feat: Istio version bump, optional support for proxyprotocol for ingress, bugfixes
This commit is contained in:
parent
7fcdbfc2cd
commit
274ab74364
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio-ingress
|
name: kubezero-istio-ingress
|
||||||
description: KubeZero Umbrella Chart for Istio based Ingress
|
description: KubeZero Umbrella Chart for Istio based Ingress
|
||||||
type: application
|
type: application
|
||||||
version: 0.5.6
|
version: 0.6.0
|
||||||
appVersion: 1.9.3
|
appVersion: 1.10.2
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,9 +16,9 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-ingress
|
- name: istio-ingress
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
condition: istio-ingress.enabled
|
condition: istio-ingress.enabled
|
||||||
- name: istio-private-ingress
|
- name: istio-private-ingress
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
condition: istio-private-ingress.enabled
|
condition: istio-private-ingress.enabled
|
||||||
kubeVersion: ">= 1.18.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-istio-ingress
|
# kubezero-istio-ingress
|
||||||
|
|
||||||
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
|
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for Istio based Ingress
|
KubeZero Umbrella Chart for Istio based Ingress
|
||||||
|
|
||||||
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | istio-ingress | 1.9.3 |
|
| | istio-ingress | 1.10.2 |
|
||||||
| | istio-private-ingress | 1.9.3 |
|
| | istio-private-ingress | 1.10.2 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0`
|
|||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| global.arch.amd64 | int | `2` | |
|
| global.arch.amd64 | int | `2` | |
|
||||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
|
||||||
| global.logAsJson | bool | `true` | |
|
| global.logAsJson | bool | `true` | |
|
||||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
| istio-ingress.dnsNames | list | `[]` | |
|
| istio-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||||
|
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | |
|
||||||
| istio-ingress.enabled | bool | `false` | |
|
| istio-ingress.enabled | bool | `false` | |
|
||||||
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||||
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||||
@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0`
|
|||||||
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||||
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||||
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||||
|
| istio-ingress.proxyProtocol | bool | `false` | |
|
||||||
| istio-ingress.telemetry.enabled | bool | `false` | |
|
| istio-ingress.telemetry.enabled | bool | `false` | |
|
||||||
| istio-private-ingress.dnsNames | list | `[]` | |
|
| istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
|
||||||
|
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
|
||||||
| istio-private-ingress.enabled | bool | `false` | |
|
| istio-private-ingress.enabled | bool | `false` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
|
||||||
|
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
|
||||||
@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0`
|
|||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` | |
|
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
|
||||||
@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0`
|
|||||||
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
|
||||||
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
|
||||||
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
|
||||||
|
| istio-private-ingress.proxyProtocol | bool | `false` | |
|
||||||
| istio-private-ingress.telemetry.enabled | bool | `false` | |
|
| istio-private-ingress.telemetry.enabled | bool | `false` | |
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-ingress
|
name: istio-ingress
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
|
|
||||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
{{- if eq $gateway.injectionTemplate "" }}
|
{{- if eq $gateway.injectionTemplate "" }}
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
@ -45,17 +44,14 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
sidecar.istio.io/inject: "false"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
prometheus.io/path: "/stats/prometheus"
|
prometheus.io/path: "/stats/prometheus"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
sidecar.istio.io/inject: "false"
|
||||||
{{- if ne $gateway.injectionTemplate "" }}
|
|
||||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
|
||||||
{{- end}}
|
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
@ -219,13 +215,13 @@ spec:
|
|||||||
{{- if $.Values.global.meshID }}
|
{{- if $.Values.global.meshID }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.meshID }}"
|
value: "{{ $.Values.global.meshID }}"
|
||||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
{{- else if .Values.meshConfig.trustDomain }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
{{- if .Values.meshConfig.trustDomain }}
|
||||||
- name: TRUST_DOMAIN
|
- name: TRUST_DOMAIN
|
||||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if not $gateway.runAsRoot }}
|
{{- if not $gateway.runAsRoot }}
|
||||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
@ -233,7 +229,7 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- range $key, $val := $gateway.env }}
|
{{- range $key, $val := $gateway.env }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: {{ $val }}
|
value: "{{ $val }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
|
@ -24,17 +24,8 @@ gateways:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
name: https
|
name: https
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
- port: 15012
|
|
||||||
targetPort: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
# This is the port where sni routing happens
|
|
||||||
- port: 15443
|
|
||||||
targetPort: 15443
|
|
||||||
name: tls
|
|
||||||
protocol: TCP
|
|
||||||
|
|
||||||
# Scalability tunning
|
# Scalability tuning
|
||||||
# replicaCount: 1
|
# replicaCount: 1
|
||||||
rollingMaxSurge: 100%
|
rollingMaxSurge: 100%
|
||||||
rollingMaxUnavailable: 25%
|
rollingMaxUnavailable: 25%
|
||||||
@ -174,7 +165,7 @@ global:
|
|||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.3
|
tag: 1.10.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
@ -310,11 +301,14 @@ global:
|
|||||||
# Setting this port to a non-zero value enables STS server.
|
# Setting this port to a non-zero value enables STS server.
|
||||||
servicePort: 0
|
servicePort: 0
|
||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
|
||||||
trustDomain: ""
|
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
enablePrometheusMerge: true
|
enablePrometheusMerge: true
|
||||||
|
|
||||||
|
# The trust domain corresponds to the trust root of a system
|
||||||
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
|
trustDomain: "cluster.local"
|
||||||
|
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
proxyMetadata: {}
|
proxyMetadata: {}
|
||||||
tracing:
|
tracing:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-private-ingress
|
name: istio-private-ingress
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio gateways
|
description: Helm chart for deploying Istio gateways
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
|
|
||||||
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
|
||||||
{{- if eq $gateway.injectionTemplate "" }}
|
{{- if eq $gateway.injectionTemplate "" }}
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
@ -45,17 +44,14 @@ spec:
|
|||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
operator.istio.io/component: "IngressGateways"
|
operator.istio.io/component: "IngressGateways"
|
||||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
sidecar.istio.io/inject: "false"
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
prometheus.io/port: "15020"
|
prometheus.io/port: "15020"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
prometheus.io/path: "/stats/prometheus"
|
prometheus.io/path: "/stats/prometheus"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
|
sidecar.istio.io/inject: "false"
|
||||||
{{- if ne $gateway.injectionTemplate "" }}
|
|
||||||
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
|
|
||||||
{{- end}}
|
|
||||||
{{- if $gateway.podAnnotations }}
|
{{- if $gateway.podAnnotations }}
|
||||||
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
{{ toYaml $gateway.podAnnotations | indent 8 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
@ -219,13 +215,13 @@ spec:
|
|||||||
{{- if $.Values.global.meshID }}
|
{{- if $.Values.global.meshID }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.meshID }}"
|
value: "{{ $.Values.global.meshID }}"
|
||||||
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
{{- else if .Values.meshConfig.trustDomain }}
|
||||||
- name: ISTIO_META_MESH_ID
|
- name: ISTIO_META_MESH_ID
|
||||||
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}
|
{{- if .Values.meshConfig.trustDomain }}
|
||||||
- name: TRUST_DOMAIN
|
- name: TRUST_DOMAIN
|
||||||
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}"
|
value: "{{ .Values.meshConfig.trustDomain }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if not $gateway.runAsRoot }}
|
{{- if not $gateway.runAsRoot }}
|
||||||
- name: ISTIO_META_UNPRIVILEGED_POD
|
- name: ISTIO_META_UNPRIVILEGED_POD
|
||||||
@ -233,7 +229,7 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- range $key, $val := $gateway.env }}
|
{{- range $key, $val := $gateway.env }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: {{ $val }}
|
value: "{{ $val }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
|
||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
|
@ -24,17 +24,8 @@ gateways:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
name: https
|
name: https
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
- port: 15012
|
|
||||||
targetPort: 15012
|
|
||||||
name: tcp-istiod
|
|
||||||
protocol: TCP
|
|
||||||
# This is the port where sni routing happens
|
|
||||||
- port: 15443
|
|
||||||
targetPort: 15443
|
|
||||||
name: tls
|
|
||||||
protocol: TCP
|
|
||||||
|
|
||||||
# Scalability tunning
|
# Scalability tuning
|
||||||
# replicaCount: 1
|
# replicaCount: 1
|
||||||
rollingMaxSurge: 100%
|
rollingMaxSurge: 100%
|
||||||
rollingMaxUnavailable: 25%
|
rollingMaxUnavailable: 25%
|
||||||
@ -174,7 +165,7 @@ global:
|
|||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
|
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.3
|
tag: 1.10.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
@ -310,11 +301,14 @@ global:
|
|||||||
# Setting this port to a non-zero value enables STS server.
|
# Setting this port to a non-zero value enables STS server.
|
||||||
servicePort: 0
|
servicePort: 0
|
||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
|
||||||
trustDomain: ""
|
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
enablePrometheusMerge: true
|
enablePrometheusMerge: true
|
||||||
|
|
||||||
|
# The trust domain corresponds to the trust root of a system
|
||||||
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
|
trustDomain: "cluster.local"
|
||||||
|
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
proxyMetadata: {}
|
proxyMetadata: {}
|
||||||
tracing:
|
tracing:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
|
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
||||||
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
|
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
|
||||||
# https://github.com/istio/istio/issues/24715
|
# https://github.com/istio/istio/issues/24715
|
||||||
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
|
{{- if index .Values "istio-ingress" "enabled" }}
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
@ -7,6 +7,47 @@ metadata:
|
|||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: LISTENER
|
||||||
|
patch:
|
||||||
|
operation: MERGE
|
||||||
|
value:
|
||||||
|
socket_options:
|
||||||
|
# SOL_SOCKET = 1
|
||||||
|
# SO_KEEPALIVE = 9
|
||||||
|
- level: 1
|
||||||
|
name: 9
|
||||||
|
int_value: 1
|
||||||
|
state: STATE_LISTENING
|
||||||
|
# IPPROTO_TCP = 6
|
||||||
|
# TCP_KEEPIDLE = 4
|
||||||
|
- level: 6
|
||||||
|
name: 4
|
||||||
|
int_value: 120
|
||||||
|
state: STATE_LISTENING
|
||||||
|
# TCP_KEEPINTVL = 5
|
||||||
|
- level: 6
|
||||||
|
name: 5
|
||||||
|
int_value: 60
|
||||||
|
state: STATE_LISTENING
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if index .Values "istio-private-ingress" "enabled" }}
|
||||||
|
---
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: private-ingressgateway-listener-tcp-keepalive
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: private-ingressgateway
|
||||||
configPatches:
|
configPatches:
|
||||||
- applyTo: LISTENER
|
- applyTo: LISTENER
|
||||||
patch:
|
patch:
|
||||||
|
@ -0,0 +1,44 @@
|
|||||||
|
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: ingressgateway-proxy-protocol
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: LISTENER
|
||||||
|
patch:
|
||||||
|
operation: MERGE
|
||||||
|
value:
|
||||||
|
listener_filters:
|
||||||
|
- name: envoy.listener.proxy_protocol
|
||||||
|
- name: envoy.listener.tls_inspector
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
|
||||||
|
---
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: EnvoyFilter
|
||||||
|
metadata:
|
||||||
|
name: private-ingressgateway-proxy-protocol
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
workloadSelector:
|
||||||
|
labels:
|
||||||
|
istio: private-ingressgateway
|
||||||
|
configPatches:
|
||||||
|
- applyTo: LISTENER
|
||||||
|
patch:
|
||||||
|
operation: MERGE
|
||||||
|
value:
|
||||||
|
listener_filters:
|
||||||
|
- name: envoy.listener.proxy_protocol
|
||||||
|
- name: envoy.listener.tls_inspector
|
||||||
|
{{- end }}
|
@ -1,35 +1,39 @@
|
|||||||
{{- if index .Values "istio-ingress" "dnsNames" }}
|
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||||
|
{{- if $cert.dnsNames }}
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: ingress-cert
|
name: {{ $cert.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ $.Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" $ | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
secretName: ingress-cert
|
secretName: {{ $cert.name }}
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: letsencrypt-dns-prod
|
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
dnsNames:
|
dnsNames:
|
||||||
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
|
{{ toYaml $cert.dnsNames | indent 4 }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if index .Values "istio-private-ingress" "dnsNames" }}
|
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
---
|
{{- if $cert.dnsNames }}
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingress-cert
|
name: {{ $cert.name }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ $.Release.Namespace }}
|
||||||
labels:
|
labels:
|
||||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
{{ include "kubezero-lib.labels" $ | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
secretName: private-ingress-cert
|
secretName: private-ingress-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: letsencrypt-dns-prod
|
name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
dnsNames:
|
dnsNames:
|
||||||
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }}
|
{{ toYaml $cert.dnsNames | indent 4 }}
|
||||||
|
---
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
|
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
|
||||||
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
|
||||||
|
|
||||||
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
|
|
||||||
apiVersion: networking.istio.io/v1beta1
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
@ -17,23 +17,25 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||||
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
|
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
|
||||||
- port:
|
- port:
|
||||||
number: 443
|
number: 443
|
||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
credentialName: {{ $cert.name }}
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
{{- end }}
|
||||||
credentialName: ingress-cert
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
|
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1beta1
|
apiVersion: networking.istio.io/v1beta1
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
@ -51,53 +53,62 @@ spec:
|
|||||||
name: http
|
name: http
|
||||||
protocol: HTTP2
|
protocol: HTTP2
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
|
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
tls:
|
tls:
|
||||||
httpsRedirect: true
|
httpsRedirect: true
|
||||||
|
# All SSL hosts one entry per ingress-certificate
|
||||||
|
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
- port:
|
- port:
|
||||||
number: 443
|
number: 443
|
||||||
name: https
|
name: https
|
||||||
protocol: HTTPS
|
protocol: HTTPS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
credentialName: {{ $cert.name }}
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
|
||||||
credentialName: private-ingress-cert
|
|
||||||
- port:
|
|
||||||
number: 5672
|
|
||||||
name: amqp
|
|
||||||
protocol: TCP
|
|
||||||
hosts:
|
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
|
||||||
- port:
|
|
||||||
number: 5671
|
|
||||||
name: amqps
|
|
||||||
protocol: TCP
|
|
||||||
hosts:
|
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
|
||||||
- port:
|
- port:
|
||||||
number: 24224
|
number: 24224
|
||||||
name: fluentd-forward
|
name: fluentd-forward
|
||||||
protocol: TLS
|
protocol: TLS
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
{{- toYaml $cert.dnsNames | nindent 4 }}
|
||||||
tls:
|
tls:
|
||||||
mode: SIMPLE
|
mode: SIMPLE
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
credentialName: {{ $cert.name }}
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
{{- end }}
|
||||||
credentialName: private-ingress-cert
|
- port:
|
||||||
|
number: 5672
|
||||||
|
name: amqp
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
|
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
- port:
|
||||||
|
number: 5671
|
||||||
|
name: amqps
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
|
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
- port:
|
- port:
|
||||||
number: 6379
|
number: 6379
|
||||||
name: redis
|
name: redis
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
|
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
- port:
|
- port:
|
||||||
number: 6380
|
number: 6380
|
||||||
name: redis-1
|
name: redis-1
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
|
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
|
||||||
|
{{- toYaml $certs.dnsNames | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,10 +1,9 @@
