feat: Istio RateLimiting, Version bump to 1.11.1, Kiali support

This commit is contained in:
Stefan Reimer 2021-08-25 15:58:55 +02:00
parent 587d9c7b16
commit 1839e9bcdb
84 changed files with 3709 additions and 1386 deletions


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress
type: application
version: 0.6.1
appVersion: 1.10.3
version: 0.7.2
appVersion: 1.11.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -13,12 +13,12 @@ maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
version: ">= 0.1.4"
repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress
version: 1.10.3
version: 1.11.1
condition: istio-ingress.enabled
- name: istio-private-ingress
version: 1.10.3
version: 1.11.1
condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
# kubezero-istio-ingress
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version |
|------------|------|---------|
| | istio-ingress | 1.10.2 |
| | istio-private-ingress | 1.10.2 |
| | istio-ingress | 1.11.0 |
| | istio-private-ingress | 1.11.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
@ -41,26 +41,28 @@ Kubernetes: `>= 1.18.0`
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | |
| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | |
| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
@ -69,7 +71,7 @@ Kubernetes: `>= 1.18.0`
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-ingress.proxyProtocol | bool | `false` | |
| istio-ingress.proxyProtocol | bool | `true` | |
| istio-ingress.telemetry.enabled | bool | `false` | |
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
@ -83,26 +85,28 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | |
| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | |
| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
@ -111,7 +115,7 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-private-ingress.proxyProtocol | bool | `false` | |
| istio-private-ingress.proxyProtocol | bool | `true` | |
| istio-private-ingress.telemetry.enabled | bool | `false` | |
## Resources


@ -1,6 +1,6 @@
apiVersion: v1
name: istio-ingress
version: 1.10.3
version: 1.11.1
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:


@ -21,11 +21,16 @@ nodeAffinity:
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
{{- if eq $val "Exists" }}
- key: {{ $key }}
operator: Exists
{{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
@ -70,6 +75,13 @@ nodeAffinity:
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- if $item.namespaces }}
namespaces:
{{- $ns := split "," $item.namespaces }}
{{- range $i, $n := $ns }}
- {{ $n | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
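Review bot: `{{- if eq $val "Exists" }}` on the first added line compares whatever type the nodeSelector value arrived as, and Go templates' `eq` fails with an "incompatible types for comparison" error instead of returning false when `$val` is not a string (an unquoted numeric label value in a values file); `{{- if eq (toString $val) "Exists" }}` keeps the sentinel check from aborting the render for such setups. In the second hunk, `split "," $item.namespaces` splits on a bare comma, so `"a, b"` yields a namespace `" b"`; emitting `- {{ trim $n | quote }}` avoids that. Both hunks sit inside define blocks that start before the hunk. The identical hunks in the istio-private-ingress copy of _affinity.tpl further down carry the same two points.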


@ -125,8 +125,6 @@ spec:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
@ -200,14 +198,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
@ -240,11 +230,6 @@ spec:
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
@ -301,16 +286,6 @@ spec:
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
- name: istio-envoy
emptyDir: {}
- name: istio-data


@ -34,9 +34,11 @@ spec:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-
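Review bot: The allow-list `(list "name" "nodePort" "port" "targetPort")` drops `protocol` from the rendered Service port, even though every port in values.yaml sets `protocol: TCP` and the values comment distinguishes `gatewayProtocol` from the container protocol; a `protocol: UDP` entry would silently render as TCP (the Kubernetes default). If the omission is deliberate, a comment saying so would help; otherwise extend the list: `{{- if has $pkey (list "name" "nodePort" "port" "protocol" "targetPort") }}`. The same filter appears in the istio-private-ingress service.yaml hunk below. The enclosing `ports:` mapping and the surrounding document start before the hunk.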


@ -165,7 +165,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.10.3
tag: 1.11.1
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.


@ -1,6 +1,6 @@
apiVersion: v1
name: istio-private-ingress
version: 1.10.3
version: 1.11.1
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:


@ -21,11 +21,16 @@ nodeAffinity:
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
{{- if eq $val "Exists" }}
- key: {{ $key }}
operator: Exists
{{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
@ -70,6 +75,13 @@ nodeAffinity:
{{- end }}
{{- end }}
topologyKey: {{ $item.topologyKey }}
{{- if $item.namespaces }}
namespaces:
{{- $ns := split "," $item.namespaces }}
{{- range $i, $n := $ns }}
- {{ $n | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@ -125,8 +125,6 @@ spec:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
- --serviceCluster
- {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
@ -200,14 +198,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name }}
- name: ISTIO_META_OWNER
@ -240,11 +230,6 @@ spec:
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if $gateway.podAnnotations }}
- name: "ISTIO_METAJSON_ANNOTATIONS"
value: |
{{ toJson $gateway.podAnnotations | indent 16}}
{{ end }}
- name: ISTIO_META_CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
volumeMounts:
@ -301,16 +286,6 @@ spec:
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
- name: istio-envoy
emptyDir: {}
- name: istio-data


@ -34,9 +34,11 @@ spec:
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{- end }}
{{ range $app := $gateway.ingressPorts }}
-


@ -165,7 +165,7 @@ global:
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.10.3
tag: 1.11.1
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.


@ -0,0 +1,42 @@
{{- define "gatewayServers" }}
{{- range $port := .ports }}
{{- if not $port.noGateway }}
{{- $eachCert := false }}
{{- if $port.tls }}
{{- if not $port.tls.httpsRedirect }}
{{- $eachCert = true }}
{{- end }}
{{- end }}
{{- if $eachCert }}
{{- range $cert := $.certificates }}
- port:
number: {{ $port.port }}
name: {{ $port.name }}
protocol: {{ default "TCP" $port.gatewayProtocol }}
tls:
credentialName: {{ $cert.name }}
{{- toYaml $port.tls | nindent 4 }}
hosts:
{{- toYaml $cert.dnsNames | nindent 2 }}
{{- end }}
{{- else }}
- port:
number: {{ $port.port }}
name: {{ $port.name }}
protocol: {{ default "TCP" $port.gatewayProtocol }}
{{- with $port.tls }}
tls:
{{- toYaml . | nindent 4 }}
{{- end }}
hosts:
{{- range $cert := $.certificates }}
{{- toYaml $cert.dnsNames | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
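Review bot: The new `gatewayServers` define has no comment describing its per-port contract, which a reader otherwise has to reverse-engineer from `$eachCert`: a port with `noGateway` is skipped, a port whose `tls` has `httpsRedirect` yields one server listing every certificate's hosts, and any other `tls` yields one server per certificate with that certificate's `credentialName`. A `{{/* ... */}}` header above `{{- define "gatewayServers" }}` stating those three rules, and that the caller passes `certificates` and `ports` in a dict, would make the helper self-explanatory. In the per-certificate branch, `{{- toYaml $port.tls | nindent 4 }}` follows `credentialName:` and dumps the values map verbatim, so a `credentialName` set under a port's `tls` in values would render a duplicate key whose last occurrence wins in most YAML parsers; `{{- toYaml (omit $port.tls "credentialName") | nindent 4 }}` removes that ambiguity.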


@ -5,7 +5,7 @@ metadata:
name: ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
@ -43,7 +43,7 @@ metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:


@ -1,4 +1,7 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
# Public Ingress Gateway
{{- $gateway := index .Values "istio-ingress" }}
{{- if and $gateway.enabled $gateway.certificates }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
apiVersion: networking.istio.io/v1beta1
@ -7,108 +10,10 @@ metadata:
name: ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP2
hosts:
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
tls:
httpsRedirect: true
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
- port:
number: 443
name: https
protocol: HTTPS
hosts:
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
credentialName: {{ $cert.name }}
{{- end }}
{{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: private-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
selector:
istio: private-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP2
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
tls:
httpsRedirect: true
# All SSL hosts one entry per ingress-certificate
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
- port:
number: 443
name: https
protocol: HTTPS
hosts:
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
credentialName: {{ $cert.name }}
- port:
number: 24224
name: fluentd-forward
protocol: TLS
hosts:
{{- toYaml $cert.dnsNames | nindent 4 }}
tls:
mode: SIMPLE
credentialName: {{ $cert.name }}
{{- end }}
- port:
number: 5672
name: amqp
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 6379
name: redis
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 6380
name: redis-1
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
{{- end }}


@ -0,0 +1,19 @@
# Private Ingress Gateway
{{- $gateway := index .Values "istio-private-ingress" }}
{{- if and $gateway.enabled $gateway.certificates }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: private-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
selector:
istio: private-ingressgateway
servers:
{{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}}
{{- end }}


@ -1,7 +1,7 @@
# Make sure these values match kuberzero-istio !!!
global:
#hub: docker.io/istio
#tag: 1.10.2
#tag: 1.11.0
logAsJson: true
@ -50,31 +50,50 @@ istio-ingress:
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
# The node selector is normally the list of nodeports, see CloudBender
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443"
node.kubernetes.io/ingress.public: "Exists"
# Only nodes who are fronted with matching NLB
#affintiy:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node.kubernetes.io/ingress.public
# operator: Exists
# Map port 80/443 to 8080/8443 so we don't need to root
# ports is extended as follows:
# noGateway: true -> this port does NOT get mapped to a Gateway port
# tls: optional gateway port setting
# gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol !
ports:
- name: status-port
port: 15021
nodePort: 30021
protocol: TCP
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 30080
protocol: TCP
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 30443
protocol: TCP
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
certificates:
- name: ingress-cert
dnsNames: []
# - '*.example.com'
proxyProtocol: false
proxyProtocol: true
meshConfig:
defaultConfig:
@ -124,27 +143,43 @@ istio-private-ingress:
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
# Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch
nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224"
node.kubernetes.io/ingress.private: "Exists"
# Only nodes who are fronted with matching NLB
#affintiy:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node.kubernetes.io/ingress.private
# operator: Exists
ports:
- name: status-port
port: 15021
nodePort: 31021
protocol: TCP
noGateway: true
- name: http2
port: 80
targetPort: 8080
nodePort: 31080
protocol: TCP
gatewayProtocol: HTTP2
tls:
httpsRedirect: true
- name: https
port: 443
targetPort: 8443
nodePort: 31443
protocol: TCP
gatewayProtocol: HTTPS
tls:
mode: SIMPLE
#- name: fluentd-forward
# port: 24224
# nodePort: 31224
# gatewayProtocol: TLS
# tls:
# mode: SIMPLE
#- name: amqps
# port: 5671
# nodePort: 31671
@ -160,7 +195,7 @@ istio-private-ingress:
dnsNames: []
#- '*.example.com'
proxyProtocol: false
proxyProtocol: true
meshConfig:
defaultConfig:
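Review bot: Flipping the shipped default of `proxyProtocol` from `false` to `true`, here and in the istio-private-ingress stanza at the end of the file, changes what the gateway listeners accept and deserves a comment next to the key rather than a silent default change. If the filter that consumes this flag (not in this hunk) enables PROXY protocol on the listener, the proxy takes the client address from the PROXY header, so the `remote_address` rate-limit descriptors this commit adds in kubezero-istio are only as trustworthy as the network path — a client able to reach the NodePorts without going through the NLB could present an arbitrary source address; a comment such as `# Requires the fronting NLB to send PROXY protocol and the node ports to be reachable only from it` captures both the prerequisite and the trust assumption. Existing installs whose NLB does not send PROXY protocol will see connections fail after the upgrade, which is worth a changelog mention. Minor: the commented-out block is spelled `#affintiy:` in both stanzas and the ports comment says `Procotol`.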


@ -28,4 +28,5 @@ README.md.gotmpl
*.py
istioctl
istio-?.?.?
istio
istio.zdt


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio
description: KubeZero Umbrella Chart for Istio
type: application
version: 0.6.1
appVersion: 1.10.3
version: 0.7.2
appVersion: 1.11.1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -13,10 +13,14 @@ maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
version: ">= 0.1.4"
repository: https://zero-down-time.github.io/kubezero/
- name: base
version: 1.10.3
version: 1.11.1
- name: istio-discovery
version: 1.10.3
version: 1.11.1
- name: kiali-server
version: 1.38.1
# repository: https://github.com/kiali/helm-charts/tree/master/docs
condition: kiali-server.enabled
kubeVersion: ">= 1.18.0"
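Review bot: The new `kiali-server` dependency has no `repository:` (the commented line points at a GitHub tree, not a Helm repository index), so `helm dependency update` cannot resolve it and the 1.38.1 chart must be vendored under `charts/`; a comment naming where it is pulled from, e.g. `# vendored, see Makefile/fetch script` or the real Helm repository URL, would save the next maintainer a search. The README table in this commit shows `kiali-server.auth.strategy` defaulting to `anonymous` with `istio.gateway` pointing at the private ingress gateway; Kiali stays opt-in via `condition: kiali-server.enabled`, but a one-line comment in values.yaml (outside this view) that `anonymous` means unauthenticated read access to mesh configuration for anyone who can reach that gateway would make the trade-off explicit.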


@ -1,6 +1,6 @@
# kubezero-istio
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square)
KubeZero Umbrella Chart for Istio
@ -20,8 +20,9 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version |
|------------|------|---------|
| | base | 1.10.2 |
| | istio-discovery | 1.10.2 |
| | base | 1.11.1 |
| | istio-discovery | 1.11.1 |
| | kiali-server | 1.38.1 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values
@ -43,6 +44,26 @@ Kubernetes: `>= 1.18.0`
| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| istio-discovery.telemetry.enabled | bool | `false` | |
| kiali-server.auth.strategy | string | `"anonymous"` | |
| kiali-server.deployment.ingress_enabled | bool | `false` | |
| kiali-server.deployment.view_only_mode | bool | `true` | |
| kiali-server.enabled | bool | `false` | |
| kiali-server.external_services.custom_dashboards.enabled | bool | `false` | |
| kiali-server.external_services.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus.monitoring:9090"` | |
| kiali-server.istio.enabled | bool | `false` | |
| kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| kiali-server.server.metrics_enabled | bool | `false` | |
| rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` | |
| rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | |
| rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` | |
| rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` | |
| rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | |
| rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | |
| rateLimiting.enabled | bool | `true` | |
| rateLimiting.failureModeDeny | bool | `false` | |
| rateLimiting.localCacheSize | int | `1048576` | |
| rateLimiting.log.format | string | `"json"` | |
| rateLimiting.log.level | string | `"warn"` | |
## Resources


@ -1,6 +1,6 @@
apiVersion: v1
name: base
version: 1.10.3
version: 1.11.1
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs
keywords:



@ -1,3 +1,8 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -149,6 +154,9 @@ rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list"]
{{- if or .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]


@ -1,3 +1,8 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:


@ -1,5 +1,5 @@
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
{{- if not .Values.global.externalIstiod }}
apiVersion: v1
kind: Endpoints
metadata:


@ -0,0 +1,16 @@
# This service account aggregates reader permissions for the revisions in a given cluster
# Should be used for remote secret creation.
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}


@ -1,3 +1,8 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:


@ -1,3 +1,8 @@
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:


@ -1,18 +1,8 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
---
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
@ -27,4 +17,3 @@ metadata:
labels:
app: istiod
release: {{ .Release.Name }}
---


@ -1,5 +1,5 @@
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
{{- if not .Values.global.externalIstiod }}
# when istiod is enabled in remote cluster, we can't use istiod service name
apiVersion: v1
kind: Service


@ -1,40 +0,0 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istiod-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
webhooks:
- name: validation.istio.io
clientConfig:
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
---
{{- end }}


@ -1,6 +1,6 @@
apiVersion: v1
name: istio-discovery
version: 1.10.3
version: 1.11.1
tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane
keywords:


@ -4,6 +4,5 @@ MCP and injector should optionally be installed in the same namespace. Alternati
address of an MCP server can be set.
Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/KjkrDnMPByq7akrYA"
Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/kWULBRjUv7hHci7T6


@ -28,12 +28,6 @@ spec:
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
@ -78,14 +72,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
@ -112,11 +98,6 @@ spec:
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
@ -187,16 +168,6 @@ spec:
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:


@ -0,0 +1,234 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
{{- range $index, $container := .Spec.Containers }}
{{ if not (eq $container.Name "istio-proxy") }}
- name: {{ $container.Name }}
env:
- name: "GRPC_XDS_BOOTSTRAP"
value: "/var/lib/istio/data/grpc-bootstrap.json"
- name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
value: "true"
volumeMounts:
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- end }}
{{- end }}
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
env:
- name: "GRPC_XDS_BOOTSTRAP"
value: "/var/lib/istio/data/grpc-bootstrap.json"
- name: ISTIO_META_GENERATOR
value: grpc
- name: OUTPUT_CERTS
value: /var/lib/istio/data
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
# grpc uses xds:/// to resolve no need to resolve VIP
- name: ISTIO_META_DNS_CAPTURE
value: "false"
- name: DISABLE_ENVOY
value: "true"
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
resources:
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{- end }}
{{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
limits:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
{{ end }}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
{{ end }}
{{- end }}
{{- else }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 6 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# UDS channel between istioagent and gRPC client for XDS/SDS
- mountPath: /etc/istio/proxy
name: istio-xds
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 6 }}
{{ end }}
{{- end }}
volumes:
# UDS channel between istioagent and gRPC client for XDS/SDS
- emptyDir:
medium: Memory
name: istio-xds
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
{{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{ end }}
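Review bot: The istio-proxy container added at L1085–L1255 carries no securityContext, whereas the sidecar injection template in this same commit (L1427–L1433) drops all capabilities, sets readOnlyRootFilesystem and runs the proxy with group 1337, so this template's proxy inherits whatever the pod defaults to. The agent only writes under /var/lib/istio/data (OUTPUT_CERTS, L1108–L1109) and /etc/istio/proxy, both emptyDir mounts (L1258–L1262), so a read-only root filesystem looks safe — confirm the agent writes nothing else before relying on it. I would add a securityContext mirroring the standard template, placed after the resources block.
```yaml
  - name: istio-proxy
    # … unchanged: image, args, env, readinessProbe, resources …
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1337
    # … unchanged: volumeMounts …
```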


@ -0,0 +1,58 @@
spec:
initContainers:
- name: grpc-bootstrap-init
image: busybox:1.28
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
env:
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
command:
- sh
- "-c"
- |-
NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
echo '
{
"xds_servers": [
{
"server_uri": "dns:///istiod.istio-system.svc:15010",
"channel_creds": [{"type": "insecure"}],
"server_features" : ["xds_v3"]
}
],
"node": {
"id": "'${NODE_ID}'",
"metadata": {
"GENERATOR": "grpc"
}
}
}' > /var/lib/grpc/data/bootstrap.json
containers:
{{- range $index, $container := .Spec.Containers }}
- name: {{ $container.Name }}
env:
- name: GRPC_XDS_BOOTSTRAP
value: /var/lib/grpc/data/bootstrap.json
- name: GRPC_GO_LOG_VERBOSITY_LEVEL
value: "99"
- name: GRPC_GO_LOG_SEVERITY_LEVEL
value: info
volumeMounts:
- mountPath: /var/lib/grpc/data/
name: grpc-io-proxyless-bootstrap
{{- end }}
volumes:
- name: grpc-io-proxyless-bootstrap
emptyDir: {}
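Review bot: The bootstrap written at L1325–L1326 points proxyless gRPC clients at `dns:///istiod.istio-system.svc:15010` with `"channel_creds": [{"type": "insecure"}]`, so xDS is fetched in plaintext with no server authentication, unlike the grpc-agent template which goes through the agent to `:15012` (L1122). The namespace, port and the `cluster.local` suffix in NODE_ID (L1320) are also hard-coded, while the rest of the charts use `{{ .Values.global.istioNamespace }}` and `{{ .Values.global.proxy.clusterDomain }}` (L1095, L1122), so an istiod installed elsewhere or a non-default cluster domain yields a bootstrap that cannot connect. The configmap hunk at L1610–L1613 ships this template to every namespace by default, so any workload can opt into the unauthenticated path with a single annotation. At minimum I would template the namespace, `"server_uri": "dns:///istiod.{{ .Values.global.istioNamespace }}.svc:15010",`, and add a comment at the top of the file: `{{- /* grpc-simple: plaintext xDS on 15010 with insecure channel creds, for proxyless gRPC experiments only; meshes that rely on mTLS should use the grpc-agent template */}}`.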


@ -5,7 +5,6 @@ metadata:
security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }}
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
@ -138,7 +137,7 @@ spec:
{{- end }}
restartPolicy: Always
{{ end -}}
{{- if eq .Values.global.proxy.enableCoreDump true }}
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- name: enable-core-dump
args:
- -c
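Review bot: L1370 lets the `sidecar.istio.io/enableCoreDump` pod annotation, not only the chart value, add the enable-core-dump init container, and the matching change at L1431 flips the proxy's `readOnlyRootFilesystem` to false for the same annotation, so a hardening control that used to belong to the cluster operator (`global.proxy.enableCoreDump`) is now settable by anyone who can write pod annotations. Whether the init container itself runs privileged is not visible in this hunk. Clusters that treated the global value as policy should now enforce or audit the annotation through admission policy, since the chart no longer does. I would document this above L1370 with `{{- /* per-pod annotation overrides global.proxy.enableCoreDump; it also disables readOnlyRootFilesystem on istio-proxy below */}}`.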
@ -181,12 +180,6 @@ spec:
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
@ -196,9 +189,9 @@ spec:
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if gt .ProxyConfig.Concurrency.GetValue 0 }}
{{- if gt .EstimatedConcurrency 0 }}
- --concurrency
- "{{ .ProxyConfig.Concurrency.GetValue }}"
- "{{ .EstimatedConcurrency }}"
{{- end -}}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
@ -246,14 +239,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
@ -280,11 +265,6 @@ spec:
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
@ -344,7 +324,7 @@ spec:
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
runAsGroup: 1337
fsGroup: 1337
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
@ -437,16 +417,6 @@ spec:
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:


@ -0,0 +1,112 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# sidecar injection controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
# configuration validation webhook controller
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
# istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"]
resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported
resources: ["*"]
{{- end }}
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
resources: [ "workloadentries/status" ]
# auto-detect installed CRD definitions
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
# discovery and routing
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
# ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
{{- end}}
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/status"]
verbs: ["*"]
# required for CA's namespace controller
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
# Istiod and bootstrap.
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
- "certificatesigningrequests/status"
verbs: ["update", "create", "get", "delete", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
verbs: ["approve"]
# Used by Istiod to verify the JWT tokens
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# Used by Istiod to verify gateway SDS
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
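Review bot: L1549–L1551 grant the istiod ServiceAccount `get`, `watch` and `list` on every Secret in the cluster, which together with CSR approval (L1527–L1532) and TokenReview creation (L1534–L1536) makes this one of the most sensitive identities the chart creates; the istio-reader ClusterRole at L1723–L1725 carries the same cluster-wide Secret read. The comment on L1548 undersells it: as far as I know for 1.11, istiod also serves ingress-gateway TLS secrets referenced by `credentialName` through this rule (confirm), so it cannot simply be narrowed with `resourceNames`. I would make the comment say so, `# Cluster-wide Secret read: multicluster remote secrets and gateway credentialName TLS secrets; every Secret in the cluster is readable via this SA, so alert on unexpected list/watch by it in audit logs`, and treat the istiod and istio-reader tokens as tier-0 credentials in the threat model.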


@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}


@ -49,9 +49,11 @@
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- else }}
{}
{{- end }}
{{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }}
{{- if not .Values.global.externalIstiod }}
discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
{{- else }}
discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012


@ -54,7 +54,7 @@ spec:
{{ toYaml .Values.pilot.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: istiod-service-account
serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}


@ -52,6 +52,14 @@ data:
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
grpc-simple: |
{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
{{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
grpc-agent: |
{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }}
{{- end }}


@ -5,12 +5,12 @@ a unique prefix to each. */}}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: {{ .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
path: "{{ .Values.istiodRemote.injectionPath }}"
port: 443
{{- end }}
caBundle: ""
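Review bot: L1635 replaces the literal `"/inject"` with `"{{ .Values.istiodRemote.injectionPath }}"`; if a values file predating this version does not define `istiodRemote.injectionPath`, this renders `path: ""` and the API server calls the injector's service root instead of `/inject`, so injection fails (silently where failurePolicy is Ignore). The same substitution appears at L1788 in the istiod-remote variant. A default keeps the previous behaviour for existing installs: `path: "{{ .Values.istiodRemote.injectionPath | default "/inject" }}"`. Whether the chart's values.yaml sets this key is outside the hunk.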
@ -40,60 +40,7 @@ metadata:
app: sidecar-injector
release: {{ .Release.Name }}
webhooks:
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
{{- include "core" . }}
namespaceSelector:
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
matchExpressions:
- key: name
operator: NotIn
values:
- {{ .Release.Namespace }}
- key: istio-injection
operator: NotIn
values:
- disabled
- key: istio-env
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
{{- else if .Values.revision }}
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: In
values:
- {{ .Values.revision }}
{{- else }}
matchLabels:
istio-injection: enabled
{{- end }}
{{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
objectSelector:
{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
matchExpressions:
- key: "sidecar.istio.io/inject"
operator: NotIn
values:
- "false"
{{- else if .Values.revision }}
matchExpressions:
- key: "sidecar.istio.io/inject"
operator: DoesNotExist
- key: istio.io/rev
operator: In
values:
- {{ .Values.revision }}
{{- else }}
matchLabels:
"sidecar.istio.io/inject": "true"
{{- end }}
{{- end }}
{{- else }}
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
@ -195,4 +142,3 @@ webhooks:
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,48 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
rules:
- apiGroups:
- "config.istio.io"
- "security.istio.io"
- "networking.istio.io"
- "authentication.istio.io"
- "rbac.istio.io"
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
verbs: [ "get", "watch", "list" ]
resources: [ "workloadentries" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- if .Values.global.externalIstiod }}
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
{{- end}}


@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
labels:
app: istio-reader
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-reader-service-account
namespace: {{ .Values.global.istioNamespace }}


@ -5,12 +5,12 @@
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: {{ .Values.istiodRemote.injectionURL }}
url: "{{ .Values.istiodRemote.injectionURL }}"
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
path: "{{ .Values.istiodRemote.injectionPath }}"
{{- end }}
caBundle: ""
sideEffects: None
@ -110,4 +110,4 @@ webhooks:
operator: DoesNotExist
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
rules:
# permissions to verify the webhook is ready and rejecting
# invalid config. We use --server-dry-run so no config is persisted.
- apiGroups: ["networking.istio.io"]
verbs: ["create"]
resources: ["gateways"]
# For storing CA secret
- apiGroups: [""]
resources: ["secrets"]
# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
verbs: ["create", "get", "watch", "list", "update", "delete"]


@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
subjects:
- kind: ServiceAccount
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}


@ -0,0 +1,15 @@
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
---


@ -3,7 +3,7 @@
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -19,7 +19,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -54,7 +54,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -89,7 +89,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -124,7 +124,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -138,7 +138,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener: {}
patch:
operation: INSERT_BEFORE
@ -153,7 +153,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
cluster: {}
patch:
operation: MERGE
@ -169,7 +169,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
cluster: {}
patch:
operation: MERGE
@ -187,7 +187,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -201,7 +201,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -247,7 +247,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -271,6 +271,7 @@ spec:
{
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true,
"metrics": [
{
"dimensions": {
@ -301,7 +302,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -349,7 +350,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -363,7 +364,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -415,7 +416,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -459,7 +460,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -505,7 +506,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -520,7 +521,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -555,7 +556,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -589,7 +590,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -623,7 +624,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -638,7 +639,7 @@ spec:
match:
context: SIDECAR_OUTBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -671,7 +672,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -703,7 +704,7 @@ spec:
match:
context: GATEWAY
proxy:
proxyVersion: '^1\.10.*'
proxyVersion: '^1\.11.*'
listener:
filterChain:
filter:
@ -736,7 +737,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }}
@ -750,7 +751,7 @@ spec:
match:
context: SIDECAR_INBOUND
proxy:
proxyVersion: '1\.10.*'
proxyVersion: '1\.11.*'
listener:
filterChain:
filter:


@ -0,0 +1,86 @@
{{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
labels:
app: istiod
release: {{ .Release.Name }}
istio: istiod
istio.io/rev: {{ .Values.revision | default "default" }}
webhooks:
# Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
# are rejecting invalid configs on a per-revision basis.
- name: rev.validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: "" # patched at runtime when the webhook is ready.
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
apiVersions:
- "*"
resources:
- "*"
# Fail open until the validation webhook is ready. The webhook controller
# will update this to `Fail` and patch in the `caBundle` when the webhook
# endpoint is ready.
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}"
{{- end }}
# Webhook handling default validation
- name: validation.istio.io
clientConfig:
# Should change from base but cannot for API compat
{{- if .Values.base.validationURL }}
url: {{ .Values.base.validationURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Values.global.istioNamespace }}
path: "/validate"
{{- end }}
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
- networking.istio.io
- telemetry.istio.io
apiVersions:
- "*"
resources:
- "*"
failurePolicy: Ignore
sideEffects: None
admissionReviewVersions: ["v1beta1", "v1"]
objectSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
---
{{- end }}


@ -65,10 +65,6 @@ pilot:
sidecarInjectorWebhook:
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
# requests in Istiod, rather than at the webhook selection level.
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
useLegacySelectors: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
@ -116,8 +112,8 @@ sidecarInjectorWebhook:
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
@ -130,9 +126,15 @@ sidecarInjectorWebhook:
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# Sidecar injector mutating webhook configuration url
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject"
telemetry:
enabled: true
v2:
@ -237,7 +239,7 @@ global:
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.10.3
tag: 1.11.1
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
@ -386,9 +388,14 @@ global:
# If not set explicitly, default to the Istio discovery address.
caAddress: ""
# External istiod controls all remote clusters: disabled by default
# Configure a remote cluster data plane controlled by an external istiod.
# When set to true, istiod is not deployed locally and only a subset of the other
# discovery charts are enabled.
externalIstiod: false
# Configure a remote cluster as the config cluster for an external istiod.
configCluster: false
# Configure the policy for validating JWT.
# Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
jwtPolicy: "third-party-jwt"
@ -510,6 +517,9 @@ global:
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false
# Determines whether this istiod performs resource validation.
configValidation: true
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true


@ -0,0 +1,20 @@
apiVersion: v2
appVersion: v1.38.1
description: Kiali is an open source project for service mesh observability, refer
to https://www.kiali.io for details.
home: https://github.com/kiali/kiali
icon: https://raw.githubusercontent.com/kiali/kiali.io/master/themes/kiali/static/img/kiali_logo_masthead.png
keywords:
- istio
- kiali
maintainers:
- email: kiali-users@googlegroups.com
name: Kiali
url: https://kiali.io
name: kiali-server
sources:
- https://github.com/kiali/kiali
- https://github.com/kiali/kiali-ui
- https://github.com/kiali/kiali-operator
- https://github.com/kiali/helm-charts
version: 1.38.1


@ -0,0 +1,5 @@
Welcome to Kiali! For more details on Kiali, see: https://kiali.io
The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])


@ -0,0 +1,143 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create a default fully qualified instance name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride.
For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali,
use fullnameOverride, otherwise use deployment.instance_name.
*/}}
{{- define "kiali-server.fullname" -}}
{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }}
{{- .Values.fullnameOverride | trunc 63 }}
{{- else }}
{{- .Values.deployment.instance_name | trunc 63 }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kiali-server.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Identifies the log_level with the old verbose_mode and the new log_level considered.
*/}}
{{- define "kiali-server.logLevel" -}}
{{- if .Values.deployment.verbose_mode -}}
{{- .Values.deployment.verbose_mode -}}
{{- else -}}
{{- .Values.deployment.logger.log_level -}}
{{- end -}}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kiali-server.labels" -}}
helm.sh/chart: {{ include "kiali-server.chart" . }}
app: kiali
{{ include "kiali-server.selectorLabels" . }}
version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: "kiali"
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kiali-server.selectorLabels" -}}
app.kubernetes.io/name: kiali
app.kubernetes.io/instance: {{ include "kiali-server.fullname" . }}
{{- end }}
{{/*
Determine the default login token signing key.
*/}}
{{- define "kiali-server.login_token.signing_key" -}}
{{- if .Values.login_token.signing_key }}
{{- .Values.login_token.signing_key }}
{{- else }}
{{- randAlphaNum 16 }}
{{- end }}
{{- end }}
{{/*
Determine the default web root.
*/}}
{{- define "kiali-server.server.web_root" -}}
{{- if .Values.server.web_root }}
{{- .Values.server.web_root | trimSuffix "/" }}
{{- else }}
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- "/" }}
{{- else }}
{{- "/kiali" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Determine the default identity cert file. There is no default if on k8s; only on OpenShift.
*/}}
{{- define "kiali-server.identity.cert_file" -}}
{{- if hasKey .Values.identity "cert_file" }}
{{- .Values.identity.cert_file }}
{{- else }}
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- "/kiali-cert/tls.crt" }}
{{- else }}
{{- "" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Determine the default identity private key file. There is no default if on k8s; only on OpenShift.
*/}}
{{- define "kiali-server.identity.private_key_file" -}}
{{- if hasKey .Values.identity "private_key_file" }}
{{- .Values.identity.private_key_file }}
{{- else }}
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- "/kiali-cert/tls.key" }}
{{- else }}
{{- "" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Determine the istio namespace - default is where Kiali is installed.
*/}}
{{- define "kiali-server.istio_namespace" -}}
{{- if .Values.istio_namespace }}
{{- .Values.istio_namespace }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}
{{/*
Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift.
*/}}
{{- define "kiali-server.auth.strategy" -}}
{{- if .Values.auth.strategy }}
{{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }}
{{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }}
{{- end }}
{{- .Values.auth.strategy }}
{{- else }}
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- if not .Values.kiali_route_url }}
{{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }}
{{- end }}
{{- "openshift" }}
{{- else }}
{{- "token" }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,13 @@
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kiali-server.fullname" . }}-cabundle
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
annotations:
service.beta.openshift.io/inject-cabundle: "true"
...
{{- end }}


@ -0,0 +1,25 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
data:
config.yaml: |
{{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}}
{{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }}
{{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}}
{{- $_ := set $cm.deployment "namespace" .Release.Namespace }}
{{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}}
{{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }}
{{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }}
{{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }}
{{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }}
{{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }}
{{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }}
{{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }}
{{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }}
{{- toYaml $cm | nindent 4 }}
...
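Review bot: The `set $cm.login_token "signing_key"` line writes the login-token signing key into this plain ConfigMap, and the `kiali-server.login_token.signing_key` helper falls back to `randAlphaNum 16` whenever `login_token.signing_key` is empty, which is the default in this chart's values. A ConfigMap is readable by anyone with ConfigMap read access in the namespace, and the chart's own ClusterRole grants cluster-wide `configmaps` get/list/watch, so the key is not protected like a Secret would be; and because the random fallback is re-evaluated on every render, each `helm upgrade` appears to rotate it and invalidate all Kiali sessions. Suggest pinning `login_token.signing_key` from the umbrella chart, sourcing it from a Secret rather than a literal in a committed values file, and adding a comment such as `# NOTE: signing_key lands in a ConfigMap; set it explicitly and restrict ConfigMap access`. If this file is a verbatim copy of the upstream Kiali chart, the structural change belongs upstream.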


@ -0,0 +1,165 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.deployment.replicas }}
selector:
matchLabels:
{{- include "kiali-server.selectorLabels" . | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
name: {{ include "kiali-server.fullname" . }}
labels:
{{- include "kiali-server.labels" . | nindent 8 }}
{{- if .Values.deployment.pod_labels }}
{{- toYaml .Values.deployment.pod_labels | nindent 8 }}
{{- end }}
annotations:
{{- if .Values.server.metrics_enabled }}
prometheus.io/scrape: "true"
prometheus.io/port: {{ .Values.server.metrics_port | quote }}
{{- else }}
prometheus.io/scrape: "false"
prometheus.io/port: ""
{{- end }}
kiali.io/dashboards: go,kiali
{{- if .Values.deployment.pod_annotations }}
{{- toYaml .Values.deployment.pod_annotations | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "kiali-server.fullname" . }}
{{- if .Values.deployment.priority_class_name }}
priorityClassName: {{ .Values.deployment.priority_class_name | quote }}
{{- end }}
{{- if .Values.deployment.image_pull_secrets }}
imagePullSecrets:
{{- range .Values.deployment.image_pull_secrets }}
- name: {{ . }}
{{- end }}
{{- end }}
containers:
- image: "{{ .Values.deployment.image_name }}:{{ .Values.deployment.image_version }}"
imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
name: {{ include "kiali-server.fullname" . }}
command:
- "/opt/kiali/kiali"
- "-config"
- "/kiali-configuration/config.yaml"
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
ports:
- name: api-port
containerPort: {{ .Values.server.port | default 20001 }}
{{- if .Values.server.metrics_enabled }}
- name: http-metrics
containerPort: {{ .Values.server.metrics_port | default 9090 }}
{{- end }}
readinessProbe:
httpGet:
path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
port: api-port
{{- if (include "kiali-server.identity.cert_file" .) }}
scheme: HTTPS
{{- else }}
scheme: HTTP
{{- end }}
initialDelaySeconds: 5
periodSeconds: 30
livenessProbe:
httpGet:
path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz
port: api-port
{{- if (include "kiali-server.identity.cert_file" .) }}
scheme: HTTPS
{{- else }}
scheme: HTTP
{{- end }}
initialDelaySeconds: 5
periodSeconds: 30
env:
- name: ACTIVE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LOG_LEVEL
value: "{{ include "kiali-server.logLevel" . }}"
- name: LOG_FORMAT
value: "{{ .Values.deployment.logger.log_format }}"
- name: LOG_TIME_FIELD_FORMAT
value: "{{ .Values.deployment.logger.time_field_format }}"
- name: LOG_SAMPLER_RATE
value: "{{ .Values.deployment.logger.sampler_rate }}"
volumeMounts:
- name: {{ include "kiali-server.fullname" . }}-configuration
mountPath: "/kiali-configuration"
- name: {{ include "kiali-server.fullname" . }}-cert
mountPath: "/kiali-cert"
- name: {{ include "kiali-server.fullname" . }}-secret
mountPath: "/kiali-secret"
- name: {{ include "kiali-server.fullname" . }}-cabundle
mountPath: "/kiali-cabundle"
{{- if .Values.deployment.resources }}
resources:
{{- toYaml .Values.deployment.resources | nindent 10 }}
{{- end }}
volumes:
- name: {{ include "kiali-server.fullname" . }}-configuration
configMap:
name: {{ include "kiali-server.fullname" . }}
- name: {{ include "kiali-server.fullname" . }}-cert
secret:
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
secretName: {{ include "kiali-server.fullname" . }}-cert-secret
{{- else }}
secretName: istio.{{ include "kiali-server.fullname" . }}-service-account
{{- end }}
{{- if not (include "kiali-server.identity.cert_file" .) }}
optional: true
{{- end }}
- name: {{ include "kiali-server.fullname" . }}-secret
secret:
secretName: {{ .Values.deployment.secret_name }}
optional: true
- name: {{ include "kiali-server.fullname" . }}-cabundle
configMap:
name: {{ include "kiali-server.fullname" . }}-cabundle
{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
optional: true
{{- end }}
{{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }}
affinity:
{{- if .Values.deployment.affinity.node }}
nodeAffinity:
{{- toYaml .Values.deployment.affinity.node | nindent 10 }}
{{- end }}
{{- if .Values.deployment.affinity.pod }}
podAffinity:
{{- toYaml .Values.deployment.affinity.pod | nindent 10 }}
{{- end }}
{{- if .Values.deployment.affinity.pod_anti }}
podAntiAffinity:
{{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.deployment.tolerations }}
tolerations:
{{- toYaml .Values.deployment.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.deployment.node_selector }}
nodeSelector:
{{- toYaml .Values.deployment.node_selector | nindent 8 }}
{{- end }}
...
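Review bot: The container `securityContext` sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` but does not drop Linux capabilities or set a seccomp profile, so the pod would not satisfy the restricted Pod Security Standard; adding `capabilities: drop: ["ALL"]` and `seccompProfile: type: RuntimeDefault` under the same `securityContext` closes that gap. `runAsNonRoot: true` also relies on the image's `USER` directive, so pinning an explicit `runAsUser` would make the check independent of the image. If this is a verbatim copy of the upstream Kiali chart, the hardening could be carried as an umbrella override or sent upstream.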


@ -0,0 +1,17 @@
{{- if .Values.deployment.hpa.spec }}
---
apiVersion: {{ .Values.deployment.hpa.api_version }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kiali-server.fullname" . }}
{{- toYaml .Values.deployment.hpa.spec | nindent 2 }}
...
{{- end }}


@ -0,0 +1,56 @@
{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }}
{{- if .Values.deployment.ingress_enabled }}
---
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
annotations:
{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}
{{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
{{- else }}
# For ingress-nginx versions older than 0.20.0 use secure-backends.
# (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948)
# For ingress-nginx versions 0.20.0 and later use backend-protocol.
{{- if (include "kiali-server.identity.cert_file" .) }}
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- else }}
nginx.ingress.kubernetes.io/secure-backends: "false"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
{{- end }}
{{- end }}
spec:
{{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
{{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
{{- else }}
rules:
- http:
paths:
- path: {{ include "kiali-server.server.web_root" . }}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
pathType: Prefix
backend:
service:
name: {{ include "kiali-server.fullname" . }}
port:
number: {{ .Values.server.port }}
{{- else }}
backend:
serviceName: {{ include "kiali-server.fullname" . }}
servicePort: {{ .Values.server.port }}
{{- end }}
{{- if not (empty .Values.server.web_fqdn) }}
host: {{ .Values.server.web_fqdn }}
{{- end }}
{{- end }}
...
{{- end }}
{{- end }}


@ -0,0 +1,17 @@
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- if .Values.kiali_route_url }}
---
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
metadata:
name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
redirectURIs:
- {{ .Values.kiali_route_url }}
grantMethod: auto
allowAnyScope: true
...
{{- end }}
{{- end }}


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kiali-server.fullname" . }}-controlplane
namespace: {{ include "kiali-server.istio_namespace" . }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- list
...


@ -0,0 +1,89 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kiali-server.fullname" . }}-viewer
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- pods/log
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- namespaces
- pods
- replicationcontrollers
- services
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- pods/portforward
verbs:
- create
- post
- apiGroups: ["extensions", "apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- apiGroups:
- networking.istio.io
- security.istio.io
resources: ["*"]
verbs:
- get
- list
- watch
- apiGroups: ["apps.openshift.io"]
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
- apiGroups: ["project.openshift.io"]
resources:
- projects
verbs:
- get
- apiGroups: ["route.openshift.io"]
resources:
- routes
verbs:
- get
- apiGroups: ["iter8.tools"]
resources:
- experiments
verbs:
- get
- list
- watch
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs:
- create
...


@ -0,0 +1,99 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kiali-server.fullname" . }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- pods/log
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- namespaces
- pods
- replicationcontrollers
- services
verbs:
- get
- list
- watch
- patch
- apiGroups: [""]
resources:
- pods/portforward
verbs:
- create
- post
- apiGroups: ["extensions", "apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- patch
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- patch
- apiGroups:
- networking.istio.io
- security.istio.io
resources: ["*"]
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups: ["apps.openshift.io"]
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
- patch
- apiGroups: ["project.openshift.io"]
resources:
- projects
verbs:
- get
- apiGroups: ["route.openshift.io"]
resources:
- routes
verbs:
- get
- apiGroups: ["iter8.tools"]
resources:
- experiments
verbs:
- get
- list
- watch
- create
- delete
- patch
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs:
- create
...
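Review bot: This ClusterRole grants the Kiali service account cluster-wide `create`, `delete` and `patch` on every `networking.istio.io` and `security.istio.io` resource, plus `patch` on workloads and `create` on `pods/portforward`, which amounts to mesh-admin (it can rewrite AuthorizationPolicy and PeerAuthentication objects in any namespace). Whether this role or the `-viewer` role is bound is decided by `deployment.view_only_mode` in the ClusterRoleBinding, and that value defaults to `false` in this chart's values, so the full role is bound unless the umbrella chart overrides it. Suggest setting `view_only_mode: true` at the umbrella level unless editing Istio config from the Kiali UI is actually wanted, and documenting the trade-off next to that value with a comment like `# false binds a ClusterRole with write access to all Istio config cluster-wide`.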


@ -0,0 +1,17 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kiali-server.fullname" . }}-controlplane
namespace: {{ include "kiali-server.istio_namespace" . }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kiali-server.fullname" . }}-controlplane
subjects:
- kind: ServiceAccount
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
...


@ -0,0 +1,20 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kiali-server.fullname" . }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- if .Values.deployment.view_only_mode }}
name: {{ include "kiali-server.fullname" . }}-viewer
{{- else }}
name: {{ include "kiali-server.fullname" . }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
...


@ -0,0 +1,30 @@
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
{{- if .Values.deployment.ingress_enabled }}
# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}
annotations:
{{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
{{- end }}
spec:
{{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
{{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
{{- else }}
tls:
termination: reencrypt
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
targetPort: {{ .Values.server.port }}
name: {{ include "kiali-server.fullname" . }}
{{- end }}
...
{{- end }}
{{- end }}
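Review bot: The `hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}` line in the Route template has one closing brace too many; a Go template action ends at the first `}}`, so the extra `}` is emitted as literal text into the rendered manifest whenever override annotations are set, which breaks the YAML. Change it to `{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}`. This template only renders when the cluster advertises `route.openshift.io/v1`, so the defect would not surface on a plain Kubernetes cluster; if this is a verbatim copy of the upstream Kiali chart the fix belongs upstream as well.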


@ -0,0 +1,45 @@
---
apiVersion: v1
kind: Service
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
annotations:
{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret
{{- end }}
{{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }}
{{- if empty .Values.server.web_port }}
kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ default "" .Values.server.web_root }}
{{- else }}
kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{(default "" .Values.server.web_root) }}
{{- end }}
{{- end }}
{{- if .Values.deployment.service_annotations }}
{{- toYaml .Values.deployment.service_annotations | nindent 4 }}
{{- end }}
spec:
{{- if .Values.deployment.service_type }}
type: {{ .Values.deployment.service_type }}
{{- end }}
ports:
{{- if (include "kiali-server.identity.cert_file" .) }}
- name: tcp
{{- else }}
- name: http
{{- end }}
protocol: TCP
port: {{ .Values.server.port }}
{{- if .Values.server.metrics_enabled }}
- name: http-metrics
protocol: TCP
port: {{ .Values.server.metrics_port }}
{{- end }}
selector:
{{- include "kiali-server.selectorLabels" . | nindent 4 }}
{{- if .Values.deployment.additional_service_yaml }}
{{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }}
{{- end }}
...


@ -0,0 +1,9 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kiali-server.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kiali-server.labels" . | nindent 4 }}
...


@ -0,0 +1,82 @@
# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead.
# This is only supported for backward compatibility and will be removed in a future version.
# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali",
# then 'deployment.instance_name' will take the value of 'fullnameOverride' value.
# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used.
fullnameOverride: "kiali"
# This is required for "openshift" auth strategy.
# You have to know ahead of time what your Route URL will be because
# right now the helm chart can't figure this out at runtime (it would
# need to wait for the Kiali Route to be deployed and for OpenShift
# to start it up). If someone knows how to update this helm chart to
# do this, a PR would be welcome.
kiali_route_url: ""
#
# Settings that mimic the Kiali CR which are placed in the ConfigMap.
# Note that only those values used by the Helm Chart will be here.
#
istio_namespace: "" # default is where Kiali is installed
auth:
openid: {}
openshift: {}
strategy: ""
deployment:
# This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
# For more control over what the Kial Service Account can see, use the Kiali Operator
accessible_namespaces:
- "**"
additional_service_yaml: {}
affinity:
node: {}
pod: {}
pod_anti: {}
hpa:
api_version: "autoscaling/v2beta2"
spec: {}
image_name: quay.io/kiali/kiali
image_pull_policy: "Always"
image_pull_secrets: []
image_version: v1.38.1
ingress_enabled: true
instance_name: "kiali"
logger:
log_format: "text"
log_level: "info"
time_field_format: "2006-01-02T15:04:05Z07:00"
sampler_rate: "1"
node_selector: {}
override_ingress_yaml:
metadata: {}
pod_annotations: {}
pod_labels: {}
priority_class_name: ""
replicas: 1
resources: {}
secret_name: "kiali"
service_annotations: {}
service_type: ""
tolerations: []
version_label: v1.38.1
view_only_mode: false
external_services:
custom_dashboards:
enabled: true
identity: {}
#cert_file:
#private_key_file:
login_token:
signing_key: ""
server:
port: 20001
metrics_enabled: true
metrics_port: 9090
web_root: ""


@ -4,18 +4,18 @@ folder: Istio
condition: 'index .Values "istio-discovery" "telemetry" "enabled"'
dashboards:
- name: istio-control-plane
url: https://grafana.com/api/dashboards/7645/revisions/60/download
url: https://grafana.com/api/dashboards/7645/revisions/82/download
tags:
- Istio
- name: istio-mesh
url: https://grafana.com/api/dashboards/7639/revisions/60/download
url: https://grafana.com/api/dashboards/7639/revisions/82/download
tags:
- Istio
- name: istio-service
url: https://grafana.com/api/dashboards/7636/revisions/60/download
url: https://grafana.com/api/dashboards/7636/revisions/82/download
tags:
- Istio
- name: istio-workload
url: https://grafana.com/api/dashboards/7630/revisions/60/download
url: https://grafana.com/api/dashboards/7630/revisions/82/download
tags:
- Istio



@ -0,0 +1,18 @@
{{- if (index .Values "kiali-server" "istio" "enabled") }}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: {{ .Release.Name }}-kiali
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
hosts:
- {{ index .Values "kiali-server" "istio" "url" }}
gateways:
- {{ index .Values "kiali-server" "istio" "gateway" }}
http:
- route:
- destination:
host: kiali
{{- end }}
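Review bot: The `destination: host: kiali` route names no port, but the kiali-server Service added in this commit exposes two ports by default (`server.port` 20001 and `http-metrics` on `server.metrics_port` 9090 while `server.metrics_enabled` is true), and Istio only makes `destination.port` optional when the target service has a single port, so this VirtualService is likely to be flagged as invalid or to route unpredictably. Add `port:` / `number: {{ index .Values "kiali-server" "server" "port" }}` under `destination` so only the UI port is reachable through the gateway and the metrics port stays internal. A one-line comment noting that the short host `kiali` only resolves because the VirtualService is rendered into the same namespace as the Kiali Service would also help the next maintainer.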


@ -0,0 +1,106 @@
{{- if .Values.rateLimiting.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-statsd-exporter-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
data:
config.yaml: |
defaults:
ttl: 1m # Resets the metrics every minute
mappings:
- match:
"ratelimit.service.rate_limit.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
- match:
"ratelimit.service.rate_limit.*.*.*.near_limit"
name: "ratelimit_service_rate_limit_near_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.over_limit"
name: "ratelimit_service_rate_limit_over_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.total_hits"
name: "ratelimit_service_rate_limit_total_hits"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.rate_limit.*.*.*.within_limit"
name: "ratelimit_service_rate_limit_within_limit"
timer_type: "histogram"
labels:
domain: "$1"
key1: "$2"
key2: "$3"
- match:
"ratelimit.service.call.should_rate_limit.*"
name: "ratelimit_service_should_rate_limit_error"
match_metric_type: counter
labels:
err_type: "$1"
- match:
"ratelimit_server.*.total_requests"
name: "ratelimit_service_total_requests"
match_metric_type: counter
labels:
grpc_method: "$1"
- match:
"ratelimit_server.*.response_time"
name: "ratelimit_service_response_time_seconds"
timer_type: histogram
labels:
grpc_method: "$1"
- match:
"ratelimit.service.config_load_success"
name: "ratelimit_service_config_load_success"
match_metric_type: counter
ttl: 3m
- match:
"ratelimit.service.config_load_error"
name: "ratelimit_service_config_load_error"
match_metric_type: counter
ttl: 3m
- match: "."
match_type: "regex"
action: "drop"
name: "dropped"
{{- end }}
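Review bot: The eight `rate_limit.*` mappings set `timer_type: "histogram"` but no `match_metric_type`; by their names these are hit counters, and in statsd_exporter `timer_type` only affects timer-typed metrics, so if the ratelimit service emits them as counters the setting is inert and `match_metric_type: counter` (already used for `total_requests` below) would state the intent and make the exporter reject a type mismatch. The second group of four mappings differs from the first only by the extra `key2: "$3"` label; a one-line comment above it such as `# same metrics for two-level descriptors (key1.key2)` saves the reader a diff by eye. The trailing catch-all (`match: "."`, `match_type: "regex"`, `action: "drop"`) deliberately discards everything unmapped, which deserves a comment since it also silences any metric a future ratelimit image adds.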


@ -0,0 +1,19 @@
{{- if .Values.rateLimiting.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: ratelimit-config
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
data:
ingress.yaml: |
domain: ingress
descriptors:
{{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }}
private-ingress.yaml: |
domain: private-ingress
descriptors:
{{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }}
{{- end }}
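Review bot: `toYaml ... | nindent 4` places the descriptor list items at the same column as the `descriptors:` key inside the block scalar; that is valid YAML (flush sequence style) but the rest of this commit indents sequences, and `nindent 6` gives the conventional layout. If `rateLimiting.descriptors.ingress` or `.privateIngress` is unset, `toYaml` renders `null` and the file becomes `descriptors: null`; wrapping the value in `required` (or an `{{- if }}` guard) gives a clear template error instead of leaving the ratelimit service to interpret an empty descriptor set. The `domain:` values `ingress` and `private-ingress` must match the `domain:` of the two EnvoyFilters added in this commit; a comment such as `# domain must match the ratelimit filter's domain in the EnvoyFilter` records that coupling.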


@ -0,0 +1,116 @@
{{- if .Values.rateLimiting.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-ratelimit
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
domain: ingress
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
timeout: 0.5s
rate_limit_service:
grpc_service:
envoy_grpc:
cluster_name: rate_limit_cluster
transport_api_version: V3
- applyTo: CLUSTER
match:
cluster:
service: ratelimit.default.svc.cluster.local
patch:
operation: ADD
value:
name: rate_limit_cluster
type: STRICT_DNS
connect_timeout: 0.5s
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
load_assignment:
cluster_name: rate_limit_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: ratelimit.istio-system
port_value: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-ratelimit
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: HTTP_FILTER
match:
context: GATEWAY
listener:
filterChain:
filter:
name: "envoy.filters.network.http_connection_manager"
subFilter:
name: "envoy.filters.http.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.filters.http.ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
domain: private-ingress
failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }}
timeout: 0.5s
rate_limit_service:
grpc_service:
envoy_grpc:
cluster_name: rate_limit_cluster
transport_api_version: V3
- applyTo: CLUSTER
match:
cluster:
service: ratelimit.default.svc.cluster.local
patch:
operation: ADD
value:
name: rate_limit_cluster
type: STRICT_DNS
connect_timeout: 0.5s
lb_policy: ROUND_ROBIN
http2_protocol_options: {}
load_assignment:
cluster_name: rate_limit_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: ratelimit.istio-system
port_value: 8081
{{- end }}
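Review bot: The CLUSTER patch hard-codes `address: ratelimit.istio-system` in both filters while every other object in this commit uses `{{ .Release.Namespace }}`; if the chart is installed into another namespace the gateway's rate limit cluster resolves to nothing, and because `failureModeDeny` defaults to `false` in values.yaml the result is not an outage but silently unlimited traffic, so use `address: ratelimit.{{ .Release.Namespace }}.svc.cluster.local` at both `socket_address` blocks. The `match: cluster: service: ratelimit.default.svc.cluster.local` looks carried over from the upstream example — no such service exists in this chart — and a comment stating whether that match is consulted at all for `operation: ADD` would stop the next reader from "fixing" it. The two EnvoyFilters differ only in name, workload selector and domain, so a `range` over a two-entry list removes roughly 55 duplicated lines, as sketched below. I do not see the route-level `rate_limits` actions that would produce the `remote_address` descriptor anywhere in this commit; if they live in the gateway charts, a comment pointing there would help.
```yaml
{{- if .Values.rateLimiting.enabled }}
{{- range $gw := list (dict "selector" "ingressgateway" "domain" "ingress") (dict "selector" "private-ingressgateway" "domain" "private-ingress") }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: {{ $gw.selector }}-ratelimit
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "kubezero-lib.labels" $ | nindent 4 }}
spec:
  workloadSelector:
    labels:
      istio: {{ $gw.selector }}
  configPatches:
  # … unchanged: HTTP_FILTER patch, with `domain: {{ $gw.domain }}` and `failure_mode_deny: {{ $.Values.rateLimiting.failureModeDeny }}` …
  # … unchanged: CLUSTER patch, with `address: ratelimit.{{ $.Release.Namespace }}.svc.cluster.local` …
{{- end }}
{{- end }}
```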


@ -0,0 +1,154 @@
{{- if .Values.rateLimiting.enabled }}
apiVersion: v1
kind: Service
metadata:
name: ratelimit-redis
namespace: {{ .Release.Namespace }}
labels:
app: ratelimit-redis
spec:
ports:
- name: redis
port: 6379
selector:
app: ratelimit-redis
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratelimit-redis
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: ratelimit-redis
template:
metadata:
labels:
app: ratelimit-redis
spec:
containers:
- image: redis:6-alpine
imagePullPolicy: IfNotPresent
name: redis
ports:
- name: redis
containerPort: 6379
restartPolicy: Always
serviceAccountName: ""
---
apiVersion: v1
kind: Service
metadata:
name: ratelimit
namespace: {{ .Release.Namespace }}
labels:
app: ratelimit
spec:
ports:
#- name: http-port
# port: 8080
# targetPort: 8080
# protocol: TCP
- name: grpc-port
port: 8081
targetPort: 8081
protocol: TCP
#- name: http-debug
# port: 6070
# targetPort: 6070
# protocol: TCP
- name: http-monitoring
port: 9102
targetPort: 9102
protocol: TCP
selector:
app: ratelimit
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ratelimit
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: ratelimit
strategy:
type: Recreate
template:
metadata:
labels:
app: ratelimit
spec:
containers:
- image: envoyproxy/ratelimit:b42701cb # 2021/08/12
imagePullPolicy: IfNotPresent
name: ratelimit
command: ["/bin/ratelimit"]
env:
- name: LOG_LEVEL
value: {{ default "WARN" .Values.rateLimiting.log.level }}
- name: LOG_FORMAT
value: {{ default "text" .Values.rateLimiting.log.format }}
- name: REDIS_SOCKET_TYPE
value: tcp
- name: REDIS_URL
value: ratelimit-redis:6379
- name: USE_STATSD
value: "true"
- name: STATSD_HOST
value: "localhost"
- name: STATSD_PORT
value: "9125"
- name: RUNTIME_ROOT
value: /data
- name: RUNTIME_SUBDIRECTORY
value: ratelimit
- name: RUNTIME_WATCH_ROOT
value: "false"
- name: RUNTIME_IGNOREDOTFILES
value: "true"
- name: LOCAL_CACHE_SIZE_IN_BYTES
value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}"
ports:
#- containerPort: 8080
- containerPort: 8081
#- containerPort: 6070
volumeMounts:
- name: ratelimit-config
mountPath: /data/ratelimit/config
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 1
memory: 256Mi
- name: statsd-exporter
image: docker.io/prom/statsd-exporter:v0.21.0
imagePullPolicy: Always
args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
ports:
- containerPort: 9125
# - containerPort: 9102
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
cpu: 200m
memory: 64Mi
volumeMounts:
- name: statsd-exporter-config
mountPath: /etc/statsd-exporter
volumes:
- name: ratelimit-config
configMap:
name: ratelimit-config
- name: statsd-exporter-config
configMap:
name: ratelimit-statsd-exporter-config
{{- end }}
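Review bot: Neither `ratelimit-redis` nor `ratelimit` is restricted to its intended clients: Redis on 6379 holds the live counters and is exposed with no authentication configured to any pod that can reach the namespace, and the gRPC port 8081 answers limit checks from anyone, so a NetworkPolicy or Istio AuthorizationPolicy limiting 6379 to the `app: ratelimit` pods and 8081 to the gateway workloads keeps a compromised workload from resetting or inflating counters. `LOG_LEVEL` and `LOG_FORMAT` are rendered unquoted (`value: {{ default "WARN" .Values.rateLimiting.log.level }}`) while `LOCAL_CACHE_SIZE_IN_BYTES` is quoted; `| quote` on both keeps a value such as `level: 0` from failing validation as a non-string env value. The `statsd-exporter` container uses `imagePullPolicy: Always` on a pinned tag while the ratelimit container uses `IfNotPresent` on a commit tag; for pinned images `IfNotPresent` plus a digest (`image: docker.io/prom/statsd-exporter:v0.21.0@sha256:<digest>`) makes pulls reproducible and removes the registry from the pod start path. The Redis container also has no `resources` block and `serviceAccountName: ""`, unlike the two containers in the ratelimit pod.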


@ -0,0 +1,17 @@
{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: istio-rate-limiting
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
jobLabel: istio
targetLabels: [app]
selector:
matchExpressions:
- {key: app, operator: In, values: [ratelimit]}
endpoints:
- port: http-monitoring
{{- end }}
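Review bot: The selector spells a single-label match as `matchExpressions: - {key: app, operator: In, values: [ratelimit]}`; `matchLabels:` with `app: ratelimit` beneath it says the same thing in block style and mirrors the Service's own selector. The `and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled` gate deserves a one-line comment, e.g. `# needs the ServiceMonitor CRD, so only rendered when istio telemetry is enabled`, if that is indeed the reason, because it is not visible from this file alone.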


@ -5,7 +5,7 @@ metadata:
name: istio-component-monitor
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
{{- include "kubezero-lib.labels" . | nindent 4 }}
spec:
jobLabel: istio
targetLabels: [app]


@ -4,7 +4,8 @@ set -ex
### TODO
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
export ISTIO_VERSION=1.10.3
export ISTIO_VERSION=1.11.1
export KIALI_VERSION=1.38.1
rm -rf istio
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
@ -12,8 +13,11 @@ mv istio-${ISTIO_VERSION} istio
# remove unused old telemetry filters
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
# Patch
#exit 0
#diff -tubr istio istio.zdt/
patch -p0 -i zdt.patch --no-backup-if-mismatch
### Create kubezero istio charts
@ -38,3 +42,7 @@ sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio
# Fetch dashboards from Grafana.com and update ZDT CM
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
# Kiali
rm -rf charts/kiali-server
curl -sL https://github.com/kiali/helm-charts/blob/master/docs/kiali-server-${KIALI_VERSION}.tgz?raw=true | tar xz -C charts
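Review bot: The new Kiali fetch pipes `curl -sL` straight into `tar xz` with no integrity check, after `rm -rf charts/kiali-server` has already removed the previous chart; the Istio fetch above has the same shape, but this line additionally pulls from a `blob/master` URL with `?raw=true`, i.e. a mutable branch rather than a release asset. Since `set -e` (visible in the first hunk header) only sees the exit status of `tar`, use `curl -sSfL` so a 404 page is not fed to tar, download to a file first, and verify it against a checksum kept in this repo (`sha256sum -c <checksum file>`; none is recorded yet) before extracting. The `# Patch` / `#exit 0` / `#diff -tubr istio istio.zdt/` lines in the second hunk read as a debugging aid left in; a comment saying that `diff -tubr istio istio.zdt/` is how `zdt.patch` is regenerated would turn them into documentation.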


@ -1,6 +1,6 @@
global:
# hub: docker.io/istio
# tag: 1.10.2
# tag: 1.11.0
logAsJson: true
@ -39,3 +39,56 @@ istio-discovery:
tcpKeepalive:
interval: 60s
time: 120s
kiali-server:
enabled: false
auth:
strategy: anonymous
deployment:
ingress_enabled: false
view_only_mode: true
server:
metrics_enabled: false
external_services:
custom_dashboards:
enabled: false
prometheus:
url: "http://metrics-kube-prometheus-st-prometheus.monitoring:9090"
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway
#url: "kiali.example.com"
rateLimiting:
enabled: true
log:
level: warn
format: json
# 1MB local cache for already reached limits to reduce calls to Redis
localCacheSize: 1048576
# Wether to block requests if ratelimiting is down
failureModeDeny: false
# rate limit descriptors for each domain, examples 10 req/s per sourceIP
descriptors:
ingress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
privateIngress:
- key: remote_address
rate_limit:
unit: second
requests_per_unit: 10
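Review bot: `kiali-server.auth.strategy: anonymous` together with the new `istio` block means that, once `istio.enabled` is flipped on, Kiali's whole mesh view is reachable with no login through whatever `gateway` names; the default `istio-ingress/private-ingressgateway` and `view_only_mode: true` are what keep that acceptable, and the dependency should be written down above `strategy: anonymous`, e.g. `# no login: only acceptable while Kiali stays behind the private ingress (see istio.gateway); switch to token/openid before exposing it publicly`. `rateLimiting.enabled: true` with `remote_address` descriptors at 10 req/s only limits per client if the gateway sees the real client address; behind a load balancer without proxy protocol or trusted XFF every client shares one bucket and the limit becomes a global 10 req/s, which is worth a comment next to `key: remote_address`. `failureModeDeny: false` means a failing or unreachable ratelimit service fails open, which the comment should state explicitly; `Wether` in that comment is a typo for `Whether`.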


@ -1,7 +1,27 @@
diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-20 12:20:04.401862116 +0200
@@ -17,6 +17,8 @@
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
--- istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-08-10 15:49:57.298616463 +0200
@@ -21,11 +21,16 @@
{{- end }}
{{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
{{- range $key, $val := $nodeSelector }}
+ {{- if eq $val "Exists" }}
+ - key: {{ $key }}
+ operator: Exists
+ {{- else }}
- key: {{ $key }}
operator: In
values:
- {{ $val | quote }}
{{- end }}
+ {{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200
@@ -16,6 +16,8 @@
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
@ -10,7 +30,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
{{- end }}
selector:
matchLabels:
@@ -69,6 +71,7 @@
@@ -65,6 +67,7 @@
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
@ -18,7 +38,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
{{- if .Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
@@ -140,6 +143,11 @@
@@ -136,6 +139,11 @@
privileged: false
readOnlyRootFilesystem: true
{{- end }}
@ -30,9 +50,24 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya
readinessProbe:
failureThreshold: 30
httpGet:
diff -turN istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200
+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-19 21:55:45.461749267 +0200
diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/service.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml
--- istio/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-08-10 19:58:01.037876557 +0200
@@ -34,9 +34,11 @@
{{- range $key, $val := $gateway.ports }}
-
{{- range $pkey, $pval := $val }}
+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
+ {{- end }}
{{ range $app := $gateway.ingressPorts }}
-
diff -tubr istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200
+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200
@@ -60,6 +60,11 @@
{{- end }}
securityContext: