feat: Istio version bump, optional support for proxyprotocol for ingress, bugfixes

Stefan Reimer 2021-07-01 16:42:24 +02:00
parent 7fcdbfc2cd
commit 274ab74364
38 changed files with 11926 additions and 6624 deletions


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress description: KubeZero Umbrella Chart for Istio based Ingress
type: application type: application
version: 0.5.6 version: 0.6.0
appVersion: 1.9.3 appVersion: 1.10.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,9 +16,9 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress - name: istio-ingress
version: 1.9.3 version: 1.10.2
condition: istio-ingress.enabled condition: istio-ingress.enabled
- name: istio-private-ingress - name: istio-private-ingress
version: 1.9.3 version: 1.10.2
condition: istio-private-ingress.enabled condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
# kubezero-istio-ingress # kubezero-istio-ingress
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) ![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
KubeZero Umbrella Chart for Istio based Ingress KubeZero Umbrella Chart for Istio based Ingress
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | istio-ingress | 1.9.3 | | | istio-ingress | 1.10.2 |
| | istio-private-ingress | 1.9.3 | | | istio-private-ingress | 1.10.2 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values ## Values
@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0`
|-----|------|---------|-------------| |-----|------|---------|-------------|
| global.arch.amd64 | int | `2` | | | global.arch.amd64 | int | `2` | |
| global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | | | global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | | | global.priorityClassName | string | `"system-cluster-critical"` | |
| istio-ingress.dnsNames | list | `[]` | | | istio-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-ingress.certificates[0].name | string | `"ingress-cert"` | |
| istio-ingress.enabled | bool | `false` | | | istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | | istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0`
| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-ingress.proxyProtocol | bool | `false` | |
| istio-ingress.telemetry.enabled | bool | `false` | | | istio-ingress.telemetry.enabled | bool | `false` | |
| istio-private-ingress.dnsNames | list | `[]` | | | istio-private-ingress.certificates[0].dnsNames | list | `[]` | |
| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | |
| istio-private-ingress.enabled | bool | `false` | | | istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | | istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | |
| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | |
| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | |
| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | | istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | |
| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | |
@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` | |
| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` | |
| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | |
| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | |
@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0`
| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | |
| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | |
| istio-private-ingress.proxyProtocol | bool | `false` | |
| istio-private-ingress.telemetry.enabled | bool | `false` | | | istio-private-ingress.telemetry.enabled | bool | `false` | |
## Resources ## Resources


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-ingress name: istio-ingress
version: 1.9.3 version: 1.10.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -1,4 +1,3 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }} {{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1 apiVersion: apps/v1
@ -45,17 +44,14 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }} istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways" operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" sidecar.istio.io/inject: "false"
annotations: annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }} {{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020" prometheus.io/port: "15020"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus" prometheus.io/path: "/stats/prometheus"
{{- end }} {{- end }}
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" sidecar.istio.io/inject: "false"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }} {{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }} {{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }} {{ end }}
@ -219,13 +215,13 @@ spec:
{{- if $.Values.global.meshID }} {{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}" value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} {{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }} {{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} {{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN - name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }} {{- end }}
{{- if not $gateway.runAsRoot }} {{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD - name: ISTIO_META_UNPRIVILEGED_POD
@ -233,7 +229,7 @@ spec:
{{- end }} {{- end }}
{{- range $key, $val := $gateway.env }} {{- range $key, $val := $gateway.env }}
- name: {{ $key }} - name: {{ $key }}
value: {{ $val }} value: "{{ $val }}"
{{- end }} {{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }} - name: {{ $key }}


@ -24,17 +24,8 @@ gateways:
targetPort: 8443 targetPort: 8443
name: https name: https
protocol: TCP protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning # Scalability tuning
# replicaCount: 1 # replicaCount: 1
rollingMaxSurge: 100% rollingMaxSurge: 100%
rollingMaxUnavailable: 25% rollingMaxUnavailable: 25%
@ -174,7 +165,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.3 tag: 1.10.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.
@ -310,11 +301,14 @@ global:
# Setting this port to a non-zero value enables STS server. # Setting this port to a non-zero value enables STS server.
servicePort: 0 servicePort: 0
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
meshConfig: meshConfig:
enablePrometheusMerge: true enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig: defaultConfig:
proxyMetadata: {} proxyMetadata: {}
tracing: tracing:


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-private-ingress name: istio-private-ingress
version: 1.9.3 version: 1.10.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -1,4 +1,3 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }} {{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1 apiVersion: apps/v1
@ -45,17 +44,14 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }} istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways" operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" sidecar.istio.io/inject: "false"
annotations: annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }} {{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020" prometheus.io/port: "15020"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus" prometheus.io/path: "/stats/prometheus"
{{- end }} {{- end }}
sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" sidecar.istio.io/inject: "false"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }} {{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }} {{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }} {{ end }}
@ -219,13 +215,13 @@ spec:
{{- if $.Values.global.meshID }} {{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}" value: "{{ $.Values.global.meshID }}"
{{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} {{- else if .Values.meshConfig.trustDomain }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }} {{- end }}
{{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} {{- if .Values.meshConfig.trustDomain }}
- name: TRUST_DOMAIN - name: TRUST_DOMAIN
value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" value: "{{ .Values.meshConfig.trustDomain }}"
{{- end }} {{- end }}
{{- if not $gateway.runAsRoot }} {{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD - name: ISTIO_META_UNPRIVILEGED_POD
@ -233,7 +229,7 @@ spec:
{{- end }} {{- end }}
{{- range $key, $val := $gateway.env }} {{- range $key, $val := $gateway.env }}
- name: {{ $key }} - name: {{ $key }}
value: {{ $val }} value: "{{ $val }}"
{{- end }} {{- end }}
{{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
- name: {{ $key }} - name: {{ $key }}


@ -24,17 +24,8 @@ gateways:
targetPort: 8443 targetPort: 8443
name: https name: https
protocol: TCP protocol: TCP
- port: 15012
targetPort: 15012
name: tcp-istiod
protocol: TCP
# This is the port where sni routing happens
- port: 15443
targetPort: 15443
name: tls
protocol: TCP
# Scalability tunning # Scalability tuning
# replicaCount: 1 # replicaCount: 1
rollingMaxSurge: 100% rollingMaxSurge: 100%
rollingMaxUnavailable: 25% rollingMaxUnavailable: 25%
@ -174,7 +165,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.3 tag: 1.10.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.
@ -310,11 +301,14 @@ global:
# Setting this port to a non-zero value enables STS server. # Setting this port to a non-zero value enables STS server.
servicePort: 0 servicePort: 0
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
meshConfig: meshConfig:
enablePrometheusMerge: true enablePrometheusMerge: true
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
defaultConfig: defaultConfig:
proxyMetadata: {} proxyMetadata: {}
tracing: tracing:


@ -1,6 +1,6 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
# https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy
# https://github.com/istio/istio/issues/24715 # https://github.com/istio/istio/issues/24715
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:


@ -1,4 +1,4 @@
{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} {{- if index .Values "istio-ingress" "enabled" }}
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
@ -7,6 +7,47 @@ metadata:
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" . | indent 4 }}
spec: spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
socket_options:
# SOL_SOCKET = 1
# SO_KEEPALIVE = 9
- level: 1
name: 9
int_value: 1
state: STATE_LISTENING
# IPPROTO_TCP = 6
# TCP_KEEPIDLE = 4
- level: 6
name: 4
int_value: 120
state: STATE_LISTENING
# TCP_KEEPINTVL = 5
- level: 6
name: 5
int_value: 60
state: STATE_LISTENING
{{- end }}
{{- if index .Values "istio-private-ingress" "enabled" }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-listener-tcp-keepalive
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches: configPatches:
- applyTo: LISTENER - applyTo: LISTENER
patch: patch:
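Review bot: The second EnvoyFilter (`private-ingressgateway-listener-tcp-keepalive`) repeats the first one verbatim apart from `metadata.name` and the `workloadSelector` label, and the new proxy-protocol template in this commit duplicates itself the same way. A single `range` over a small list such as `{key: istio-ingress, selector: ingressgateway}` / `{key: istio-private-ingress, selector: private-ingressgateway}` would keep the `SO_KEEPALIVE`/`TCP_KEEPIDLE`/`TCP_KEEPINTVL` values in one place so the two gateways cannot drift apart. Not a blocker, purely style.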


@ -0,0 +1,44 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: private-ingressgateway-proxy-protocol
namespace: {{ .Release.Namespace }}
labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
spec:
workloadSelector:
labels:
istio: private-ingressgateway
configPatches:
- applyTo: LISTENER
patch:
operation: MERGE
value:
listener_filters:
- name: envoy.listener.proxy_protocol
- name: envoy.listener.tls_inspector
{{- end }}
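Review bot: Both `applyTo: LISTENER` patches carry no `match`, so `envoy.listener.proxy_protocol` is merged into every listener of the selected gateway pod, not only the 8080/8443 listeners that sit behind the PROXY-speaking load balancer; the filter closes any connection that does not begin with a PROXY header, so this very likely also breaks the gateway's readiness listener on 15021 (the probe is not visible in this diff — confirm). Scope each patch with `match: {context: GATEWAY, listener: {portNumber: 8443}}` and a second patch for `portNumber: 8080`. The trust boundary also deserves a comment: the gateway Service is `NodePort` and Envoy accepts the header's source address unconditionally, so anything that can reach the node port other than the LB can forge the client IP that ends up in `X-Forwarded-For` and the access logs — e.g. `# PROXY header is trusted as-is: only enable when the LB is the sole path to the NodePort`. Finally, `operation: MERGE` on the repeated `listener_filters` field appends rather than replaces, so if Istio already installs `tls_inspector` on the HTTPS listener it may now be present twice; verify the rendered listener with `istioctl proxy-config listener`.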


@ -1,35 +1,39 @@
{{- if index .Values "istio-ingress" "dnsNames" }} {{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: ingress-cert name: {{ $cert.name }}
namespace: {{ .Release.Namespace }} namespace: {{ $.Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" $ | indent 4 }}
spec: spec:
secretName: ingress-cert secretName: {{ $cert.name }}
issuerRef: issuerRef:
name: letsencrypt-dns-prod name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer kind: ClusterIssuer
dnsNames: dnsNames:
{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }} {{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }} {{- end }}
{{- if index .Values "istio-private-ingress" "dnsNames" }} {{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
--- {{- if $cert.dnsNames }}
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: private-ingress-cert name: {{ $cert.name }}
namespace: {{ .Release.Namespace }} namespace: {{ $.Release.Namespace }}
labels: labels:
{{ include "kubezero-lib.labels" . | indent 4 }} {{ include "kubezero-lib.labels" $ | indent 4 }}
spec: spec:
secretName: private-ingress-cert secretName: private-ingress-cert
issuerRef: issuerRef:
name: letsencrypt-dns-prod name: {{ default "letsencrypt-dns-prod" $cert.issuer }}
kind: ClusterIssuer kind: ClusterIssuer
dnsNames: dnsNames:
{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }} {{ toYaml $cert.dnsNames | indent 4 }}
---
{{- end }}
{{- end }} {{- end }}
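Review bot: `secretName: private-ingress-cert` in the private-ingress loop is still hard-coded while `metadata.name` and the Gateway's `credentialName` now come from `$cert.name`, so a certificate with any other name — or a second entry in the list — is issued into the wrong Secret, two entries would compete for the same Secret, and the Gateway server for that host references a credential that never exists, silently leaving those hosts without TLS. Change it to `secretName: {{ $cert.name }}` to match the public loop. A short comment above each `range` such as `# one cert-manager Certificate per entry; the Secret name must equal the Gateway credentialName` would make the coupling explicit.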


@ -1,6 +1,6 @@
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }}
# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts
{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
apiVersion: networking.istio.io/v1beta1 apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
metadata: metadata:
@ -17,23 +17,25 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} {{- range $cert := (index .Values "istio-ingress" "certificates") }}
{{- toYaml $cert.dnsNames | nindent 4 }}
{{- end }}
tls: tls:
httpsRedirect: true httpsRedirect: true
{{- range $cert := (index .Values "istio-ingress" "certificates") }}
- port: - port:
number: 443 number: 443
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} {{- toYaml $cert.dnsNames | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key credentialName: {{ $cert.name }}
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt {{- end }}
credentialName: ingress-cert
{{- end }} {{- end }}
{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }} {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }}
--- ---
apiVersion: networking.istio.io/v1beta1 apiVersion: networking.istio.io/v1beta1
kind: Gateway kind: Gateway
@ -51,53 +53,62 @@ spec:
name: http name: http
protocol: HTTP2 protocol: HTTP2
hosts: hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
tls: tls:
httpsRedirect: true httpsRedirect: true
# All SSL hosts one entry per ingress-certificate
{{- range $cert := (index .Values "istio-private-ingress" "certificates") }}
- port: - port:
number: 443 number: 443
name: https name: https
protocol: HTTPS protocol: HTTPS
hosts: hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- toYaml $cert.dnsNames | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key credentialName: {{ $cert.name }}
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
credentialName: private-ingress-cert
- port:
number: 5672
name: amqp
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
- port: - port:
number: 24224 number: 24224
name: fluentd-forward name: fluentd-forward
protocol: TLS protocol: TLS
hosts: hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- toYaml $cert.dnsNames | nindent 4 }}
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key credentialName: {{ $cert.name }}
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt {{- end }}
credentialName: private-ingress-cert - port:
number: 5672
name: amqp
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port:
number: 5671
name: amqps
protocol: TCP
hosts:
{{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port: - port:
number: 6379 number: 6379
name: redis name: redis
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
- port: - port:
number: 6380 number: 6380
name: redis-1 name: redis-1
protocol: TCP protocol: TCP
hosts: hosts:
{{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} {{- range $certs := (index .Values "istio-private-ingress" "certificates") }}
{{- toYaml $certs.dnsNames | nindent 4 }}
{{- end }}
{{- end }} {{- end }}
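Review bot: With more than one entry in `certificates`, the `range` loops emit several servers that are all named `https` on port 443 (and, on the private gateway, several named `fluentd-forward` on 24224); as far as I can tell Istio's Gateway validation rejects duplicate server port names — the Istio doc linked at the top of this file uses `https-httpbin`/`https-bookinfo` for exactly that reason — so istiod would refuse the rendered resource as soon as a second certificate is added. Derive the names from the certificate, e.g. `name: https-{{ $cert.name }}` and `name: fluentd-forward-{{ $cert.name }}`. The plain-TCP `amqp`/`redis` servers are unchanged by this commit but now list the hosts of every certificate; a comment noting that they carry no TLS at the gateway would help the next reader.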


@ -1,10 +1,9 @@
# Make sure these values match kuberzero-istio !!! # Make sure these values match kuberzero-istio !!!
global: global:
#hub: docker.io/istio #hub: docker.io/istio
#tag: 1.9.3 #tag: 1.10.2
logAsJson: true logAsJson: true
jwtPolicy: first-party-jwt
priorityClassName: "system-cluster-critical" priorityClassName: "system-cluster-critical"
@ -69,21 +68,13 @@ istio-ingress:
targetPort: 8443 targetPort: 8443
nodePort: 30443 nodePort: 30443
protocol: TCP protocol: TCP
## multi-cluster - disabled on public LBs
#- name: tcp-istiod
# port: 15012
# targetPort: 15012
# nodePort: 30012
# protocol: TCP
## multi-cluster sni east-west
#- name: tls
# port: 15443
# targetPort: 15443
# nodePort: 30044
# protocol: TCP
certificates:
- name: ingress-cert
dnsNames: [] dnsNames: []
# - '*.example.com' # - '*.example.com'
proxyProtocol: false
meshConfig: meshConfig:
defaultConfig: defaultConfig:
@ -123,8 +114,16 @@ istio-private-ingress:
values: istio-private-ingressgateway values: istio-private-ingressgateway
type: NodePort type: NodePort
podAnnotations: podAnnotations:
# sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config
proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }'
# custom hardened bootstrap config
env:
ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json
configVolumes:
- name: custom-bootstrap-volume
mountPath: /etc/istio/custom-bootstrap
configMapName: istio-gateway-bootstrap-config
nodeSelector: nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443" node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224" #nodeSelector: "31080_31443_31671_31672_31224"
@ -143,18 +142,6 @@ istio-private-ingress:
targetPort: 8443 targetPort: 8443
nodePort: 31443 nodePort: 31443
protocol: TCP protocol: TCP
# multi-cluster
- name: tcp-istiod
port: 15012
targetPort: 15012
nodePort: 31012
protocol: TCP
# multi-cluster sni east-west
- name: tls
port: 15443
targetPort: 15443
nodePort: 31044
protocol: TCP
#- name: fluentd-forward #- name: fluentd-forward
# port: 24224 # port: 24224
# nodePort: 31224 # nodePort: 31224
@ -168,8 +155,12 @@ istio-private-ingress:
# port: 6379 # port: 6379
# nodePort: 31379 # nodePort: 31379
certificates:
- name: private-ingress-cert
dnsNames: [] dnsNames: []
# - '*.example.com' #- '*.example.com'
proxyProtocol: false
meshConfig: meshConfig:
defaultConfig: defaultConfig:
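Review bot: `proxyProtocol: false` is added to both gateways without a comment, although enabling it changes the gateway's trust boundary: every connection must then carry a PROXY header and the client address in that header is accepted unconditionally. Add above each flag something like `# Enable only when an LB speaking PROXY protocol is the sole path to the NodePort; the header's client IP is trusted as-is`, so nobody flips it on a gateway that is reachable directly. Likewise each `certificates` entry supports an optional `issuer` (read by the certificate template, defaulting to `letsencrypt-dns-prod`) that is neither commented here nor listed in the README; add `# issuer: letsencrypt-dns-prod` beneath the `dnsNames` example. The `# custom hardened bootstrap config` comment above `env:` would be clearer as `# ISTIO_BOOTSTRAP_OVERRIDE loads the hardened Envoy bootstrap from the istio-gateway-bootstrap-config ConfigMap`.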


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.5.6 version: 0.6.0
appVersion: 1.9.3 appVersion: 1.10.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: base - name: base
version: 1.9.3 version: 1.10.2
- name: istio-discovery - name: istio-discovery
version: 1.9.3 version: 1.10.2
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
# kubezero-istio # kubezero-istio
![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) ![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square)
KubeZero Umbrella Chart for Istio KubeZero Umbrella Chart for Istio
@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0`
| Repository | Name | Version | | Repository | Name | Version |
|------------|------|---------| |------------|------|---------|
| | base | 1.9.3 | | | base | 1.10.2 |
| | istio-discovery | 1.9.3 | | | istio-discovery | 1.10.2 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Values ## Values
@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0`
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.jwtPolicy | string | `"first-party-jwt"` | |
| global.logAsJson | bool | `true` | | | global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | | | global.priorityClassName | string | `"system-cluster-critical"` | |
| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: base name: base
version: 1.9.3 version: 1.10.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs description: Helm chart for deploying Istio cluster resources and CRDs
keywords: keywords:



@ -1,66 +1,48 @@
# SYNC WITH manifests/charts/istio-operator/templates # SYNC WITH manifests/charts/istio-operator/templates
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: istiooperators.install.istio.io name: istiooperators.install.istio.io
labels: labels:
release: istio release: istio
spec: spec:
additionalPrinterColumns: conversion:
- JSONPath: .spec.revision strategy: None
description: Istio control plane revision
name: Revision
type: string
- JSONPath: .status.status
description: IOP current state
type: string
name: Status
- JSONPath: .metadata.creationTimestamp
description: 'CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before order
across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
name: Age
type: date
group: install.istio.io group: install.istio.io
names: names:
kind: IstioOperator kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators plural: istiooperators
singular: istiooperator singular: istiooperator
shortNames: shortNames:
- iop - iop
- io - io
scope: Namespaced scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources: subresources:
status: {} status: {}
validation: name: v1alpha1
schema:
openAPIV3Schema: openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
description: 'Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object type: object
status: x-kubernetes-preserve-unknown-fields: true
description: 'Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
versions:
- name: v1alpha1
served: true served: true
storage: true storage: true
--- ---



@ -19,11 +19,11 @@ rules:
# istio configuration # istio configuration
# removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
# please proceed with caution # please proceed with caution
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["get", "watch", "list"] verbs: ["get", "watch", "list"]
resources: ["*"] resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }} {{- if .Values.global.istiod.enableAnalysis }}
- apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
verbs: ["update"] verbs: ["update"]
# TODO: should be on just */status but wildcard is not supported # TODO: should be on just */status but wildcard is not supported
resources: ["*"] resources: ["*"]
@ -97,12 +97,20 @@ rules:
- apiGroups: ["networking.x-k8s.io"] - apiGroups: ["networking.x-k8s.io"]
resources: ["*"] resources: ["*"]
verbs: ["get", "watch", "list"] verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io"]
resources: ["*"] # TODO: should be on just */status but wildcard is not supported
verbs: ["update"]
# Needed for multicluster secret reading, possibly ingress certs in the future # Needed for multicluster secret reading, possibly ingress certs in the future
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "watch", "list"] verbs: ["get", "watch", "list"]
# Used for MCS serviceexport management
- apiGroups: ["multicluster.x-k8s.io"]
resources: ["serviceexports"]
verbs: ["get", "watch", "list", "create", "delete"]
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
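Review bot: The 1.10.2 bump widens istiod's cluster-wide write permissions and the commit message does not mention it: the new rule grants `update` on every `networking.x-k8s.io` resource (the inline TODO concedes it should be `*/status` only) and `create`/`delete` on `multicluster.x-k8s.io` `serviceexports`, and neither appears to be gated by a values flag in this hunk, unlike the `networking.istio.io` update rule above which sits behind `global.istiod.enableAnalysis`. Both rules come from upstream, so they are hard to trim while vendoring the chart, but the umbrella chart's README or changelog should state that istiod can now create and delete ServiceExports cluster-wide even on a single-cluster KubeZero install. If the Gateway API CRDs are not installed the `networking.x-k8s.io` rule is dormant; if they are, it effectively gives istiod write access to all Gateway API objects, which is worth a one-line note next to the existing "please proceed with caution" comment, e.g. `# 1.10: unconditional update on networking.x-k8s.io and create/delete on serviceexports`.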


@ -1,5 +1,5 @@
{{- if .Values.global.configValidation }} {{- if .Values.global.configValidation }}
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
name: istiod-{{ .Values.global.istioNamespace }} name: istiod-{{ .Values.global.istioNamespace }}


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-discovery name: istio-discovery
version: 1.9.3 version: 1.10.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane description: Helm chart for istio control plane
keywords: keywords:


@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included.
MCP and injector should optionally be installed in the same namespace. Alternatively remote MCP and injector should optionally be installed in the same namespace. Alternatively remote
address of an MCP server can be set. address of an MCP server can be set.
Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience!
https://forms.gle/KjkrDnMPByq7akrYA"


@ -8,6 +8,7 @@ metadata:
annotations: { annotations: {
{{- if eq (len $containers) 1 }} {{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }} {{ end }}
} }
spec: spec:


@ -167,7 +167,6 @@ data:
"address": "" "address": ""
} }
}, },
"trustDomain": "",
"useMCP": false "useMCP": false
}, },
"revision": "", "revision": "",
@ -183,7 +182,7 @@ data:
}, },
"rewriteAppHTTPProbe": true, "rewriteAppHTTPProbe": true,
"templates": {}, "templates": {},
"useLegacySelectors": true "useLegacySelectors": false
} }
} }
@ -215,6 +214,7 @@ data:
annotations: { annotations: {
{{- if eq (len $containers) 1 }} {{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }} {{ end }}
{{- if .Values.istio_cni.enabled }} {{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }} {{- if not .Values.istio_cni.chained }}
@ -286,7 +286,7 @@ data:
- "--run-validation" - "--run-validation"
- "--skip-rule-apply" - "--skip-rule-apply"
{{ end -}} {{ end -}}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }} {{- if .ProxyConfig.ProxyMetadata }}
env: env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@ -355,7 +355,7 @@ data:
{{- else }} {{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }} {{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
@ -417,6 +417,10 @@ data:
- wait - wait
{{- end }} {{- end }}
env: env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY - name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }} value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER - name: PILOT_CERT_PROVIDER
@ -519,7 +523,7 @@ data:
- name: {{ $key }} - name: {{ $key }}
value: "{{ $value }}" value: "{{ $value }}"
{{- end }} {{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe: readinessProbe:
httpGet: httpGet:
@ -706,6 +710,7 @@ data:
annotations: { annotations: {
{{- if eq (len $containers) 1 }} {{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }} {{ end }}
} }
spec: spec:
@ -1063,8 +1068,6 @@ spec:
value: "false" value: "false"
- name: CLUSTER_ID - name: CLUSTER_ID
value: "Kubernetes" value: "Kubernetes"
- name: EXTERNAL_ISTIOD
value: "false"
resources: resources:
requests: requests:
cpu: 500m cpu: 500m
@ -1077,8 +1080,6 @@ spec:
drop: drop:
- ALL - ALL
volumeMounts: volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
- name: istio-token - name: istio-token
mountPath: /var/run/secrets/tokens mountPath: /var/run/secrets/tokens
readOnly: true readOnly: true
@ -1090,9 +1091,6 @@ spec:
- name: istio-kubeconfig - name: istio-kubeconfig
mountPath: /var/run/secrets/remote mountPath: /var/run/secrets/remote
readOnly: true readOnly: true
- name: inject
mountPath: /var/lib/istio/inject
readOnly: true
volumes: volumes:
# Technically not needed on this pod - but it helps debugging/testing SDS # Technically not needed on this pod - but it helps debugging/testing SDS
# Should be removed after everything works. # Should be removed after everything works.
@ -1115,13 +1113,6 @@ spec:
secret: secret:
secretName: istio-kubeconfig secretName: istio-kubeconfig
optional: true optional: true
# Optional - image should have
- name: inject
configMap:
name: istio-sidecar-injector
- name: config-volume
configMap:
name: istio
--- ---
# Source: istio-discovery/templates/autoscale.yaml # Source: istio-discovery/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1 apiVersion: autoscaling/v2beta1
@ -1148,12 +1139,17 @@ spec:
name: cpu name: cpu
targetAverageUtilization: 80 targetAverageUtilization: 80
--- ---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml # Source: istio-discovery/templates/revision-tags.yaml
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
---
# Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: metadata exchange filter is wasm enabled only in sidecars. # Note: metadata exchange filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: metadata-exchange-1.8 name: metadata-exchange-1.10
namespace: istio-system namespace: istio-system
labels: labels:
istio.io/rev: default istio.io/rev: default
@ -1165,7 +1161,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1192,7 +1188,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1219,7 +1215,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1243,11 +1239,11 @@ spec:
local: local:
inline_string: envoy.wasm.metadata_exchange inline_string: envoy.wasm.metadata_exchange
--- ---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml # Source: istio-discovery/templates/telemetryv2_1.10.yaml
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: tcp-metadata-exchange-1.8 name: tcp-metadata-exchange-1.10
namespace: istio-system namespace: istio-system
labels: labels:
istio.io/rev: default istio.io/rev: default
@ -1257,7 +1253,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: {} listener: {}
patch: patch:
operation: INSERT_BEFORE operation: INSERT_BEFORE
@ -1272,7 +1268,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
cluster: {} cluster: {}
patch: patch:
operation: MERGE operation: MERGE
@ -1288,7 +1284,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
cluster: {} cluster: {}
patch: patch:
operation: MERGE operation: MERGE
@ -1301,12 +1297,12 @@ spec:
value: value:
protocol: istio-peer-exchange protocol: istio-peer-exchange
--- ---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml # Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: http stats filter is wasm enabled only in sidecars. # Note: http stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: stats-filter-1.8 name: stats-filter-1.10
namespace: istio-system namespace: istio-system
labels: labels:
istio.io/rev: default istio.io/rev: default
@ -1316,7 +1312,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1337,6 +1333,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio"
} }
vm_config: vm_config:
vm_id: stats_outbound vm_id: stats_outbound
@ -1348,7 +1346,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1369,6 +1367,16 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
} }
vm_config: vm_config:
vm_id: stats_inbound vm_id: stats_inbound
@ -1380,7 +1388,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1401,6 +1409,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio",
"disable_host_header_fallback": true "disable_host_header_fallback": true
} }
vm_config: vm_config:
@ -1410,12 +1420,12 @@ spec:
local: local:
inline_string: envoy.wasm.stats inline_string: envoy.wasm.stats
--- ---
# Source: istio-discovery/templates/telemetryv2_1.8.yaml # Source: istio-discovery/templates/telemetryv2_1.10.yaml
# Note: tcp stats filter is wasm enabled only in sidecars. # Note: tcp stats filter is wasm enabled only in sidecars.
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: tcp-stats-filter-1.8 name: tcp-stats-filter-1.10
namespace: istio-system namespace: istio-system
labels: labels:
istio.io/rev: default istio.io/rev: default
@ -1425,7 +1435,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1444,6 +1454,16 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio",
"metrics": [
{
"dimensions": {
"destination_cluster": "node.metadata['CLUSTER_ID']",
"source_cluster": "downstream_peer.cluster_id"
}
}
]
} }
vm_config: vm_config:
vm_id: tcp_stats_inbound vm_id: tcp_stats_inbound
@ -1455,7 +1475,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1474,6 +1494,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio"
} }
vm_config: vm_config:
vm_id: tcp_stats_outbound vm_id: tcp_stats_outbound
@ -1485,7 +1507,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.8.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -1504,6 +1526,8 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{ {
"debug": "false",
"stat_prefix": "istio"
} }
vm_config: vm_config:
vm_id: tcp_stats_outbound vm_id: tcp_stats_outbound
@ -1937,7 +1961,7 @@ spec:
inline_string: "envoy.wasm.stats" inline_string: "envoy.wasm.stats"
--- ---
# Source: istio-discovery/templates/mutatingwebhook.yaml # Source: istio-discovery/templates/mutatingwebhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
name: istio-sidecar-injector name: istio-sidecar-injector
@ -1948,12 +1972,13 @@ metadata:
app: sidecar-injector app: sidecar-injector
release: istio release: istio
webhooks: webhooks:
- name: sidecar-injector.istio.io - name: rev.namespace.sidecar-injector.istio.io
clientConfig: clientConfig:
service: service:
name: istiod name: istiod
namespace: istio-system namespace: istio-system
path: "/inject" path: "/inject"
port: 443
caBundle: "" caBundle: ""
sideEffects: None sideEffects: None
rules: rules:
@ -1964,11 +1989,106 @@ webhooks:
failurePolicy: Fail failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"] admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector: namespaceSelector:
matchLabels: matchExpressions:
istio-injection: enabled - key: istio.io/rev
operator: In
values:
- "default"
- key: istio-injection
operator: DoesNotExist
objectSelector: objectSelector:
matchExpressions: matchExpressions:
- key: "sidecar.istio.io/inject" - key: sidecar.istio.io/inject
operator: NotIn operator: NotIn
values: values:
- "false" - "false"
- name: rev.object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "default"
- name: namespace.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- name: object.sidecar-injector.istio.io
clientConfig:
service:
name: istiod
namespace: istio-system
path: "/inject"
port: 443
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist


@ -9,6 +9,7 @@ metadata:
annotations: { annotations: {
{{- if eq (len $containers) 1 }} {{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{ end }} {{ end }}
{{- if .Values.istio_cni.enabled }} {{- if .Values.istio_cni.enabled }}
{{- if not .Values.istio_cni.chained }} {{- if not .Values.istio_cni.chained }}
@ -80,7 +81,7 @@ spec:
- "--run-validation" - "--run-validation"
- "--skip-rule-apply" - "--skip-rule-apply"
{{ end -}} {{ end -}}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }} {{- if .ProxyConfig.ProxyMetadata }}
env: env:
{{- range $key, $value := .ProxyConfig.ProxyMetadata }} {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
@ -149,7 +150,7 @@ spec:
{{- else }} {{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }} {{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: true allowPrivilegeEscalation: true
@ -211,6 +212,10 @@ spec:
- wait - wait
{{- end }} {{- end }}
env: env:
{{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
- name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
value: "true"
{{- end }}
- name: JWT_POLICY - name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }} value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER - name: PILOT_CERT_PROVIDER
@ -313,7 +318,7 @@ spec:
- name: {{ $key }} - name: {{ $key }}
value: "{{ $value }}" value: "{{ $value }}"
{{- end }} {{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe: readinessProbe:
httpGet: httpGet:
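Review bot: Dropping the `Always` default for `imagePullPolicy` on the istio-validation, istio-init and istio-proxy containers changes the supply-chain posture of every injected pod: when `global.imagePullPolicy` is unset, the containers now inherit the kubelet default, which is `IfNotPresent` for any non-`latest` tag, so a node that already cached an image under the same tag keeps running it even after that tag is re-pushed. If KubeZero references the proxy images by `global.tag` rather than by digest, the umbrella values should set `global.imagePullPolicy: Always` explicitly, or pin `global.proxy.image`/`global.proxy_init.image` by digest, so the sidecar version cannot be silently pinned to a stale node cache. Whether the umbrella chart already sets that value is not visible in this hunk; if it does not, a comment in the values file such as `# imagePullPolicy must be set explicitly since 1.10: the chart no longer defaults to Always` would make the new behaviour discoverable.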


@ -1,8 +1,7 @@
{{- define "mesh" }} {{- define "mesh" }}
# The trust domain corresponds to the trust root of a system. # The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} trustDomain: "cluster.local"
# The namespace to treat as the administrative root namespace for Istio configuration. # The namespace to treat as the administrative root namespace for Istio configuration.
# When processing a leaf namespace Istio will search for declarations in that namespace first # When processing a leaf namespace Istio will search for declarations in that namespace first
@ -13,8 +12,6 @@
defaultConfig: defaultConfig:
{{- if .Values.global.meshID }} {{- if .Values.global.meshID }}
meshId: {{ .Values.global.meshID }} meshId: {{ .Values.global.meshID }}
{{- else if .Values.global.trustDomain }}
meshId: {{ .Values.global.trustDomain }}
{{- end }} {{- end }}
tracing: tracing:
{{- if eq .Values.global.proxy.tracer "lightstep" }} {{- if eq .Values.global.proxy.tracer "lightstep" }}
@ -50,8 +47,8 @@
maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
{{- end }} {{- end }}
{{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
{{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
{{ toYaml $.Values.meshConfig.defaultConfig.tracing }} {{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
{{- end }} {{- end }}
{{- if .Values.global.remotePilotAddress }} {{- if .Values.global.remotePilotAddress }}
{{- if .Values.pilot.enabled }} {{- if .Values.pilot.enabled }}
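Review bot: `trustDomain` is now hard-coded to `"cluster.local"` in the rendered mesh config and the `meshId` fallback from `global.trustDomain` is removed, so an installation that previously set `global.trustDomain` will silently change its SPIFFE trust domain on upgrade. That rewrites every workload identity (`spiffe://<trustDomain>/ns/<ns>/sa/<sa>`), so AuthorizationPolicy principals, cross-cluster PeerAuthentication and any external SPIFFE federation keyed on the old domain stop matching, and mTLS peers still on the old domain are rejected. Istio 1.10 reads this setting from `meshConfig.trustDomain`; if the umbrella chart exposed `global.trustDomain` before, it should either map it onto `meshConfig.trustDomain` or refuse to render while the old key is still set, e.g. `{{- if .Values.global.trustDomain }}{{ fail "global.trustDomain is no longer honoured; set meshConfig.trustDomain" }}{{- end }}`. Whether KubeZero ever exposed that value is not visible from this hunk.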


@ -25,7 +25,7 @@ spec:
maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }}
selector: selector:
matchLabels: matchLabels:
{{- if ne .Values.revision ""}} {{- if ne .Values.revision "" }}
app: istiod app: istiod
istio.io/rev: {{ .Values.revision | default "default" }} istio.io/rev: {{ .Values.revision | default "default" }}
{{- else }} {{- else }}
@ -39,10 +39,10 @@ spec:
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "false"
operator.istio.io/component: "Pilot" operator.istio.io/component: "Pilot"
{{- if eq .Values.revision ""}} {{- if ne .Values.revision "" }}
istio: pilot
{{- else }}
istio: istiod istio: istiod
{{- else }}
istio: pilot
{{- end }} {{- end }}
annotations: annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }} {{- if .Values.meshConfig.enablePrometheusMerge }}
@ -153,8 +153,6 @@ spec:
value: "{{ .Values.global.istiod.enableAnalysis }}" value: "{{ .Values.global.istiod.enableAnalysis }}"
- name: CLUSTER_ID - name: CLUSTER_ID
value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
- name: EXTERNAL_ISTIOD
value: "{{ $.Values.global.externalIstiod | default "false" }}"
{{- if not .Values.telemetry.v2.enabled }} {{- if not .Values.telemetry.v2.enabled }}
- name: PILOT_ENDPOINT_TELEMETRY_LABEL - name: PILOT_ENDPOINT_TELEMETRY_LABEL
value: "false" value: "false"
@ -173,8 +171,6 @@ spec:
drop: drop:
- ALL - ALL
volumeMounts: volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token - name: istio-token
mountPath: /var/run/secrets/tokens mountPath: /var/run/secrets/tokens
@ -188,9 +184,6 @@ spec:
- name: istio-kubeconfig - name: istio-kubeconfig
mountPath: /var/run/secrets/remote mountPath: /var/run/secrets/remote
readOnly: true readOnly: true
- name: inject
mountPath: /var/lib/istio/inject
readOnly: true
{{- if .Values.pilot.jwksResolverExtraRootCA }} {{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts - name: extracacerts
mountPath: /cacerts mountPath: /cacerts
@ -219,13 +212,6 @@ spec:
secret: secret:
secretName: istio-kubeconfig secretName: istio-kubeconfig
optional: true optional: true
# Optional - image should have
- name: inject
configMap:
name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
- name: config-volume
configMap:
name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.pilot.jwksResolverExtraRootCA }} {{- if .Values.pilot.jwksResolverExtraRootCA }}
- name: extracacerts - name: extracacerts
configMap: configMap:


@ -11,6 +11,7 @@ a unique prefix to each. */}}
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
path: "/inject" path: "/inject"
port: 443
{{- end }} {{- end }}
caBundle: "" caBundle: ""
sideEffects: None sideEffects: None
@ -24,7 +25,7 @@ a unique prefix to each. */}}
{{- end }} {{- end }}
{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} {{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
{{- if not .Values.global.operatorManageWebhooks }} {{- if not .Values.global.operatorManageWebhooks }}
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:
{{- if eq .Release.Namespace "istio-system"}} {{- if eq .Release.Namespace "istio-system"}}
@ -41,7 +42,7 @@ metadata:
webhooks: webhooks:
{{- if .Values.sidecarInjectorWebhook.useLegacySelectors}} {{- if .Values.sidecarInjectorWebhook.useLegacySelectors}}
{{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}} {{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }} {{- include "core" . }}
namespaceSelector: namespaceSelector:
{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
matchExpressions: matchExpressions:
@ -92,18 +93,21 @@ webhooks:
{{- end }} {{- end }}
{{- else }} {{- else }}
{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
{{- if .Values.revision }}
{{- /* Case 1: namespace selector matches, and object doesn't disable */}} {{- /* Case 1: namespace selector matches, and object doesn't disable */}}
{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} {{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector: namespaceSelector:
matchExpressions: matchExpressions:
- key: istio.io/rev - key: istio.io/rev
operator: In operator: In
values: values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}" - "{{ .Values.revision }}"
{{- end }}
- key: istio-injection - key: istio-injection
operator: DoesNotExist operator: DoesNotExist
objectSelector: objectSelector:
@ -114,7 +118,7 @@ webhooks:
- "false" - "false"
{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} {{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
namespaceSelector: namespaceSelector:
matchExpressions: matchExpressions:
- key: istio.io/rev - key: istio.io/rev
@ -130,10 +134,15 @@ webhooks:
- key: istio.io/rev - key: istio.io/rev
operator: In operator: In
values: values:
{{- if (eq .Values.revision "") }}
- "default"
{{- else }}
- "{{ .Values.revision }}" - "{{ .Values.revision }}"
{{- end }}
{{- else }}
{{- /* "default" revision */}} {{- /* Webhooks for default revision */}}
{{- if (eq .Values.revision "") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} {{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
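Review bot: The switch to `apiVersion: admissionregistration.k8s.io/v1` on the MutatingWebhookConfiguration makes `sideEffects` and `admissionReviewVersions` mandatory and drops clusters older than 1.16; `sideEffects: None` is visible at the end of the first hunk, but `admissionReviewVersions` lives in the `core` define above the first hunk and should be confirmed there. The added `port: 443` is the default for `clientConfig.service` under v1, so it is harmless and makes the webhook target explicit. The legacy branch now calls `{{- include "core" . }}` with the root context, so `.Prefix` is empty and the webhook keeps its unprefixed name — presumably intended, but a one-line comment such as `{{- /* no Prefix: legacy webhook keeps the bare sidecar-injector.istio.io name */}}` would save the next reader a lookup. The `core` define and the enclosing `webhooks:` list start outside these hunks.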


@ -16,7 +16,7 @@ spec:
selector: selector:
matchLabels: matchLabels:
app: istiod app: istiod
{{- if ne .Values.revision ""}} {{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }} istio.io/rev: {{ .Values.revision }}
{{- else }} {{- else }}
istio: pilot istio: pilot


@ -0,0 +1,113 @@
# Adapted from istio-discovery/templates/mutatingwebhook.yaml
# Removed paths for legacy and default selectors since a revision tag
# is inherently created from a specific revision
{{- define "core" }}
- name: {{.Prefix}}sidecar-injector.istio.io
clientConfig:
{{- if .Values.istiodRemote.injectionURL }}
url: {{ .Values.istiodRemote.injectionURL }}
{{- else }}
service:
name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
namespace: {{ .Release.Namespace }}
path: "/inject"
{{- end }}
caBundle: ""
sideEffects: None
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1beta1", "v1"]
{{- end }}
{{- range $tagName := $.Values.revisionTags }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq $.Release.Namespace "istio-system"}}
name: istio-revision-tag-{{ $tagName }}
{{- else }}
name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
{{- end }}
labels:
istio.io/tag: {{ $tagName }}
istio.io/rev: {{ $.Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
operator.istio.io/component: "Pilot"
app: sidecar-injector
release: {{ $.Release.Name }}
webhooks:
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio.io/rev
operator: DoesNotExist
- key: istio-injection
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
- key: istio.io/rev
operator: In
values:
- "{{ $tagName }}"
{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
{{- if (eq $tagName "default") }}
{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: In
values:
- enabled
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: NotIn
values:
- "false"
{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
namespaceSelector:
matchExpressions:
- key: istio-injection
operator: DoesNotExist
- key: istio.io/rev
operator: DoesNotExist
objectSelector:
matchExpressions:
- key: sidecar.istio.io/inject
operator: In
values:
- "true"
- key: istio.io/rev
operator: DoesNotExist
{{- end }}
{{- end }}
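Review bot: This new template re-declares `{{- define "core" }}`, the same helper name the sidecar-injector `mutatingwebhook.yaml` template already defines and includes (its `include "core"` calls are visible in the earlier section), and the two bodies now differ: this copy has no `port: 443` under `clientConfig.service`, while the other file gains one in this commit. Helm templates share one name space per chart, so whichever file is parsed last silently supplies `core` for both; with differing bodies the rendered webhooks depend on parse order rather than on the file a reader is looking at. Rename this helper to a file-specific name such as `revision-tags.core`, update the four `include "core"` calls in this file accordingly, and add `port: 443` after `path: "/inject"` so the two copies stay in sync. `caBundle: ""` together with `failurePolicy: Fail` presumably relies on istiod patching the bundle into configurations labelled `istio.io/rev`/`istio.io/tag`; a tag whose webhook is never patched then fails pod creation closed in the tagged namespaces, which is the safe direction but worth stating in the `revisionTags` value comment.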


@ -27,7 +27,7 @@ spec:
protocol: TCP protocol: TCP
selector: selector:
app: istiod app: istiod
{{- if ne .Values.revision ""}} {{- if ne .Values.revision "" }}
istio.io/rev: {{ .Values.revision }} istio.io/rev: {{ .Values.revision }}
{{- else }} {{- else }}
# Label used by the 'default' service. For versioned deployments we match with app and version. # Label used by the 'default' service. For versioned deployments we match with app and version.


@ -3,7 +3,7 @@
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -19,7 +19,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -54,7 +54,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -89,7 +89,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -124,7 +124,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -138,7 +138,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: {} listener: {}
patch: patch:
operation: INSERT_BEFORE operation: INSERT_BEFORE
@ -153,7 +153,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
cluster: {} cluster: {}
patch: patch:
operation: MERGE operation: MERGE
@ -169,7 +169,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
cluster: {} cluster: {}
patch: patch:
operation: MERGE operation: MERGE
@ -187,7 +187,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -201,7 +201,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -224,15 +224,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{ {
"debug": "false", "debug": "false",
"stat_prefix": "istio", "stat_prefix": "istio"
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
} }
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@ -255,7 +247,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -309,7 +301,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -333,15 +325,7 @@ spec:
{ {
"debug": "false", "debug": "false",
"stat_prefix": "istio", "stat_prefix": "istio",
"disable_host_header_fallback": true, "disable_host_header_fallback": true
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
} }
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@ -365,7 +349,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -379,7 +363,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -431,7 +415,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -452,15 +436,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
{ {
"debug": "false", "debug": "false",
"stat_prefix": "istio", "stat_prefix": "istio"
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
} }
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
@ -483,7 +459,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -504,15 +480,7 @@ spec:
{{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
{ {
"debug": "false", "debug": "false",
"stat_prefix": "istio", "stat_prefix": "istio"
"metrics": [
{
"dimensions": {
"source_cluster": "node.metadata['CLUSTER_ID']",
"destination_cluster": "upstream_peer.cluster_id"
}
}
]
} }
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
@ -537,7 +505,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -552,7 +520,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -573,7 +541,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }} {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"} {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }} {{- end }}
@ -587,7 +555,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -608,7 +576,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }} {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }} {{- end }}
@ -621,7 +589,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -642,7 +610,7 @@ spec:
"@type": "type.googleapis.com/google.protobuf.StringValue" "@type": "type.googleapis.com/google.protobuf.StringValue"
value: | value: |
{{- if not .Values.telemetry.v2.stackdriver.configOverride }} {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
{"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
{{- else }} {{- else }}
{{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
{{- end }} {{- end }}
@ -655,7 +623,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -670,7 +638,7 @@ spec:
match: match:
context: SIDECAR_OUTBOUND context: SIDECAR_OUTBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -703,7 +671,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -735,7 +703,7 @@ spec:
match: match:
context: GATEWAY context: GATEWAY
proxy: proxy:
proxyVersion: '^1\.9.*' proxyVersion: '^1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
@ -768,7 +736,7 @@ spec:
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter kind: EnvoyFilter
metadata: metadata:
name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
{{- if .Values.meshConfig.rootNamespace }} {{- if .Values.meshConfig.rootNamespace }}
namespace: {{ .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }}
{{- else }} {{- else }}
@ -782,7 +750,7 @@ spec:
match: match:
context: SIDECAR_INBOUND context: SIDECAR_INBOUND
proxy: proxy:
proxyVersion: '1\.9.*' proxyVersion: '1\.10.*'
listener: listener:
filterChain: filterChain:
filter: filter:
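Review bot: The `proxyVersion` in the last hunk (stackdriver-sampling-accesslog-filter) is `'1\.10.*'` without the leading `^` anchor that every other `proxyVersion` in this file carries; the bump carried the inconsistency over from the 1.9 template. Presumably the pattern is substring-matched, in which case it also applies to any version string merely containing `1.10`, making this filter's match looser than its siblings. Change it to `proxyVersion: '^1\.10.*'` for consistency. Each EnvoyFilter's `spec` starts outside its hunk, so the surrounding match blocks were not reviewed line by line.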


@ -68,7 +68,7 @@ sidecarInjectorWebhook:
# If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
# requests in Istiod, rather than at the webhook selection level. # requests in Istiod, rather than at the webhook selection level.
# This is option is intended for migration purposes only and will be removed in Istio 1.10. # This is option is intended for migration purposes only and will be removed in Istio 1.10.
useLegacySelectors: true useLegacySelectors: false
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy. # always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
@ -157,15 +157,13 @@ telemetry:
enabled: false enabled: false
logging: false logging: false
monitoring: false monitoring: false
topology: false topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
disableOutbound: false disableOutbound: false
# configOverride parts give you the ability to override the low level configuration params passed to envoy filter. # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
configOverride: {} configOverride: {}
# e.g. # e.g.
# enable_mesh_edges_reporting: true
# disable_server_access_logging: false # disable_server_access_logging: false
# meshEdgesReportingDuration: 500s
# disable_host_header_fallback: true # disable_host_header_fallback: true
# Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
accessLogPolicy: accessLogPolicy:
@ -176,6 +174,9 @@ telemetry:
# Revision is set as 'version' label and part of the resource names when installing multiple control planes. # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: "" revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility. # For Helm compatibility.
ownerName: "" ownerName: ""
@ -197,6 +198,10 @@ meshConfig:
rootNamespace: rootNamespace:
# The trust domain corresponds to the trust root of a system
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# TODO: the intent is to eventually have this enabled by default when security is used. # TODO: the intent is to eventually have this enabled by default when security is used.
# It is not clear if user should normally need to configure - the metadata is typically # It is not clear if user should normally need to configure - the metadata is typically
# used as an escape and to control testing and rollout, but it is not intended as a long-term # used as an escape and to control testing and rollout, but it is not intended as a long-term
@ -232,7 +237,7 @@ global:
# Dev builds from prow are on gcr.io # Dev builds from prow are on gcr.io
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.3 tag: 1.10.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.
@ -505,8 +510,6 @@ global:
# Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
useMCP: false useMCP: false
# Deprecated, use meshConfig.trustDomain
trustDomain: ""
base: base:
# For istioctl usage to disable istio config crds in base # For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true enableIstioConfigCRDs: true
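Review bot: `global.trustDomain` is deleted in the last hunk while `meshConfig.trustDomain: "cluster.local"` is introduced two hunks earlier, but nothing rejects a user values file that still sets the old key; such an override is now silently ignored and identities presumably fall back to the `cluster.local` trust domain. Since the trust domain is the SPIFFE trust root used when validating peer identities, a silent change here deserves a hard stop: add a guard such as `{{- if .Values.global.trustDomain }}{{ fail "global.trustDomain was removed, set meshConfig.trustDomain" }}{{- end }}` to a template, or at minimum a changelog entry. The `useLegacySelectors` default flip to `false` in the first hunk moves injection selection to API-server label selectors, yet the comment directly above still says the option is for migration only and will be removed in Istio 1.10; with 1.10.2 now shipped that comment should be refreshed to match the actual plan.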



@ -4,14 +4,14 @@ set -ex
### TODO ### TODO
# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/ # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
export ISTIO_VERSION=1.9.3 export ISTIO_VERSION=1.10.2
rm -rf istio rm -rf istio
curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz
mv istio-${ISTIO_VERSION} istio mv istio-${ISTIO_VERSION} istio
# remove unused old telemetry filters # remove unused old telemetry filters
rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml
# Patch # Patch
patch -p0 -i zdt.patch --no-backup-if-mismatch patch -p0 -i zdt.patch --no-backup-if-mismatch
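Review bot: Bumping `ISTIO_VERSION` still feeds an unverified tarball from GitHub straight into `tar xz` on the following line, so a substituted or tampered release archive would be vendored into the chart without any signal. Pin the expected digest next to the version and verify it before extracting: `curl -sLo istio.tgz "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"`, `echo "${ISTIO_SHA256}  istio.tgz" | sha256sum -c -`, `tar xzf istio.tgz`, with `ISTIO_SHA256` set per version from the published release checksum (placeholder, fill in when bumping). The widened `telemetryv2_1.[6789].yaml` glob works for this bump but needs another edit at the next minor; removing everything except the current `telemetryv2_1.10.yaml` would make the cleanup version-independent.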


@ -1,9 +1,8 @@
global: global:
# hub: docker.io/istio # hub: docker.io/istio
# tag: 1.9.3 # tag: 1.10.2
logAsJson: true logAsJson: true
jwtPolicy: first-party-jwt
defaultPodDisruptionBudget: defaultPodDisruptionBudget:
enabled: false enabled: false