|
|||||||
# Make sure these values match kuberzero-istio !!!
|
# Make sure these values match kuberzero-istio !!!
|
||||||
global:
|
global:
|
||||||
#hub: docker.io/istio
|
#hub: docker.io/istio
|
||||||
#tag: 1.9.3
|
#tag: 1.10.2
|
||||||
|
|
||||||
logAsJson: true
|
logAsJson: true
|
||||||
jwtPolicy: first-party-jwt
|
|
||||||
|
|
||||||
priorityClassName: "system-cluster-critical"
|
priorityClassName: "system-cluster-critical"
|
||||||
|
|
||||||
@ -69,21 +68,13 @@ istio-ingress:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
nodePort: 30443
|
nodePort: 30443
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
## multi-cluster - disabled on public LBs
|
|
||||||
#- name: tcp-istiod
|
|
||||||
# port: 15012
|
|
||||||
# targetPort: 15012
|
|
||||||
# nodePort: 30012
|
|
||||||
# protocol: TCP
|
|
||||||
## multi-cluster sni east-west
|
|
||||||
#- name: tls
|
|
||||||
# port: 15443
|
|
||||||
# targetPort: 15443
|
|
||||||
# nodePort: 30044
|
|
||||||
# protocol: TCP
|
|
||||||
|
|
||||||
|
certificates:
|
||||||
|
- name: ingress-cert
|
||||||
dnsNames: []
|
dnsNames: []
|
||||||
# - '*.example.com'
|
# - '*.example.com'
|
||||||
|
|
||||||
|
proxyProtocol: false
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
@ -123,8 +114,16 @@ istio-private-ingress:
|
|||||||
values: istio-private-ingressgateway
|
values: istio-private-ingressgateway
|
||||||
type: NodePort
|
type: NodePort
|
||||||
podAnnotations:
|
podAnnotations:
|
||||||
# sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
|
|
||||||
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
|
||||||
|
|
||||||
|
# custom hardened bootstrap config
|
||||||
|
env:
|
||||||
|
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
|
||||||
|
configVolumes:
|
||||||
|
- name: custom-bootstrap-volume
|
||||||
|
mountPath: /etc/istio/custom-bootstrap
|
||||||
|
configMapName: istio-gateway-bootstrap-config
|
||||||
|
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node.kubernetes.io/ingress.private: "31080_31443"
|
node.kubernetes.io/ingress.private: "31080_31443"
|
||||||
#nodeSelector: "31080_31443_31671_31672_31224"
|
#nodeSelector: "31080_31443_31671_31672_31224"
|
||||||
@ -143,18 +142,6 @@ istio-private-ingress:
|
|||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
nodePort: 31443
|
nodePort: 31443
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
# multi-cluster
|
|
||||||
- name: tcp-istiod
|
|
||||||
port: 15012
|
|
||||||
targetPort: 15012
|
|
||||||
nodePort: 31012
|
|
||||||
protocol: TCP
|
|
||||||
# multi-cluster sni east-west
|
|
||||||
- name: tls
|
|
||||||
port: 15443
|
|
||||||
targetPort: 15443
|
|
||||||
nodePort: 31044
|
|
||||||
protocol: TCP
|
|
||||||
#- name: fluentd-forward
|
#- name: fluentd-forward
|
||||||
# port: 24224
|
# port: 24224
|
||||||
# nodePort: 31224
|
# nodePort: 31224
|
||||||
@ -168,8 +155,12 @@ istio-private-ingress:
|
|||||||
# port: 6379
|
# port: 6379
|
||||||
# nodePort: 31379
|
# nodePort: 31379
|
||||||
|
|
||||||
|
certificates:
|
||||||
|
- name: private-ingress-cert
|
||||||
dnsNames: []
|
dnsNames: []
|
||||||
# - '*.example.com'
|
#- '*.example.com'
|
||||||
|
|
||||||
|
proxyProtocol: false
|
||||||
|
|
||||||
meshConfig:
|
meshConfig:
|
||||||
defaultConfig:
|
defaultConfig:
|
||||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.5.6
|
version: 0.6.0
|
||||||
appVersion: 1.9.3
|
appVersion: 1.10.2
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -16,7 +16,7 @@ dependencies:
|
|||||||
version: ">= 0.1.3"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: base
|
- name: base
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
- name: istio-discovery
|
- name: istio-discovery
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
kubeVersion: ">= 1.18.0"
|
kubeVersion: ">= 1.18.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-istio
|
# kubezero-istio
|
||||||
|
|
||||||
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
|
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero Umbrella Chart for Istio
|
KubeZero Umbrella Chart for Istio
|
||||||
|
|
||||||
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
|
|||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | base | 1.9.3 |
|
| | base | 1.10.2 |
|
||||||
| | istio-discovery | 1.9.3 |
|
| | istio-discovery | 1.10.2 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0`
|
|||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
|
||||||
| global.jwtPolicy | string | `"first-party-jwt"` | |
|
|
||||||
| global.logAsJson | bool | `true` | |
|
| global.logAsJson | bool | `true` | |
|
||||||
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
| global.priorityClassName | string | `"system-cluster-critical"` | |
|
||||||
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: base
|
name: base
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for deploying Istio cluster resources and CRDs
|
description: Helm chart for deploying Istio cluster resources and CRDs
|
||||||
keywords:
|
keywords:
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,66 +1,48 @@
|
|||||||
# SYNC WITH manifests/charts/istio-operator/templates
|
# SYNC WITH manifests/charts/istio-operator/templates
|
||||||
apiVersion: apiextensions.k8s.io/v1beta1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
name: istiooperators.install.istio.io
|
name: istiooperators.install.istio.io
|
||||||
labels:
|
labels:
|
||||||
release: istio
|
release: istio
|
||||||
spec:
|
spec:
|
||||||
additionalPrinterColumns:
|
conversion:
|
||||||
- JSONPath: .spec.revision
|
strategy: None
|
||||||
description: Istio control plane revision
|
|
||||||
name: Revision
|
|
||||||
type: string
|
|
||||||
- JSONPath: .status.status
|
|
||||||
description: IOP current state
|
|
||||||
type: string
|
|
||||||
name: Status
|
|
||||||
- JSONPath: .metadata.creationTimestamp
|
|
||||||
description: 'CreationTimestamp is a timestamp representing the server time when
|
|
||||||
this object was created. It is not guaranteed to be set in happens-before order
|
|
||||||
across separate operations. Clients may not set this value. It is represented
|
|
||||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
|
||||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
group: install.istio.io
|
group: install.istio.io
|
||||||
names:
|
names:
|
||||||
kind: IstioOperator
|
kind: IstioOperator
|
||||||
|
listKind: IstioOperatorList
|
||||||
plural: istiooperators
|
plural: istiooperators
|
||||||
singular: istiooperator
|
singular: istiooperator
|
||||||
shortNames:
|
shortNames:
|
||||||
- iop
|
- iop
|
||||||
- io
|
- io
|
||||||
scope: Namespaced
|
scope: Namespaced
|
||||||
|
versions:
|
||||||
|
- additionalPrinterColumns:
|
||||||
|
- description: Istio control plane revision
|
||||||
|
jsonPath: .spec.revision
|
||||||
|
name: Revision
|
||||||
|
type: string
|
||||||
|
- description: IOP current state
|
||||||
|
jsonPath: .status.status
|
||||||
|
name: Status
|
||||||
|
type: string
|
||||||
|
- description: 'CreationTimestamp is a timestamp representing the server time
|
||||||
|
when this object was created. It is not guaranteed to be set in happens-before
|
||||||
|
order across separate operations. Clients may not set this value. It is represented
|
||||||
|
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||||
|
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
|
||||||
|
jsonPath: .metadata.creationTimestamp
|
||||||
|
name: Age
|
||||||
|
type: date
|
||||||
subresources:
|
subresources:
|
||||||
status: {}
|
status: {}
|
||||||
validation:
|
name: v1alpha1
|
||||||
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation
|
|
||||||
of an object. Servers should convert recognized schemas to the latest
|
|
||||||
internal value, and may reject unrecognized values.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this
|
|
||||||
object represents. Servers may infer this from the endpoint the client
|
|
||||||
submits requests to. Cannot be updated. In CamelCase.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
spec:
|
|
||||||
description: 'Specification of the desired state of the istio control plane resource.
