
||||||
|
rules:
|
||||||
|
- operations: [ "CREATE" ]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["v1"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
namespaceSelector:
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||||
|
matchExpressions:
|
||||||
|
- key: name
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- {{ .Release.Namespace }}
|
||||||
|
- key: istio-injection
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- disabled
|
||||||
|
- key: istio-env
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
{{- else if .Values.revision }}
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ .Values.revision }}
|
||||||
|
{{- else }}
|
||||||
|
matchLabels:
|
||||||
|
istio-injection: enabled
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
|
||||||
|
objectSelector:
|
||||||
|
{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
|
||||||
|
matchExpressions:
|
||||||
|
- key: "sidecar.istio.io/inject"
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
{{- else if .Values.revision }}
|
||||||
|
matchExpressions:
|
||||||
|
- key: "sidecar.istio.io/inject"
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ .Values.revision }}
|
||||||
|
{{- else }}
|
||||||
|
matchLabels:
|
||||||
|
"sidecar.istio.io/inject": "true"
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
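Review bot: `apiVersion: admissionregistration.k8s.io/v1beta1` at the top of the hunk is the deprecated version of this API; `admissionregistration.k8s.io/v1` has been served since Kubernetes 1.16 and v1beta1 is removed in 1.22, and the hunk already sets `sideEffects` and `admissionReviewVersions`, which are the fields v1 requires, so `apiVersion: admissionregistration.k8s.io/v1` with `admissionReviewVersions: ["v1", "v1beta1"]` would avoid a breakage on upgrade. `caBundle: ""` relies on istiod patching the bundle in at runtime; with `failurePolicy: Fail` that is fail-closed, which is the safe direction, but a comment on that line would keep the empty bundle from being mistaken for a bug. Minor: `{{ else }}` under `metadata:` lacks the `-` its sibling `{{- end }}` uses and emits a stray blank line.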
@ -0,0 +1,25 @@
|
|||||||
|
{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: istiod
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
istio: pilot
|
||||||
|
spec:
|
||||||
|
minAvailable: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: istiod
|
||||||
|
{{- if ne .Values.revision ""}}
|
||||||
|
istio.io/rev: {{ .Values.revision }}
|
||||||
|
{{- else }}
|
||||||
|
istio: pilot
|
||||||
|
{{- end }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
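Review bot: `minAvailable: 1` combined with a deployment that may run a single replica (replicaCount is not visible here, and the deployment hunk pins istiod to control-plane nodes) makes this PDB block any drain of that node, since the one istiod pod can never be evicted; consider guarding the budget on the replica count, e.g. `{{- if and .Values.global.defaultPodDisruptionBudget.enabled (gt (int .Values.pilot.replicaCount) 1) }}`, or documenting that node drains then need `--disable-eviction`. `apiVersion: policy/v1beta1` is the deprecated version; `policy/v1` is available from Kubernetes 1.21 and v1beta1 is removed in 1.25.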
@ -0,0 +1,37 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
app: istiod
|
||||||
|
istio: pilot
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- port: 15010
|
||||||
|
name: grpc-xds # plaintext
|
||||||
|
protocol: TCP
|
||||||
|
- port: 15012
|
||||||
|
name: https-dns # mTLS with k8s-signed cert
|
||||||
|
protocol: TCP
|
||||||
|
- port: 443
|
||||||
|
name: https-webhook # validation and injection
|
||||||
|
targetPort: 15017
|
||||||
|
protocol: TCP
|
||||||
|
- port: 15014
|
||||||
|
name: http-monitoring # prometheus stats
|
||||||
|
protocol: TCP
|
||||||
|
selector:
|
||||||
|
app: istiod
|
||||||
|
{{- if ne .Values.revision ""}}
|
||||||
|
istio.io/rev: {{ .Values.revision }}
|
||||||
|
{{- else }}
|
||||||
|
# Label used by the 'default' service. For versioned deployments we match with app and version.
|
||||||
|
# This avoids default deployment picking the canary
|
||||||
|
istio: pilot
|
||||||
|
{{- end }}
|
||||||
|
---
|
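Review bot: Port `15010`, annotated `grpc-xds # plaintext`, publishes the xDS API without TLS next to the mTLS port `15012`, and the deployment hunk's `ISTIOD_ADDR` already points proxies at `:15012`, so the plaintext port appears to be kept only for legacy clients. If no such client exists in this cluster, consider dropping the port or restricting it with a NetworkPolicy; if one does, a comment naming the consumer on the `15010` line would make the exposure deliberate rather than incidental.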
@ -0,0 +1,792 @@
|
|||||||
|
{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
|
||||||
|
# Note: metadata exchange filter is wasm enabled only in sidecars.
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{}
|
||||||
|
vm_config:
|
||||||
|
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.metadata_exchange
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{}
|
||||||
|
vm_config:
|
||||||
|
{{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.metadata_exchange
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{}
|
||||||
|
vm_config:
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.metadata_exchange
|
||||||
|
---
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener: {}
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||||
|
value:
|
||||||
|
protocol: istio-peer-exchange
|
||||||
|
- applyTo: CLUSTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
cluster: {}
|
||||||
|
patch:
|
||||||
|
operation: MERGE
|
||||||
|
value:
|
||||||
|
filters:
|
||||||
|
- name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||||
|
value:
|
||||||
|
protocol: istio-peer-exchange
|
||||||
|
- applyTo: CLUSTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
cluster: {}
|
||||||
|
patch:
|
||||||
|
operation: MERGE
|
||||||
|
value:
|
||||||
|
filters:
|
||||||
|
- name: istio.metadata_exchange
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
|
||||||
|
value:
|
||||||
|
protocol: istio-peer-exchange
|
||||||
|
---
|
||||||
|
# Note: http stats filter is wasm enabled only in sidecars.
|
||||||
|
{{- if .Values.telemetry.v2.prometheus.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
|
{
|
||||||
|
{{- if .Values.global.multiCluster.clusterName }}
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"destination_cluster": "upstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stats_outbound
|
||||||
|
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.stats
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_inbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||||
|
{
|
||||||
|
{{- if .Values.global.multiCluster.clusterName }}
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "downstream_peer.cluster_id",
|
||||||
|
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stats_inbound
|
||||||
|
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.stats
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||||
|
{
|
||||||
|
"disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }},
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"destination_cluster": "upstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stats_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: envoy.wasm.stats
|
||||||
|
---
|
||||||
|
# Note: tcp stats filter is wasm enabled only in sidecars.
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_inbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
|
||||||
|
{
|
||||||
|
{{- if .Values.global.multiCluster.clusterName }}
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "downstream_peer.cluster_id",
|
||||||
|
"destination_cluster": "node.metadata['CLUSTER_ID']"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: tcp_stats_inbound
|
||||||
|
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: "envoy.wasm.stats"
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
|
{
|
||||||
|
{{- if .Values.global.multiCluster.clusterName }}
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"destination_cluster": "upstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: tcp_stats_outbound
|
||||||
|
{{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
|
||||||
|
runtime: envoy.wasm.runtime.v8
|
||||||
|
allow_precompiled: true
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
filename: /etc/istio/extensions/stats-filter.compiled.wasm
|
||||||
|
{{- else }}
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: "envoy.wasm.stats"
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stats
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stats_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||||
|
{
|
||||||
|
{{- if .Values.global.multiCluster.clusterName }}
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"source_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"destination_cluster": "upstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{{- end }}
|
||||||
|
}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: tcp_stats_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local:
|
||||||
|
inline_string: "envoy.wasm.stats"
|
||||||
|
---
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.telemetry.v2.stackdriver.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_inbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_inbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "envoy.router"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_OUTBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
{{- end }}
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_inbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_inbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
- applyTo: NETWORK_FILTER
|
||||||
|
match:
|
||||||
|
context: GATEWAY
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '^1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.tcp_proxy"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.stackdriver
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
root_id: stackdriver_outbound
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
|
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
|
||||||
|
{{- else }}
|
||||||
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
|
{{- end }}
|
||||||
|
vm_config:
|
||||||
|
vm_id: stackdriver_outbound
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: envoy.wasm.null.stackdriver }
|
||||||
|
---
|
||||||
|
{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
|
{{- else }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
|
spec:
|
||||||
|
configPatches:
|
||||||
|
- applyTo: HTTP_FILTER
|
||||||
|
match:
|
||||||
|
context: SIDECAR_INBOUND
|
||||||
|
proxy:
|
||||||
|
proxyVersion: '1\.8.*'
|
||||||
|
listener:
|
||||||
|
filterChain:
|
||||||
|
filter:
|
||||||
|
name: "envoy.http_connection_manager"
|
||||||
|
subFilter:
|
||||||
|
name: "istio.stackdriver"
|
||||||
|
patch:
|
||||||
|
operation: INSERT_BEFORE
|
||||||
|
value:
|
||||||
|
name: istio.access_log
|
||||||
|
typed_config:
|
||||||
|
"@type": type.googleapis.com/udpa.type.v1.TypedStruct
|
||||||
|
type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
|
||||||
|
value:
|
||||||
|
config:
|
||||||
|
configuration:
|
||||||
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
|
value: |
|
||||||
|
{
|
||||||
|
"log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
|
||||||
|
}
|
||||||
|
vm_config:
|
||||||
|
runtime: envoy.wasm.runtime.null
|
||||||
|
code:
|
||||||
|
local: { inline_string: "envoy.wasm.access_log_policy" }
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
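--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml
@@ -0,0 +1,485 @@
+#.Values.pilot for discovery and mesh wide config
+
+## Discovery Settings
+pilot:
+autoscaleEnabled: true
+autoscaleMin: 1
+autoscaleMax: 5
+replicaCount: 1
+rollingMaxSurge: 100%
+rollingMaxUnavailable: 25%
+
+hub: ""
+tag: ""
+
+# Can be a full hub/image:tag
+image: pilot
+traceSampling: 1.0
+
+# Resources for a small pilot install
+resources:
+requests:
+cpu: 500m
+memory: 2048Mi
+
+env: {}
+
+cpu:
+targetAverageUtilization: 80
+
+# if protocol sniffing is enabled for outbound
+enableProtocolSniffingForOutbound: true
+# if protocol sniffing is enabled for inbound
+enableProtocolSniffingForInbound: true
+
+nodeSelector: {}
+podAnnotations: {}
+
+# You can use jwksResolverExtraRootCA to provide a root certificate
+# in PEM format. This will then be trusted by pilot when resolving
+# JWKS URIs.
+jwksResolverExtraRootCA: ""
+
+# This is used to set the source of configuration for
+# the associated address in configSource, if nothing is specificed
+# the default MCP is assumed.
+configSource:
+subscribedResources: []
+
+plugins: []
+
+# The following is used to limit how long a sidecar can be connected
+# to a pilot. It balances out load across pilot instances at the cost of
+# increasing system churn.
+keepaliveMaxServerConnectionAge: 30m
+
+# Additional labels to apply to the deployment.
+deploymentLabels: {}
+
+
+## Mesh config settings
+
+# Install the mesh config map, generated from values.yaml.
+# If false, pilot wil use default values (by default) or user-supplied values.
+configMap: true
+
+
+sidecarInjectorWebhook:
+# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+# always skip the injection on pods that match that label selector, regardless of the global policy.
+# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+neverInjectSelector: []
+alwaysInjectSelector: []
+
+# injectedAnnotations are additional annotations that will be added to the pod spec after injection
+# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+#
+# annotations:
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+#
+# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+# injectedAnnotations:
+# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+injectedAnnotations: {}
+
+# This enables injection of sidecar in all namespaces,
+# with the exception of namespaces with "istio-injection:disabled" annotation
+# Only one environment should have this enabled.
+enableNamespacesByDefault: false
+
+# Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector.
+# It is disabled by default since this function will only work after k8s v1.15.
+objectSelector:
+enabled: false
+autoInject: true
+
+rewriteAppHTTPProbe: true
+istiodRemote:
+# Sidecar injector mutating webhook configuration url
+# For example: https://$remotePilotAddress:15017/inject
+injectionURL: ""
+telemetry:
+enabled: true
+v2:
+# For Null VM case now.
+# This also enables metadata exchange.
+enabled: true
+metadataExchange:
+# Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+wasmEnabled: false
+# Indicate if prometheus stats filter is enabled or not
+prometheus:
+enabled: true
+# Indicates whether to enable WebAssembly runtime for stats filter.
+wasmEnabled: false
+# overrides stats EnvoyFilter configuration.
+configOverride:
+gateway: {}
+inboundSidecar: {}
+outboundSidecar: {}
+# stackdriver filter settings.
+stackdriver:
+enabled: false
+logging: false
+monitoring: false
+topology: false
+disableOutbound: false
+# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+configOverride: {}
+# e.g.
+# enable_mesh_edges_reporting: true
+# disable_server_access_logging: false
+# meshEdgesReportingDuration: 500s
+# disable_host_header_fallback: true
+# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+accessLogPolicy:
+enabled: false
+# To reduce the number of successful logs, default log window duration is
+# set to 12 hours.
+logWindowDuration: "43200s"
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+meshConfig:
+
+# Config for the default ProxyConfig.
+# Initially using directly the proxy metadata - can also be activated using annotations
+# on the pod. This is an unsupported low-level API, pending review and decisions on
+# enabling the feature. Enabling the DNS listener is safe - and allows further testing
+# and gradual adoption by setting capture only on specific workloads. It also allows
+# VMs to use other DNS options, like dnsmasq or unbound.
+defaultConfig:
+proxyMetadata:
+# If empty, agent will not start :15013 DNS listener and will not attempt
+# to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in
+# istiod and the dns-over-tls listener.
+# DNS_AGENT: DNS-TLS
+DNS_AGENT: ""
+
+# The namespace to treat as the administrative root namespace for Istio configuration.
+# When processing a leaf namespace Istio will search for declarations in that namespace first
+# and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+# is processed as if it were declared in the leaf namespace.
+rootNamespace: "istio-system"
+
+# TODO: the intent is to eventually have this enabled by default when security is used.
+# It is not clear if user should normally need to configure - the metadata is typically
+# used as an escape and to control testing and rollout, but it is not intended as a long-term
+# stable API.
+
+# What we may configure in mesh config is the ".global" - and use of other suffixes.
+# No hurry to do this in 1.6, we're trying to prove the code.
+
+global:
+# enable pod disruption budget for the control plane, which is used to
+# ensure Istio control plane components are gradually upgraded or recovered.
+defaultPodDisruptionBudget:
+enabled: true
+# The values aren't mutable due to a current PodDisruptionBudget limitation
+# minAvailable: 1
+
+# A minimal set of requested resources to applied to all deployments so that
+# Horizontal Pod Autoscaler will be able to function (if set).
+# Each component can overwrite these default values by adding its own resources
+# block in the relevant section below and setting the desired resources values.
+defaultResources:
+requests:
+cpu: 10m
+# memory: 128Mi
+# limits:
+# cpu: 100m
+# memory: 128Mi
+
+# Used to locate istiod.
+istioNamespace: istio-system
+
+# Default hub for Istio images.
+# Releases are published to docker hub under 'istio' project.
+# Dev builds from prow are on gcr.io
+hub: gcr.io/istio-testing
+# Default tag for Istio images.
+tag: latest
+
+# Specify image pull policy if default behavior isn't desired.
+# Default behavior: latest images will be Always else IfNotPresent.
+imagePullPolicy: ""
+
+# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+# to use for pulling any images in pods that reference this ServiceAccount.
+# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+# Must be set for any cluster configured with private docker registry.
+imagePullSecrets: []
+# - private-registry-key
+
+# Enabled by default in master for maximising testing.
+istiod:
+enableAnalysis: false
+
+# To output all istio components logs in json format by adding --log_as_json argument to each container argument
+logAsJson: false
+
+# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+# The control plane has different scopes depending on component, but can configure default log level across all components
+# If empty, default scope and level will be used as configured in code
+logging:
+level: "default:info"
+
+omitSidecarInjectorConfigMap: false
+
+# Whether to restrict the applications namespace the controller manages;
+# If not set, controller watches all namespaces
+oneNamespace: false
+
+# Configure whether Operator manages webhook configurations. The current behavior
+# of Istiod is to manage its own webhook configurations.
+# When this option is set as true, Istio Operator, instead of webhooks, manages the
+# webhook configurations. When this option is set as false, webhooks manage their
+# own webhook configurations.
+operatorManageWebhooks: false
+
+# Custom DNS config for the pod to resolve names of services in other
+# clusters. Use this to add additional search domains, and other settings.
+# see
+# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+# This does not apply to gateway pods as they typically need a different
+# set of DNS settings than the normal application pods (e.g., in
+# multicluster scenarios).
+# NOTE: If using templates, follow the pattern in the commented example below.
+#podDNSSearchNamespaces:
+#- global
+#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+# system-node-critical, it is better to configure this in order to make sure your Istio pods
+# will not be killed because of low priority class.
+# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+# for more detail.
+priorityClassName: ""
+
+proxy:
+image: proxyv2
+
+# This controls the 'policy' in the sidecar injector.
+autoInject: enabled
+
+# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+# cluster domain. Default value is "cluster.local".
+clusterDomain: "cluster.local"
+
+# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+# not set, then the global "logLevel" will be used.
+componentLogLevel: "misc:error"
+
+# If set, newly injected sidecars will have core dumps enabled.
+enableCoreDump: false
+
+# istio ingress capture allowlist
+# examples:
+# Redirect only selected ports: --includeInboundPorts="80,8080"
+excludeInboundPorts: ""
+
+# istio egress capture allowlist
+# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+# be allowed by the sidecar
+includeIPRanges: "*"
+excludeIPRanges: ""
+excludeOutboundPorts: ""
+
+# Log level for proxy, applies to gateways and sidecars.
+# Expected values are: trace|debug|info|warning|error|critical|off
+logLevel: warning
+
+#If set to true, istio-proxy container will have privileged securityContext
+privileged: false
+
+# The number of successive failed probes before indicating readiness failure.
+readinessFailureThreshold: 30
+
+# The initial delay for readiness probes in seconds.
+readinessInitialDelaySeconds: 1
+
+# The period between readiness probes.
+readinessPeriodSeconds: 2
+
+# Resources for the sidecar.
+resources:
+requests:
+cpu: 100m
+memory: 128Mi
+limits:
+cpu: 2000m
+memory: 1024Mi
+
+# Default port for Pilot agent health checks. A value of 0 will disable health checking.
+statusPort: 15020
+
+# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+tracer: "zipkin"
+
+# Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+holdApplicationUntilProxyStarts: false
+
+proxy_init:
+# Base name for the proxy_init container, used to configure iptables.
+image: proxyv2
+resources:
+limits:
+cpu: 2000m
+memory: 1024Mi
+requests:
+cpu: 10m
+memory: 10Mi
+
+# configure remote pilot and istiod service and endpoint
+remotePilotAddress: ""
+
+##############################################################################################
+# The following values are found in other charts. To effectively modify these values, make #
+# make sure they are consistent across your Istio helm charts #
+##############################################################################################
+
+# The customized CA address to retrieve certificates for the pods in the cluster.
+# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+caAddress: ""
+
+# External istiod controls all remote clusters: disabled by default
+externalIstiod: false
+# Central istiod controls all remote clusters: disabled by default
+centralIstiod: false
+
+# Configure the policy for validating JWT.
+# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+jwtPolicy: "third-party-jwt"
+
+# Mesh ID means Mesh Identifier. It should be unique within the scope where
+# meshes will interact with each other, but it is not required to be
+# globally/universally unique. For example, if any of the following are true,
+# then two meshes must have different Mesh IDs:
+# - Meshes will have their telemetry aggregated in one place
+# - Meshes will be federated together
+# - Policy will be written referencing one mesh from the other
+#
+# If an administrator expects that any of these conditions may become true in
+# the future, they should ensure their meshes have different Mesh IDs
+# assigned.
+#
+# Within a multicluster mesh, each cluster must be (manually or auto)
+# configured to have the same Mesh ID value. If an existing cluster 'joins' a
+# multicluster mesh, it will need to be migrated to the new mesh ID. Details
+# of migration TBD, and it may be a disruptive operation to change the Mesh
+# ID post-install.
+#
+# If the mesh admin does not specify a value, Istio will use the value of the
+# mesh's Trust Domain. The best practice is to select a proper Trust Domain
+# value.
+meshID: ""
+
+# Configure the mesh networks to be used by the Split Horizon EDS.
+#
+# The following example defines two networks with different endpoints association methods.
+# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+# mapped to network1. The gateway for this network example is specified by its public IP
+# address and port.
+# The second network, `network2`, in this example is defined differently with all endpoints
+# retrieved through the specified Multi-Cluster registry being mapped to network2. The
+# gateway is also defined differently with the name of the gateway service on the remote
+# cluster. The public IP for the gateway will be determined from that remote service (only
+# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+# it still need to be configured manually).
+#
+# meshNetworks:
+# network1:
+# endpoints:
+# - fromCidr: "192.168.0.1/24"
+# gateways:
+# - address: 1.1.1.1
+# port: 80
+# network2:
+# endpoints:
+# - fromRegistry: reg1
+# gateways:
+# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+# port: 443
+#
+meshNetworks: {}
+
+# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+mountMtlsCerts: false
+
+multiCluster:
+# Set to true to connect two kubernetes clusters via their respective
+# ingressgateway services when pods in each cluster cannot directly
+# talk to one another. All clusters should be using Istio mTLS and must
+# have a shared root CA for this model to work.
+enabled: false
+# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+# to properly label proxies
+clusterName: ""
+
+# Network defines the network this cluster belong to. This name
+# corresponds to the networks in the map of mesh networks.
+network: ""
+
+# Configure the certificate provider for control plane communication.
+# Currently, two providers are supported: "kubernetes" and "istiod".
+# As some platforms may not have kubernetes signing APIs,
+# Istiod is the default
+pilotCertProvider: istiod
+
+sds:
+# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+# JWT is intended for the CA.
+token:
+aud: istio-ca
+
+sts:
+# The service port used by Security Token Service (STS) server to handle token exchange requests.
+# Setting this port to a non-zero value enables STS server.
+servicePort: 0
+
+# Configuration for each of the supported tracers
+tracer:
+# Configuration for envoy to send trace data to LightStep.
+# Disabled by default.
+# address: the <host>:<port> of the satellite pool
+# accessToken: required for sending data to the pool
+#
+datadog:
+# Host:Port for submitting traces to the Datadog agent.
+address: "$(HOST_IP):8126"
+lightstep:
+address: "" # example: lightstep-satellite:443
+accessToken: "" # example: abcdefg1234567
+stackdriver:
+# enables trace output to stdout.
+debug: false
+# The global default max number of message events per span.
+maxNumberOfMessageEvents: 200
+# The global default max number of annotation events per span.
+maxNumberOfAnnotations: 200
+# The global default max number of attributes per span.
+maxNumberOfAttributes: 200
+zipkin:
+# Host:Port for reporting trace data in zipkin format. If not specified, will default to
+# zipkin service (port 9411) in the same namespace as the other istio components.
+address: ""
+
+# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
+useMCP: false
+
+# Deprecated, use meshConfig.trustDomain
+trustDomain: ""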
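Review bot: The vendored defaults `hub: gcr.io/istio-testing` and `tag: latest` under `global:` point every Istio control-plane and sidecar image at the upstream testing registry with a floating tag, and the comment a few lines below states that a `latest` tag makes the default pull policy Always, so each pod restart may pull a different, unreviewed build. Unless the parent kubezero-istio chart overrides `global.hub` and `global.tag` with a release registry and a pinned version (not visible in this section), that is what a cluster installed from this commit would run; pinning to the 1.8 release that the `proxyVersion: '^1\.8.*'` matches in the accompanying templates target, ideally by digest, keeps image provenance reproducible and auditable. The empty `imagePullSecrets: []` is consistent with a public registry but will need a value if a private mirror is introduced. Note also that the rendered page has stripped the YAML indentation, so the rebuilt diff above reproduces the lines flat and should not be applied as-is.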
@ -1,12 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
name: istio-operator
|
|
||||||
version: 1.7.0
|
|
||||||
tillerVersion: ">=2.7.2"
|
|
||||||
description: Helm chart for deploying Istio operator
|
|
||||||
keywords:
|
|
||||||
- istio
|
|
||||||
- operator
|
|
||||||
sources:
|
|
||||||
- https://github.com/istio/istio/tree/master/operator
|
|
||||||
engine: gotpl
|
|
||||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
|
@ -1,74 +0,0 @@
|
|||||||
# SYNC WITH manifests/charts/base/files
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
name: istiooperators.install.istio.io
|
|
||||||
labels:
|
|
||||||
release: istio
|
|
||||||
spec:
|
|
||||||
group: install.istio.io
|
|
||||||
names:
|
|
||||||
kind: IstioOperator
|
|
||||||
plural: istiooperators
|
|
||||||
singular: istiooperator
|
|
||||||
shortNames:
|
|
||||||
- iop
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- description: Istio control plane revision
|
|
||||||
jsonPath: .spec.revision
|
|
||||||
name: Revision
|
|
||||||
type: string
|
|
||||||
- description: IOP current state
|
|
||||||
jsonPath: .status.status
|
|
||||||
type: string
|
|
||||||
name: Status
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
|
||||||
description:
|
|
||||||
"CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before order
|
|
||||||
across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
|
||||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description:
|
|
||||||
"APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description:
|
|
||||||
"Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
||||||
type: string
|
|
||||||
spec:
|
|
||||||
description:
|
|
||||||
"Specification of the desired state of the istio control plane resource.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
description:
|
|
||||||
"Status describes each of istio control plane component status at the current time.
|
|
||||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
|
||||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
|
||||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
---
|
|
||||||
|
|
@ -1,109 +0,0 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
creationTimestamp: null
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
rules:
|
|
||||||
# istio groups
|
|
||||||
- apiGroups:
|
|
||||||
- authentication.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- config.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- install.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- networking.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- security.istio.io
|
|
||||||
resources:
|
|
||||||
- '*'
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
# k8s groups
|
|
||||||
- apiGroups:
|
|
||||||
- admissionregistration.k8s.io
|
|
||||||
resources:
|
|
||||||
- mutatingwebhookconfigurations
|
|
||||||
- validatingwebhookconfigurations
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- apiextensions.k8s.io
|
|
||||||
resources:
|
|
||||||
- customresourcedefinitions.apiextensions.k8s.io
|
|
||||||
- customresourcedefinitions
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- apps
|
|
||||||
- extensions
|
|
||||||
resources:
|
|
||||||
- daemonsets
|
|
||||||
- deployments
|
|
||||||
- deployments/finalizers
|
|
||||||
- ingresses
|
|
||||||
- replicasets
|
|
||||||
- statefulsets
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- autoscaling
|
|
||||||
resources:
|
|
||||||
- horizontalpodautoscalers
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- monitoring.coreos.com
|
|
||||||
resources:
|
|
||||||
- servicemonitors
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- create
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- policy
|
|
||||||
resources:
|
|
||||||
- poddisruptionbudgets
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- rbac.authorization.k8s.io
|
|
||||||
resources:
|
|
||||||
- clusterrolebindings
|
|
||||||
- clusterroles
|
|
||||||
- roles
|
|
||||||
- rolebindings
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
- endpoints
|
|
||||||
- events
|
|
||||||
- namespaces
|
|
||||||
- pods
|
|
||||||
- pods/proxy
|
|
||||||
- persistentvolumeclaims
|
|
||||||
- secrets
|
|
||||||
- services
|
|
||||||
- serviceaccounts
|
|
||||||
verbs:
|
|
||||||
- '*'
|
|
||||||
---
|
|
@ -1,13 +0,0 @@
|
|||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
namespace: {{.Values.operatorNamespace}}
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
@ -1,6 +0,0 @@
|
|||||||
{{- if .Values.enableCRDTemplates -}}
|
|
||||||
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
|
|
||||||
---
|
|
||||||
{{ $.Files.Get $path }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
@ -1,57 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
namespace: {{.Values.operatorNamespace}}
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: istio-operator
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: istio-operator
|
|
||||||
spec:
|
|
||||||
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
nodeSelector:
|
|
||||||
kubernetes.io/os: linux
|
|
||||||
node-role.kubernetes.io/master: ""
|
|
||||||
tolerations:
|
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
containers:
|
|
||||||
- name: istio-operator
|
|
||||||
image: {{.Values.hub}}/operator:{{.Values.tag}}
|
|
||||||
command:
|
|
||||||
- operator
|
|
||||||
- server
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
privileged: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
runAsGroup: 1337
|
|
||||||
runAsUser: 1337
|
|
||||||
runAsNonRoot: true
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
resources:
|
|
||||||
{{ toYaml .Values.operator.resources | trim | indent 12 }}
|
|
||||||
env:
|
|
||||||
- name: WATCH_NAMESPACE
|
|
||||||
value: {{.Values.watchedNamespaces | quote}}
|
|
||||||
- name: LEADER_ELECTION_NAMESPACE
|
|
||||||
value: {{.Values.operatorNamespace | quote}}
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
- name: OPERATOR_NAME
|
|
||||||
value: {{.Values.operatorNamespace | quote}}
|
|
||||||
- name: WAIT_FOR_RESOURCES_TIMEOUT
|
|
||||||
value: {{.Values.waitForResourcesTimeout | quote}}
|
|
||||||
- name: REVISION
|
|
||||||
value: {{.Values.revision | quote}}
|
|
||||||
---
|
|
@ -1,15 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
namespace: {{.Values.operatorNamespace}}
|
|
||||||
labels:
|
|
||||||
name: istio-operator
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: http-metrics
|
|
||||||
port: 8383
|
|
||||||
targetPort: 8383
|
|
||||||
selector:
|
|
||||||
name: istio-operator
|
|
||||||
---
|
|
@ -1,6 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
namespace: {{.Values.operatorNamespace}}
|
|
||||||
name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
---
|
|
@ -1,25 +0,0 @@
|
|||||||
hub: gcr.io/istio-testing
|
|
||||||
tag: latest
|
|
||||||
|
|
||||||
operatorNamespace: istio-operator
|
|
||||||
|
|
||||||
# Used to replace istioNamespace to support operator watch multiple namespaces.
|
|
||||||
watchedNamespaces: istio-system
|
|
||||||
waitForResourcesTimeout: 300s
|
|
||||||
|
|
||||||
# Used for helm2 to add the CRDs to templates.
|
|
||||||
enableCRDTemplates: false
|
|
||||||
|
|
||||||
# revision for the operator resources
|
|
||||||
revision: ""
|
|
||||||
|
|
||||||
# Operator resource defaults
|
|
||||||
operator:
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 200m
|
|
||||||
memory: 256Mi
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
|
|
@ -1,82 +0,0 @@
|
|||||||
kind: CustomResourceDefinition
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: adapters.config.istio.io
|
|
||||||
labels:
|
|
||||||
app: mixer
|
|
||||||
package: adapter
|
|
||||||
istio: mixer-adapter
|
|
||||||
chart: istio
|
|
||||||
heritage: Tiller
|
|
||||||
release: istio
|
|
||||||
annotations:
|
|
||||||
"helm.sh/resource-policy": keep
|
|
||||||
spec:
|
|
||||||
group: config.istio.io
|
|
||||||
names:
|
|
||||||
kind: adapter
|
|
||||||
plural: adapters
|
|
||||||
singular: adapter
|
|
||||||
categories:
|
|
||||||
- istio-io
|
|
||||||
- policy-istio-io
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- name: v1alpha2
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: templates.config.istio.io
|
|
||||||
labels:
|
|
||||||
app: mixer
|
|
||||||
package: template
|
|
||||||
istio: mixer-template
|
|
||||||
chart: istio
|
|
||||||
heritage: Tiller
|
|
||||||
release: istio
|
|
||||||
annotations:
|
|
||||||
"helm.sh/resource-policy": keep
|
|
||||||
spec:
|
|
||||||
group: config.istio.io
|
|
||||||
names:
|
|
||||||
kind: template
|
|
||||||
plural: templates
|
|
||||||
singular: template
|
|
||||||
categories:
|
|
||||||
- istio-io
|
|
||||||
- policy-istio-io
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- name: v1alpha2
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
properties:
|
|
||||||
spec:
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
---
|
|
||||||
|
|
@ -1,74 +0,0 @@
|
|||||||
# SYNC WITH manifests/charts/istio-operator/templates
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
name: istiooperators.install.istio.io
|
|
||||||
labels:
|
|
||||||
release: istio
|
|
||||||
spec:
|
|
||||||
group: install.istio.io
|
|
||||||
names:
|
|
||||||
kind: IstioOperator
|
|
||||||
plural: istiooperators
|
|
||||||
singular: istiooperator
|
|
||||||
shortNames:
|
|
||||||
- iop
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- description: Istio control plane revision
|
|
||||||
jsonPath: .spec.revision
|
|
||||||
name: Revision
|
|
||||||
type: string
|
|
||||||
- description: IOP current state
|
|
||||||
jsonPath: .status.status
|
|
||||||
type: string
|
|
||||||
name: Status
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
|
||||||
description:
|
|
||||||
"CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before order
|
|
||||||
across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
|
||||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description:
|
|
||||||
"APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description:
|
|
||||||
"Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
|
||||||
type: string
|
|
||||||
spec:
|
|
||||||
description:
|
|
||||||
"Specification of the desired state of the istio control plane resource.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
description:
|
|
||||||
"Status describes each of istio control plane component status at the current time.
|
|
||||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
|
||||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
|
||||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources:
|
|
||||||
status: {}
|
|
||||||
---
|
|
||||||
|
|
16
charts/kubezero-istio/istio-discovery.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||||
|
index e4a983a..ba586de 100644
|
||||||
|
--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||||
|
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
|
||||||
|
@@ -59,6 +59,11 @@ spec:
|
||||||
|
{{- end }}
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1337
|
||||||
|
+ nodeSelector:
|
||||||
|
+ node-role.kubernetes.io/master: ""
|
||||||
|
+ tolerations:
|
||||||
|
+ - effect: NoSchedule
|
||||||
|
+ key: node-role.kubernetes.io/master
|
||||||
|
containers:
|
||||||
|
- name: discovery
|
||||||
|
{{- if contains "/" .Values.pilot.image }}
|
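Review bot: The added `nodeSelector`/`tolerations` block is spliced into the vendored istio-discovery deployment template as a literal directly under `securityContext:`; if the upstream template already renders a `nodeSelector` from `.Values.pilot.nodeSelector` (which I believe it does for this chart version, worth confirming), the patched pod spec carries the key twice and the rendered manifest silently keeps only one of them. The same control-plane pinning could be expressed through the chart's own values (`pilot.nodeSelector` / `pilot.tolerations` set from the parent chart) instead of a source patch, which also keeps the constraint from being lost the next time the update script re-vendors the chart. The leading whitespace of the patch lines is not visible in this view, so the context match of the `@@ -59,6 +59,11 @@` hunk cannot be checked here.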
@ -1,15 +0,0 @@
|
|||||||
--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100
|
|
||||||
+++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100
|
|
||||||
@@ -14,6 +14,12 @@
|
|
||||||
name: istio-operator
|
|
||||||
spec:
|
|
||||||
serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
+ nodeSelector:
|
|
||||||
+ kubernetes.io/os: linux
|
|
||||||
+ node-role.kubernetes.io/master: ""
|
|
||||||
+ tolerations:
|
|
||||||
+ - key: node-role.kubernetes.io/master
|
|
||||||
+ effect: NoSchedule
|
|
||||||
containers:
|
|
||||||
- name: istio-operator
|
|
||||||
image: {{.Values.hub}}/operator:{{.Values.tag}}
|
|
@ -1,140 +0,0 @@
|
|||||||
{{- if .Values.ingress.private.enabled }}
|
|
||||||
apiVersion: install.istio.io/v1alpha1
|
|
||||||
kind: IstioOperator
|
|
||||||
metadata:
|
|
||||||
name: kubezero-istio-private-ingress
|
|
||||||
namespace: istio-system
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
profile: empty
|
|
||||||
components:
|
|
||||||
ingressGateways:
|
|
||||||
- name: istio-private-ingressgateway
|
|
||||||
enabled: true
|
|
||||||
namespace: istio-system
|
|
||||||
k8s:
|
|
||||||
replicaCount: {{ .Values.ingress.replicaCount }}
|
|
||||||
{{- if .Values.ingress.autoscaleEnabled }}
|
|
||||||
hpaSpec:
|
|
||||||
maxReplicas: 5
|
|
||||||
metrics:
|
|
||||||
- resource:
|
|
||||||
name: cpu
|
|
||||||
targetAverageUtilization: 80
|
|
||||||
type: Resource
|
|
||||||
minReplicas: 1
|
|
||||||
scaleTargetRef:
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: istio-private-ingressgateway
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
{{- if .Values.ingress.private.http10 }}
|
|
||||||
- name: ISTIO_META_HTTP10
|
|
||||||
value: '"1"'
|
|
||||||
{{- end }}
|
|
||||||
# https://github.com/istio/istio/issues/26524, not in 1.7 either
|
|
||||||
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
|
||||||
# value: "60"
|
|
||||||
#- name: ISTIO_META_IDLE_TIMEOUT
|
|
||||||
# value: "3600s"
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodeSelector:
|
|
||||||
node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}"
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
# cpu: 2000m
|
|
||||||
memory: 256Mi
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 64Mi
|
|
||||||
strategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxSurge: 100%
|
|
||||||
maxUnavailable: 25%
|
|
||||||
overlays:
|
|
||||||
- apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: istio-private-ingressgateway
|
|
||||||
patches:
|
|
||||||
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
|
||||||
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
|
||||||
- path: spec.template.spec.terminationGracePeriodSeconds
|
|
||||||
value: 90
|
|
||||||
|
|
||||||
meshConfig:
|
|
||||||
accessLogFile: /dev/stdout
|
|
||||||
accessLogEncoding: 'JSON'
|
|
||||||
h2UpgradePolicy: 'DO_NOT_UPGRADE'
|
|
||||||
tcpKeepalive:
|
|
||||||
interval: 30s
|
|
||||||
time: 60s
|
|
||||||
|
|
||||||
values:
|
|
||||||
gateways:
|
|
||||||
istio-ingressgateway:
|
|
||||||
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
|
|
||||||
externalTrafficPolicy: Local
|
|
||||||
labels:
|
|
||||||
app: istio-private-ingressgateway
|
|
||||||
istio: private-ingressgateway
|
|
||||||
meshExpansionPorts: []
|
|
||||||
podAntiAffinityLabelSelector:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
values: istio-private-ingressgateway
|
|
||||||
type: {{ default "NodePort" .Values.ingress.type }}
|
|
||||||
ports:
|
|
||||||
- name: http-status
|
|
||||||
port: 15021
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31021
|
|
||||||
{{- end }}
|
|
||||||
- name: http2
|
|
||||||
port: 80
|
|
||||||
targetPort: 8080
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31080
|
|
||||||
{{- end }}
|
|
||||||
- name: https
|
|
||||||
port: 443
|
|
||||||
targetPort: 8443
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31443
|
|
||||||
{{- end }}
|
|
||||||
- name: fluentd-forward
|
|
||||||
port: 24224
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31224
|
|
||||||
{{- end }}
|
|
||||||
- name: amqps
|
|
||||||
port: 5671
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31671
|
|
||||||
{{- end }}
|
|
||||||
- name: amqp
|
|
||||||
port: 5672
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31672
|
|
||||||
{{- end }}
|
|
||||||
- name: redis
|
|
||||||
port: 6379
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31379
|
|
||||||
{{- end }}
|
|
||||||
- name: redis-1
|
|
||||||
port: 6380
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 31380
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
global:
|
|
||||||
jwtPolicy: first-party-jwt
|
|
||||||
logAsJson: true
|
|
||||||
defaultPodDisruptionBudget:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
{{- end }}
|
|
@ -1,152 +0,0 @@
|
|||||||
apiVersion: install.istio.io/v1alpha1
|
|
||||||
kind: IstioOperator
|
|
||||||
metadata:
|
|
||||||
name: kubezero-istio
|
|
||||||
namespace: istio-system
|
|
||||||
labels:
|
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
|
||||||
spec:
|
|
||||||
profile: empty
|
|
||||||
components:
|
|
||||||
base:
|
|
||||||
enabled: true
|
|
||||||
{{- if .Values.ingress.public.enabled }}
|
|
||||||
ingressGateways:
|
|
||||||
- enabled: true
|
|
||||||
k8s:
|
|
||||||
replicaCount: {{ .Values.ingress.replicaCount }}
|
|
||||||
{{- if .Values.ingress.autoscaleEnabled }}
|
|
||||||
hpaSpec:
|
|
||||||
maxReplicas: 5
|
|
||||||
metrics:
|
|
||||||
- resource:
|
|
||||||
name: cpu
|
|
||||||
targetAverageUtilization: 80
|
|
||||||
type: Resource
|
|
||||||
minReplicas: 1
|
|
||||||
scaleTargetRef:
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: istio-ingressgateway
|
|
||||||
{{- end }}
|
|
||||||
env:
|
|
||||||
{{- if .Values.ingress.http10 }}
|
|
||||||
- name: ISTIO_META_HTTP10
|
|
||||||
value: '"1"'
|
|
||||||
{{- end }}
|
|
||||||
# https://github.com/istio/istio/issues/26524, not in 1.7 !
|
|
||||||
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
|
||||||
# value: "60"
|
|
||||||
#- name: ISTIO_META_IDLE_TIMEOUT
|
|
||||||
# value: "3600s"
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodeSelector:
|
|
||||||
node.kubernetes.io/ingress.public: "30080_30443"
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
#cpu: 2000m
|
|
||||||
memory: 256Mi
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 64Mi
|
|
||||||
strategy:
|
|
||||||
rollingUpdate:
|
|
||||||
maxSurge: 100%
|
|
||||||
maxUnavailable: 25%
|
|
||||||
overlays:
|
|
||||||
- apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
name: istio-ingressgateway
|
|
||||||
patches:
|
|
||||||
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
|
||||||
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
|
||||||
- path: spec.template.spec.terminationGracePeriodSeconds
|
|
||||||
value: 90
|
|
||||||
|
|
||||||
name: istio-ingressgateway
|
|
||||||
{{- end }}
|
|
||||||
pilot:
|
|
||||||
enabled: true
|
|
||||||
k8s:
|
|
||||||
replicaCount: {{ .Values.istiod.replicaCount }}
|
|
||||||
nodeSelector:
|
|
||||||
node-role.kubernetes.io/master: ""
|
|
||||||
tolerations:
|
|
||||||
- effect: NoSchedule
|
|
||||||
key: node-role.kubernetes.io/master
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 128Mi
|
|
||||||
env:
|
|
||||||
- name: PILOT_ENABLE_MYSQL_FILTER
|
|
||||||
value: "true"
|
|
||||||
- name: PILOT_ENABLE_REDIS_FILTER
|
|
||||||
value: "true"
|
|
||||||
- name: PILOT_HTTP10
|
|
||||||
value: "true"
|
|
||||||
policy:
|
|
||||||
enabled: true
|
|
||||||
k8s:
|
|
||||||
replicaCount: {{ .Values.istiod.replicaCount }}
|
|
||||||
nodeSelector:
|
|
||||||
node-role.kubernetes.io/master: ""
|
|
||||||
tolerations:
|
|
||||||
- effect: NoSchedule
|
|
||||||
key: node-role.kubernetes.io/master
|
|
||||||
|
|
||||||
telemetry:
|
|
||||||
enabled: false
|
|
||||||
meshConfig:
|
|
||||||
accessLogFile: /dev/stdout
|
|
||||||
accessLogEncoding: 'JSON'
|
|
||||||
h2UpgradePolicy: 'DO_NOT_UPGRADE'
|
|
||||||
tcpKeepalive:
|
|
||||||
interval: 30s
|
|
||||||
time: 60s
|
|
||||||
values:
|
|
||||||
{{- if .Values.ingress.public.enabled }}
|
|
||||||
gateways:
|
|
||||||
istio-ingressgateway:
|
|
||||||
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
|
|
||||||
externalTrafficPolicy: Local
|
|
||||||
labels:
|
|
||||||
app: istio-ingressgateway
|
|
||||||
istio: ingressgateway
|
|
||||||
meshExpansionPorts: []
|
|
||||||
podAntiAffinityLabelSelector:
|
|
||||||
- key: app
|
|
||||||
operator: In
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
values: istio-ingressgateway
|
|
||||||
type: {{ default "NodePort" .Values.ingress.type }}
|
|
||||||
ports:
|
|
||||||
- name: http-status
|
|
||||||
port: 15021
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 30021
|
|
||||||
{{- end }}
|
|
||||||
- name: http2
|
|
||||||
port: 80
|
|
||||||
targetPort: 8080
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 30080
|
|
||||||
{{- end }}
|
|
||||||
- name: https
|
|
||||||
port: 443
|
|
||||||
targetPort: 8443
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 30443
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
global:
|
|
||||||
jwtPolicy: first-party-jwt
|
|
||||||
logAsJson: true
|
|
||||||
defaultPodDisruptionBudget:
|
|
||||||
enabled: false
|
|
||||||
pilot:
|
|
||||||
autoscaleEnabled: false
|
|
||||||
mixer:
|
|
||||||
policy:
|
|
||||||
autoscaleEnabled: false
|
|
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
export ISTIO_VERSION=1.7.4
|
export ISTIO_VERSION=1.8.0
|
||||||
|
|
||||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||||
NAME="istio-$ISTIO_VERSION"
|
NAME="istio-$ISTIO_VERSION"
|
||||||
@ -10,17 +10,24 @@ if [ ! -d istio-$ISTIO_VERSION ]; then
|
|||||||
curl -sL "$URL" | tar xz
|
curl -sL "$URL" | tar xz
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Extract control plane charts
|
||||||
|
rm -rf charts/base charts/istio-*
|
||||||
|
cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/
|
||||||
|
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/
|
||||||
|
|
||||||
|
# Patch for istiod to control plane
|
||||||
|
patch -p3 -i istio-discovery.patch
|
||||||
|
|
||||||
|
# Minor tweaks
|
||||||
|
rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml
|
||||||
|
|
||||||
|
# Ingress charts
|
||||||
|
rm -rf ../kubezero-istio-ingress/charts/istio-*
|
||||||
|
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/
|
||||||
|
cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress
|
||||||
|
|
||||||
|
# Rename private chart
|
||||||
|
sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
|
||||||
|
|
||||||
# Get matching istioctl
|
# Get matching istioctl
|
||||||
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||||
|
|
||||||
# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
|
|
||||||
# Now lets extract istio-operator chart
|
|
||||||
rm -rf charts/istio-operator
|
|
||||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
|
|
||||||
|
|
||||||
# Apply our patch
|
|
||||||
patch -i istio-operator.patch -p0
|
|
||||||
|
|
||||||
# Extract crds
|
|
||||||
rm -rf crds
|
|
||||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds .
|
|
||||||
|
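Review bot: The new `cp -r istio-${ISTIO_VERSION}/manifests/charts/...` lines copy the tree obtained by `curl -sL "$URL" | tar xz` straight into the chart sources, and nothing in the script verifies what was downloaded; bumping `ISTIO_VERSION` to 1.8.0 is the only pin. Istio publishes a `.sha256` next to each release tarball, so the archive could be saved and checked before extraction, e.g. `curl -sL "$URL" -o "$NAME.tar.gz"`, `echo "<EXPECTED_SHA256_PLACEHOLDER>  $NAME.tar.gz" | sha256sum -c -`, `tar xzf "$NAME.tar.gz"`, with the expected digest recorded next to the version. The istioctl fetch is now commented out rather than removed; if it is no longer needed, dropping the line avoids dead code, and if it is, it has the same unverified pipe-to-tar shape. The `if [ ! -d istio-$ISTIO_VERSION ]` block begins in the first hunk and the `$URL` it uses is defined between the two hunks, outside this view.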