From 1839e9bcdbb449124e101122f04248885edbf975 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Wed, 25 Aug 2021 15:58:55 +0200 Subject: [PATCH] feat: Istio RateLimiting, Version bump to 1.11.1, Kiali support --- charts/kubezero-istio-ingress/Chart.yaml | 10 +- charts/kubezero-istio-ingress/README.md | 30 +- .../charts/istio-ingress/Chart.yaml | 2 +- .../istio-ingress/templates/_affinity.tpl | 12 + .../istio-ingress/templates/deployment.yaml | 25 - .../istio-ingress/templates/service.yaml | 2 + .../charts/istio-ingress/values.yaml | 2 +- .../charts/istio-private-ingress/Chart.yaml | 2 +- .../templates/_affinity.tpl | 12 + .../templates/deployment.yaml | 25 - .../templates/service.yaml | 2 + .../charts/istio-private-ingress/values.yaml | 2 +- .../templates/_gateway.tpl | 42 + .../templates/envoyfilter-keepalive-nlb.yaml | 4 +- .../templates/ingress-gateway.yaml | 107 +- .../templates/ingress-private-gateway.yaml | 19 + charts/kubezero-istio-ingress/values.yaml | 61 +- charts/kubezero-istio/.helmignore | 3 +- charts/kubezero-istio/Chart.yaml | 14 +- charts/kubezero-istio/README.md | 27 +- charts/kubezero-istio/charts/base/Chart.yaml | 2 +- .../charts/base/crds/crd-all.gen.yaml | 587 +++------ .../charts/base/files/gen-istio-cluster.yaml | 654 +++------- .../charts/base/templates/clusterrole.yaml | 8 + .../base/templates/clusterrolebinding.yaml | 5 + .../charts/base/templates/endpoints.yaml | 2 +- .../base/templates/reader-serviceaccount.yaml | 16 + .../charts/base/templates/role.yaml | 5 + .../charts/base/templates/rolebinding.yaml | 5 + .../charts/base/templates/serviceaccount.yaml | 21 +- .../charts/base/templates/services.yaml | 2 +- .../validatingwebhookconfiguration.yaml | 40 - .../charts/istio-discovery/Chart.yaml | 2 +- .../charts/istio-discovery/NOTES.txt | 5 +- .../files/gateway-injection-template.yaml | 29 - .../istio-discovery/files/gen-istio.yaml | 1058 ++++++++++++++++- .../istio-discovery/files/grpc-agent.yaml | 234 ++++ .../istio-discovery/files/grpc-simple.yaml | 58 + .../files/injection-template.yaml | 38 +- 
.../templates/clusterrole.yaml | 112 ++ .../templates/clusterrolebinding.yaml | 15 + .../istio-discovery/templates/configmap.yaml | 4 +- .../istio-discovery/templates/deployment.yaml | 2 +- .../templates/istiod-injector-configmap.yaml | 8 + .../templates/mutatingwebhook.yaml | 60 +- .../templates/reader-clusterrole.yaml | 48 + .../templates/reader-clusterrolebinding.yaml | 15 + .../templates/revision-tags.yaml | 6 +- .../istio-discovery/templates/role.yaml | 20 + .../templates/rolebinding.yaml | 16 + .../templates/serviceaccount.yaml | 15 + ...etryv2_1.10.yaml => telemetryv2_1.11.yaml} | 53 +- .../validatingwebhookconfiguration.yaml | 86 ++ .../charts/istio-discovery/values.yaml | 28 +- .../charts/kiali-server/Chart.yaml | 20 + .../charts/kiali-server/templates/NOTES.txt | 5 + .../kiali-server/templates/_helpers.tpl | 143 +++ .../kiali-server/templates/cabundle.yaml | 13 + .../kiali-server/templates/configmap.yaml | 25 + .../kiali-server/templates/deployment.yaml | 165 +++ .../charts/kiali-server/templates/hpa.yaml | 17 + .../kiali-server/templates/ingress.yaml | 56 + .../charts/kiali-server/templates/oauth.yaml | 17 + .../templates/role-controlplane.yaml | 15 + .../kiali-server/templates/role-viewer.yaml | 89 ++ .../charts/kiali-server/templates/role.yaml | 99 ++ .../templates/rolebinding-controlplane.yaml | 17 + .../kiali-server/templates/rolebinding.yaml | 20 + .../charts/kiali-server/templates/route.yaml | 30 + .../kiali-server/templates/service.yaml | 45 + .../templates/serviceaccount.yaml | 9 + .../charts/kiali-server/values.yaml | 82 ++ charts/kubezero-istio/dashboards.yaml | 8 +- .../templates/grafana-dashboards.yaml | 8 +- .../templates/kiali/istio-service.yaml | 18 + .../ratelimit/config-statds-exporter.yaml | 106 ++ .../templates/ratelimit/config.yaml | 19 + .../ratelimit/envoyfilter-cluster.yaml | 116 ++ .../ratelimit/rate-limit-service.yaml | 154 +++ .../templates/ratelimit/servicemonitor.yaml | 17 + .../templates/servicemonitor.yaml | 2 +- 
charts/kubezero-istio/update.sh | 10 +- charts/kubezero-istio/values.yaml | 55 +- charts/kubezero-istio/zdt.patch | 53 +- 84 files changed, 3709 insertions(+), 1386 deletions(-) create mode 100644 charts/kubezero-istio-ingress/templates/_gateway.tpl create mode 100644 charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/role.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml rename charts/kubezero-istio/charts/istio-discovery/templates/{telemetryv2_1.10.yaml => telemetryv2_1.11.yaml} (96%) create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/Chart.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml 
create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/role.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/route.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/service.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml create mode 100644 charts/kubezero-istio/charts/kiali-server/values.yaml create mode 100644 charts/kubezero-istio/templates/kiali/istio-service.yaml create mode 100644 charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml create mode 100644 charts/kubezero-istio/templates/ratelimit/config.yaml create mode 100644 charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml create mode 100644 charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml create mode 100644 charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index 9905182..58476e2 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml 
@@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.6.1 -appVersion: 1.10.3 +version: 0.7.2 +appVersion: 1.11.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -13,12 +13,12 @@ maintainers: - name: Quarky9 dependencies: - name: kubezero-lib - version: ">= 0.1.3" + version: ">= 0.1.4" repository: https://zero-down-time.github.io/kubezero/ - name: istio-ingress - version: 1.10.3 + version: 1.11.1 condition: istio-ingress.enabled - name: istio-private-ingress - version: 1.10.3 + version: 1.11.1 condition: istio-private-ingress.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md index 5ba6c9f..b46c21a 100644 --- a/charts/kubezero-istio-ingress/README.md +++ b/charts/kubezero-istio-ingress/README.md @@ -1,6 +1,6 @@ # kubezero-istio-ingress -![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) +![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.0](https://img.shields.io/badge/AppVersion-1.11.0-informational?style=flat-square) KubeZero Umbrella Chart for Istio based Ingress @@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | istio-ingress | 1.10.2 | -| | istio-private-ingress | 1.10.2 | +| | istio-ingress | 1.11.0 | +| | istio-private-ingress | 1.11.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values 
@@ -41,26 +41,28 @@ Kubernetes: `>= 1.18.0` | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | | istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | | istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | -| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | | +| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | | | istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | | istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | | | istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | | istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | | | istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | | istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | | istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | | | 
istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | | istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | | istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | | istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | | | istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | | istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | | istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | | istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | | istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | @@ -69,7 +71,7 @@ Kubernetes: `>= 1.18.0` | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-ingress.proxyProtocol | bool | `false` | | +| istio-ingress.proxyProtocol | bool | `true` | | | istio-ingress.telemetry.enabled | bool | `false` | | | istio-private-ingress.certificates[0].dnsNames | list | `[]` | | | istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | | 
@@ -83,26 +85,28 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | | +| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | | | istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | | istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | | 
istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | @@ -111,7 +115,7 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-private-ingress.proxyProtocol | bool | `false` | | +| istio-private-ingress.proxyProtocol | bool | `true` | | | istio-private-ingress.telemetry.enabled | bool | `false` | | ## Resources 
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml index 0c7fc03..ea2d15d 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-ingress -version: 1.10.3 +version: 1.11.1 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl index cb6a91c..f958a95 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl @@ -21,11 +21,16 @@ nodeAffinity: {{- end }} {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} {{- range $key, $val := $nodeSelector }} + {{- if eq $val "Exists" }} + - key: {{ $key }} + operator: Exists + {{- else }} - key: {{ $key }} operator: In values: - {{ $val | quote }} {{- end }} + {{- end }} {{- end }} {{- define "nodeAffinityPreferredDuringScheduling" }} @@ -70,6 +75,13 @@ nodeAffinity: {{- end }} {{- end }} topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml index c7435d0..9ce9008 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml 
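Review bot: `{{- if eq $val "Exists" }}` in the first `_affinity.tpl` hunk compares the nodeSelector value with a string, and Go's `eq` reports an incompatible-types error instead of returning false when `$val` is a non-string scalar (an unquoted number in values.yaml, for instance), so the whole render would abort; `{{- if eq (toString $val) "Exists" }}` keeps the sentinel check for any scalar. The same hunk is applied to `charts/istio-private-ingress/templates/_affinity.tpl` and wants the same fix. Since `Exists` is a chart-level sentinel that never becomes a label value, a one-line `{{- /* the value "Exists" selects operator Exists instead of In, see values.yaml */ }}` above the `if` would save the next reader a trip to the README. The enclosing define starts before the hunk.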
@@ -125,8 +125,6 @@ spec: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - - --serviceCluster - - {{ $gateway.name }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} @@ -200,14 +198,6 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME value: {{ $gateway.name }} - name: ISTIO_META_OWNER @@ -240,11 +230,6 @@ spec: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} -{{- if $gateway.podAnnotations }} - - name: "ISTIO_METAJSON_ANNOTATIONS" - value: | -{{ toJson $gateway.podAnnotations | indent 16}} -{{ end }} - name: ISTIO_META_CLUSTER_ID value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" volumeMounts: @@ -301,16 +286,6 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m - name: istio-envoy emptyDir: {} - name: istio-data diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml index a3b97be..e3893c5 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml 
@@ -34,9 +34,11 @@ spec: {{- range $key, $val := $gateway.ports }} - {{- range $pkey, $pval := $val }} + {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} {{ $pkey}}: {{ $pval }} {{- end }} {{- end }} + {{- end }} {{ range $app := $gateway.ingressPorts }} - diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml index 22bdc65..e6bbfbb 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -165,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.10.3 + tag: 1.11.1 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml index e5f551f..2f186fc 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-private-ingress -version: 1.10.3 +version: 1.11.1 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl index cb6a91c..f958a95 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl 
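Review bot: The new `{{- if has $pkey (list "name" "nodePort" "port" "targetPort") }}` whitelist silently drops every other port key — `protocol`, which the values used to set, as well as the new `noGateway`, `gatewayProtocol` and `tls` — and nothing in the template says that this is deliberate; a `{{- /* copy only Service port fields; noGateway, gatewayProtocol and tls are consumed by the Gateway template */ }}` line above the `if` would make that explicit. The identical hunk in `charts/istio-private-ingress/templates/service.yaml` wants the same comment. Leaving `protocol` out relies on the Kubernetes default of TCP, which is worth stating in that comment too.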
@@ -21,11 +21,16 @@ nodeAffinity: {{- end }} {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} {{- range $key, $val := $nodeSelector }} + {{- if eq $val "Exists" }} + - key: {{ $key }} + operator: Exists + {{- else }} - key: {{ $key }} operator: In values: - {{ $val | quote }} {{- end }} + {{- end }} {{- end }} {{- define "nodeAffinityPreferredDuringScheduling" }} @@ -70,6 +75,13 @@ nodeAffinity: {{- end }} {{- end }} topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml index c7435d0..9ce9008 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -125,8 +125,6 @@ spec: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - - --serviceCluster - - {{ $gateway.name }} {{- if .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }} {{- end }} @@ -200,14 +198,6 @@ spec: valueFrom: fieldRef: fieldPath: spec.serviceAccountName - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: ISTIO_META_WORKLOAD_NAME value: {{ $gateway.name }} - name: ISTIO_META_OWNER 
@@ -240,11 +230,6 @@ spec: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} -{{- if $gateway.podAnnotations }} - - name: "ISTIO_METAJSON_ANNOTATIONS" - value: | -{{ toJson $gateway.podAnnotations | indent 16}} -{{ end }} - name: ISTIO_META_CLUSTER_ID value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" volumeMounts: @@ -301,16 +286,6 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m - name: istio-envoy emptyDir: {} - name: istio-data diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml index a3b97be..e3893c5 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml @@ -34,9 +34,11 @@ spec: {{- range $key, $val := $gateway.ports }} - {{- range $pkey, $pval := $val }} + {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} {{ $pkey}}: {{ $pval }} {{- end }} {{- end }} + {{- end }} {{ range $app := $gateway.ingressPorts }} - diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml index 22bdc65..e6bbfbb 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml @@ -165,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.10.3 + tag: 1.11.1 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. 
diff --git a/charts/kubezero-istio-ingress/templates/_gateway.tpl b/charts/kubezero-istio-ingress/templates/_gateway.tpl
new file mode 100644
index 0000000..4fcf028
--- /dev/null
+++ b/charts/kubezero-istio-ingress/templates/_gateway.tpl
@@ -0,0 +1,42 @@
+{{- define "gatewayServers" }}
+
+{{- range $port := .ports }}
+{{- if not $port.noGateway }}
+
+{{- $eachCert := false }}
+{{- if $port.tls }}
+{{- if not $port.tls.httpsRedirect }}
+{{- $eachCert = true }}
+{{- end }}
+{{- end }}
+
+{{- if $eachCert }}
+{{- range $cert := $.certificates }}
+- port:
+ number: {{ $port.port }}
+ name: {{ $port.name }}
+ protocol: {{ default "TCP" $port.gatewayProtocol }}
+ tls:
+ credentialName: {{ $cert.name }}
+ {{- toYaml $port.tls | nindent 4 }}
+ hosts:
+ {{- toYaml $cert.dnsNames | nindent 2 }}
+{{- end }}
+{{- else }}
+- port:
+ number: {{ $port.port }}
+ name: {{ $port.name }}
+ protocol: {{ default "TCP" $port.gatewayProtocol }}
+ {{- with $port.tls }}
+ tls:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ hosts:
+ {{- range $cert := $.certificates }}
+ {{- toYaml $cert.dnsNames | nindent 2 }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
index d72d34a..6f05a12 100644
--- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml
@@ -5,7 +5,7 @@ metadata:
 name: ingressgateway-listener-tcp-keepalive
 namespace: {{ .Release.Namespace }}
 labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
+ {{- include "kubezero-lib.labels" . | nindent 4 }}
 spec:
 workloadSelector:
 labels:
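Review bot: `gatewayServers` has no comment describing its contract even though two templates now depend on it; a header before `{{- define "gatewayServers" }}` should state that the caller passes a dict with `certificates` and `ports`, that a port with `noGateway: true` is skipped, that a port whose `tls` lacks `httpsRedirect` yields one server per certificate with that certificate's `credentialName` and `dnsNames`, and that every other port yields a single server listing all certificates' `dnsNames`. Two consequences of the code belong in that comment: `protocol` falls back to `TCP` when `gatewayProtocol` is unset, so a port with `tls` but no `gatewayProtocol` renders as a TCP server carrying a tls block, and the per-certificate branch writes `credentialName` before `toYaml $port.tls`, so a `credentialName` given in values would duplicate the key. Because the tls block is passed through verbatim, the HTTPS servers get Istio's default minimum TLS version unless values supply one, e.g. `tls: {mode: SIMPLE, minProtocolVersion: TLSV1_2}`; that is worth a line in values.yaml.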
@@ -43,7 +43,7 @@ metadata: name: private-ingressgateway-listener-tcp-keepalive namespace: {{ .Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: workloadSelector: labels: diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml index 64d9b34..d8d859b 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml @@ -1,4 +1,7 @@ -{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }} +# Public Ingress Gateway +{{- $gateway := index .Values "istio-ingress" }} + +{{- if and $gateway.enabled $gateway.certificates }} # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts apiVersion: networking.istio.io/v1beta1 
@@ -7,108 +10,10 @@ metadata: name: ingressgateway namespace: {{ .Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: selector: istio: ingressgateway servers: - - port: - number: 80 - name: http - protocol: HTTP2 - hosts: - {{- range $cert := (index .Values "istio-ingress" "certificates") }} - {{- toYaml $cert.dnsNames | nindent 4 }} - {{- end }} - tls: - httpsRedirect: true - {{- range $cert := (index .Values "istio-ingress" "certificates") }} - - port: - number: 443 - name: https - protocol: HTTPS - hosts: - {{- toYaml $cert.dnsNames | nindent 4 }} - tls: - mode: SIMPLE - credentialName: {{ $cert.name }} - {{- end }} -{{- end }} - -{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }} ---- -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - name: private-ingressgateway - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . 
| indent 4 }} -spec: - selector: - istio: private-ingressgateway - servers: - - port: - number: 80 - name: http - protocol: HTTP2 - hosts: - {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} - {{- toYaml $certs.dnsNames | nindent 4 }} - {{- end }} - tls: - httpsRedirect: true - # All SSL hosts one entry per ingress-certificate - {{- range $cert := (index .Values "istio-private-ingress" "certificates") }} - - port: - number: 443 - name: https - protocol: HTTPS - hosts: - {{- toYaml $cert.dnsNames | nindent 4 }} - tls: - mode: SIMPLE - credentialName: {{ $cert.name }} - - port: - number: 24224 - name: fluentd-forward - protocol: TLS - hosts: - {{- toYaml $cert.dnsNames | nindent 4 }} - tls: - mode: SIMPLE - credentialName: {{ $cert.name }} - {{- end }} - - port: - number: 5672 - name: amqp - protocol: TCP - hosts: - {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} - {{- toYaml $certs.dnsNames | nindent 4 }} - {{- end }} - - port: - number: 5671 - name: amqps - protocol: TCP - hosts: - {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} - {{- toYaml $certs.dnsNames | nindent 4 }} - {{- end }} - - port: - number: 6379 - name: redis - protocol: TCP - hosts: - {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} - {{- toYaml $certs.dnsNames | nindent 4 }} - {{- end }} - - port: - number: 6380 - name: redis-1 - protocol: TCP - hosts: - {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} - {{- toYaml $certs.dnsNames | nindent 4 }} - {{- end }} + {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}} {{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml new file mode 100644 index 0000000..6ee25df --- /dev/null 
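Review bot: The private Gateway's fixed servers for `fluentd-forward` (TLS), `amqp`, `amqps`, `redis` and `redis-1` are dropped in this hunk and both Gateways are now rendered from `gateways.istio-ingressgateway.ports`, where, as far as the values.yaml hunks in this commit show, only `fluentd-forward` and `amqps` remain as commented-out entries; an existing installation therefore stops exposing those listeners on upgrade without any notice. A line in the README or a `# NOTE: additional Gateway servers (amqp, redis, ...) must now be declared as ports with gatewayProtocol/tls` comment next to the private `ports` list would make the migration step visible. Whether dropping them is intended cannot be told from the diff.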
+++ b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml @@ -0,0 +1,19 @@ +# Private Ingress Gateway +{{- $gateway := index .Values "istio-private-ingress" }} + +{{- if and $gateway.enabled $gateway.certificates }} +# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts + +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: private-ingressgateway + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + selector: + istio: private-ingressgateway + servers: + {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}} +{{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml index 5e83d22..062331a 100644 --- a/charts/kubezero-istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/values.yaml @@ -1,7 +1,7 @@ # Make sure these values match kuberzero-istio !!! global: #hub: docker.io/istio - #tag: 1.10.2 + #tag: 1.11.0 logAsJson: true 
@@ -50,31 +50,50 @@ istio-ingress: mountPath: /etc/istio/custom-bootstrap configMapName: istio-gateway-bootstrap-config - # The node selector is normally the list of nodeports, see CloudBender + # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch nodeSelector: - node.kubernetes.io/ingress.public: "30080_30443" + node.kubernetes.io/ingress.public: "Exists" + # Only nodes who are fronted with matching NLB + #affintiy: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node.kubernetes.io/ingress.public + # operator: Exists + + # Map port 80/443 to 8080/8443 so we don't need to root + + # ports is extended as follows: + # noGateway: true -> this port does NOT get mapped to a Gateway port + # tls: optional gateway port setting + # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! ports: - name: status-port port: 15021 nodePort: 30021 - protocol: TCP + noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 30080 - protocol: TCP + gatewayProtocol: HTTP2 + tls: + httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 30443 - protocol: TCP + gatewayProtocol: HTTPS + tls: + mode: SIMPLE certificates: - name: ingress-cert dnsNames: [] # - '*.example.com' - proxyProtocol: false + proxyProtocol: true meshConfig: defaultConfig: 
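Review bot: The commented-out affinity block at the top of the hunk spells the key `affintiy:`, so anyone who uncomments it as written gets a silently ignored value rather than a node affinity; the same misspelling is in the `istio-private-ingress` hunk below, and `Procotol` in the ports comment should read `Protocol`. Flipping `proxyProtocol` to `true` (here and in the `@@ -160,7 +195,7 @@` hunk for the private ingress) makes the listener expect a PROXY header from the NLB, and the rate limiting this commit adds keys on `remote_address`, so the limits are only per-client when the NLB really sends proxy protocol. Since a PROXY header is trusted from whatever reaches the listener, this setting should go together with keeping the NodePorts (30080/30443) reachable only from the NLB. A one-line comment above the value would make the dependency explicit: `# must match the NLB's proxy protocol setting; client IPs (and the remote_address rate limits) are wrong otherwise`.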
@@ -124,27 +143,43 @@ istio-private-ingress: mountPath: /etc/istio/custom-bootstrap configMapName: istio-gateway-bootstrap-config + # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch nodeSelector: - node.kubernetes.io/ingress.private: "31080_31443" - #nodeSelector: "31080_31443_31671_31672_31224" + node.kubernetes.io/ingress.private: "Exists" + # Only nodes who are fronted with matching NLB + #affintiy: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node.kubernetes.io/ingress.private + # operator: Exists + ports: - name: status-port port: 15021 nodePort: 31021 - protocol: TCP + noGateway: true - name: http2 port: 80 targetPort: 8080 nodePort: 31080 - protocol: TCP + gatewayProtocol: HTTP2 + tls: + httpsRedirect: true - name: https port: 443 targetPort: 8443 nodePort: 31443 - protocol: TCP + gatewayProtocol: HTTPS + tls: + mode: SIMPLE #- name: fluentd-forward # port: 24224 # nodePort: 31224 + # gatewayProtocol: TLS + # tls: + # mode: SIMPLE #- name: amqps # port: 5671 # nodePort: 31671 @@ -160,7 +195,7 @@ istio-private-ingress: dnsNames: [] #- '*.example.com' - proxyProtocol: false + proxyProtocol: true meshConfig: defaultConfig: diff --git a/charts/kubezero-istio/.helmignore b/charts/kubezero-istio/.helmignore index aef2d38..be6d0ce 100644 --- a/charts/kubezero-istio/.helmignore +++ b/charts/kubezero-istio/.helmignore @@ -28,4 +28,5 @@ README.md.gotmpl *.py istioctl -istio-?.?.? +istio +istio.zdt diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index ec52659..256f854 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml 
@@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.6.1 -appVersion: 1.10.3 +version: 0.7.2 +appVersion: 1.11.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -13,10 +13,14 @@ maintainers: - name: Quarky9 dependencies: - name: kubezero-lib - version: ">= 0.1.3" + version: ">= 0.1.4" repository: https://zero-down-time.github.io/kubezero/ - name: base - version: 1.10.3 + version: 1.11.1 - name: istio-discovery - version: 1.10.3 + version: 1.11.1 + - name: kiali-server + version: 1.38.1 + # repository: https://github.com/kiali/helm-charts/tree/master/docs + condition: kiali-server.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index cc3a2be..8b83b90 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) +![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -20,8 +20,9 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | base | 1.10.2 | -| | istio-discovery | 1.10.2 | +| | base | 1.11.1 | +| | istio-discovery | 1.11.1 | +| | kiali-server | 1.38.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values 
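Review bot: The new `kiali-server` dependency in the second hunk carries no `repository:` (only a commented-out GitHub tree URL, which is not a chart repository), so Helm can resolve version 1.38.1 only from a vendored copy under `charts/`; if that is intended, replace the commented line with `# vendored under charts/kiali-server, no repository on purpose`. README.md in this same commit still shows Version 0.7.1 and kubezero-lib `>= 0.1.3` while Chart.yaml now says 0.7.2 and `>= 0.1.4`, so the README appears not to have been regenerated after the bump. The README values table also shows `kiali-server.auth.strategy` set to `anonymous` together with `kiali-server.istio.gateway` set to `istio-ingress/private-ingressgateway`; since `condition: kiali-server.enabled` only decides whether the sub-chart renders, the values file should state that enabling it publishes an unauthenticated (view-only) Kiali on the private gateway.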
@@ -43,6 +44,26 @@ Kubernetes: `>= 1.18.0` | istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | | | istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | istio-discovery.telemetry.enabled | bool | `false` | | +| kiali-server.auth.strategy | string | `"anonymous"` | | +| kiali-server.deployment.ingress_enabled | bool | `false` | | +| kiali-server.deployment.view_only_mode | bool | `true` | | +| kiali-server.enabled | bool | `false` | | +| kiali-server.external_services.custom_dashboards.enabled | bool | `false` | | +| kiali-server.external_services.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus.monitoring:9090"` | | +| kiali-server.istio.enabled | bool | `false` | | +| kiali-server.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | +| kiali-server.server.metrics_enabled | bool | `false` | | +| rateLimiting.descriptors.ingress[0].key | string | `"remote_address"` | | +| rateLimiting.descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | | +| rateLimiting.descriptors.ingress[0].rate_limit.unit | string | `"second"` | | +| rateLimiting.descriptors.privateIngress[0].key | string | `"remote_address"` | | +| rateLimiting.descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | | +| rateLimiting.descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | | +| rateLimiting.enabled | bool | `true` | | +| rateLimiting.failureModeDeny | bool | `false` | | +| rateLimiting.localCacheSize | int | `1048576` | | +| rateLimiting.log.format | string | `"json"` | | +| rateLimiting.log.level | string | `"warn"` | | ## Resources diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml index 50041cd..e6d62f7 100644 --- a/charts/kubezero-istio/charts/base/Chart.yaml +++ b/charts/kubezero-istio/charts/base/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 name: base -version: 1.10.3 +version: 1.11.1 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio cluster resources and CRDs keywords: diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml index 0387315..e93fbb8 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -49,24 +49,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -200,11 +196,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -212,12 +206,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -235,7 +227,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -258,10 +249,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -292,6 +281,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -301,6 +293,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -439,11 +435,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -452,12 +446,10 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -475,7 +467,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -498,10 +489,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -532,6 +521,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -542,6 +534,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: 
@@ -553,14 +549,11 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -571,16 +564,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -591,14 +581,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -609,16 +596,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -756,11 +740,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -768,11 +750,9 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -790,7 +770,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -812,10 +791,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -846,6 +823,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -855,6 +835,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -989,11 +973,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1001,12 +983,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1024,7 +1004,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1047,10 +1026,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -1081,6 +1058,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1090,6 +1070,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: 
@@ -1101,14 +1085,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1119,16 +1100,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1139,14 +1117,11 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1157,16 +1132,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1205,24 +1177,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -1356,11 +1324,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -1368,12 +1334,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1391,7 +1355,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1414,10 +1377,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -1448,6 +1409,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1457,6 +1421,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -1595,11 +1563,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1608,12 +1574,10 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1631,7 +1595,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1654,10 +1617,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -1688,6 +1649,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -1698,6 +1662,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: @@ -1709,14 +1677,11 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1727,16 +1692,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1747,14 +1709,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1765,16 +1724,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1912,11 +1868,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -1924,11 +1878,9 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1946,7 +1898,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1968,10 +1919,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -2002,6 +1951,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2011,6 +1963,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -2145,11 +2101,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -2157,12 +2111,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -2180,7 +2132,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -2203,10 +2154,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -2237,6 +2186,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2246,6 +2198,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: @@ -2257,14 +2213,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -2275,16 +2228,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -2295,14 +2245,11 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -2313,16 +2260,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -2385,6 +2329,7 @@ spec: - HTTP_ROUTE - CLUSTER - EXTENSION_CONFIG + - BOOTSTRAP type: string match: description: Match on listener/route configuration/cluster. @@ -2409,7 +2354,6 @@ spec: properties: name: description: The exact name of the cluster to match. - format: string type: string portNumber: description: The service port for which this cluster 
@@ -2418,11 +2362,9 @@ spec: service: description: The fully qualified service name for this cluster. - format: string type: string subset: description: The subset associated with the service. - format: string type: string type: object context: @@ -2442,7 +2384,6 @@ spec: properties: applicationProtocols: description: Applies only to sidecars. - format: string type: string destinationPort: description: The destination_port value used by @@ -2454,36 +2395,29 @@ spec: properties: name: description: The filter name to match on. - format: string type: string subFilter: properties: name: description: The filter name to match on. - format: string type: string type: object type: object name: description: The name assigned to the filter chain. - format: string type: string sni: description: The SNI value used by a filter chain's match condition. - format: string type: string transportProtocol: description: Applies only to `SIDECAR_INBOUND` context. - format: string type: string type: object name: description: Match a specific listener by its name. - format: string type: string portName: - format: string type: string portNumber: type: integer @@ -2493,33 +2427,27 @@ spec: properties: metadata: additionalProperties: - format: string type: string type: object proxyVersion: - format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: - format: string type: string name: description: Route configuration name to match on. - format: string type: string portName: description: Applicable only for GATEWAY context. - format: string type: string portNumber: type: integer vhost: properties: name: - format: string type: string route: description: Match a specific route within the virtual @@ -2535,7 +2463,6 @@ spec: - DIRECT_RESPONSE type: string name: - format: string type: string type: object type: object 
@@ -2571,11 +2498,15 @@ spec: type: object type: object type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer workloadSelector: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -2625,7 +2556,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: @@ -2633,34 +2563,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2671,17 +2595,14 @@ spec: properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. - format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2713,25 +2634,20 @@ spec: type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object 
@@ -2756,7 +2672,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: @@ -2764,34 +2679,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2802,17 +2711,14 @@ spec: properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. - format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2844,25 +2750,20 @@ spec: type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object @@ -2937,7 +2838,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: 
@@ -2945,20 +2845,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -2966,7 +2862,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -2976,13 +2871,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -2996,14 +2889,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3018,7 +2909,6 @@ spec: type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: @@ -3026,7 +2916,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3072,7 +2961,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: 
@@ -3080,20 +2968,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -3101,7 +2985,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -3111,13 +2994,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -3131,14 +3012,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3153,7 +3032,6 @@ spec: type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: @@ -3161,7 +3039,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3211,7 +3088,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3221,7 +3097,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3229,14 +3104,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer 
@@ -3248,7 +3121,6 @@ spec: properties: bind: description: The IP to which the listener should be bound. - format: string type: string captureMode: enum: @@ -3257,21 +3129,18 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3285,7 +3154,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3296,7 +3164,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3309,7 +3176,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3334,7 +3200,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3344,7 +3209,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3352,14 +3216,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3371,7 +3233,6 @@ spec: properties: bind: description: The IP to which the listener should be bound. - format: string type: string captureMode: enum: 
@@ -3380,21 +3241,18 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3408,7 +3266,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3419,7 +3276,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3432,7 +3288,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3501,20 +3356,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -3529,21 +3381,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: 
@@ -3566,20 +3415,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: @@ -3589,12 +3434,10 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object fault: @@ -3619,10 +3462,8 @@ spec: - http2Error properties: grpcStatus: - format: string type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -3678,17 +3519,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -3696,17 +3534,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -3732,21 +3567,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: 
@@ -3768,14 +3599,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object @@ -3801,19 +3629,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -3838,14 +3662,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. @@ -3868,25 +3689,20 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string uri: oneOf: @@ -3906,14 +3722,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: 
@@ -3935,14 +3748,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the @@ -3954,7 +3764,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3965,7 +3774,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: @@ -3988,19 +3796,16 @@ spec: type: object name: description: The name assigned to the route for debugging purposes. - format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: - format: string type: string redirectCode: type: integer uri: - format: string type: string type: object retries: @@ -4018,7 +3823,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should @@ -4032,10 +3836,8 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string type: object route: @@ -4048,7 +3850,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4059,7 +3860,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: 
@@ -4068,17 +3868,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4086,17 +3883,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4122,14 +3916,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4138,18 +3930,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4163,7 +3952,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4174,7 +3962,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4194,14 +3981,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: 
@@ -4211,18 +3996,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array @@ -4236,7 +4018,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4247,7 +4028,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4295,20 +4075,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -4323,21 +4100,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: @@ -4360,20 +4134,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: 
@@ -4383,12 +4153,10 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object fault: @@ -4413,10 +4181,8 @@ spec: - http2Error properties: grpcStatus: - format: string type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -4472,17 +4238,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4490,17 +4253,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4526,21 +4286,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: @@ -4562,14 +4318,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object 
@@ -4595,19 +4348,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -4632,14 +4381,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. @@ -4662,25 +4408,20 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string uri: oneOf: @@ -4700,14 +4441,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: @@ -4729,14 +4467,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the 
@@ -4748,7 +4483,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -4759,7 +4493,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: @@ -4782,19 +4515,16 @@ spec: type: object name: description: The name assigned to the route for debugging purposes. - format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: - format: string type: string redirectCode: type: integer uri: - format: string type: string type: object retries: @@ -4812,7 +4542,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should @@ -4826,10 +4555,8 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string type: object route: @@ -4842,7 +4569,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4853,7 +4579,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: @@ -4862,17 +4587,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4880,17 +4602,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object 
@@ -4916,14 +4635,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4932,18 +4649,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4957,7 +4671,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4968,7 +4681,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4988,14 +4700,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -5005,18 +4715,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array @@ -5030,7 +4737,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is 
@@ -5041,7 +4747,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -5109,20 +4814,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5130,7 +4831,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5166,20 +4866,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5187,7 +4883,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5248,12 +4943,10 @@ spec: properties: annotations: additionalProperties: - format: string type: string type: object labels: additionalProperties: - format: string type: string type: object type: object @@ -5283,7 +4976,6 @@ spec: command: description: Command to run. items: - format: string type: string type: array type: object 
@@ -5297,29 +4989,24 @@ spec: host: description: Host name to connect to, defaults to the pod IP. - format: string type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: - format: string type: string value: - format: string type: string type: object type: array path: description: Path to access on the HTTP server. - format: string type: string port: description: Port on which the endpoint lives. type: integer scheme: - format: string type: string type: object initialDelaySeconds: @@ -5340,7 +5027,6 @@ spec: description: Health is determined by if the proxy is able to connect. properties: host: - format: string type: string port: type: integer @@ -5355,20 +5041,16 @@ spec: resources that belong to this `WorkloadGroup`. properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5376,7 +5058,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5445,7 +5126,6 @@ spec: properties: name: description: Specifies the name of the extension provider. - format: string type: string type: object rules: 
@@ -5462,61 +5142,51 @@ spec: ipBlocks: description: Optional. items: - format: string type: string type: array namespaces: description: Optional. items: - format: string type: string type: array notIpBlocks: description: Optional. items: - format: string type: string type: array notNamespaces: description: Optional. items: - format: string type: string type: array notPrincipals: description: Optional. items: - format: string type: string type: array notRemoteIpBlocks: description: Optional. items: - format: string type: string type: array notRequestPrincipals: description: Optional. items: - format: string type: string type: array principals: description: Optional. items: - format: string type: string type: array remoteIpBlocks: description: Optional. items: - format: string type: string type: array requestPrincipals: description: Optional. items: - format: string type: string type: array type: object @@ -5532,49 +5202,41 @@ spec: hosts: description: Optional. items: - format: string type: string type: array methods: description: Optional. items: - format: string type: string type: array notHosts: description: Optional. items: - format: string type: string type: array notMethods: description: Optional. items: - format: string type: string type: array notPaths: description: Optional. items: - format: string type: string type: array notPorts: description: Optional. items: - format: string type: string type: array paths: description: Optional. items: - format: string type: string type: array ports: description: Optional. items: - format: string type: string type: array type: object @@ -5586,18 +5248,15 @@ spec: properties: key: description: The name of an Istio attribute. - format: string type: string notValues: description: Optional. items: - format: string type: string type: array values: description: Optional. items: - format: string type: string type: array type: object 
@@ -5609,7 +5268,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5703,7 +5361,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5759,7 +5416,6 @@ spec: properties: audiences: items: - format: string type: string type: array forwardOriginalToken: @@ -5772,38 +5428,30 @@ spec: properties: name: description: The HTTP header name. - format: string type: string prefix: description: The prefix that should be stripped before decoding the token. - format: string type: string type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: - format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. - format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string type: string jwks_uri: - format: string type: string jwksUri: - format: string type: string outputPayloadToHeader: - format: string type: string type: object type: array @@ -5813,7 +5461,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object 
@@ -5871,12 +5518,114 @@ spec: description: Telemetry defines how the telemetry is generated for workloads within a mesh. properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string + type: object + type: array + type: object + type: array selector: description: Optional. properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5908,12 +5657,10 @@ spec: properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the environment variable from which to extract the tag value. - format: string type: string type: object header: @@ -5922,12 +5669,10 @@ spec: properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the header from which to extract the tag value. - format: string type: string type: object literal: @@ -5936,7 +5681,6 @@ spec: properties: value: description: The tag value to use. - format: string type: string type: object type: object @@ -5952,7 +5696,6 @@ spec: properties: name: description: Required. - format: string type: string type: object type: array diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index aec8e17..9fd002f 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml +++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -51,24 +51,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -202,11 +198,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -214,12 +208,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -237,7 +229,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -260,10 +251,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -294,6 +283,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -303,6 +295,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -441,11 +437,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -454,12 +448,10 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -477,7 +469,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -500,10 +491,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -534,6 +523,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -544,6 +536,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: @@ -555,14 +551,11 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -573,16 +566,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -593,14 +583,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -611,16 +598,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -758,11 +742,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. 
@@ -770,11 +752,9 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -792,7 +772,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -814,10 +793,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -848,6 +825,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -857,6 +837,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. @@ -991,11 +975,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1003,12 +985,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1026,7 +1006,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1049,10 +1028,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array 
@@ -1083,6 +1060,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1092,6 +1072,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: @@ -1103,14 +1087,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1121,16 +1102,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1141,14 +1119,11 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1159,16 +1134,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object 
@@ -1207,24 +1179,20 @@ spec: description: A list of namespaces to which this destination rule is exported. items: - format: string type: string type: array host: description: The name of a service from the service registry. - format: string type: string subsets: items: properties: labels: additionalProperties: - format: string type: string type: object name: description: Name of the subset. - format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. @@ -1358,11 +1326,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1370,12 +1336,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1393,7 +1357,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1416,10 +1379,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -1450,6 +1411,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -1459,6 +1423,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. 
@@ -1597,11 +1565,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1610,12 +1576,10 @@ spec: httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1633,7 +1597,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1656,10 +1619,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -1690,6 +1651,9 @@ spec: host is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. @@ -1700,6 +1664,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean type: object port: properties: @@ -1711,14 +1679,11 @@ spec: to the upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1729,16 +1694,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object 
@@ -1749,14 +1711,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -1767,16 +1726,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -1914,11 +1870,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -1926,11 +1880,9 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -1948,7 +1900,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -1970,10 +1921,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -2004,6 +1953,9 @@ spec: from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2013,6 +1965,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean type: object portLevelSettings: description: Traffic policies specific to individual ports. 
@@ -2147,11 +2103,9 @@ spec: properties: name: description: Name of the cookie. - format: string type: string path: description: Path to set for the cookie. - format: string type: string ttl: description: Lifetime of the cookie. @@ -2159,12 +2113,10 @@ spec: type: object httpHeaderName: description: Hash based on a specific HTTP header. - format: string type: string httpQueryParameterName: description: Hash based on a specific HTTP query parameter. - format: string type: string minimumRingSize: type: integer @@ -2182,7 +2134,6 @@ spec: from: description: Originating locality, '/' separated, e.g. - format: string type: string to: additionalProperties: @@ -2205,10 +2156,8 @@ spec: properties: from: description: Originating region. - format: string type: string to: - format: string type: string type: object type: array @@ -2239,6 +2188,9 @@ spec: is ejected from the connection pool. nullable: true type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer interval: description: Time interval between ejection sweep analysis. type: string @@ -2248,6 +2200,10 @@ spec: minHealthPercent: format: int32 type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean type: object port: properties: @@ -2259,14 +2215,11 @@ spec: upstream service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -2277,16 +2230,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object 
@@ -2297,14 +2247,11 @@ spec: service. properties: caCertificates: - format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. - format: string type: string credentialName: - format: string type: string mode: enum: @@ -2315,16 +2262,13 @@ spec: type: string privateKey: description: REQUIRED if mode is `MUTUAL`. - format: string type: string sni: description: SNI string to present to the server during TLS handshake. - format: string type: string subjectAltNames: items: - format: string type: string type: array type: object @@ -2387,6 +2331,7 @@ spec: - HTTP_ROUTE - CLUSTER - EXTENSION_CONFIG + - BOOTSTRAP type: string match: description: Match on listener/route configuration/cluster. @@ -2411,7 +2356,6 @@ spec: properties: name: description: The exact name of the cluster to match. - format: string type: string portNumber: description: The service port for which this cluster @@ -2420,11 +2364,9 @@ spec: service: description: The fully qualified service name for this cluster. - format: string type: string subset: description: The subset associated with the service. - format: string type: string type: object context: @@ -2444,7 +2386,6 @@ spec: properties: applicationProtocols: description: Applies only to sidecars. - format: string type: string destinationPort: description: The destination_port value used by 
@@ -2456,36 +2397,29 @@ spec: properties: name: description: The filter name to match on. - format: string type: string subFilter: properties: name: description: The filter name to match on. - format: string type: string type: object type: object name: description: The name assigned to the filter chain. - format: string type: string sni: description: The SNI value used by a filter chain's match condition. - format: string type: string transportProtocol: description: Applies only to `SIDECAR_INBOUND` context. - format: string type: string type: object name: description: Match a specific listener by its name. - format: string type: string portName: - format: string type: string portNumber: type: integer @@ -2495,33 +2429,27 @@ spec: properties: metadata: additionalProperties: - format: string type: string type: object proxyVersion: - format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: - format: string type: string name: description: Route configuration name to match on. - format: string type: string portName: description: Applicable only for GATEWAY context. - format: string type: string portNumber: type: integer vhost: properties: name: - format: string type: string route: description: Match a specific route within the virtual @@ -2537,7 +2465,6 @@ spec: - DIRECT_RESPONSE type: string name: - format: string type: string type: object type: object @@ -2573,11 +2500,15 @@ spec: type: object type: object type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer workloadSelector: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -2627,7 +2558,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: 
@@ -2635,34 +2565,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2673,17 +2597,14 @@ spec: properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. - format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2715,25 +2636,20 @@ spec: type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object @@ -2758,7 +2674,6 @@ spec: properties: selector: additionalProperties: - format: string type: string type: object servers: 
@@ -2766,34 +2681,28 @@ spec: items: properties: bind: - format: string type: string defaultEndpoint: - format: string type: string hosts: description: One or more hosts exposed by this gateway. items: - format: string type: string type: array name: description: An optional name of the server, when set must be unique across all servers. - format: string type: string port: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -2804,17 +2713,14 @@ spec: properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. - format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: - format: string type: string type: array credentialName: - format: string type: string httpsRedirect: type: boolean @@ -2846,25 +2752,20 @@ spec: type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string type: string subjectAltNames: items: - format: string type: string type: array verifyCertificateHash: items: - format: string type: string type: array verifyCertificateSpki: items: - format: string type: string type: array type: object @@ -2939,7 +2840,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: 
@@ -2947,20 +2847,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -2968,7 +2864,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -2978,13 +2873,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -2998,14 +2891,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3020,7 +2911,6 @@ spec: type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: @@ -3028,7 +2918,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3074,7 +2963,6 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: - format: string type: string type: array endpoints: 
@@ -3082,20 +2970,16 @@ spec: items: properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -3103,7 +2987,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -3113,13 +2996,11 @@ spec: exportTo: description: A list of namespaces to which this service is exported. items: - format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: - format: string type: string type: array location: @@ -3133,14 +3014,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3155,7 +3034,6 @@ spec: type: string subjectAltNames: items: - format: string type: string type: array workloadSelector: @@ -3163,7 +3041,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3213,7 +3090,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3223,7 +3099,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3231,14 +3106,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer 
@@ -3250,7 +3123,6 @@ spec: properties: bind: description: The IP to which the listener should be bound. - format: string type: string captureMode: enum: @@ -3259,21 +3131,18 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3287,7 +3156,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3298,7 +3166,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3311,7 +3178,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3336,7 +3202,6 @@ spec: items: properties: bind: - format: string type: string captureMode: enum: @@ -3346,7 +3211,6 @@ spec: type: string hosts: items: - format: string type: string type: array port: @@ -3354,14 +3218,12 @@ spec: properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3373,7 +3235,6 @@ spec: properties: bind: description: The IP to which the listener should be bound. - format: string type: string captureMode: enum: 
@@ -3382,21 +3243,18 @@ spec: - NONE type: string defaultEndpoint: - format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. - format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. - format: string type: string targetPort: type: integer @@ -3410,7 +3268,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3421,7 +3278,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mode: @@ -3434,7 +3290,6 @@ spec: properties: labels: additionalProperties: - format: string type: string type: object type: object @@ -3503,20 +3358,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -3531,21 +3383,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: 
@@ -3568,20 +3417,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: @@ -3591,12 +3436,10 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object fault: @@ -3621,10 +3464,8 @@ spec: - http2Error properties: grpcStatus: - format: string type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -3680,17 +3521,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -3698,17 +3536,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -3734,21 +3569,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: 
@@ -3770,14 +3601,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object @@ -3803,19 +3631,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -3840,14 +3664,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. @@ -3870,25 +3691,20 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string uri: oneOf: @@ -3908,14 +3724,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: 
@@ -3937,14 +3750,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the @@ -3956,7 +3766,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -3967,7 +3776,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: @@ -3990,19 +3798,16 @@ spec: type: object name: description: The name assigned to the route for debugging purposes. - format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: - format: string type: string redirectCode: type: integer uri: - format: string type: string type: object retries: @@ -4020,7 +3825,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should @@ -4034,10 +3838,8 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string type: object route: @@ -4050,7 +3852,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4061,7 +3862,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: 
@@ -4070,17 +3870,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4088,17 +3885,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4124,14 +3918,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4140,18 +3932,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4165,7 +3954,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4176,7 +3964,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4196,14 +3983,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: 
@@ -4213,18 +3998,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array @@ -4238,7 +4020,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4249,7 +4030,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4297,20 +4077,17 @@ spec: description: A list of namespaces to which this virtual service is exported. items: - format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: - format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: - format: string type: string type: array http: @@ -4325,21 +4102,18 @@ spec: type: boolean allowHeaders: items: - format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: - format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: - format: string type: string type: array allowOrigins: @@ -4362,20 +4136,16 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: array exposeHeaders: items: - format: string type: string type: array maxAge: 
@@ -4385,12 +4155,10 @@ spec: properties: name: description: Name specifies the name of the delegate VirtualService. - format: string type: string namespace: description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string type: string type: object fault: @@ -4415,10 +4183,8 @@ spec: - http2Error properties: grpcStatus: - format: string type: string http2Error: - format: string type: string httpStatus: description: HTTP status code to use to abort the Http @@ -4474,17 +4240,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4492,17 +4255,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4528,21 +4288,17 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array headers: @@ -4564,14 +4320,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object type: object 
@@ -4597,19 +4350,15 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object name: description: The name assigned to a match. - format: string type: string port: description: Specifies the ports on the host that is being @@ -4634,14 +4383,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: Query parameters for matching. @@ -4664,25 +4410,20 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string uri: oneOf: @@ -4702,14 +4443,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object withoutHeaders: @@ -4731,14 +4469,11 @@ spec: - regex properties: exact: - format: string type: string prefix: - format: string type: string regex: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string type: string type: object description: withoutHeader has the same syntax with the 
@@ -4750,7 +4485,6 @@ spec: properties: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is being @@ -4761,7 +4495,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object mirror_percent: @@ -4784,19 +4517,16 @@ spec: type: object name: description: The name assigned to the route for debugging purposes. - format: string type: string redirect: description: A HTTP rule can either redirect or forward (default) traffic. properties: authority: - format: string type: string redirectCode: type: integer uri: - format: string type: string type: object retries: @@ -4814,7 +4544,6 @@ spec: retryOn: description: Specifies the conditions under which retry takes place. - format: string type: string retryRemoteLocalities: description: Flag to specify whether the retries should @@ -4828,10 +4557,8 @@ spec: authority: description: rewrite the Authority/Host header with this value. - format: string type: string uri: - format: string type: string type: object route: @@ -4844,7 +4571,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4855,7 +4581,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object headers: @@ -4864,17 +4589,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object @@ -4882,17 +4604,14 @@ spec: properties: add: additionalProperties: - format: string type: string type: object remove: items: - format: string type: string type: array set: additionalProperties: - format: string type: string type: object type: object 
@@ -4918,14 +4637,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -4934,18 +4651,15 @@ spec: type: integer sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. - format: string type: string type: object type: array @@ -4959,7 +4673,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is @@ -4970,7 +4683,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -4990,14 +4702,12 @@ spec: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: - format: string type: string type: array gateways: description: Names of gateways where the rule should be applied. items: - format: string type: string type: array port: @@ -5007,18 +4717,15 @@ spec: sniHosts: description: SNI (server name indicator) to match on. items: - format: string type: string type: array sourceLabels: additionalProperties: - format: string type: string type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string type: string type: object type: array @@ -5032,7 +4739,6 @@ spec: host: description: The name of a service from the service registry. - format: string type: string port: description: Specifies the port on the host that is 
@@ -5043,7 +4749,6 @@ spec: type: object subset: description: The name of a subset within the service. - format: string type: string type: object weight: @@ -5111,20 +4816,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5132,7 +4833,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5168,20 +4868,16 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5189,7 +4885,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5250,12 +4945,10 @@ spec: properties: annotations: additionalProperties: - format: string type: string type: object labels: additionalProperties: - format: string type: string type: object type: object @@ -5285,7 +4978,6 @@ spec: command: description: Command to run. items: - format: string type: string type: array type: object 
@@ -5299,29 +4991,24 @@ spec: host: description: Host name to connect to, defaults to the pod IP. - format: string type: string httpHeaders: description: Headers the proxy will pass on to make the request. items: properties: name: - format: string type: string value: - format: string type: string type: object type: array path: description: Path to access on the HTTP server. - format: string type: string port: description: Port on which the endpoint lives. type: integer scheme: - format: string type: string type: object initialDelaySeconds: @@ -5342,7 +5029,6 @@ spec: description: Health is determined by if the proxy is able to connect. properties: host: - format: string type: string port: type: integer @@ -5357,20 +5043,16 @@ spec: resources that belong to this `WorkloadGroup`. properties: address: - format: string type: string labels: additionalProperties: - format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. - format: string type: string network: - format: string type: string ports: additionalProperties: @@ -5378,7 +5060,6 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: - format: string type: string weight: description: The load balancing weight associated with the endpoint. @@ -5447,7 +5128,6 @@ spec: properties: name: description: Specifies the name of the extension provider. - format: string type: string type: object rules: 
@@ -5464,61 +5144,51 @@ spec: ipBlocks: description: Optional. items: - format: string type: string type: array namespaces: description: Optional. items: - format: string type: string type: array notIpBlocks: description: Optional. items: - format: string type: string type: array notNamespaces: description: Optional. items: - format: string type: string type: array notPrincipals: description: Optional. items: - format: string type: string type: array notRemoteIpBlocks: description: Optional. items: - format: string type: string type: array notRequestPrincipals: description: Optional. items: - format: string type: string type: array principals: description: Optional. items: - format: string type: string type: array remoteIpBlocks: description: Optional. items: - format: string type: string type: array requestPrincipals: description: Optional. items: - format: string type: string type: array type: object @@ -5534,49 +5204,41 @@ spec: hosts: description: Optional. items: - format: string type: string type: array methods: description: Optional. items: - format: string type: string type: array notHosts: description: Optional. items: - format: string type: string type: array notMethods: description: Optional. items: - format: string type: string type: array notPaths: description: Optional. items: - format: string type: string type: array notPorts: description: Optional. items: - format: string type: string type: array paths: description: Optional. items: - format: string type: string type: array ports: description: Optional. items: - format: string type: string type: array type: object @@ -5588,18 +5250,15 @@ spec: properties: key: description: The name of an Istio attribute. - format: string type: string notValues: description: Optional. items: - format: string type: string type: array values: description: Optional. items: - format: string type: string type: array type: object 
@@ -5611,7 +5270,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5705,7 +5363,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5761,7 +5418,6 @@ spec: properties: audiences: items: - format: string type: string type: array forwardOriginalToken: @@ -5774,38 +5430,30 @@ spec: properties: name: description: The HTTP header name. - format: string type: string prefix: description: The prefix that should be stripped before decoding the token. - format: string type: string type: object type: array fromParams: description: List of query parameters from which JWT is expected. items: - format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. - format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string type: string jwks_uri: - format: string type: string jwksUri: - format: string type: string outputPayloadToHeader: - format: string type: string type: object type: array @@ -5815,7 +5463,6 @@ spec: properties: matchLabels: additionalProperties: - format: string type: string type: object type: object 
@@ -5873,12 +5520,114 @@ spec: description: Telemetry defines how the telemetry is generated for workloads within a mesh. properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string + type: object + type: array + type: object + type: array selector: description: Optional. properties: matchLabels: additionalProperties: - format: string type: string type: object type: object @@ -5910,12 +5659,10 @@ spec: properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the environment variable from which to extract the tag value. - format: string type: string type: object header: @@ -5924,12 +5671,10 @@ spec: properties: defaultValue: description: Optional. - format: string type: string name: description: Name of the header from which to extract the tag value. - format: string type: string type: object literal: @@ -5938,7 +5683,6 @@ spec: properties: value: description: The tag value to use. - format: string type: string type: object type: object @@ -5954,7 +5698,6 @@ spec: properties: name: description: Required. - format: string type: string type: object type: array @@ -6027,7 +5770,9 @@ spec: --- --- -# Source: base/templates/serviceaccount.yaml +# Source: base/templates/reader-serviceaccount.yaml +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. apiVersion: v1 kind: ServiceAccount metadata: @@ -6038,6 +5783,11 @@ metadata: release: istio --- # Source: base/templates/serviceaccount.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: v1 kind: ServiceAccount metadata: 
@@ -6048,6 +5798,11 @@ metadata: release: istio --- # Source: base/templates/clusterrole.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -6185,8 +5940,16 @@ rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list"] --- # Source: base/templates/clusterrolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -6221,6 +5984,11 @@ subjects: namespace: istio-system --- # Source: base/templates/role.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -6243,6 +6011,11 @@ rules: verbs: ["create", "get", "watch", "list", "update", "delete"] --- # Source: base/templates/rolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -6259,38 +6032,3 @@ subjects: - kind: ServiceAccount name: istiod-service-account namespace: istio-system ---- -# Source: base/templates/validatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml index 014970c..e07d5cd 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -1,3 +1,8 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -149,6 +154,9 @@ rules: - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list"] {{- if or .Values.global.externalIstiod }} - apiGroups: [""] resources: ["configmaps"] 
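Review bot: The new `multicluster.x-k8s.io` / `serviceexports` rule added to clusterrole.yaml is granted unconditionally, while the `configmaps` rule immediately after it is gated on `.Values.global.externalIstiod`; the verbs are read-only, so the added exposure is small, but a permission that is only meaningful when the MCS API is installed should at least carry a comment stating why it is always present, e.g. `# MCS ServiceExport discovery (read-only); accepted by the API server even when the CRD is absent`. The same rule appears in the generated gen-istio-cluster.yaml on the previous line, which is presumably the regenerated output of this template. The `rules:` list continues outside the hunk.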
diff --git a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml index ff24868..d61729b 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml @@ -1,3 +1,8 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/kubezero-istio/charts/base/templates/endpoints.yaml b/charts/kubezero-istio/charts/base/templates/endpoints.yaml index fb4dd5e..996152b 100644 --- a/charts/kubezero-istio/charts/base/templates/endpoints.yaml +++ b/charts/kubezero-istio/charts/base/templates/endpoints.yaml @@ -1,5 +1,5 @@ {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} + {{- if not .Values.global.externalIstiod }} apiVersion: v1 kind: Endpoints metadata: diff --git a/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000..d9ce18c --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} 
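Review bot: In the new reader-serviceaccount.yaml the `{{- if`, `{{- range` and `{{- end }}` lines are indented while `imagePullSecrets:` and `- name:` sit at column 0; the left-trim makes the rendered YAML identical, but the istiod ServiceAccount in serviceaccount.yaml (changed in the same commit) keeps this block at column 0, so aligning them avoids a reader assuming the indentation is significant. The header comment could also state the security consequence that follows from "remote secret creation", since a token for this account presumably leaves the cluster: `# A token for this account is exported to remote clusters, so keep its bound roles read-only.`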
diff --git a/charts/kubezero-istio/charts/base/templates/role.yaml b/charts/kubezero-istio/charts/base/templates/role.yaml index 557af5a..ca1a424 100644 --- a/charts/kubezero-istio/charts/base/templates/role.yaml +++ b/charts/kubezero-istio/charts/base/templates/role.yaml @@ -1,3 +1,8 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml index aabc0c3..2b591fb 100644 --- a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml +++ b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml @@ -1,3 +1,8 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml index 36e0e08..ec25fd2 100644 --- a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml +++ b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml 
@@ -1,18 +1,8 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} ---- +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- apiVersion: v1 kind: ServiceAccount {{- if .Values.global.imagePullSecrets }} @@ -27,4 +17,3 @@ metadata: labels: app: istiod release: {{ .Release.Name }} ---- diff --git a/charts/kubezero-istio/charts/base/templates/services.yaml b/charts/kubezero-istio/charts/base/templates/services.yaml index f654508..606fd44 100644 --- a/charts/kubezero-istio/charts/base/templates/services.yaml +++ b/charts/kubezero-istio/charts/base/templates/services.yaml @@ -1,5 +1,5 @@ {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} + {{- if not .Values.global.externalIstiod }} # when istiod is enabled in remote cluster, we can't use istiod service name apiVersion: v1 kind: Service diff --git a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index bd5d1cf..0000000 --- a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] ---- -{{- end }} \ No newline at end of file diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml index 17a1f8e..1fe2964 100644 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-discovery -version: 1.10.3 +version: 1.11.1 tillerVersion: ">=2.7.2" description: Helm chart for istio control plane keywords: diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt index 620f3e1..298b692 100644 --- a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt +++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt 
@@ -4,6 +4,5 @@ MCP and injector should optionally be installed in the same namespace. Alternati address of an MCP server can be set. -Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience! - https://forms.gle/KjkrDnMPByq7akrYA" - +Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience! + https://forms.gle/kWULBRjUv7hHci7T6 diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml index 865d2c1..6d75883 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml @@ -28,12 +28,6 @@ spec: - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} @@ -78,14 +72,6 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} 
@@ -112,11 +98,6 @@ spec: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" @@ -187,16 +168,6 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml index 817cce5..5f37436 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml @@ -19,6 +19,16 @@ spec: app: istiod istio: pilot --- +# Source: istio-discovery/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +--- # Source: istio-discovery/templates/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -63,6 +73,8 @@ data: { "global": { "caAddress": "", + "configCluster": false, + "configValidation": true, "defaultPodDisruptionBudget": { "enabled": true }, @@ -181,8 +193,7 @@ data: "enabled": true }, "rewriteAppHTTPProbe": true, - "templates": {}, - "useLegacySelectors": false + "templates": {} } } 
@@ -210,7 +221,6 @@ data: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ .Revision | default "default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", @@ -343,7 +353,7 @@ data: {{- end }} restartPolicy: Always {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - name: enable-core-dump args: - -c @@ -386,12 +396,6 @@ data: - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} 
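Review bot: In the `-343` hunk the `enable-core-dump` init container is now gated on the pod annotation `sidecar.istio.io/enableCoreDump` instead of only on `global.proxy.enableCoreDump`, and the `-549` hunk in the same file uses the same annotation to decide the sidecar's `readOnlyRootFilesystem`. Any workload author who can set pod annotations can therefore turn the injected sidecar's root filesystem writable and enable core dumps for it, whatever the chart-wide value says. If that is not intended for clusters this chart targets, consider keeping the global value as an upper bound, e.g. `{{- if and .Values.global.proxy.enableCoreDump (eq (annotation ...) "true") }}` on both lines, or at least document in values.yaml that the annotation overrides the global default. Both lines sit inside the sidecar injection template whose start and end lie outside these hunks, and since this file carries `# Source:` headers it is presumably regenerated from the upstream chart, so the change would belong in the template source.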
@@ -401,9 +405,9 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + {{- if gt .EstimatedConcurrency 0 }} - --concurrency - - "{{ .ProxyConfig.Concurrency.GetValue }}" + - "{{ .EstimatedConcurrency }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle: @@ -451,14 +455,6 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} @@ -485,11 +481,6 @@ data: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" @@ -549,7 +540,7 @@ data: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} 
@@ -642,16 +633,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: @@ -730,12 +711,6 @@ data: - router - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} @@ -780,14 +755,6 @@ data: valueFrom: fieldRef: fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }} @@ -814,11 +781,6 @@ data: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}" 
@@ -889,16 +851,6 @@ data: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected: 
@@ -934,6 +886,513 @@ data: securityContext: fsGroup: 1337 {{- end }} + grpc-simple: | + spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + echo ' + { + "xds_servers": [ + { + "server_uri": "dns:///istiod.istio-system.svc:15010", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} + grpc-agent: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_BOOTSTRAP" + value: 
"/var/lib/istio/data/grpc-bootstrap.json" + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- end }} + {{- end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: "GRPC_XDS_BOOTSTRAP" + value: "/var/lib/istio/data/grpc-bootstrap.json" + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + 
fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset 
.ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + # UDS channel between istioagent and gRPC client for XDS/SDS + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if isset .ObjectMeta.Annotations 
`sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} +--- +# Source: istio-discovery/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + 
resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] +--- +# Source: istio-discovery/templates/reader-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", 
"list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: istio-discovery/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole-istio-system +subjects: + - kind: ServiceAccount + name: istiod + namespace: istio-system +--- +# Source: istio-discovery/templates/reader-clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: istio-discovery/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. 
+- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: istio-discovery/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod +subjects: + - kind: ServiceAccount + name: istiod + namespace: istio-system --- # Source: istio-discovery/templates/service.yaml apiVersion: v1 @@ -1004,7 +1463,7 @@ spec: prometheus.io/scrape: "true" sidecar.istio.io/inject: "false" spec: - serviceAccountName: istiod-service-account + serviceAccountName: istiod securityContext: fsGroup: 1337 containers: @@ -1369,6 +1828,7 @@ spec: { "debug": "false", "stat_prefix": "istio", + "disable_host_header_fallback": true, "metrics": [ { "dimensions": { 
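Review bot: The new `grpc-simple` injection template writes a bootstrap whose xDS server is `dns:///istiod.istio-system.svc:15010` with `"channel_creds": [{"type": "insecure"}]`, so proxyless gRPC workloads fetch their configuration in plaintext without presenting a workload identity, and every application container additionally gets `GRPC_GO_LOG_VERBOSITY_LEVEL: "99"`. Nothing in the hunk marks this as a test-only template, while the sibling `grpc-agent` template in the same hunk routes xDS/SDS through the agent (`CA_ADDR` on port 15012, `GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT: "true"`). I would add a comment directly above `grpc-simple: |` such as `# grpc-simple: plaintext, unauthenticated xDS on 15010 and debug-level gRPC logging; for local testing only, use grpc-agent for mTLS/SDS`. As the file carries `# Source:` headers it is presumably generated from the upstream chart, so the comment (or an override that drops this template) would be better placed in the template source.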
@@ -1536,6 +1996,399 @@ spec: local: inline_string: "envoy.wasm.stats" --- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.11 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: 
istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: 
+ filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + 
filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- # Source: istio-discovery/templates/telemetryv2_1.9.yaml # Note: metadata exchange filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 
@@ -2092,3 +2945,76 @@ webhooks: - "true" - key: istio.io/rev operator: DoesNotExist
+---
+# Source: istio-discovery/templates/validatingwebhookconfiguration.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator-istio-system
+ labels:
+ app: istiod
+ release: istio
+ istio: istiod
+ istio.io/rev: default
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ service:
+ name: istiod
+ namespace: istio-system
+ path: "/validate"
+ caBundle: "" # patched at runtime when the webhook is ready.
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "default"
+ # Webhook handling default validation
+ - name: validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ service:
+ name: istiod
+ namespace: istio-system
+ path: "/validate"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
diff --git a/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml b/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml
new file mode 100644
index 0000000..b20a9c4
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml
@@ -0,0 +1,234 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+spec:
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ {{ if not (eq $container.Name "istio-proxy") }}
+ - name: {{ $container.Name }}
+ env:
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/var/lib/istio/data/grpc-bootstrap.json"
+ - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+ value: "true"
+ volumeMounts:
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- end }}
+ {{- end }}
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ env:
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/var/lib/istio/data/grpc-bootstrap.json"
+ - name: ISTIO_META_GENERATOR
+ value: grpc
+ - name: OUTPUT_CERTS
+ value: /var/lib/istio/data
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: 
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ # grpc uses xds:/// to resolve – no need to resolve VIP
+ - name: ISTIO_META_DNS_CAPTURE
+ value: "false"
+ - name: DISABLE_ENVOY
+ value: "true"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: {{ .Values.global.proxy.statusPort }}
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ resources:
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) 
}}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - emptyDir:
+ medium: Memory
+ name: istio-xds
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ 
fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml b/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml
new file mode 100644
index 0000000..cf592e6
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml
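Review bot: The injected `istio-proxy` container in this template (hunk spanning L115–L119) carries no `securityContext` at all, whereas the sidecar in injection-template.yaml later in this patch drops all capabilities, runs with `runAsGroup: 1337` and pins `readOnlyRootFilesystem`; unless the injector fills one in elsewhere, the gRPC agent inherits the pod default and may run as root on a writable root filesystem. Every path the agent is told to write here (`OUTPUT_CERTS` → `/var/lib/istio/data`, the UDS under `/etc/istio/proxy`) is an emptyDir mount, so a hardened context should be workable, though that needs checking against the agent's real write paths before merging. I would add a securityContext mirroring the sidecar's, placed after `resources:` and before `volumeMounts:`.
```yaml
  - name: istio-proxy
    # … unchanged: image, args, env, readinessProbe, resources …
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1337
      runAsGroup: 1337
    # … unchanged: volumeMounts, volumes …
```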
@@ -0,0 +1,58 @@
+spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "dns:///istiod.istio-system.svc:15010",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
index 39a6424..e8659bb 100644
--- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml
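Review bot: The generated bootstrap points at `dns:///istiod.istio-system.svc:15010` with `"channel_creds": [{"type": "insecure"}]`, so a workload injected with this template fetches its routing and endpoint configuration over plaintext with no server authentication and no client identity, and never receives mTLS material; anything on the pod network that can answer for that name can feed it arbitrary xDS. That may be acceptable for a proxyless demo, but nothing in the file says so, and the control-plane namespace and `cluster.local` are hard-coded rather than taken from `.Values.global.istioNamespace` and `.Values.global.proxy.clusterDomain` as grpc-agent.yaml does. `busybox:1.28` is also pulled by mutable tag from the default registry instead of `{{ .Values.global.hub }}`, and `GRPC_GO_LOG_VERBOSITY_LEVEL=99` will make every application container very chatty. At minimum I would add a header comment: `# Demo-only proxyless template: unauthenticated plaintext xDS to istiod:15010, no mTLS; use the grpc-agent template for anything beyond local testing.`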
@@ -5,7 +5,6 @@ metadata: security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ .Revision | default "default" | quote }} annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
@@ -138,7 +137,7 @@ spec: {{- end }} restartPolicy: Always {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - name: enable-core-dump args: - -c
@@ -181,12 +180,6 @@ spec: - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
@@ -196,9 +189,9 @@ spec: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} - {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + {{- if gt .EstimatedConcurrency 0 }} - --concurrency - - "{{ .ProxyConfig.Concurrency.GetValue }}" + - "{{ .EstimatedConcurrency }}" {{- end -}} {{- if .Values.global.proxy.lifecycle }} lifecycle:
@@ -246,14 +239,6 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - name: PROXY_CONFIG value: | {{ protoToJSON .ProxyConfig }}
@@ -280,11 +265,6 @@ spec: - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: "{{ .DeploymentMeta.Name }}"
@@ -344,7 +324,7 @@ spec: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} runAsGroup: 1337 fsGroup: 1337 {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
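Review bot: In the `@@ -344` hunk `readOnlyRootFilesystem` is now decided by the pod annotation `sidecar.istio.io/enableCoreDump`, so any workload author can turn off the sidecar's read-only root filesystem (and, through the matching change in the `@@ -138` hunk above, pull in the `enable-core-dump` init container, whose body lies outside the hunk) without any mesh-level opt-in; before this patch only `global.proxy.enableCoreDump` controlled it. Upstream Istio behaves the same way, but in a multi-tenant cluster that is a policy decision worth making explicit rather than inheriting silently. If per-pod core dumps are not meant to be self-service here, require the global switch as well and let the annotation only opt out, e.g. ``readOnlyRootFilesystem: {{ not (and .Values.global.proxy.enableCoreDump (eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` "true") "true")) }}`` with the same `and` applied to the init-container guard; otherwise document in values.yaml that the annotation is workload-controlled so operators can cover it with admission policy.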
@@ -437,16 +417,6 @@ spec: - path: "annotations" fieldRef: fieldPath: metadata.annotations - - path: "cpu-limit" - resourceFieldRef: - containerName: istio-proxy - resource: limits.cpu - divisor: 1m - - path: "cpu-request" - resourceFieldRef: - containerName: istio-proxy - resource: requests.cpu - divisor: 1m {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token projected:
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml
new file mode 100644
index 0000000..0956c9b
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml
@@ -0,0 +1,112 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: 
["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", 
"delete"]
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..cadb599
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
index f63fff1..17b52f1 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
@@ -49,9 +49,11 @@ {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} {{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} {{- end }} {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} + {{- if not .Values.global.externalIstiod }} discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 {{- else }} discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
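Review bot: The istiod ClusterRole in the clusterrole.yaml hunk (L124–L126) grants `get`/`list`/`watch` on `secrets` in every namespace, justified only by `# Needed for multicluster secret reading, possibly ingress certs in the future`; on a single-cluster install that is the widest read permission in the whole role, and who- or whatever holds istiod's token can dump every Secret in the cluster. The same file already hides analysis-only rules behind `{{- if .Values.global.istiod.enableAnalysis }}`, so the secrets rule could be gated the same way behind a multicluster switch, e.g. `{{- if .Values.global.multiCluster.enabled }}` … `{{- end }}`, provided the chart exposes such a value (only `global.multiCluster.clusterName` is referenced in this patch); failing that, values.yaml should at least state that the permission is cluster-wide. The CA secret in the control-plane namespace is presumably covered by the namespaced Role added later in this patch, so the local CA flow should not depend on this rule — worth confirming before gating it.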
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
index 9c226dc..7ca98c5 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml
@@ -54,7 +54,7 @@ spec: {{ toYaml .Values.pilot.podAnnotations | indent 8 }} {{- end }} spec: - serviceAccountName: istiod-service-account + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
index b874bc2..b6b1fa8 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml
@@ -52,6 +52,14 @@ data: gateway: | {{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} {{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} {{- with .Values.sidecarInjectorWebhook.templates }} {{ toYaml . | trim | indent 6 }} {{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
index b50f0b7..dcb84dd 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
@@ -5,12 +5,12 @@ a unique prefix to each. */}} - name: {{.Prefix}}sidecar-injector.istio.io clientConfig: {{- if .Values.istiodRemote.injectionURL }} - url: {{ .Values.istiodRemote.injectionURL }} + url: "{{ .Values.istiodRemote.injectionURL }}" {{- else }} service: name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{ .Release.Namespace }} - path: "/inject" + path: "{{ .Values.istiodRemote.injectionPath }}" port: 443 {{- end }} caBundle: ""
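Review bot: `path: "{{ .Values.istiodRemote.injectionPath }}"` replaces the hard-coded `/inject` with a value that no values.yaml visible in this patch defines; if the chart's values are not updated in the same change, the webhook renders `path: ""`, the API server calls the wrong endpoint on istiod and — assuming the injector keeps its usual `failurePolicy: Fail`, which sits outside this hunk — every pod create in an injection-enabled namespace is rejected. A defensive default costs one line: `path: "{{ .Values.istiodRemote.injectionPath | default "/inject" }}"`. The identical change in revision-tags.yaml further down should get the same default.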
@@ -40,60 +40,7 @@ metadata: app: sidecar-injector release: {{ .Release.Name }} webhooks:
-{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
-{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
-{{- include "core" . }}
- namespaceSelector:
- {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
- matchExpressions:
- - key: name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
- - key: istio-injection
- operator: NotIn
- values:
- - disabled
- - key: istio-env
- operator: DoesNotExist
- - key: istio.io/rev
- operator: DoesNotExist
- {{- else if .Values.revision }}
- matchExpressions:
- - key: istio-injection
- operator: DoesNotExist
- - key: istio.io/rev
- operator: In
- values:
- - {{ .Values.revision }}
- {{- else }}
- matchLabels:
- istio-injection: enabled
- {{- end }}
- {{- if .Values.sidecarInjectorWebhook.objectSelector.enabled }}
- objectSelector:
- {{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
- matchExpressions:
- - key: "sidecar.istio.io/inject"
- operator: NotIn
- values:
- - "false"
- {{- else if .Values.revision }}
- matchExpressions:
- - key: "sidecar.istio.io/inject"
- operator: DoesNotExist
- - key: istio.io/rev
- operator: In
- values:
- - {{ .Values.revision }}
- {{- else }}
- matchLabels:
- "sidecar.istio.io/inject": "true"
- {{- end }}
- {{- end }}
-{{- else }}
-
- {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} {{- /* Case 1: namespace selector matches, and object doesn't disable */}} {{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
@@ -195,4 +142,3 @@ webhooks: {{- end }} {{- end }}
-{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml
new file mode 100644
index 0000000..f19f1e8
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 0000000..4f9925c
--- /dev/null
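Review bot: The `istio-reader` ClusterRole lists `secrets` together with pods, services and nodes under cluster-wide `get`/`list`/`watch`, and the binding in the next hunk attaches it to `istio-reader-service-account`; as I understand Istio's multi-cluster flow, that account's token is what gets packaged into a remote secret and handed to other clusters' control planes, so this single entry gives every peer cluster read access to all Secrets in this one. If the reader only needs Istio's own CA and root secrets, a namespaced Role in `{{ .Values.global.istioNamespace }}` would be the tighter fit; if cluster-wide read really is required, the rule should carry a comment saying why and what it exposes, e.g. `# secrets: cluster-wide read is needed for <reason>; note this is exposed to every remote cluster holding this SA's token`.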
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml
index 3df335d..fc500eb 100644
--- a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml
@@ -5,12 +5,12 @@ - name: {{.Prefix}}sidecar-injector.istio.io clientConfig: {{- if .Values.istiodRemote.injectionURL }} - url: {{ .Values.istiodRemote.injectionURL }} + url: "{{ .Values.istiodRemote.injectionURL }}" {{- else }} service: name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{ .Release.Namespace }} - path: "/inject" + path: "{{ .Values.istiodRemote.injectionPath }}" {{- end }} caBundle: "" sideEffects: None
@@ -110,4 +110,4 @@ webhooks: operator: DoesNotExist {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml
new file mode 100644
index 0000000..25c4f5c
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml
new file mode 100644
index 0000000..0d700f0
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml
new file mode 100644
index 0000000..ee6cbc3
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +--- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml similarity index 96% rename from charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml rename to charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml index 3e4e597..0fe4ff6 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml @@ -3,7 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -19,7 +19,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -54,7 +54,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -89,7 +89,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: 
@@ -124,7 +124,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -138,7 +138,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: {} patch: operation: INSERT_BEFORE @@ -153,7 +153,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' cluster: {} patch: operation: MERGE @@ -169,7 +169,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' cluster: {} patch: operation: MERGE @@ -187,7 +187,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -201,7 +201,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -247,7 +247,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -271,6 +271,7 @@ spec: { "debug": "false", "stat_prefix": "istio", + "disable_host_header_fallback": true, "metrics": [ { "dimensions": { @@ -301,7 +302,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: 
@@ -349,7 +350,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -363,7 +364,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -415,7 +416,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -459,7 +460,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -505,7 +506,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -520,7 +521,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -555,7 +556,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -589,7 +590,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: 
@@ -623,7 +624,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -638,7 +639,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -671,7 +672,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -703,7 +704,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.10.*' + proxyVersion: '^1\.11.*' listener: filterChain: filter: @@ -736,7 +737,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -750,7 +751,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '1\.10.*' + proxyVersion: '1\.11.*' listener: filterChain: filter: diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000..890370e --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,86 @@ +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. 
+ failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + # Webhook handling default validation + - name: validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + apiVersions: + - "*" + resources: + - "*" + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml index b159557..1e8b4cf 100644 --- a/charts/kubezero-istio/charts/istio-discovery/values.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml 
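Review bot: `telemetry.istio.io` appears only in the apiGroups of the default `validation.istio.io` webhook; the per-revision `rev.validation.istio.io` webhook, whose objectSelector matches objects labelled `istio.io/rev` with the chart's revision, lists only `security.istio.io` and `networking.istio.io`, so a Telemetry object carrying a revision label would be admitted without validation. If this mirrors the upstream template it may be deliberate, but adding `- telemetry.istio.io` to the first webhook's apiGroups removes the gap. Both webhooks start with `failurePolicy: Ignore` and an empty `caBundle` and rely on the webhook controller described in the first webhook's comment to switch them to `Fail`; the second webhook lacks that comment, so the same explanation should be repeated there so nobody reads `Ignore` as the steady-state policy.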
@@ -65,10 +65,6 @@ pilot: sidecarInjectorWebhook: - # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook - # requests in Istiod, rather than at the webhook selection level. - # This is option is intended for migration purposes only and will be removed in Istio 1.10. - useLegacySelectors: false # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # always skip the injection on pods that match that label selector, regardless of the global policy. # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions @@ -116,8 +112,8 @@ sidecarInjectorWebhook: templates: {} # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to # the default templates list. # For example: # @@ -130,9 +126,15 @@ sidecarInjectorWebhook: # defaultTemplates: ["sidecar", "hello"] defaultTemplates: [] istiodRemote: - # Sidecar injector mutating webhook configuration url + # Sidecar injector mutating webhook configuration clientConfig.url value. # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" telemetry: enabled: true v2: 
@@ -237,7 +239,7 @@ global: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.10.3 + tag: 1.11.1 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -386,9 +388,14 @@ global: # If not set explicitly, default to the Istio discovery address. caAddress: "" - # External istiod controls all remote clusters: disabled by default + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. externalIstiod: false + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + # Configure the policy for validating JWT. # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". jwtPolicy: "third-party-jwt" @@ -510,6 +517,9 @@ global: # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. useMCP: false + # Determines whether this istiod performs resource validation. + configValidation: true + base: # For istioctl usage to disable istio config crds in base enableIstioConfigCRDs: true diff --git a/charts/kubezero-istio/charts/kiali-server/Chart.yaml b/charts/kubezero-istio/charts/kiali-server/Chart.yaml new file mode 100644 index 0000000..76dd122 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/Chart.yaml 
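Review bot: The comment on the new `configValidation` key does not say what the flag actually controls: the entire ValidatingWebhookConfiguration template added in this commit is wrapped in `{{- if .Values.global.configValidation }}`, so setting it to `false` stops rendering the webhook and Istio resources are then admitted without any validation, rather than merely changing istiod behaviour. Suggest `# Determines whether this istiod performs resource validation. When false the ValidatingWebhookConfiguration is not rendered and invalid Istio config is admitted unchecked.` The same hunk's `configCluster` comment could likewise name which templates it gates, since nothing in this values file shows that.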
@@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: v1.38.1 +description: Kiali is an open source project for service mesh observability, refer + to https://www.kiali.io for details. +home: https://github.com/kiali/kiali +icon: https://raw.githubusercontent.com/kiali/kiali.io/master/themes/kiali/static/img/kiali_logo_masthead.png +keywords: +- istio +- kiali +maintainers: +- email: kiali-users@googlegroups.com + name: Kiali + url: https://kiali.io +name: kiali-server +sources: +- https://github.com/kiali/kiali +- https://github.com/kiali/kiali-ui +- https://github.com/kiali/kiali-operator +- https://github.com/kiali/helm-charts +version: 1.38.1 diff --git a/charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt b/charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt new file mode 100644 index 0000000..7510194 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/NOTES.txt @@ -0,0 +1,5 @@ +Welcome to Kiali! For more details on Kiali, see: https://kiali.io + +The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon. + +(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}]) diff --git a/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl b/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl new file mode 100644 index 0000000..1cabf2c --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/_helpers.tpl 
@@ -0,0 +1,143 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified instance name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +To simulate the way the operator works, use deployment.instance_name rather than the old fullnameOverride. +For backwards compatibility, if fullnameOverride is not kiali but deployment.instance_name is kiali, +use fullnameOverride, otherwise use deployment.instance_name. +*/}} +{{- define "kiali-server.fullname" -}} +{{- if (and (eq .Values.deployment.instance_name "kiali") (ne .Values.fullnameOverride "kiali")) }} + {{- .Values.fullnameOverride | trunc 63 }} +{{- else }} + {{- .Values.deployment.instance_name | trunc 63 }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kiali-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Identifies the log_level with the old verbose_mode and the new log_level considered. +*/}} +{{- define "kiali-server.logLevel" -}} +{{- if .Values.deployment.verbose_mode -}} +{{- .Values.deployment.verbose_mode -}} +{{- else -}} +{{- .Values.deployment.logger.log_level -}} +{{- end -}} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kiali-server.labels" -}} +helm.sh/chart: {{ include "kiali-server.chart" . }} +app: kiali +{{ include "kiali-server.selectorLabels" . }} +version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/version: {{ .Values.deployment.version_label | default .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: "kiali" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kiali-server.selectorLabels" -}} +app.kubernetes.io/name: kiali +app.kubernetes.io/instance: {{ include "kiali-server.fullname" . 
}} +{{- end }} + +{{/* +Determine the default login token signing key. +*/}} +{{- define "kiali-server.login_token.signing_key" -}} +{{- if .Values.login_token.signing_key }} + {{- .Values.login_token.signing_key }} +{{- else }} + {{- randAlphaNum 16 }} +{{- end }} +{{- end }} + +{{/* +Determine the default web root. +*/}} +{{- define "kiali-server.server.web_root" -}} +{{- if .Values.server.web_root }} + {{- .Values.server.web_root | trimSuffix "/" }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/" }} + {{- else }} + {{- "/kiali" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity cert file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.cert_file" -}} +{{- if hasKey .Values.identity "cert_file" }} + {{- .Values.identity.cert_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.crt" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the default identity private key file. There is no default if on k8s; only on OpenShift. +*/}} +{{- define "kiali-server.identity.private_key_file" -}} +{{- if hasKey .Values.identity "private_key_file" }} + {{- .Values.identity.private_key_file }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- "/kiali-cert/tls.key" }} + {{- else }} + {{- "" }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Determine the istio namespace - default is where Kiali is installed. +*/}} +{{- define "kiali-server.istio_namespace" -}} +{{- if .Values.istio_namespace }} + {{- .Values.istio_namespace }} +{{- else }} + {{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Determine the auth strategy to use - default is "token" on Kubernetes and "openshift" on OpenShift. 
+*/}} +{{- define "kiali-server.auth.strategy" -}} +{{- if .Values.auth.strategy }} + {{- if (and (eq .Values.auth.strategy "openshift") (not .Values.kiali_route_url)) }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or use a different auth strategy via the --set auth.strategy=... option." }} + {{- end }} + {{- .Values.auth.strategy }} +{{- else }} + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + {{- if not .Values.kiali_route_url }} + {{- fail "You did not define what the Kiali Route URL will be (--set kiali_route_url=...). Without this set, the openshift auth strategy will not work. Either set that or explicitly indicate another auth strategy you want via the --set auth.strategy=... option." }} + {{- end }} + {{- "openshift" }} + {{- else }} + {{- "token" }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml b/charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml new file mode 100644 index 0000000..7462b95 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/cabundle.yaml @@ -0,0 +1,13 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }}-cabundle + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + service.beta.openshift.io/inject-cabundle: "true" +... +{{- end }} diff --git a/charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml b/charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml new file mode 100644 index 0000000..f4bfa09 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/configmap.yaml 
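Review bot: `kiali-server.login_token.signing_key` falls back to `randAlphaNum 16` whenever `login_token.signing_key` is unset, so every template render (each `helm upgrade`) produces a different key, and configmap.yaml in the next hunk copies it into the `config.yaml` ConfigMap via `set $cm.login_token "signing_key"`, so the session-signing key is stored in a ConfigMap rather than a Secret. The practical effects are that existing Kiali sessions are invalidated on each upgrade and that the key is readable by anything with ConfigMap read access in the release namespace. Suggest documenting this at the helper, e.g. `{{/* Falls back to a fresh random key on every render; set login_token.signing_key explicitly for stable sessions, and note it is rendered into the ConfigMap. */}}`, and treating a move into a Secret as follow-up work.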
@@ -0,0 +1,25 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +data: + config.yaml: | + {{- /* Most of .Values is simply the ConfigMap - strip out the keys that are not part of the ConfigMap */}} + {{- $cm := omit .Values "nameOverride" "fullnameOverride" "kiali_route_url" }} + {{- /* The helm chart defines namespace for us, but pass it to the ConfigMap in case the server needs it */}} + {{- $_ := set $cm.deployment "namespace" .Release.Namespace }} + {{- /* Some values of the ConfigMap are generated, but might not be identical, from .Values */}} + {{- $_ := set $cm "istio_namespace" (include "kiali-server.istio_namespace" .) }} + {{- $_ := set $cm.auth "strategy" (include "kiali-server.auth.strategy" .) }} + {{- $_ := set $cm.auth.openshift "client_id_prefix" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.deployment "instance_name" (include "kiali-server.fullname" .) }} + {{- $_ := set $cm.identity "cert_file" (include "kiali-server.identity.cert_file" .) }} + {{- $_ := set $cm.identity "private_key_file" (include "kiali-server.identity.private_key_file" .) }} + {{- $_ := set $cm.login_token "signing_key" (include "kiali-server.login_token.signing_key" .) }} + {{- $_ := set $cm.server "web_root" (include "kiali-server.server.web_root" .) }} + {{- toYaml $cm | nindent 4 }} +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml b/charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml new file mode 100644 index 0000000..ce47d8a --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/deployment.yaml 
@@ -0,0 +1,165 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.deployment.replicas }} + selector: + matchLabels: + {{- include "kiali-server.selectorLabels" . | nindent 6 }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 8 }} + {{- if .Values.deployment.pod_labels }} + {{- toYaml .Values.deployment.pod_labels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.server.metrics_enabled }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.server.metrics_port | quote }} + {{- else }} + prometheus.io/scrape: "false" + prometheus.io/port: "" + {{- end }} + kiali.io/dashboards: go,kiali + {{- if .Values.deployment.pod_annotations }} + {{- toYaml .Values.deployment.pod_annotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kiali-server.fullname" . }} + {{- if .Values.deployment.priority_class_name }} + priorityClassName: {{ .Values.deployment.priority_class_name | quote }} + {{- end }} + {{- if .Values.deployment.image_pull_secrets }} + imagePullSecrets: + {{- range .Values.deployment.image_pull_secrets }} + - name: {{ . }} + {{- end }} + {{- end }} + containers: + - image: "{{ .Values.deployment.image_name }}:{{ .Values.deployment.image_version }}" + imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }} + name: {{ include "kiali-server.fullname" . 
}} + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + ports: + - name: api-port + containerPort: {{ .Values.server.port | default 20001 }} + {{- if .Values.server.metrics_enabled }} + - name: http-metrics + containerPort: {{ .Values.server.metrics_port | default 9090 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + livenessProbe: + httpGet: + path: {{ include "kiali-server.server.web_root" . | trimSuffix "/" }}/healthz + port: api-port + {{- if (include "kiali-server.identity.cert_file" .) }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 30 + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LOG_LEVEL + value: "{{ include "kiali-server.logLevel" . }}" + - name: LOG_FORMAT + value: "{{ .Values.deployment.logger.log_format }}" + - name: LOG_TIME_FIELD_FORMAT + value: "{{ .Values.deployment.logger.time_field_format }}" + - name: LOG_SAMPLER_RATE + value: "{{ .Values.deployment.logger.sampler_rate }}" + volumeMounts: + - name: {{ include "kiali-server.fullname" . }}-configuration + mountPath: "/kiali-configuration" + - name: {{ include "kiali-server.fullname" . }}-cert + mountPath: "/kiali-cert" + - name: {{ include "kiali-server.fullname" . }}-secret + mountPath: "/kiali-secret" + - name: {{ include "kiali-server.fullname" . }}-cabundle + mountPath: "/kiali-cabundle" + {{- if .Values.deployment.resources }} + resources: + {{- toYaml .Values.deployment.resources | nindent 10 }} + {{- end }} + volumes: + - name: {{ include "kiali-server.fullname" . 
}}-configuration + configMap: + name: {{ include "kiali-server.fullname" . }} + - name: {{ include "kiali-server.fullname" . }}-cert + secret: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + secretName: {{ include "kiali-server.fullname" . }}-cert-secret + {{- else }} + secretName: istio.{{ include "kiali-server.fullname" . }}-service-account + {{- end }} + {{- if not (include "kiali-server.identity.cert_file" .) }} + optional: true + {{- end }} + - name: {{ include "kiali-server.fullname" . }}-secret + secret: + secretName: {{ .Values.deployment.secret_name }} + optional: true + - name: {{ include "kiali-server.fullname" . }}-cabundle + configMap: + name: {{ include "kiali-server.fullname" . }}-cabundle + {{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} + optional: true + {{- end }} + {{- if or (.Values.deployment.affinity.node) (or (.Values.deployment.affinity.pod) (.Values.deployment.affinity.pod_anti)) }} + affinity: + {{- if .Values.deployment.affinity.node }} + nodeAffinity: + {{- toYaml .Values.deployment.affinity.node | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod }} + podAffinity: + {{- toYaml .Values.deployment.affinity.pod | nindent 10 }} + {{- end }} + {{- if .Values.deployment.affinity.pod_anti }} + podAntiAffinity: + {{- toYaml .Values.deployment.affinity.pod_anti | nindent 10 }} + {{- end }} + {{- end }} + {{- if .Values.deployment.tolerations }} + tolerations: + {{- toYaml .Values.deployment.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.deployment.node_selector }} + nodeSelector: + {{- toYaml .Values.deployment.node_selector | nindent 8 }} + {{- end }} +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml b/charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml new file mode 100644 index 0000000..934c4c1 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/hpa.yaml 
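Review bot: The container `securityContext` sets `allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` but does not drop capabilities or set a seccomp profile, so the pod does not meet the restricted profile; adding `capabilities:` / `  drop:` / `  - ALL` under the existing block (and `seccompProfile: {type: RuntimeDefault}` on clusters that support it) completes it without changing Kiali's behaviour. The `secretName: istio.{{ include "kiali-server.fullname" . }}-service-account` volume on the non-OpenShift branch is marked `optional: true` only when no identity cert file is configured, which is fine, but a one-line comment saying which component is expected to create that secret would help operators diagnose a missing mount. The Deployment template starts at the beginning of the hunk on the previous page line.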
@@ -0,0 +1,17 @@ +{{- if .Values.deployment.hpa.spec }} +--- +apiVersion: {{ .Values.deployment.hpa.api_version }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kiali-server.fullname" . }} + {{- toYaml .Values.deployment.hpa.spec | nindent 2 }} +... +{{- end }} diff --git a/charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml b/charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml new file mode 100644 index 0000000..6868695 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/ingress.yaml 
@@ -0,0 +1,56 @@ +{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1") }} +{{- if .Values.deployment.ingress_enabled }} +--- +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }} + {{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }} + {{- else }} + # For ingress-nginx versions older than 0.20.0 use secure-backends. + # (see: https://github.com/kubernetes/ingress-nginx/issues/3416#issuecomment-438247948) + # For ingress-nginx versions 0.20.0 and later use backend-protocol. + {{- if (include "kiali-server.identity.cert_file" .) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- else }} + nginx.ingress.kubernetes.io/secure-backends: "false" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + {{- end }} + {{- end }} +spec: + {{- if hasKey .Values.deployment.override_ingress_yaml "spec" }} + {{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }} + {{- else }} + rules: + - http: + paths: + - path: {{ include "kiali-server.server.web_root" . }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ include "kiali-server.fullname" . }} + port: + number: {{ .Values.server.port }} + {{- else }} + backend: + serviceName: {{ include "kiali-server.fullname" . }} + servicePort: {{ .Values.server.port }} + {{- end }} + {{- if not (empty .Values.server.web_fqdn) }} + host: {{ .Values.server.web_fqdn }} + {{- end }} + {{- end }} +... +{{- end }} +{{- end }} 
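Review bot: The rendered Ingress has no `tls:` stanza, so when `server.web_fqdn` is set Kiali is published by the ingress controller over plain HTTP unless the controller terminates TLS on its own; the only way to add TLS through this chart is `deployment.override_ingress_yaml.spec`, which replaces the whole `spec`. Suggest a comment at the `rules:` line making that explicit, e.g. `# No tls: is rendered; supply override_ingress_yaml.spec (or controller-level TLS) to terminate HTTPS.` The backend-protocol annotations only govern ingress-to-Kiali traffic and do not cover the client-facing side.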
diff --git a/charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml b/charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml new file mode 100644 index 0000000..a178bb8 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/oauth.yaml @@ -0,0 +1,17 @@ +{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} +{{- if .Values.kiali_route_url }} +--- +apiVersion: oauth.openshift.io/v1 +kind: OAuthClient +metadata: + name: {{ include "kiali-server.fullname" . }}-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +redirectURIs: +- {{ .Values.kiali_route_url }} +grantMethod: auto +allowAnyScope: true +... +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml b/charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml new file mode 100644 index 0000000..a22c767 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/role-controlplane.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kiali-server.fullname" . }}-controlplane + namespace: {{ include "kiali-server.istio_namespace" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - list +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml b/charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml new file mode 100644 index 0000000..706b956 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/role-viewer.yaml 
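Review bot: The controlplane Role grants `list` on all Secrets in the istio namespace; `list` returns the contents of every secret and cannot be narrowed with `resourceNames`, so this is effectively read access to all control-plane secrets. If Kiali needs only specific secrets, `get` with `resourceNames` is the narrower grant; if `list` is genuinely required, a comment such as `# list needed because Kiali discovers control-plane secrets by name pattern - confirm against upstream` should record the reason so a later review does not have to rediscover it.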
@@ -0,0 +1,89 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }}-viewer + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - pods/log + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + - security.istio.io + resources: ["*"] + verbs: + - get + - list + - watch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["iter8.tools"] + resources: + - experiments + verbs: + - get + - list + - watch +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/role.yaml b/charts/kubezero-istio/charts/kiali-server/templates/role.yaml new file mode 100644 index 0000000..4ce52ee --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/role.yaml 
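Review bot: The `-viewer` ClusterRole that backs `view_only_mode` is not view-only: the `pods/portforward` rule with verb `create` lets the Kiali service account open a tunnel to any port of any pod in the cluster, and `pods/log` with get/list exposes every container's logs. If the viewer binding is meant to be the safe default, drop the `pods/portforward` rule here or document why Kiali needs it in read-only mode. The verb `post` listed alongside `create` is not a Kubernetes request verb (the API server authorizes get/list/watch/create/update/patch/delete/deletecollection), so that line grants nothing and can be removed.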
@@ -0,0 +1,99 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kiali-server.fullname" . }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - pods/log + verbs: + - get + - list + - watch +- apiGroups: [""] + resources: + - namespaces + - pods + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - patch +- apiGroups: [""] + resources: + - pods/portforward + verbs: + - create + - post +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch + - patch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch + - patch +- apiGroups: + - networking.istio.io + - security.istio.io + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["apps.openshift.io"] + resources: + - deploymentconfigs + verbs: + - get + - list + - watch + - patch +- apiGroups: ["project.openshift.io"] + resources: + - projects + verbs: + - get +- apiGroups: ["route.openshift.io"] + resources: + - routes + verbs: + - get +- apiGroups: ["iter8.tools"] + resources: + - experiments + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: + - create +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml new file mode 100644 index 0000000..5a00158 --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding-controlplane.yaml 
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+ namespace: {{ include "kiali-server.istio_namespace" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "kiali-server.fullname" . }}-controlplane
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml
new file mode 100644
index 0000000..1eaabd6
--- /dev/null
+++ b/charts/kubezero-istio/charts/kiali-server/templates/rolebinding.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ {{- if .Values.deployment.view_only_mode }}
+ name: {{ include "kiali-server.fullname" . }}-viewer
+ {{- else }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+...
diff --git a/charts/kubezero-istio/charts/kiali-server/templates/route.yaml b/charts/kubezero-istio/charts/kiali-server/templates/route.yaml
new file mode 100644
index 0000000..27940dc
--- /dev/null
+++ b/charts/kubezero-istio/charts/kiali-server/templates/route.yaml
@@ -0,0 +1,30 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }}
+{{- if .Values.deployment.ingress_enabled }}
+# As of OpenShift 4.5, need to use --disable-openapi-validation when installing via Helm
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+ {{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}
+ annotations:
+ {{- toYaml .Values.deployment.override_ingress_yaml.metadata.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if hasKey .Values.deployment.override_ingress_yaml "spec" }}
+ {{- toYaml .Values.deployment.override_ingress_yaml.spec | nindent 2 }}
+ {{- else }}
+ tls:
+ termination: reencrypt
+ insecureEdgeTerminationPolicy: Redirect
+ to:
+ kind: Service
+ targetPort: {{ .Values.server.port }}
+ name: {{ include "kiali-server.fullname" . }}
+ {{- end }}
+...
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio/charts/kiali-server/templates/service.yaml b/charts/kubezero-istio/charts/kiali-server/templates/service.yaml
new file mode 100644
index 0000000..e7618d6
--- /dev/null
+++ b/charts/kubezero-istio/charts/kiali-server/templates/service.yaml
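Review bot: The line `{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}}` has three closing braces; the template action ends at the first `}}` and the third `}` is emitted as literal text, so whenever `override_ingress_yaml.metadata.annotations` is set on OpenShift the rendered Route contains a stray `}` under `labels:` and is not valid YAML. Change it to `{{- if hasKey .Values.deployment.override_ingress_yaml.metadata "annotations" }}`. The Ingress variant earlier in this patch spells the same condition correctly, so the two templates should agree.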
@@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kiali-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kiali-server.labels" . | nindent 4 }} + annotations: + {{- if .Capabilities.APIVersions.Has "route.openshift.io/v1" }} + service.beta.openshift.io/serving-cert-secret-name: {{ include "kiali-server.fullname" . }}-cert-secret + {{- end }} + {{- if and (not (empty .Values.server.web_fqdn)) (not (empty .Values.server.web_schema)) }} + {{- if empty .Values.server.web_port }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}{{ default "" .Values.server.web_root }} + {{- else }} + kiali.io/external-url: {{ .Values.server.web_schema }}://{{ .Values.server.web_fqdn }}:{{ .Values.server.web_port }}{{(default "" .Values.server.web_root) }} + {{- end }} + {{- end }} + {{- if .Values.deployment.service_annotations }} + {{- toYaml .Values.deployment.service_annotations | nindent 4 }} + {{- end }} +spec: + {{- if .Values.deployment.service_type }} + type: {{ .Values.deployment.service_type }} + {{- end }} + ports: + {{- if (include "kiali-server.identity.cert_file" .) }} + - name: tcp + {{- else }} + - name: http + {{- end }} + protocol: TCP + port: {{ .Values.server.port }} + {{- if .Values.server.metrics_enabled }} + - name: http-metrics + protocol: TCP + port: {{ .Values.server.metrics_port }} + {{- end }} + selector: + {{- include "kiali-server.selectorLabels" . | nindent 4 }} + {{- if .Values.deployment.additional_service_yaml }} + {{- toYaml .Values.deployment.additional_service_yaml | nindent 2 }} + {{- end }} +... diff --git a/charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml new file mode 100644 index 0000000..9151b6f --- /dev/null +++ b/charts/kubezero-istio/charts/kiali-server/templates/serviceaccount.yaml 
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "kiali-server.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kiali-server.labels" . | nindent 4 }}
+...
diff --git a/charts/kubezero-istio/charts/kiali-server/values.yaml b/charts/kubezero-istio/charts/kiali-server/values.yaml
new file mode 100644
index 0000000..4c299a3
--- /dev/null
+++ b/charts/kubezero-istio/charts/kiali-server/values.yaml
@@ -0,0 +1,82 @@ +# 'fullnameOverride' is deprecated. Use 'deployment.instance_name' instead. +# This is only supported for backward compatibility and will be removed in a future version. +# If 'fullnameOverride' is not "kiali" and 'deployment.instance_name' is "kiali", +# then 'deployment.instance_name' will take the value of 'fullnameOverride' value. +# Otherwise, 'fullnameOverride' is ignored and 'deployment.instance_name' is used. +fullnameOverride: "kiali" + +# This is required for "openshift" auth strategy. +# You have to know ahead of time what your Route URL will be because +# right now the helm chart can't figure this out at runtime (it would +# need to wait for the Kiali Route to be deployed and for OpenShift +# to start it up). If someone knows how to update this helm chart to +# do this, a PR would be welcome. +kiali_route_url: "" + +# +# Settings that mimic the Kiali CR which are placed in the ConfigMap. +# Note that only those values used by the Helm Chart will be here. +# + +istio_namespace: "" # default is where Kiali is installed + +auth: + openid: {} + openshift: {} + strategy: "" + +deployment: + # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything. 
+ # For more control over what the Kial Service Account can see, use the Kiali Operator + accessible_namespaces: + - "**" + additional_service_yaml: {} + affinity: + node: {} + pod: {} + pod_anti: {} + hpa: + api_version: "autoscaling/v2beta2" + spec: {} + image_name: quay.io/kiali/kiali + image_pull_policy: "Always" + image_pull_secrets: [] + image_version: v1.38.1 + ingress_enabled: true + instance_name: "kiali" + logger: + log_format: "text" + log_level: "info" + time_field_format: "2006-01-02T15:04:05Z07:00" + sampler_rate: "1" + node_selector: {} + override_ingress_yaml: + metadata: {} + pod_annotations: {} + pod_labels: {} + priority_class_name: "" + replicas: 1 + resources: {} + secret_name: "kiali" + service_annotations: {} + service_type: "" + tolerations: [] + version_label: v1.38.1 + view_only_mode: false + +external_services: + custom_dashboards: + enabled: true + +identity: {} + #cert_file: + #private_key_file: + +login_token: + signing_key: "" + +server: + port: 20001 + metrics_enabled: true + metrics_port: 9090 + web_root: "" diff --git a/charts/kubezero-istio/dashboards.yaml b/charts/kubezero-istio/dashboards.yaml index e8c9234..4c0a715 100644 --- a/charts/kubezero-istio/dashboards.yaml +++ b/charts/kubezero-istio/dashboards.yaml 
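Review bot: `deployment.view_only_mode: false` is the default here, and rolebinding.yaml in this patch binds the non-viewer ClusterRole in that case, whose rules include `create`/`delete`/`patch` on every `networking.istio.io` and `security.istio.io` resource cluster-wide plus `patch` on deployments, jobs and services; a compromised Kiali pod, or anyone the UI admits, can therefore rewrite mesh-wide AuthorizationPolicy and PeerAuthentication objects. The comment above `accessible_namespaces` already concedes the service account sees everything, but it does not say that the grant is also write access. Unless editing mesh config from the UI is a requirement, ship `view_only_mode: true` here or in the parent chart's values, and extend the comment to `# accessible_namespaces does not constrain RBAC; with view_only_mode=false the SA can also create/delete/patch Istio config cluster-wide`. `auth.strategy: ""` and `login_token.signing_key: ""` are resolved inside Kiali and I cannot tell their effective defaults from the chart, so a comment stating what an empty value means for each would help whoever exposes the UI.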
@@ -4,18 +4,18 @@ folder: Istio condition: 'index .Values "istio-discovery" "telemetry" "enabled"' dashboards: - name: istio-control-plane - url: https://grafana.com/api/dashboards/7645/revisions/60/download + url: https://grafana.com/api/dashboards/7645/revisions/82/download tags: - Istio - name: istio-mesh - url: https://grafana.com/api/dashboards/7639/revisions/60/download + url: https://grafana.com/api/dashboards/7639/revisions/82/download tags: - Istio - name: istio-service - url: https://grafana.com/api/dashboards/7636/revisions/60/download + url: https://grafana.com/api/dashboards/7636/revisions/82/download tags: - Istio - name: istio-workload - url: https://grafana.com/api/dashboards/7630/revisions/60/download + url: https://grafana.com/api/dashboards/7630/revisions/82/download tags: - Istio diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index e0e0de3..5bcc608 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml 
@@ -11,11 +11,11 @@ metadata: k8s-sidecar-target-directory: Istio binaryData: istio-control-plane.json.gz: - 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 + H4sIAAAAAAAC/+1dW1PcOBZ+z69Q+WELtoDq5pZkquaBAMlQS2YoSDJbuZRLbYtuLW7LkWToHpb97Xsk2e17X91gGL8kbclI56ZzPh1dfP8KIcu2qR+EUli/oG/wjNC9/hdqfDwkUGqdXNkXl398PP302+nnK2srrvZwj3iq/oKzIZEDEoqk0iXC4TSQlPnqlaRCjgPdqIslFizkDknqAi/sU//MVfVBSaOm/veIrFS3+oUH+PfHlmGJk58h5aSEqbj/PsfX2MdJ49QtLY6F8CFfcUu4iLg73Nnf2YuI2CrvLsA+CKvYWTAo7SpdnOpoeh9lIqWVwvSLYizr8mCns9NZgjeJex4p9vYpW1zkbaJE7PtMYmVASoumU8ujQk50mpACNb2QevJMtdTdSkpTIilnFd4hvqbpFyR5SFLlA+qWlFKH+cfMY1w1yPs9vNHZQrvdLvxzcLCFupvppmOujxJe0D/QkUe4zJCQaFAMegxz14rqHvT/P15Fws8PqzMBv9Ax8yVnHrrwQBHoJG4DRcJF3Z1uF3SoGyAulRG719gTmjOr7xOpR93rw/0DU6JM8BNjnqRBLFIQvn+jR5RRkFZ7yQhzmOfhQBA33Yeu6XPqXrBEnUbMOZXdwfPufqpgBAWd1PNYPcfyyVrdYSfxFRPqfiS+h0rPeDQSeGxMXPTFiEgU/RNnd+VWjz2KhbYAzUhCQQ/rkizLSqPnxO9LzWYnU07KXp9hr9Y19by0xKqFerCoULvlQj04TFw+6RPfzXaFb/t5NpQRhJwTX5bUDPGorJT6JaViwO6KQ1DCWPJK3r7FXpjItMAMmK+uTbemC++oKzNWmLN0M5RDz7tg1JcfmXYLuiAVmgjozJe4Two6DdRfcezSUKS1YsqLJgBicwkn2r9ce0wmfQjCKRF/wLAGlZMcfSLADimzNCGxc1PoRUgSBMQ9B/YLdRLzPkkBgqynVU5kFGjyRDjcoMoF2cr7uvcOGwbMBzH8+t0KKND+3XrYRL0x2gDBpB2jsmPGh1jqSEGHxDa8ZV8B8RAOSn2PHan9bTdTbYzx/aSd+3sE3aCHh2wrnFwbRHFkTYofol8p1zAAtDBgnltwGUPyHoYhlCqFZ8ovST+KTrk/uBrQa1n8i8j5XCjJlHmeibu9T48AzLUnzY0BwbjMDWFt/nbsv6jv0lvqhjBSCiMhhYHSQGOERzTnR3qhc2NMIc2LGq/RKFDslkS83Nvl43gyXr/9KJA4xiMyxQIT64GmucxqPAamWSJUBeu/w4IULMm4pMLrxicVilPMJAa11Vg6086wzPLHRa1DiOuXuWNdfk5uJ1RnUEo+UD4GDjiswAG78+GAS2KCLfoslOd+gSDgdU6ihzME+roCA7QQoIUAZRAAZpYOEcK+pVxCrLGHZMj42O6NJRH3OAgACWiE4AIUWAIAAOVlFlQGDnangoMvhj70UdNXgRDOsuVKQKrhmV4+LwyAEqAdX9YtjYU4voyImM7ybyuy3GeKSVCTFPaA4MAWY1ETv6Xz78XloKhCQNUcqHBRXrHnMaeB3Gq6Kvg9WY7fOlldkKWjKdy8r9t8qR8KUq9KV/ZdvymdUn8bKKsQw2mNYtDBolY5LMjulSJgOr8fVuTXYRCnIe7x2EPfMX5D/T6QLyOmJ6/8+r/vlkuFwyDojr9bWyhgrioz8tje+ed/9a9tPeGFx6e0lJOYTrQxoX+zQobvHlmGkZQ4G61LigvmC65A6A7mc4jquCGZg1wkbzMGS2UMtG22GYMGZgxezKz6cL5ZdZtYb2fV1Yl1jiVJYpPtBKEdqjQVxD4odYWt1ZUKsgvjlG/d4Y/Ntef
lFwElC8zGjHziKbeSTlYuOdSqeW0CMIsorsYaq8GyZU1nYXi2pPHUJdH50dtMoPuUkO744nOL59oVoEeks4VzC8O57u58eO51i+daPDc9V3Itokicz5CsP8m0LGRZe/5oikyamjRq+BYT0N1NCyvWliayrCcGFWCDdIg9UdZOwoHPfLIoA530los2gfRkiOPNfIhj/6kRR764hRwNgRx9ZvcZZ6FUkn3sJbzfw2GPcMSu0YcJDZUhs8Gz8xLq22ha9yT9yaPp33iK/hh7NLv7FXsK38y3SdPsl74IxQCd+UZX6vhLfZs1M0GndlCQO7JzBQoXCN5BKkmrXKSevaAg1O0vgSXe5BTyZpY+Dqo2ze6+rPxFVlOroQmEBfqLcJZCFRUxvfloI2PvNa9XaWO2R66wjUHfq9EJ0MNxxaMtOB17IXDF59jMsbUqW+QR2Tr13chQVt7ZN5sx7xEZOwdcSnzCa9iiOZsx/oiMXQJ4rAS+p3VyJSq5ikkuAVr51BZxOKm0rnd1kuvXQK46Bq6PsorKvaFNOu91kYvv06cRhfj4ouYRaXWZGD8pWWGKwYK17uqyOla7qev55eRy8PsYBzKEoY8wusXg4OU4geCAphhfCwR/My8Er3cFUe21OB0Gclx+ucFXhWcLNe2y44vaRpaEYIDgNif/IY7MpwM3EeNoA/cESGjOP9jO3nRR996fGbhKE0VcdHxypW6/uKZ9UQ/aT5gni0qLNF5apzOldbKstPii0uKNl9blTGkdLSstb1FpeY2X1vlMaS04gcjNH+44lYB2gR+YU5Xu7Vz7bO5PRQL6ZEiYZ9KxGJc6ampeNV0+PBhAUhO3dan8LKIOnWbhUv5c6epyMBbfNP6NlSNj+ep6pUugvZ45fsmc2Va7YchINtMWdFL+2FA43R7+9dxHv2Z1xuD/0KiMQ04f7cJlu7u43V28/mU9Hb+QsltEJZL4hkA50+t7CCPHRI8wcNXqH5RjpHc3riPr0D2ce+Vvv925XF8KYfcFpRAGEGYZ+PGh/TPEvqQe2ejsHGyhXJDWNqywClAO9uOYYG0b924CtL4HziPrj9TBQQetPmMrZfxtsxl/21l97lXOd9MZf7t6+qeC8cZzvvN2jmTOk6JRJS80wc8tIF0RkLZgtAWjS288z2PGzNG2st1iu3sVO88P2qWqOnFmyQazv+V9gjrEqlmSRx1pU7/HQt+1vWiL0CPeyTUrC6oJQ7P2Li2AvHKss1BmebcHUga2OpJnR+PIlk7QGIn8EdGbiARtKIqRohhFFCOguIa7H2aKCrp5XpIC+uYW1PE6BaVU9rwkpSjebDgGPo400KZj23Rsu8+r4RC4cN1DJQZuL3xod16Vxl1QfZQtUhdjqxh5S53iOcy154fia6+vIgJWh14JZ0/G1Axm3i25Lae4tUZl8QLmrv/ACvP9aItWfMYD3d9Dz5XfMjltCK45OrlCH5lPgUvq91tw04Kb9pjsksdk9yo+v3W4P98x2VP/lo3XdEL2KdbSXSIx9QTCMAOUyHCnll7A2SLq66X2Ibi5xzgxu7dbgf86Lf5r8d/0I3BEGa7tmCOpdhgIyQke2s4ovoMzqlHBBtAH4JDtPg+cp9/b92+zo9c3uxxFnadpq2XimA7taxj6z0U06D0Qq84U1XR81XdAGiKWkkLZKvcLGBW6AAOUNgmYM3isM8fK7V6ajucB3E8JRg2xJyZutFh0NSy65tOUNSHRJ6KyTbLVfSKyEmJ1W4jVQqyqWFkNJCC80VsyBUJsrvsONAUSjjQVc8GoBt+CNoOTNsC2yZ52L9f6DxYI+pe+L0wNR05+ggVKgbDvwoMIYECu5/awwiGCyki9u7YNYWV10Y6wNsC/2AAPqtyYkS7gI3Nn+HPIpVxGoxS9UxSjj2CoKx/Cz57JeLnCOgKrTH+ge+kFvzlsSq5ZTEtJQ3v7mZZztITlzGE4jZfIdPNoytcbU3QLdAXBvEXQqyHod22KqoEpquq10gz
2zYyR+lZR9ztVR1wP51tG/ZP0BozdiEaunmaEVsD4quCDgoIGUXfWcBpkv7hIDWHfJf6V8et56iPZv22nBvNNDWbMA1ggo8iTEp+ykPPJlKLQ+9/y2PLkyGYfex4Z26Ah6updEXaABTin1e4e/TJpTqCNq9CZ9kHHoyVuPilSrRZE66MabURrlpsNX9Izl+2E3FCdMNBCpzb52CYf68MSuaSj9aggo7DffjmUsdepHWW0SKJFEnFMFubLfzb1o4vfbGECv0mLrBaaz+JG14MnirRfm/hfN+3PBFbEH4+ekN7iiRZPvAw88SpqVg06NZ4U13sdk86whDMgQ/yFcGECvfnMIDjKsRkXLubmu6HgH/uJ4q0zdSbGmjQtyTDwAIf7/QnJljpRnLKU+7IQm1GKIJ4+81KwSN3BSKvLJdc49HIK0wabri3Tf7wakR6a1He80CVHXlnkLTcDawgd0JLXoxGWhlSp2iS6Jm4JqaS7+pyuOpZdXPeNq7/E3KVrEl12M6V9Msq/Km5o8Jl7V2PfKfs8Y+RzUmRnzEe5gAejY6oZjLR7bfyv5bO77W7srMBXRmVW5s8CCu6KJ38cUW/HISXtUayDVKat20k97KUfusPk90Hqdzf9sNdJ16Rc6m7qd9c1HP+IeVCrEil9zewl3fBhuuF0L7v76Qc3+f3aTdMb05IR319M4xWrx9mdiD5jlIQuPRT1nauceejCwz5BJwD3ewxz07YVajxs7W1vfzz/8vVrNKJvk1HfffXwf2l43t/7owAA istio-mesh.json.gz: - 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 + 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 istio-service.json.gz: - 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 + 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 istio-workload.json.gz: - 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 + 
H4sIAAAAAAAC/+1dbXPbNhL+7l8B83o3cs5xRL3YVifNTGwnbebS2Gc56UzrnIYmIYlnimT44tjx+H77AeA7CcqiXkhK2g91IwIEQWB38Ty7S+BxByFhMFB103Vs4Wf0F/mN0CP7S0p0aYLJVeGsP7i4PP/93dVv7z73hf2gWJNusEbLLyxjgp0xdu2oUMG2bKmmoxo6rRIVOA8ma1SRHMk2XEvGUZmpuSNV/6DQcpPTqFf+ye9W7LGswhP5+3XfeyULf3NVC3NeKnj+yJKGki5FjasK93IwCL+mC+6wZftvd3jQOWj7ndjnP86UdDJY2YeZY+6j4pdjD5r+DN6QqrmDqWeHkffI7kHzoDnHuznSjYazT7tKXs6+WziJkq4bjkQFiM6i91BBU20nnNOoK6TkxlU15wNtSdyPrsaGhP+qpA7WWZ9+Ro7l4tj1sapwrqqyoZ8ammHRBq3RjdRo7qOWKJI/3e4+EvfiTQdv/TZ6F/QP9FbDlpPoQjSD9vjGkCxF8Mue2P+/7viDn1arDzb5F/rDsG41Q1LQWXA78scViQeiSKaP3YsV1fHfdChpNnspYaRjhync0WG76V2h0ndlGJqjmuS6d1F1sCX5TxW7bbHd6XYOxc5hl5Vqqn7LVM2bOSYPHNWTDU2TTBsrqVElj1SVCyOaZm/4U1P5nfxudWIX7oPe+b8f6O9g3JLS2OtGNiTZuaQUsU7qDtapkAmvFfUOyZpk279cR1PzcowlBVvIwffOS5lUxda18OZaf22Tpt/8cX75r4/nb89+Rj9996fl4CcqBqRUxq9fsUqk8ivS9puYCJAnD1WsKaeGPlRHiZHw7elQcjXHzpTQLru2Y0xoyVOi6Gk/2YZBpIKMtGcVv+7kVOTORjgj7VSb6VnhzUw4O2LuM9ksHfcS15JSFV6eGEwthbEz0ZIDaJhJa1H9nKa7m/v+3sr2JbKGRweB3kZGQnWY8gqpy5akkx5Y3gsmrVXMtNBXi54fe3pS+iV5jK/UCTZc2pruatp+UjuI5TuR5NuRZbi6EjclyTpfJM3F+cVJBWTXmS1tdYgN7Xa8/5oHvb30cHq12kfE0rZ6+6jTpNWOc+p1Sal41CLVuqy1o734DCTFaoaVokY6OjSsicQE2jBTXRxJ7ghnOzeR7oM5EZtp5ZwQ2fML00X22PjOm0cqWmOCsMaGpnykSNB+rtbvknWL2cxTIZ3P/HQ45ud4RuvTmW59xFbyGjUCd5LG04IcyzTF/hCR/903BHdsoFP9Y4tuUIPospSu8F8iP+rwIaziOka6imGpxAYEq7QwJr9/EMMnaRndwIor4/Oc3jIroMlZDfVBv+18MpxPZEiEVOnX/XQ7TFvsjMnykB8dhlBmpuoENV2JF8+dyIlkmqo+uvJsnphXln23zBAEyI11EzkGWxpy3iK1smVeILdxYrlHMzTeSjaea8KIip8RK3ZhENm1s3ouUDlmhcFgknVRx7JDAFmm3hXtEUf0TcN2hup9dhnyC94TieurP1jz3ebfU3UszL+XXZ96Kxuq3wl6fH7qhhYztOw1soPqeC8mfHr1llNohDfOOOZ05b0l9oBjcYeqpiWZQpuwBFE8Jn8I1CELknicWbeG9NnZZdwzOjjenNdaiy5xvXamHd9sT7W0jA2QJt2JzoEVkjXCzgzDje9Nr0sUEDRsd9JQCVXADZVyE0bEse3YA4cQIO3RwqZhEcP6y/+uhZ++kV/Xwj5Z7BxVZ3ZrEOCrQQivWM3wV051Vin4cS08/dWdfN3bo0PcbIp72XmOlk+HYJ2BjYnptLPVgjXgvSQ7bNzFTBUiuZ6/giNNtoPN1LozTZTChdLmzEaA/T7oskFW6xG69AYWfaHzhwUu5rNJRY1UkpLGxTMscXU7TqsbqzGbuhn0HYVfCmpaYNsKKRu7KXD/yK7FMG/tMS0HhS4CarMQeUFMq2BZnUgMv2XGpn5418QWJWiurjpLxb3HZQDfNNZZAfI9ngP5dgD5
AvIF5AvIF5DvPMi3Fph3nyw2JrFqeCATGd8lhd2DFyEURq9QnZB5SYh8LuDdI/Cq16P/HXSfA+F9V5axbaNLMqyooRv6y+79PQpmwt7bQlgu3Y2eh+SSpkr2aQCaH5PKeSNZXEjF3PUfsT5yWGiomSnDebetlWdXZWZQzFz81ZIU1XPyN5cPG8XDQrhxrCoK1vuelvIG3QvoHCXBIx5hxq9S/STSMNLf2lfp4GS8yt0opySggfxSGsN9NzGdhynlf2LLyCkmuCKvRNVzSix1NCYazIkdp5enNNijdjin0VzM+JSG59jmRYFowXdVccYZ0cpB9BnElMEUAROTRnxOPEtIy6RPoHLt0i50s2V84SITrmALs8V3qBkpM+qtHecJdUsjFxnnGRJiluVb7lOpO8fEykcP8mTLC+OGxpisxAYhQJPBN1fSHVXDjeYBdRfkrNUDxfWi8IMJMQiqjQmMVezBjSvfYmfmFTwNHFCxZf7pL5EhipsH1NAwgxYEbjf3kGGh+V+oHu+yMC7hM74ZUItnG9+HT7voNoXZoc3+IgLX2zSB622BwPnJSZy1Yk55602Tt5Olyltv0+StB/JWXN56U+TtdC7qllrm6fu89zwiGWcOLbvEI98NyLmxP1aHDv9OnwQGAZgzf4ZTXC9MoHtM4z/JymTABWVEJDjJCwz8DQL2qOqKeqcqrjQlnSiW5BrLJPXAvnSvcriCJ5a8GEAsh4kOTNrd4nv0OHflI90QzU7hQQ/S/Szeykh8OUIbZChnO0cLjdGJZGOutHq4n3ubB/y5RXzP0/PmMvYOYyoBNXkPjns6Vw8f+FLFmF0epaNlH/Fd+GY7vAfVMKj3t1avJ3cO5w3i/U3pdKS2tHmZaCdbn4mWTCGbkop2/EwiLATkICAHATkIyEFAbikBOUc2CbHRncHNg4OnBbwKsit+/UzIy6Ng/0S8bllYxuodVqrsWm1IobD0YF5OAO/q9AL1Se+wha4saThUZYjUAc4GnL3OODtzcRag3QWgDUAbgDYAbQDa5QJtb+GdCcimqq4IXi+7Q9sJqk81uh4BqE7e8zXa/SQYrF+xjq3YMh2OjkV0mLvbRgm7J4g5uye0y9o94cOnk/PPn85Q8MV9f9s3TGhPx6+dbj13TCg0j2u3SQJkrz6XvdpcUvbq4SJBFvFwwfTVVne29NUl5KZysN88uafrnFyKJBv9oKm4kGS6zCTTmT7L9kmhn6fkWqrzMDANTZUfiM2fuI4raQNHs1fkht5HsyByVmZb8nftebhOqul29PELzX5K3TClhX2U+JSmlM/I06D98THdP/T0dJC9GvWalCNimh6TnadXG9euctxWyF9FbE6uPvb3hHk+Y2/NlQK4oPjtgvwtLn/LZpRLFM6pOaczSmIdkwPT2zTY6OQB9dnwoLe6Qi5744BO6QpYMHOQu/JvXepg1o/nSCnOvsTswvQ2WyvOyxM42diQXlheeiFQvLI+UDxcKL63OMc7rJLjreDzQ/i+EKjf/PsSoIqZIH8Tg+qw+JwbJ1Q9jNWN15qTlEq58nIFbRcUdo3GETR2Po3deAfCc1vMRI4F+ACx2g8Q83YmXAbHFgi0FQVwFoCzYNY9PfnH72ybJ2HWveFbrUX9CLXa6qgcV0N8pyNwRYArotqtjhbl3AvutLEcBC/OFS8sdRumLR/nGtGlVE8ZWcrt/dMTuug2q3VwlLD/FFiBcvbGAiuwtlagV9AKnJRjBbpgBcqzAl2wAttuBbrFrMBpOVagB1agPCvQAyuw7VagV8wKnJViBcryC+yCGSjHMbALdqDunoEpSv9uo9wAoPQl+QFA6WvvCJii9O83ivWD0pdE+0Hpa8/7pyj9rxtF8kHpS2L5oPS1p/lTlP63TfrQMjyOAfIit/JgBsiFhFxIG9IdY+mOxytJdzyueboj5DNCPuMK8xkLO9K9/SchiAZpdctPqyvs4AVh3FhhrD69q7DnEaQRsoxWlWVU2CMGwrjJprHi
bJdSUSM4ZSHnoiKMCKIHkf+KACGIHsSfK4J/IHoQBa1LFJQeoQIR0LpEQBUsM8MCgVAIhEIgtKpAqHi4ikjoIURCIRIKkdBZfFr+TpHgYoVQaA1CoSCNEAutUSwUxBGCofUJhoI0QjS0RtHQJYgjeGchHFoVTgTZg3hoVaAQZA8ColVBQJA9iIhWFBEND9iESChEQiESCpFQOEszFgrlHoFxvGAk9Li50qM04TBMiFMuEKfkH0TvyCaBujJW77DiQ90NP9VxHqC7CUfQV32442rlbxcEcLoAliRjm3oc4QkVTXTpSyoakiehMOn06vQCnYaiCRSrWop1YgK7Wi67yr4HkCsgV7nkKnNxOeyqBewK2NX6sSubjGsC2RYgUVwQDMAWyNNc4rUL8gXEqRri1CdSihwDKBNQJqBMpVGmndTj4t/L3tAVBf3hW6Jo+kP5t8h77MRmIOieIBuaJpl2RhG57EFIoVTGGlqd2IVUOMYjCzupyfcoQC9sSDAlHWtJGU/QQrIKOh7YF14TnUeyJtk2Wf8oubsxJEt5OcYSAZ7IwffOS4p9sXUtvLnWXxN7rL85/3x1cv750xnqv7v88uH0Xf/1K3adlL8izb2pJ+GbSt/aHPoWn4ipsTGxk/tQ7yPA3ixEJLCFY2eS4h+G6fiLTKrnZc5juoe5rzwLHQpVLXXZknTSA5+IZrhdoHz0bQTwfSzs+2jWIbAsHi3o+jhabWB5Bd/PrrNnBEk2+oEtAzwkJXhI/H1nAvIa55KmpeqyakoaZYG2qQ6H+ODF83Tx2czIOC0NCTB5AquaJrRkeO9Uv2WF9PNOpky0GzJRTl3aqp87KhOxqoqBcnpGWCgiVuMx2UFUT+fGLJKxu+WSsYKsgiJis6k+i3PXGRmx3YRsmj97Fg0MekuoU5hge0rXjoIODO6auXUejLSEeNggcXWJTg4DnByQdQvkqG6B4cXZkVglO6LFf1K2AGFlCCsvnTQ9A4q5ILVAfHl5eDkBDSks73qIfEHETE93XJsxWPhl14AHVEoUlysJu6AOqx2ELdCHjWfAfVeWsW2jSyJwqKEb+svu/X3oCLD3UswYAvnVBvJ9wOXq6vJJokCwmSgA2wW2OxvbJRZTtlQW2M3GQbd8K17u96ftRYlwq+Y78a6AK8NGvcClZ+TSjcKnTyn+UeqDCTEIKkHOhq5kt4JZDu98LmN21gxcPs4Wp4el6DYuhFqIzWZzDxkWmn+kNnyQ1oChV74FcaPwUVugZ4VHCvSscj2rem/lRuFzxUDPCo8U6Fn1elbxrtGNwoeogZ4VHinQs+r1rOLtsKvlZ7tA0DZilNaDoZW403e1dGwX+BioVWmErMRNzKtlX7tAv0CtSuNfJe7PXi3Z2gW2BWpVGt3a1K3n05/PoDNf7iBZqFbJQvA5DCQIwecwleUAHa8kB6gNp3FDkg+cxj2zY5R/vBOEHbYmXaWwzw8kZssTLwq7s0BitjyFoLCnBiRmy4PhpeIYcOitXVS3VNQC8rF24clSMQrIx9rF2UpFJCAfEDAqFDAKziyGYBEcXAwxI4gZQcwo2EHtcCVBow4EjSBoBEGjGZwt/rZO4J+DqNGs/hcQGQgbFXTJgMhA3KiglwZEphYis1aRoyXIDLj2Njl0BAICsaNVAxUQkE0OHoGAQPRoxdGj8CAeiBpB1AiiRhA1goN30mEj7nbDvUWjRocrPXcHTs6BmM4CMR3+oZKObBJQKmP1Dis+KPWOzSjgFePC11JPzZgKSWt23mgNTxadQwh2QQrgmJQs9TihwoP6xFAjQ0dhGtvV6QU6DWUJOEi1HOQEzv1cMv3IvgewD2AfxY79XJx+HAP9APqxfvTDJuOaQJ1rdYAlUI/9qgVgFyQAaAehHZc+hUVD8iQgH0A+gHyURj52Uo9LfMt2Q00/6ntmKJr+UP4t8h47QTOsCWqXqDWhpe2md4tgy2M8kSKQ1Tr0LjsP3pMUybr1ahKcFgml8IGuNELYtIMn
pkYsox6RDwIMbScmxdH4xEDxYxJ3acSecC0EecC9H+tjTCap2Eyp4qU8AhfEwWMmhhgUWXMV/FbjwOYcySOrIrFunOq+NYjTtVipwY6oTBtj4ZuLrQd2piqP1nnFX4K3i5dEcykmro7wfbqqfauany2t/6DLnG4H8hLr9k5q7GIzJ2la0J3UsMTmND7oM5BXOmuqrnKO8Jx7yoRPARwRCsyczrvpuYlj/6A5KKRxD4lxDszOQpksjGK77UYN8EDcTM3sFRCTVwcvYjjuWmj89Z9r4euLvYMXr2aXoOzSTW0FExP738EwCcnSzHjSa/zKvnx6Ax4rcG185TUUp7TrLLR/+JNZRGa/c+4pJLK5Mvs4Xc7SqP8pXzhTkp16zMy8wn9Cqv4ea70xXXFW9i7chy38RgVVOORZiymwuN4KXBxJ5CRwxdBEVIOLKCqyE5c+lefZieTrhmbiG6H/RUwEe9bAIyuNwHWwtxIA4ktfC5aP2cQiNcOhVHzQPUoQrCJoKgbKkRPbknV76fAncj5RA0hlMe0FipmwXE/RvPa0EMSqTVcLrgHLQnGghktWw2LK911bW+V7zkPMTEsu5qmPZi72HtVAtzZo7WJaG8vmD3xqBRTXi1usUHOnpH/N/13KU36ApYg2lt23ghrGizUtpmydeigb+z8NIjx5HliVyaLvex16cSFBN76/FIMwiOAY/jUhcZupyrcsFu7f7A/qIIiSxWMRQncS+ZrF+I92M14ShV6EVuzfouIxqa9Bj2iULqYszz4l3vBhvOH4U1qd+I9oCRaOlHh/g74kBuOHoUfO1sjjzvzdEbY+k+zxjSFZXnuCy5JFhM83dv/PqzPV95jfhV51cefp//LI6F4GjgEA {{- end }} diff --git a/charts/kubezero-istio/templates/kiali/istio-service.yaml b/charts/kubezero-istio/templates/kiali/istio-service.yaml new file mode 100644 index 0000000..ed5ab2d --- /dev/null +++ b/charts/kubezero-istio/templates/kiali/istio-service.yaml @@ -0,0 +1,18 @@ +{{- if (index .Values "kiali-server" "istio" "enabled") }} +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-kiali + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + hosts: + - {{ index .Values "kiali-server" "istio" "url" }} + gateways: + - {{ index .Values "kiali-server" "istio" "gateway" }} + http: + - route: + - destination: + host: kiali +{{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml b/charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml new file mode 100644 index 0000000..0791707 --- /dev/null +++ b/charts/kubezero-istio/templates/ratelimit/config-statds-exporter.yaml 
@@ -0,0 +1,106 @@ +{{- if .Values.rateLimiting.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ratelimit-statsd-exporter-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +data: + config.yaml: | + defaults: + ttl: 1m # Resets the metrics every minute + mappings: + - match: + "ratelimit.service.rate_limit.*.*.near_limit" + name: "ratelimit_service_rate_limit_near_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: + "ratelimit.service.rate_limit.*.*.over_limit" + name: "ratelimit_service_rate_limit_over_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: + "ratelimit.service.rate_limit.*.*.total_hits" + name: "ratelimit_service_rate_limit_total_hits" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: + "ratelimit.service.rate_limit.*.*.within_limit" + name: "ratelimit_service_rate_limit_within_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + - match: + "ratelimit.service.rate_limit.*.*.*.near_limit" + name: "ratelimit_service_rate_limit_near_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: + "ratelimit.service.rate_limit.*.*.*.over_limit" + name: "ratelimit_service_rate_limit_over_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: + "ratelimit.service.rate_limit.*.*.*.total_hits" + name: "ratelimit_service_rate_limit_total_hits" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: + "ratelimit.service.rate_limit.*.*.*.within_limit" + name: "ratelimit_service_rate_limit_within_limit" + timer_type: "histogram" + labels: + domain: "$1" + key1: "$2" + key2: "$3" + - match: + "ratelimit.service.call.should_rate_limit.*" + name: "ratelimit_service_should_rate_limit_error" + match_metric_type: counter + labels: + err_type: "$1" + - match: + 
"ratelimit_server.*.total_requests" + name: "ratelimit_service_total_requests" + match_metric_type: counter + labels: + grpc_method: "$1" + - match: + "ratelimit_server.*.response_time" + name: "ratelimit_service_response_time_seconds" + timer_type: histogram + labels: + grpc_method: "$1" + - match: + "ratelimit.service.config_load_success" + name: "ratelimit_service_config_load_success" + match_metric_type: counter + ttl: 3m + - match: + "ratelimit.service.config_load_error" + name: "ratelimit_service_config_load_error" + match_metric_type: counter + ttl: 3m + - match: "." + match_type: "regex" + action: "drop" + name: "dropped" +{{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/config.yaml b/charts/kubezero-istio/templates/ratelimit/config.yaml new file mode 100644 index 0000000..e8eff17 --- /dev/null +++ b/charts/kubezero-istio/templates/ratelimit/config.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rateLimiting.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ratelimit-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +data: + ingress.yaml: | + domain: ingress + descriptors: + {{- toYaml .Values.rateLimiting.descriptors.ingress | nindent 4 }} + + private-ingress.yaml: | + domain: private-ingress + descriptors: + {{- toYaml .Values.rateLimiting.descriptors.privateIngress | nindent 4 }} +{{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml b/charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml new file mode 100644 index 0000000..3f74dfc --- /dev/null +++ b/charts/kubezero-istio/templates/ratelimit/envoyfilter-cluster.yaml 
@@ -0,0 +1,116 @@ +{{- if .Values.rateLimiting.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: ingressgateway-ratelimit + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: HTTP_FILTER + match: + context: GATEWAY + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.ratelimit + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: ingress + failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }} + timeout: 0.5s + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate_limit_cluster + transport_api_version: V3 + - applyTo: CLUSTER + match: + cluster: + service: ratelimit.default.svc.cluster.local + patch: + operation: ADD + value: + name: rate_limit_cluster + type: STRICT_DNS + connect_timeout: 0.5s + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + load_assignment: + cluster_name: rate_limit_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit.istio-system + port_value: 8081 + +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: private-ingressgateway-ratelimit + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . 
| nindent 4 }} +spec: + workloadSelector: + labels: + istio: private-ingressgateway + configPatches: + - applyTo: HTTP_FILTER + match: + context: GATEWAY + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: envoy.filters.http.ratelimit + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + domain: private-ingress + failure_mode_deny: {{ .Values.rateLimiting.failureModeDeny }} + timeout: 0.5s + rate_limit_service: + grpc_service: + envoy_grpc: + cluster_name: rate_limit_cluster + transport_api_version: V3 + - applyTo: CLUSTER + match: + cluster: + service: ratelimit.default.svc.cluster.local + patch: + operation: ADD + value: + name: rate_limit_cluster + type: STRICT_DNS + connect_timeout: 0.5s + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + load_assignment: + cluster_name: rate_limit_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ratelimit.istio-system + port_value: 8081 +{{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml b/charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml new file mode 100644 index 0000000..1c3cc29 --- /dev/null +++ b/charts/kubezero-istio/templates/ratelimit/rate-limit-service.yaml 
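Review bot: The rate-limit cluster hard-codes `address: ratelimit.istio-system` (and the `match.cluster.service` says `ratelimit.default.svc.cluster.local`), but rate-limit-service.yaml in this same patch creates the `ratelimit` Service in `{{ .Release.Namespace }}`; if the release is installed anywhere else the gateway resolves nothing, and depending on `rateLimiting.failureModeDeny` that either silently disables limiting or denies all ingress traffic. Use `address: ratelimit.{{ .Release.Namespace }}.svc.cluster.local` (and the same FQDN in the cluster match) in both EnvoyFilters of this hunk, which currently duplicate the hard-coded values. The STRICT_DNS cluster also has no `transport_socket`, so the gateway speaks plaintext gRPC to port 8081 outside mesh mTLS; whether the ratelimit pod carries a sidecar is not visible here, but if it does not, anything that can reach port 8081 can answer rate-limit decisions on the gateway's behalf.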
@@ -0,0 +1,154 @@ +{{- if .Values.rateLimiting.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: ratelimit-redis + namespace: {{ .Release.Namespace }} + labels: + app: ratelimit-redis +spec: + ports: + - name: redis + port: 6379 + selector: + app: ratelimit-redis +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratelimit-redis + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: ratelimit-redis + template: + metadata: + labels: + app: ratelimit-redis + spec: + containers: + - image: redis:6-alpine + imagePullPolicy: IfNotPresent + name: redis + ports: + - name: redis + containerPort: 6379 + restartPolicy: Always + serviceAccountName: "" +--- +apiVersion: v1 +kind: Service +metadata: + name: ratelimit + namespace: {{ .Release.Namespace }} + labels: + app: ratelimit +spec: + ports: + #- name: http-port + # port: 8080 + # targetPort: 8080 + # protocol: TCP + - name: grpc-port + port: 8081 + targetPort: 8081 + protocol: TCP + #- name: http-debug + # port: 6070 + # targetPort: 6070 + # protocol: TCP + - name: http-monitoring + port: 9102 + targetPort: 9102 + protocol: TCP + selector: + app: ratelimit +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratelimit + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: ratelimit + strategy: + type: Recreate + template: + metadata: + labels: + app: ratelimit + spec: + containers: + - image: envoyproxy/ratelimit:b42701cb # 2021/08/12 + imagePullPolicy: IfNotPresent + name: ratelimit + command: ["/bin/ratelimit"] + env: + - name: LOG_LEVEL + value: {{ default "WARN" .Values.rateLimiting.log.level }} + - name: LOG_FORMAT + value: {{ default "text" .Values.rateLimiting.log.format }} + - name: REDIS_SOCKET_TYPE + value: tcp + - name: REDIS_URL + value: ratelimit-redis:6379 + - name: USE_STATSD + value: "true" + - name: STATSD_HOST + value: "localhost" + - name: STATSD_PORT + value: "9125" + - name: RUNTIME_ROOT + 
value: /data + - name: RUNTIME_SUBDIRECTORY + value: ratelimit + - name: RUNTIME_WATCH_ROOT + value: "false" + - name: RUNTIME_IGNOREDOTFILES + value: "true" + - name: LOCAL_CACHE_SIZE_IN_BYTES + value: "{{ default 0 .Values.rateLimiting.localCacheSize | int }}" + ports: + #- containerPort: 8080 + - containerPort: 8081 + #- containerPort: 6070 + volumeMounts: + - name: ratelimit-config + mountPath: /data/ratelimit/config + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 1 + memory: 256Mi + - name: statsd-exporter + image: docker.io/prom/statsd-exporter:v0.21.0 + imagePullPolicy: Always + args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"] + ports: + - containerPort: 9125 + # - containerPort: 9102 + resources: + requests: + cpu: 50m + memory: 32Mi + limits: + cpu: 200m + memory: 64Mi + volumeMounts: + - name: statsd-exporter-config + mountPath: /etc/statsd-exporter + volumes: + - name: ratelimit-config + configMap: + name: ratelimit-config + - name: statsd-exporter-config + configMap: + name: ratelimit-statsd-exporter-config +{{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml b/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml new file mode 100644 index 0000000..d38922b --- /dev/null +++ b/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml @@ -0,0 +1,17 @@ +{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: istio-rate-limiting + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + jobLabel: istio + targetLabels: [app] + selector: + matchExpressions: + - {key: app, operator: In, values: [ratelimit]} + endpoints: + - port: http-monitoring +{{- end }} diff --git a/charts/kubezero-istio/templates/servicemonitor.yaml b/charts/kubezero-istio/templates/servicemonitor.yaml index b168a1d..54a7ac2 100644 
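Review bot: The `ratelimit-redis` Deployment runs Redis with no authentication and the chart adds no NetworkPolicy, so any pod that can reach `ratelimit-redis:6379` can read or reset the counters — lifting the limit for itself or exhausting it for everyone else — and the ratelimit container's `REDIS_URL: ratelimit-redis:6379` connects without `REDIS_AUTH` either. Neither pod sets a securityContext, and `serviceAccountName: ""` on the redis pod still mounts the default ServiceAccount token because `automountServiceAccountToken` is not disabled. I would at least add the securityContext and `automountServiceAccountToken: false` shown below, restrict 6379 to the ratelimit pods and 8081 to the gateways with a NetworkPolicy, and put a `--requirepass`/`REDIS_AUTH` secret on the list. `envoyproxy/ratelimit:b42701cb` is a mutable git-sha tag rather than a digest, and the statsd-exporter uses `imagePullPolicy: Always` while its sibling uses `IfNotPresent`; pinning both by `@sha256:` digest makes the rollout reproducible.
```yaml
    # … unchanged: ratelimit-redis Deployment metadata/selector/template labels …
    spec:
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 999   # "redis" user of the official image — confirm for redis:6-alpine
      containers:
      - image: redis:6-alpine
        # … unchanged: imagePullPolicy, name, ports …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      # … unchanged: restartPolicy …

    # … unchanged: ratelimit Service, ratelimit Deployment metadata/selector/strategy …
    spec:
      automountServiceAccountToken: false
      containers:
      - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true   # config is read from the ConfigMap mount; confirm the binary writes nowhere else
          capabilities:
            drop: ["ALL"]
        # … unchanged: command, env, ports, volumeMounts, resources …
```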
--- a/charts/kubezero-istio/templates/servicemonitor.yaml +++ b/charts/kubezero-istio/templates/servicemonitor.yaml @@ -5,7 +5,7 @@ metadata: name: istio-component-monitor namespace: {{ .Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: jobLabel: istio targetLabels: [app] diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 2af9b65..58e7b06 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -4,7 +4,8 @@ set -ex ### TODO # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/ -export ISTIO_VERSION=1.10.3 +export ISTIO_VERSION=1.11.1 +export KIALI_VERSION=1.38.1 rm -rf istio curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz @@ -12,8 +13,11 @@ mv istio-${ISTIO_VERSION} istio # remove unused old telemetry filters rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml +rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml # Patch +#exit 0 +#diff -tubr istio istio.zdt/ patch -p0 -i zdt.patch --no-backup-if-mismatch ### Create kubezero istio charts @@ -38,3 +42,7 @@ sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio # Fetch dashboards from Grafana.com and update ZDT CM ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml + +# Kiali +rm -rf charts/kiali-server +curl -sL https://github.com/kiali/helm-charts/blob/master/docs/kiali-server-${KIALI_VERSION}.tgz?raw=true | tar xz -C charts diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index e248fd9..3857919 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,6 +1,6 @@ global: # hub: docker.io/istio - # tag: 1.10.2 + # tag: 1.11.0 logAsJson: true 
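Review bot: The new Kiali fetch at the end of update.sh pulls `kiali-server-${KIALI_VERSION}.tgz` from the mutable `master` branch of the kiali/helm-charts repository and pipes it straight into `tar xz -C charts` with no checksum or signature check, so whatever that path serves on the day the script runs becomes part of the vendored chart. The existing Istio download above has the same `curl | tar` shape, but that line is not changed by this hunk. I would download to a file, verify a pinned sha256 kept next to `KIALI_VERSION`, and only then extract; `curl -f` also keeps an HTML error page from being handed to tar, since the script runs with `set -e` but no `pipefail` and a failed curl inside a pipeline is not fatal. Whether the chart's published Helm repository is a more stable source than a branch path is worth checking.
```shell
export KIALI_VERSION=1.38.1
export KIALI_SHA256=""   # sha256 of kiali-server-${KIALI_VERSION}.tgz; update together with the version
# … unchanged: Istio download, zdt.patch, chart generation, Grafana dashboards …

# Kiali
rm -rf charts/kiali-server
curl -sSfL -o kiali-server.tgz "https://github.com/kiali/helm-charts/blob/master/docs/kiali-server-${KIALI_VERSION}.tgz?raw=true"
echo "${KIALI_SHA256}  kiali-server.tgz" | sha256sum -c -
tar xzf kiali-server.tgz -C charts
rm -f kiali-server.tgz
```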
@@ -39,3 +39,56 @@ istio-discovery: tcpKeepalive: interval: 60s time: 120s + +kiali-server: + enabled: false + + auth: + strategy: anonymous + + deployment: + ingress_enabled: false + view_only_mode: true + + server: + metrics_enabled: false + + external_services: + custom_dashboards: + enabled: false + + prometheus: + url: "http://metrics-kube-prometheus-st-prometheus.monitoring:9090" + + istio: + enabled: false + gateway: istio-ingress/private-ingressgateway + #url: "kiali.example.com" + + +rateLimiting: + enabled: true + + log: + level: warn + format: json + + # 1MB local cache for already reached limits to reduce calls to Redis + localCacheSize: 1048576 + + # Wether to block requests if ratelimiting is down + failureModeDeny: false + + # rate limit descriptors for each domain, examples 10 req/s per sourceIP + descriptors: + ingress: + - key: remote_address + rate_limit: + unit: second + requests_per_unit: 10 + + privateIngress: + - key: remote_address + rate_limit: + unit: second + requests_per_unit: 10 diff --git a/charts/kubezero-istio/zdt.patch b/charts/kubezero-istio/zdt.patch index 0a15bb9..c7dda64 100644 --- a/charts/kubezero-istio/zdt.patch +++ b/charts/kubezero-istio/zdt.patch 
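Review bot: `kiali-server.auth.strategy: anonymous` ships Kiali with no login; that is contained today because `deployment.ingress_enabled` and `external_services.istio.enabled` are both false, but `gateway: istio-ingress/private-ingressgateway` is already filled in, so flipping `istio.enabled` and setting a `url` publishes an unauthenticated view of the whole mesh (topology, Istio config, Prometheus data) on that gateway — `view_only_mode: true` blocks writes, not reads. I would put a comment above `strategy` such as `# anonymous = no login; switch to token/openid before exposing Kiali through a gateway`, and consider making `token` the default once exposure is supported. The rate-limit defaults deserve a note as well: `enabled: true` with a `remote_address` descriptor at 10 req/s charges every source IP on the ingress once the gateway actions reference the `ingress` domain (those live in the ingress chart, not shown here), and clients behind a shared NAT share that budget. `failureModeDeny: false` means a failing rate limiter fails open, which is a reasonable availability default but should be stated explicitly; the comment above it also misspells "Whether" as `Wether`.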
@@ -1,7 +1,27 @@ -diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml ---- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200 -+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-04-20 12:20:04.401862116 +0200 -@@ -17,6 +17,8 @@ +diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl +--- istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-07-15 07:32:30.000000000 +0200 ++++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-08-10 15:49:57.298616463 +0200 +@@ -21,11 +21,16 @@ + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} ++ {{- if eq $val "Exists" }} ++ - key: {{ $key }} ++ operator: Exists ++ {{- else }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} ++ {{- end }} + {{- end }} + + {{- define "nodeAffinityPreferredDuringScheduling" }} +diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml +--- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200 ++++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200 +@@ -16,6 +16,8 @@ {{- if $gateway.replicaCount }} replicas: {{ $gateway.replicaCount }} {{- end }} @@ -10,7 +30,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya {{- end }} selector: matchLabels: -@@ -69,6 +71,7 @@ +@@ -65,6 +67,7 @@ {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" {{- end }} 
@@ -18,7 +38,7 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya {{- if .Values.global.proxy.enableCoreDump }} initContainers: - name: enable-core-dump -@@ -140,6 +143,11 @@ +@@ -136,6 +139,11 @@ privileged: false readOnlyRootFilesystem: true {{- end }} @@ -30,9 +50,24 @@ diff -turN istio/manifests/charts/gateways/istio-ingress/templates/deployment.ya readinessProbe: failureThreshold: 30 httpGet: -diff -turN istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml ---- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-11 01:57:29.000000000 +0200 -+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-04-19 21:55:45.461749267 +0200 +diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/service.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml +--- istio/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-07-15 07:32:30.000000000 +0200 ++++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-08-10 19:58:01.037876557 +0200 +@@ -34,9 +34,11 @@ + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} ++ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} ++ {{- end }} + + {{ range $app := $gateway.ingressPorts }} + - +diff -tubr istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml +--- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200 ++++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200 @@ -60,6 +60,11 @@ {{- end }} securityContext:
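Review bot: The new service.yaml patch passes through only `name`, `nodePort`, `port` and `targetPort` for each entry of `$gateway.ports` and silently drops every other key, so a `protocol: UDP` or `appProtocol` set on a gateway port would vanish from the rendered Service with no warning. If the goal is to strip one specific key, a deny-list or a `fail` on unexpected keys keeps the contract visible; at minimum a template comment next to the new `has` check, e.g. `{{- /* only name/nodePort/port/targetPort are rendered; protocol falls back to the Service default */ -}}`, should say so. The patched template is an upstream Istio chart file, so the behaviour of the surrounding `ingressPorts` range is not visible from this hunk.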