|
|
||||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
|
|
||||||
type: object
|
type: object
|
||||||
status:
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
description: 'Status describes each of istio control plane component status at the current time.
|
|
||||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
|
||||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
|
||||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
|
|
||||||
type: object
|
|
||||||
versions:
|
|
||||||
- name: v1alpha1
|
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: true
|
||||||
---
|
---
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -19,11 +19,11 @@ rules:
|
|||||||
# istio configuration
|
# istio configuration
|
||||||
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
|
||||||
# please proceed with caution
|
# please proceed with caution
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
|
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||||
verbs: ["get", "watch", "list"]
|
verbs: ["get", "watch", "list"]
|
||||||
resources: ["*"]
|
resources: ["*"]
|
||||||
{{- if .Values.global.istiod.enableAnalysis }}
|
{{- if .Values.global.istiod.enableAnalysis }}
|
||||||
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"]
|
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
|
||||||
verbs: ["update"]
|
verbs: ["update"]
|
||||||
# TODO: should be on just */status but wildcard is not supported
|
# TODO: should be on just */status but wildcard is not supported
|
||||||
resources: ["*"]
|
resources: ["*"]
|
||||||
@ -97,12 +97,20 @@ rules:
|
|||||||
- apiGroups: ["networking.x-k8s.io"]
|
- apiGroups: ["networking.x-k8s.io"]
|
||||||
resources: ["*"]
|
resources: ["*"]
|
||||||
verbs: ["get", "watch", "list"]
|
verbs: ["get", "watch", "list"]
|
||||||
|
- apiGroups: ["networking.x-k8s.io"]
|
||||||
|
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
|
||||||
|
verbs: ["update"]
|
||||||
|
|
||||||
# Needed for multicluster secret reading, possibly ingress certs in the future
|
# Needed for multicluster secret reading, possibly ingress certs in the future
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
verbs: ["get", "watch", "list"]
|
verbs: ["get", "watch", "list"]
|
||||||
|
|
||||||
|
# Used for MCS serviceexport management
|
||||||
|
- apiGroups: ["multicluster.x-k8s.io"]
|
||||||
|
resources: ["serviceexports"]
|
||||||
|
verbs: ["get", "watch", "list", "create", "delete"]
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
{{- if .Values.global.configValidation }}
|
{{- if .Values.global.configValidation }}
|
||||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
kind: ValidatingWebhookConfiguration
|
kind: ValidatingWebhookConfiguration
|
||||||
metadata:
|
metadata:
|
||||||
name: istiod-{{ .Values.global.istioNamespace }}
|
name: istiod-{{ .Values.global.istioNamespace }}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
name: istio-discovery
|
name: istio-discovery
|
||||||
version: 1.9.3
|
version: 1.10.2
|
||||||
tillerVersion: ">=2.7.2"
|
tillerVersion: ">=2.7.2"
|
||||||
description: Helm chart for istio control plane
|
description: Helm chart for istio control plane
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included.
|
|||||||
MCP and injector should optionally be installed in the same namespace. Alternatively remote
|
MCP and injector should optionally be installed in the same namespace. Alternatively remote
|
||||||
address of an MCP server can be set.
|
address of an MCP server can be set.
|
||||||
|
|
||||||
|
|
||||||
|
Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience!
|
||||||
|
https://forms.gle/KjkrDnMPByq7akrYA"
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ metadata:
|
|||||||
annotations: {
|
annotations: {
|
||||||
{{- if eq (len $containers) 1 }}
|
{{- if eq (len $containers) 1 }}
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
spec:
|
spec:
|
||||||
|
@ -167,7 +167,6 @@ data:
|
|||||||
"address": ""
|
"address": ""
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"trustDomain": "",
|
|
||||||
"useMCP": false
|
"useMCP": false
|
||||||
},
|
},
|
||||||
"revision": "",
|
"revision": "",
|
||||||
@ -183,7 +182,7 @@ data:
|
|||||||
},
|
},
|
||||||
"rewriteAppHTTPProbe": true,
|
"rewriteAppHTTPProbe": true,
|
||||||
"templates": {},
|
"templates": {},
|
||||||
"useLegacySelectors": true
|
"useLegacySelectors": false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -215,6 +214,7 @@ data:
|
|||||||
annotations: {
|
annotations: {
|
||||||
{{- if eq (len $containers) 1 }}
|
{{- if eq (len $containers) 1 }}
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{- if .Values.istio_cni.enabled }}
|
{{- if .Values.istio_cni.enabled }}
|
||||||
{{- if not .Values.istio_cni.chained }}
|
{{- if not .Values.istio_cni.chained }}
|
||||||
@ -286,7 +286,7 @@ data:
|
|||||||
- "--run-validation"
|
- "--run-validation"
|
||||||
- "--skip-rule-apply"
|
- "--skip-rule-apply"
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
{{- if .ProxyConfig.ProxyMetadata }}
|
{{- if .ProxyConfig.ProxyMetadata }}
|
||||||
env:
|
env:
|
||||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
@ -355,7 +355,7 @@ data:
|
|||||||
{{- else }}
|
{{- else }}
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
resources: {}
|
resources: {}
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
@ -417,6 +417,10 @@ data:
|
|||||||
- wait
|
- wait
|
||||||
{{- end }}
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
|
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
||||||
|
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
- name: JWT_POLICY
|
- name: JWT_POLICY
|
||||||
value: {{ .Values.global.jwtPolicy }}
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
- name: PILOT_CERT_PROVIDER
|
- name: PILOT_CERT_PROVIDER
|
||||||
@ -519,7 +523,7 @@ data:
|
|||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: "{{ $value }}"
|
value: "{{ $value }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
@ -706,6 +710,7 @@ data:
|
|||||||
annotations: {
|
annotations: {
|
||||||
{{- if eq (len $containers) 1 }}
|
{{- if eq (len $containers) 1 }}
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
spec:
|
spec:
|
||||||
@ -1063,8 +1068,6 @@ spec:
|
|||||||
value: "false"
|
value: "false"
|
||||||
- name: CLUSTER_ID
|
- name: CLUSTER_ID
|
||||||
value: "Kubernetes"
|
value: "Kubernetes"
|
||||||
- name: EXTERNAL_ISTIOD
|
|
||||||
value: "false"
|
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 500m
|
cpu: 500m
|
||||||
@ -1077,8 +1080,6 @@ spec:
|
|||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config-volume
|
|
||||||
mountPath: /etc/istio/config
|
|
||||||
- name: istio-token
|
- name: istio-token
|
||||||
mountPath: /var/run/secrets/tokens
|
mountPath: /var/run/secrets/tokens
|
||||||
readOnly: true
|
readOnly: true
|
||||||
@ -1090,9 +1091,6 @@ spec:
|
|||||||
- name: istio-kubeconfig
|
- name: istio-kubeconfig
|
||||||
mountPath: /var/run/secrets/remote
|
mountPath: /var/run/secrets/remote
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: inject
|
|
||||||
mountPath: /var/lib/istio/inject
|
|
||||||
readOnly: true
|
|
||||||
volumes:
|
volumes:
