diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index e66651e..15b3889 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.1.1 -appVersion: 1.8.1 +version: 0.1.2 +appVersion: 1.8.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml index b989ba7..4603747 100644 --- a/charts/kubezero-istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/values.yaml @@ -1,7 +1,7 @@ # Make sure these values match kuberzero-istio !!! global: hub: docker.io/istio - tag: 1.8.1 + tag: 1.8.2 logAsJson: true jwtPolicy: first-party-jwt diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 903bd5a..a349c7c 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.4.1 -appVersion: 1.8.1 +version: 0.4.2 +appVersion: 1.8.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml index deea651..35b4db8 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -3048,7 +3048,6 @@ spec: - CUSTOM type: string provider: - description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index 0a30433..ac70215 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml +++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -3050,7 +3050,6 @@ spec: - CUSTOM type: string provider: - description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. @@ -3537,7 +3536,9 @@ rules: verbs: ["get", "list", "watch", "update"] # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] - apiGroups: ["networking.istio.io"] @@ -3621,6 +3622,7 @@ rules: - "security.istio.io" - "networking.istio.io" - "authentication.istio.io" + - "rbac.istio.io" resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml index 521c24b..f53b830 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -17,11 +17,13 @@ rules: verbs: ["get", "list", "watch", "update"] # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] {{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] verbs: ["update"] # TODO: should be on just */status but wildcard is not supported resources: ["*"] @@ -115,6 +117,7 @@ rules: - "security.istio.io" - "networking.istio.io" - "authentication.istio.io" + - "rbac.istio.io" resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml index f878321..6985a68 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml @@ -108,10 +108,18 @@ spec: value: | {} vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.metadata_exchange + {{- end }} --- apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter @@ -339,10 +347,18 @@ spec: {{- end }} vm_config: vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} runtime: envoy.wasm.runtime.null code: local: inline_string: envoy.wasm.stats + {{- end }} --- # Note: tcp stats filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 @@ -502,14 +518,20 @@ spec: {{- end }} vm_config: vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} runtime: envoy.wasm.runtime.null code: local: inline_string: "envoy.wasm.stats" + {{- end }} --- - {{- end }} - {{- if .Values.telemetry.v2.stackdriver.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter @@ -629,7 +651,6 @@ spec: code: local: { inline_string: envoy.wasm.null.stackdriver } --- - apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 3993833..5d6a364 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -export ISTIO_VERSION=1.8.1 +export ISTIO_VERSION=1.8.2 if [ ! -d istio-$ISTIO_VERSION ]; then NAME="istio-$ISTIO_VERSION" diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 2b58c92..a855e1a 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,6 +1,6 @@ global: hub: docker.io/istio - tag: 1.8.0 + tag: 1.8.2 logAsJson: true jwtPolicy: first-party-jwt