|
||||||
# Technically not needed on this pod - but it helps debugging/testing SDS
|
# Technically not needed on this pod - but it helps debugging/testing SDS
|
||||||
# Should be removed after everything works.
|
# Should be removed after everything works.
|
||||||
@ -1115,13 +1113,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: istio-kubeconfig
|
secretName: istio-kubeconfig
|
||||||
optional: true
|
optional: true
|
||||||
# Optional - image should have
|
|
||||||
- name: inject
|
|
||||||
configMap:
|
|
||||||
name: istio-sidecar-injector
|
|
||||||
- name: config-volume
|
|
||||||
configMap:
|
|
||||||
name: istio
|
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/autoscale.yaml
|
# Source: istio-discovery/templates/autoscale.yaml
|
||||||
apiVersion: autoscaling/v2beta1
|
apiVersion: autoscaling/v2beta1
|
||||||
@ -1148,12 +1139,17 @@ spec:
|
|||||||
name: cpu
|
name: cpu
|
||||||
targetAverageUtilization: 80
|
targetAverageUtilization: 80
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
|
# Source: istio-discovery/templates/revision-tags.yaml
|
||||||
|
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
|
||||||
|
# Removed paths for legacy and default selectors since a revision tag
|
||||||
|
# is inherently created from a specific revision
|
||||||
|
---
|
||||||
|
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
|
||||||
# Note: metadata exchange filter is wasm enabled only in sidecars.
|
# Note: metadata exchange filter is wasm enabled only in sidecars.
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: metadata-exchange-1.8
|
name: metadata-exchange-1.10
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
istio.io/rev: default
|
istio.io/rev: default
|
||||||
@ -1165,7 +1161,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1192,7 +1188,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1219,7 +1215,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1243,11 +1239,11 @@ spec:
|
|||||||
local:
|
local:
|
||||||
inline_string: envoy.wasm.metadata_exchange
|
inline_string: envoy.wasm.metadata_exchange
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
|
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-metadata-exchange-1.8
|
name: tcp-metadata-exchange-1.10
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
istio.io/rev: default
|
istio.io/rev: default
|
||||||
@ -1257,7 +1253,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener: {}
|
listener: {}
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
@ -1272,7 +1268,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -1288,7 +1284,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -1301,12 +1297,12 @@ spec:
|
|||||||
value:
|
value:
|
||||||
protocol: istio-peer-exchange
|
protocol: istio-peer-exchange
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
|
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
|
||||||
# Note: http stats filter is wasm enabled only in sidecars.
|
# Note: http stats filter is wasm enabled only in sidecars.
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stats-filter-1.8
|
name: stats-filter-1.10
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
istio.io/rev: default
|
istio.io/rev: default
|
||||||
@ -1316,7 +1312,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1337,6 +1333,8 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio"
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
vm_id: stats_outbound
|
vm_id: stats_outbound
|
||||||
@ -1348,7 +1346,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1369,6 +1367,16 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"source_cluster": "downstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
vm_id: stats_inbound
|
vm_id: stats_inbound
|
||||||
@ -1380,7 +1388,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1401,6 +1409,8 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
"disable_host_header_fallback": true
|
"disable_host_header_fallback": true
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
@ -1410,12 +1420,12 @@ spec:
|
|||||||
local:
|
local:
|
||||||
inline_string: envoy.wasm.stats
|
inline_string: envoy.wasm.stats
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/telemetryv2_1.8.yaml
|
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
|
||||||
# Note: tcp stats filter is wasm enabled only in sidecars.
|
# Note: tcp stats filter is wasm enabled only in sidecars.
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-stats-filter-1.8
|
name: tcp-stats-filter-1.10
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
labels:
|
labels:
|
||||||
istio.io/rev: default
|
istio.io/rev: default
|
||||||
@ -1425,7 +1435,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1444,6 +1454,16 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio",
|
||||||
|
"metrics": [
|
||||||
|
{
|
||||||
|
"dimensions": {
|
||||||
|
"destination_cluster": "node.metadata['CLUSTER_ID']",
|
||||||
|
"source_cluster": "downstream_peer.cluster_id"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
vm_id: tcp_stats_inbound
|
vm_id: tcp_stats_inbound
|
||||||
@ -1455,7 +1475,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1474,6 +1494,8 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio"
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
vm_id: tcp_stats_outbound
|
vm_id: tcp_stats_outbound
|
||||||
@ -1485,7 +1507,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.8.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -1504,6 +1526,8 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{
|
{
|
||||||
|
"debug": "false",
|
||||||
|
"stat_prefix": "istio"
|
||||||
}
|
}
|
||||||
vm_config:
|
vm_config:
|
||||||
vm_id: tcp_stats_outbound
|
vm_id: tcp_stats_outbound
|
||||||
@ -1937,7 +1961,7 @@ spec:
|
|||||||
inline_string: "envoy.wasm.stats"
|
inline_string: "envoy.wasm.stats"
|
||||||
---
|
---
|
||||||
# Source: istio-discovery/templates/mutatingwebhook.yaml
|
# Source: istio-discovery/templates/mutatingwebhook.yaml
|
||||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
kind: MutatingWebhookConfiguration
|
kind: MutatingWebhookConfiguration
|
||||||
metadata:
|
metadata:
|
||||||
name: istio-sidecar-injector
|
name: istio-sidecar-injector
|
||||||
@ -1948,12 +1972,13 @@ metadata:
|
|||||||
app: sidecar-injector
|
app: sidecar-injector
|
||||||
release: istio
|
release: istio
|
||||||
webhooks:
|
webhooks:
|
||||||
- name: sidecar-injector.istio.io
|
- name: rev.namespace.sidecar-injector.istio.io
|
||||||
clientConfig:
|
clientConfig:
|
||||||
service:
|
service:
|
||||||
name: istiod
|
name: istiod
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
path: "/inject"
|
path: "/inject"
|
||||||
|
port: 443
|
||||||
caBundle: ""
|
caBundle: ""
|
||||||
sideEffects: None
|
sideEffects: None
|
||||||
rules:
|
rules:
|
||||||
@ -1964,11 +1989,106 @@ webhooks:
|
|||||||
failurePolicy: Fail
|
failurePolicy: Fail
|
||||||
admissionReviewVersions: ["v1beta1", "v1"]
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
matchLabels:
|
matchExpressions:
|
||||||
istio-injection: enabled
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "default"
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
objectSelector:
|
objectSelector:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
- key: "sidecar.istio.io/inject"
|
- key: sidecar.istio.io/inject
|
||||||
operator: NotIn
|
operator: NotIn
|
||||||
values:
|
values:
|
||||||
- "false"
|
- "false"
|
||||||
|
- name: rev.object.sidecar-injector.istio.io
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: istiod
|
||||||
|
namespace: istio-system
|
||||||
|
path: "/inject"
|
||||||
|
port: 443
|
||||||
|
caBundle: ""
|
||||||
|
sideEffects: None
|
||||||
|
rules:
|
||||||
|
- operations: [ "CREATE" ]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["v1"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "default"
|
||||||
|
- name: namespace.sidecar-injector.istio.io
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: istiod
|
||||||
|
namespace: istio-system
|
||||||
|
path: "/inject"
|
||||||
|
port: 443
|
||||||
|
caBundle: ""
|
||||||
|
sideEffects: None
|
||||||
|
rules:
|
||||||
|
- operations: [ "CREATE" ]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["v1"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- enabled
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
- name: object.sidecar-injector.istio.io
|
||||||
|
clientConfig:
|
||||||
|
service:
|
||||||
|
name: istiod
|
||||||
|
namespace: istio-system
|
||||||
|
path: "/inject"
|
||||||
|
port: 443
|
||||||
|
caBundle: ""
|
||||||
|
sideEffects: None
|
||||||
|
rules:
|
||||||
|
- operations: [ "CREATE" ]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["v1"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "true"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
@ -9,6 +9,7 @@ metadata:
|
|||||||
annotations: {
|
annotations: {
|
||||||
{{- if eq (len $containers) 1 }}
|
{{- if eq (len $containers) 1 }}
|
||||||
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
|
||||||
|
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{- if .Values.istio_cni.enabled }}
|
{{- if .Values.istio_cni.enabled }}
|
||||||
{{- if not .Values.istio_cni.chained }}
|
{{- if not .Values.istio_cni.chained }}
|
||||||
@ -80,7 +81,7 @@ spec:
|
|||||||
- "--run-validation"
|
- "--run-validation"
|
||||||
- "--skip-rule-apply"
|
- "--skip-rule-apply"
|
||||||
{{ end -}}
|
{{ end -}}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
{{- if .ProxyConfig.ProxyMetadata }}
|
{{- if .ProxyConfig.ProxyMetadata }}
|
||||||
env:
|
env:
|
||||||
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
|
||||||
@ -149,7 +150,7 @@ spec:
|
|||||||
{{- else }}
|
{{- else }}
|
||||||
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
resources: {}
|
resources: {}
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: true
|
allowPrivilegeEscalation: true
|
||||||
@ -211,6 +212,10 @@ spec:
|
|||||||
- wait
|
- wait
|
||||||
{{- end }}
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
|
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
|
||||||
|
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
|
||||||
|
value: "true"
|
||||||
|
{{- end }}
|
||||||
- name: JWT_POLICY
|
- name: JWT_POLICY
|
||||||
value: {{ .Values.global.jwtPolicy }}
|
value: {{ .Values.global.jwtPolicy }}
|
||||||
- name: PILOT_CERT_PROVIDER
|
- name: PILOT_CERT_PROVIDER
|
||||||
@ -313,7 +318,7 @@ spec:
|
|||||||
- name: {{ $key }}
|
- name: {{ $key }}
|
||||||
value: "{{ $value }}"
|
value: "{{ $value }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
|
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
|
||||||
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
|
@ -1,8 +1,7 @@
|
|||||||
|
|
||||||
{{- define "mesh" }}
|
{{- define "mesh" }}
|
||||||
# The trust domain corresponds to the trust root of a system.
|
# The trust domain corresponds to the trust root of a system.
|
||||||
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }}
|
trustDomain: "cluster.local"
|
||||||
|
|
||||||
# The namespace to treat as the administrative root namespace for Istio configuration.
|
# The namespace to treat as the administrative root namespace for Istio configuration.
|
||||||
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
# When processing a leaf namespace Istio will search for declarations in that namespace first
|
||||||
@ -13,8 +12,6 @@
|
|||||||
defaultConfig:
|
defaultConfig:
|
||||||
{{- if .Values.global.meshID }}
|
{{- if .Values.global.meshID }}
|
||||||
meshId: {{ .Values.global.meshID }}
|
meshId: {{ .Values.global.meshID }}
|
||||||
{{- else if .Values.global.trustDomain }}
|
|
||||||
meshId: {{ .Values.global.trustDomain }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
tracing:
|
tracing:
|
||||||
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
{{- if eq .Values.global.proxy.tracer "lightstep" }}
|
||||||
@ -50,8 +47,8 @@
|
|||||||
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
|
||||||
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}}
|
{{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
|
||||||
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }}
|
{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.global.remotePilotAddress }}
|
{{- if .Values.global.remotePilotAddress }}
|
||||||
{{- if .Values.pilot.enabled }}
|
{{- if .Values.pilot.enabled }}
|
||||||
|
@ -25,7 +25,7 @@ spec:
|
|||||||
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
{{- if ne .Values.revision ""}}
|
{{- if ne .Values.revision "" }}
|
||||||
app: istiod
|
app: istiod
|
||||||
istio.io/rev: {{ .Values.revision | default "default" }}
|
istio.io/rev: {{ .Values.revision | default "default" }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -39,10 +39,10 @@ spec:
|
|||||||
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
|
||||||
sidecar.istio.io/inject: "false"
|
sidecar.istio.io/inject: "false"
|
||||||
operator.istio.io/component: "Pilot"
|
operator.istio.io/component: "Pilot"
|
||||||
{{- if eq .Values.revision ""}}
|
{{- if ne .Values.revision "" }}
|
||||||
istio: pilot
|
|
||||||
{{- else }}
|
|
||||||
istio: istiod
|
istio: istiod
|
||||||
|
{{- else }}
|
||||||
|
istio: pilot
|
||||||
{{- end }}
|
{{- end }}
|
||||||
annotations:
|
annotations:
|
||||||
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
{{- if .Values.meshConfig.enablePrometheusMerge }}
|
||||||
@ -153,8 +153,6 @@ spec:
|
|||||||
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
value: "{{ .Values.global.istiod.enableAnalysis }}"
|
||||||
- name: CLUSTER_ID
|
- name: CLUSTER_ID
|
||||||
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
|
||||||
- name: EXTERNAL_ISTIOD
|
|
||||||
value: "{{ $.Values.global.externalIstiod | default "false" }}"
|
|
||||||
{{- if not .Values.telemetry.v2.enabled }}
|
{{- if not .Values.telemetry.v2.enabled }}
|
||||||
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
- name: PILOT_ENDPOINT_TELEMETRY_LABEL
|
||||||
value: "false"
|
value: "false"
|
||||||
@ -173,8 +171,6 @@ spec:
|
|||||||
drop:
|
drop:
|
||||||
- ALL
|
- ALL
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config-volume
|
|
||||||
mountPath: /etc/istio/config
|
|
||||||
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
|
||||||
- name: istio-token
|
- name: istio-token
|
||||||
mountPath: /var/run/secrets/tokens
|
mountPath: /var/run/secrets/tokens
|
||||||
@ -188,9 +184,6 @@ spec:
|
|||||||
- name: istio-kubeconfig
|
- name: istio-kubeconfig
|
||||||
mountPath: /var/run/secrets/remote
|
mountPath: /var/run/secrets/remote
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: inject
|
|
||||||
mountPath: /var/lib/istio/inject
|
|
||||||
readOnly: true
|
|
||||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||||
- name: extracacerts
|
- name: extracacerts
|
||||||
mountPath: /cacerts
|
mountPath: /cacerts
|
||||||
@ -219,13 +212,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: istio-kubeconfig
|
secretName: istio-kubeconfig
|
||||||
optional: true
|
optional: true
|
||||||
# Optional - image should have
|
|
||||||
- name: inject
|
|
||||||
configMap:
|
|
||||||
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
- name: config-volume
|
|
||||||
configMap:
|
|
||||||
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
|
||||||
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
{{- if .Values.pilot.jwksResolverExtraRootCA }}
|
||||||
- name: extracacerts
|
- name: extracacerts
|
||||||
configMap:
|
configMap:
|
||||||
|
@ -11,6 +11,7 @@ a unique prefix to each. */}}
|
|||||||
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
path: "/inject"
|
path: "/inject"
|
||||||
|
port: 443
|
||||||
{{- end }}
|
{{- end }}
|
||||||
caBundle: ""
|
caBundle: ""
|
||||||
sideEffects: None
|
sideEffects: None
|
||||||
@ -24,7 +25,7 @@ a unique prefix to each. */}}
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
|
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
|
||||||
{{- if not .Values.global.operatorManageWebhooks }}
|
{{- if not .Values.global.operatorManageWebhooks }}
|
||||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
kind: MutatingWebhookConfiguration
|
kind: MutatingWebhookConfiguration
|
||||||
metadata:
|
metadata:
|
||||||
{{- if eq .Release.Namespace "istio-system"}}
|
{{- if eq .Release.Namespace "istio-system"}}
|
||||||
@ -41,7 +42,7 @@ metadata:
|
|||||||
webhooks:
|
webhooks:
|
||||||
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
|
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
|
||||||
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
|
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
|
||||||
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }}
|
{{- include "core" . }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
@ -92,18 +93,21 @@ webhooks:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
|
||||||
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
|
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
|
||||||
{{- if .Values.revision }}
|
|
||||||
|
|
||||||
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
|
{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
|
||||||
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
|
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
|
||||||
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
- key: istio.io/rev
|
- key: istio.io/rev
|
||||||
operator: In
|
operator: In
|
||||||
values:
|
values:
|
||||||
|
{{- if (eq .Values.revision "") }}
|
||||||
|
- "default"
|
||||||
|
{{- else }}
|
||||||
- "{{ .Values.revision }}"
|
- "{{ .Values.revision }}"
|
||||||
|
{{- end }}
|
||||||
- key: istio-injection
|
- key: istio-injection
|
||||||
operator: DoesNotExist
|
operator: DoesNotExist
|
||||||
objectSelector:
|
objectSelector:
|
||||||
@ -114,7 +118,7 @@ webhooks:
|
|||||||
- "false"
|
- "false"
|
||||||
|
|
||||||
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
|
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
|
||||||
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
matchExpressions:
|
matchExpressions:
|
||||||
- key: istio.io/rev
|
- key: istio.io/rev
|
||||||
@ -130,10 +134,15 @@ webhooks:
|
|||||||
- key: istio.io/rev
|
- key: istio.io/rev
|
||||||
operator: In
|
operator: In
|
||||||
values:
|
values:
|
||||||
|
{{- if (eq .Values.revision "") }}
|
||||||
|
- "default"
|
||||||
|
{{- else }}
|
||||||
- "{{ .Values.revision }}"
|
- "{{ .Values.revision }}"
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- else }}
|
|
||||||
{{- /* "default" revision */}}
|
{{- /* Webhooks for default revision */}}
|
||||||
|
{{- if (eq .Values.revision "") }}
|
||||||
|
|
||||||
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
|
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
|
||||||
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
|
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
|
||||||
|
@ -16,7 +16,7 @@ spec:
|
|||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: istiod
|
app: istiod
|
||||||
{{- if ne .Values.revision ""}}
|
{{- if ne .Values.revision "" }}
|
||||||
istio.io/rev: {{ .Values.revision }}
|
istio.io/rev: {{ .Values.revision }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
istio: pilot
|
istio: pilot
|
||||||
|
@ -0,0 +1,113 @@
|
|||||||
|
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
|
||||||
|
# Removed paths for legacy and default selectors since a revision tag
|
||||||
|
# is inherently created from a specific revision
|
||||||
|
{{- define "core" }}
|
||||||
|
- name: {{.Prefix}}sidecar-injector.istio.io
|
||||||
|
clientConfig:
|
||||||
|
{{- if .Values.istiodRemote.injectionURL }}
|
||||||
|
url: {{ .Values.istiodRemote.injectionURL }}
|
||||||
|
{{- else }}
|
||||||
|
service:
|
||||||
|
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
path: "/inject"
|
||||||
|
{{- end }}
|
||||||
|
caBundle: ""
|
||||||
|
sideEffects: None
|
||||||
|
rules:
|
||||||
|
- operations: [ "CREATE" ]
|
||||||
|
apiGroups: [""]
|
||||||
|
apiVersions: ["v1"]
|
||||||
|
resources: ["pods"]
|
||||||
|
failurePolicy: Fail
|
||||||
|
admissionReviewVersions: ["v1beta1", "v1"]
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- range $tagName := $.Values.revisionTags }}
|
||||||
|
apiVersion: admissionregistration.k8s.io/v1
|
||||||
|
kind: MutatingWebhookConfiguration
|
||||||
|
metadata:
|
||||||
|
{{- if eq $.Release.Namespace "istio-system"}}
|
||||||
|
name: istio-revision-tag-{{ $tagName }}
|
||||||
|
{{- else }}
|
||||||
|
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
istio.io/tag: {{ $tagName }}
|
||||||
|
istio.io/rev: {{ $.Values.revision | default "default" }}
|
||||||
|
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
|
||||||
|
operator.istio.io/component: "Pilot"
|
||||||
|
app: sidecar-injector
|
||||||
|
release: {{ $.Release.Name }}
|
||||||
|
webhooks:
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "{{ $tagName }}"
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "{{ $tagName }}"
|
||||||
|
|
||||||
|
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
|
||||||
|
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
|
||||||
|
{{- if (eq $tagName "default") }}
|
||||||
|
|
||||||
|
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- enabled
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
|
||||||
|
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
|
||||||
|
namespaceSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: istio-injection
|
||||||
|
operator: DoesNotExist
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
objectSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: sidecar.istio.io/inject
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- "true"
|
||||||
|
- key: istio.io/rev
|
||||||
|
operator: DoesNotExist
|
||||||
|
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
@ -27,7 +27,7 @@ spec:
|
|||||||
protocol: TCP
|
protocol: TCP
|
||||||
selector:
|
selector:
|
||||||
app: istiod
|
app: istiod
|
||||||
{{- if ne .Values.revision ""}}
|
{{- if ne .Values.revision "" }}
|
||||||
istio.io/rev: {{ .Values.revision }}
|
istio.io/rev: {{ .Values.revision }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
# Label used by the 'default' service. For versioned deployments we match with app and version.
|
# Label used by the 'default' service. For versioned deployments we match with app and version.
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -19,7 +19,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -54,7 +54,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -89,7 +89,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -124,7 +124,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -138,7 +138,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener: {}
|
listener: {}
|
||||||
patch:
|
patch:
|
||||||
operation: INSERT_BEFORE
|
operation: INSERT_BEFORE
|
||||||
@ -153,7 +153,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -169,7 +169,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
cluster: {}
|
cluster: {}
|
||||||
patch:
|
patch:
|
||||||
operation: MERGE
|
operation: MERGE
|
||||||
@ -187,7 +187,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -201,7 +201,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -224,15 +224,7 @@ spec:
|
|||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
{
|
{
|
||||||
"debug": "false",
|
"debug": "false",
|
||||||
"stat_prefix": "istio",
|
"stat_prefix": "istio"
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"destination_cluster": "upstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
@ -255,7 +247,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -309,7 +301,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -333,15 +325,7 @@ spec:
|
|||||||
{
|
{
|
||||||
"debug": "false",
|
"debug": "false",
|
||||||
"stat_prefix": "istio",
|
"stat_prefix": "istio",
|
||||||
"disable_host_header_fallback": true,
|
"disable_host_header_fallback": true
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"destination_cluster": "upstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
@ -365,7 +349,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -379,7 +363,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -431,7 +415,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -452,15 +436,7 @@ spec:
|
|||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
|
||||||
{
|
{
|
||||||
"debug": "false",
|
"debug": "false",
|
||||||
"stat_prefix": "istio",
|
"stat_prefix": "istio"
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"destination_cluster": "upstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
|
||||||
@ -483,7 +459,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -504,15 +480,7 @@ spec:
|
|||||||
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
|
||||||
{
|
{
|
||||||
"debug": "false",
|
"debug": "false",
|
||||||
"stat_prefix": "istio",
|
"stat_prefix": "istio"
|
||||||
"metrics": [
|
|
||||||
{
|
|
||||||
"dimensions": {
|
|
||||||
"source_cluster": "node.metadata['CLUSTER_ID']",
|
|
||||||
"destination_cluster": "upstream_peer.cluster_id"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
|
||||||
@ -537,7 +505,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -552,7 +520,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -573,7 +541,7 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"}
|
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -587,7 +555,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -608,7 +576,7 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
{"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -621,7 +589,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -642,7 +610,7 @@ spec:
|
|||||||
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
"@type": "type.googleapis.com/google.protobuf.StringValue"
|
||||||
value: |
|
value: |
|
||||||
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
{{- if not .Values.telemetry.v2.stackdriver.configOverride }}
|
||||||
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true}
|
{"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -655,7 +623,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -670,7 +638,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_OUTBOUND
|
context: SIDECAR_OUTBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -703,7 +671,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -735,7 +703,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: GATEWAY
|
context: GATEWAY
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '^1\.9.*'
|
proxyVersion: '^1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
||||||
@ -768,7 +736,7 @@ spec:
|
|||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: EnvoyFilter
|
kind: EnvoyFilter
|
||||||
metadata:
|
metadata:
|
||||||
name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
|
||||||
{{- if .Values.meshConfig.rootNamespace }}
|
{{- if .Values.meshConfig.rootNamespace }}
|
||||||
namespace: {{ .Values.meshConfig.rootNamespace }}
|
namespace: {{ .Values.meshConfig.rootNamespace }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
@ -782,7 +750,7 @@ spec:
|
|||||||
match:
|
match:
|
||||||
context: SIDECAR_INBOUND
|
context: SIDECAR_INBOUND
|
||||||
proxy:
|
proxy:
|
||||||
proxyVersion: '1\.9.*'
|
proxyVersion: '1\.10.*'
|
||||||
listener:
|
listener:
|
||||||
filterChain:
|
filterChain:
|
||||||
filter:
|
filter:
|
@ -68,7 +68,7 @@ sidecarInjectorWebhook:
|
|||||||
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
|
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
|
||||||
# requests in Istiod, rather than at the webhook selection level.
|
# requests in Istiod, rather than at the webhook selection level.
|
||||||
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
|
# This is option is intended for migration purposes only and will be removed in Istio 1.10.
|
||||||
useLegacySelectors: true
|
useLegacySelectors: false
|
||||||
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
|
||||||
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
# always skip the injection on pods that match that label selector, regardless of the global policy.
|
||||||
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
|
||||||
@ -157,15 +157,13 @@ telemetry:
|
|||||||
enabled: false
|
enabled: false
|
||||||
logging: false
|
logging: false
|
||||||
monitoring: false
|
monitoring: false
|
||||||
topology: false
|
topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
|
||||||
disableOutbound: false
|
disableOutbound: false
|
||||||
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
|
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
|
||||||
|
|
||||||
configOverride: {}
|
configOverride: {}
|
||||||
# e.g.
|
# e.g.
|
||||||
# enable_mesh_edges_reporting: true
|
|
||||||
# disable_server_access_logging: false
|
# disable_server_access_logging: false
|
||||||
# meshEdgesReportingDuration: 500s
|
|
||||||
# disable_host_header_fallback: true
|
# disable_host_header_fallback: true
|
||||||
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
|
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
|
||||||
accessLogPolicy:
|
accessLogPolicy:
|
||||||
@ -176,6 +174,9 @@ telemetry:
|
|||||||
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
|
||||||
revision: ""
|
revision: ""
|
||||||
|
|
||||||
|
# Revision tags are aliases to Istio control plane revisions
|
||||||
|
revisionTags: []
|
||||||
|
|
||||||
# For Helm compatibility.
|
# For Helm compatibility.
|
||||||
ownerName: ""
|
ownerName: ""
|
||||||
|
|
||||||
@ -197,6 +198,10 @@ meshConfig:
|
|||||||
|
|
||||||
rootNamespace:
|
rootNamespace:
|
||||||
|
|
||||||
|
# The trust domain corresponds to the trust root of a system
|
||||||
|
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
|
||||||
|
trustDomain: "cluster.local"
|
||||||
|
|
||||||
# TODO: the intent is to eventually have this enabled by default when security is used.
|
# TODO: the intent is to eventually have this enabled by default when security is used.
|
||||||
# It is not clear if user should normally need to configure - the metadata is typically
|
# It is not clear if user should normally need to configure - the metadata is typically
|
||||||
# used as an escape and to control testing and rollout, but it is not intended as a long-term
|
# used as an escape and to control testing and rollout, but it is not intended as a long-term
|
||||||
@ -232,7 +237,7 @@ global:
|
|||||||
# Dev builds from prow are on gcr.io
|
# Dev builds from prow are on gcr.io
|
||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
# Default tag for Istio images.
|
# Default tag for Istio images.
|
||||||
tag: 1.9.3
|
tag: 1.10.2
|
||||||
|
|
||||||
# Specify image pull policy if default behavior isn't desired.
|
# Specify image pull policy if default behavior isn't desired.
|
||||||
# Default behavior: latest images will be Always else IfNotPresent.
|
# Default behavior: latest images will be Always else IfNotPresent.
|
||||||
@ -505,8 +510,6 @@ global:
|
|||||||
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
|
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
|
||||||
useMCP: false
|
useMCP: false
|
||||||
|
|
||||||
# Deprecated, use meshConfig.trustDomain
|
|
||||||
trustDomain: ""
|
|
||||||
base:
|
base:
|
||||||
# For istioctl usage to disable istio config crds in base
|
# For istioctl usage to disable istio config crds in base
|
||||||
enableIstioConfigCRDs: true
|
enableIstioConfigCRDs: true
|
||||||
|
File diff suppressed because one or more lines are too long
@ -4,14 +4,14 @@ set -ex
|
|||||||
### TODO
|
### TODO
|
||||||
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
|
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
|
||||||
|
|
||||||
export ISTIO_VERSION=1.9.3
|
export ISTIO_VERSION=1.10.2
|
||||||
|
|
||||||
rm -rf istio
|
rm -rf istio
|
||||||
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
|
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
|
||||||
mv istio-${ISTIO_VERSION} istio
|
mv istio-${ISTIO_VERSION} istio
|
||||||
|
|
||||||
# remove unused old telemetry filters
|
# remove unused old telemetry filters
|
||||||
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml
|
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
|
||||||
|
|
||||||
# Patch
|
# Patch
|
||||||
patch -p0 -i zdt.patch --no-backup-if-mismatch
|
patch -p0 -i zdt.patch --no-backup-if-mismatch
|
||||||
|
@ -1,9 +1,8 @@
|
|||||||
global:
|
global:
|
||||||
# hub: docker.io/istio
|
# hub: docker.io/istio
|
||||||
# tag: 1.9.3
|
# tag: 1.10.2
|
||||||
|
|
||||||
logAsJson: true
|
logAsJson: true
|
||||||
jwtPolicy: first-party-jwt
|
|
||||||
|
|
||||||
defaultPodDisruptionBudget:
|
defaultPodDisruptionBudget:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
Loading…
Reference in New Issue
Block a user