diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index e738d6e..27ff228 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.2.4 -appVersion: 1.6.7 +version: 0.3.0 +appVersion: 1.7.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,5 +16,5 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-operator - version: ">= 1.6" + version: ">= 1.7" kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 23cbeac..b3ac36e 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio Installs Istio Operator and KubeZero Istio profile -Current chart version is `0.2.4` +Current chart version is `0.3.0` Source code can be found [here](https://kubezero.com) @@ -13,7 +13,7 @@ Source code can be found [here](https://kubezero.com) | Repository | Name | Version | |------------|------|---------| -| | istio-operator | >= 1.6 | +| | istio-operator | >= 1.7 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration 
@@ -30,10 +30,12 @@ Source code can be found [here](https://kubezero.com) | ingress.replicaCount | int | `2` | | | ingress.type | string | `"NodePort"` | | | istio-operator.hub | string | `"docker.io/istio"` | | -| istio-operator.tag | string | `"1.6.7"` | | +| istio-operator.tag | string | `"1.7.1"` | | | istiod.autoscaleEnabled | bool | `false` | | | istiod.replicaCount | int | `1` | | ## Resources +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml - https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio/README.md.gotmpl b/charts/kubezero-istio/README.md.gotmpl index a0447aa..2a38ba6 100644 --- a/charts/kubezero-istio/README.md.gotmpl +++ b/charts/kubezero-istio/README.md.gotmpl @@ -17,4 +17,6 @@ Installs Istio Operator and KubeZero Istio profile ## Resources +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml - https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio/charts/istio-operator/Chart.yaml b/charts/kubezero-istio/charts/istio-operator/Chart.yaml index 4f4977f..807caae 100644 --- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-operator/Chart.yaml @@ -1,12 +1,12 @@ apiVersion: v1 name: istio-operator -version: 1.6.0 +version: 1.7.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio operator keywords: - istio - operator sources: - - http://github.com/istio/istio/operator + - https://github.com/istio/istio/tree/master/operator engine: gotpl -icon: https://istio.io/favicons/android-192x192.png +icon: https://istio.io/latest/favicons/android-192x192.png 
diff --git a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml
new file mode 100644
index 0000000..05fb86a
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml
@@ -0,0 +1,74 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ type: string
+ name: Status
+ - jsonPath: .metadata.creationTimestamp
+ description:
+ "CreationTimestamp is a timestamp representing the server time when
+ this object was created. It is not guaranteed to be set in happens-before order
+ across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description:
+ "APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
+ type: string
+ kind:
+ description:
+ "Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ spec:
+ description:
+ "Specification of the desired state of the istio control plane resource.
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: + "Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml index 53be806..bdbd5bd 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} rules: # istio groups - apiGroups: @@ -29,12 +29,6 @@ rules: - '*' verbs: - '*' -- apiGroups: - - rbac.istio.io - resources: - - '*' - verbs: - - '*' - apiGroups: - security.istio.io resources: @@ -81,6 +75,7 @@ rules: verbs: - get - create + - update - apiGroups: - policy resources: diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml index 39e2663..9b9df7d 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml 
@@ -1,13 +1,13 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} subjects: - kind: ServiceAccount - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{.Values.operatorNamespace}} roleRef: kind: ClusterRole - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} apiGroup: rbac.authorization.k8s.io --- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml deleted file mode 100644 index 6b85c37..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml +++ /dev/null 
@@ -1,46 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: istiooperators.install.istio.io
-spec:
- group: install.istio.io
- names:
- kind: IstioOperator
- plural: istiooperators
- singular: istiooperator
- shortNames:
- - iop
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- spec:
- description: 'Specification of the desired state of the istio control plane resource.
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- status:
- description: 'Status describes each of istio control plane component status at the current time.
- 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
- More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
- https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
- type: object
- versions:
- - name: v1alpha1
- served: true
- storage: true
----
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml new file mode 100644 index 0000000..a370365 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml @@ -0,0 +1,6 @@ +{{- if .Values.enableCRDTemplates -}} +{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} +--- +{{ $.Files.Get $path }} +{{- end -}} +{{- end -}} diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml index 8350dd5..73b5d66 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: namespace: {{.Values.operatorNamespace}} - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} spec: replicas: 1 selector: @@ -13,7 +13,7 @@ spec: labels: name: istio-operator spec: - serviceAccountName: istio-operator + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" 
@@ -26,23 +26,32 @@ spec: command: - operator - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true imagePullPolicy: IfNotPresent resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 128Mi +{{ toYaml .Values.operator.resources | trim | indent 12 }} env: - name: WATCH_NAMESPACE - value: {{.Values.istioNamespace}} + value: {{.Values.watchedNamespaces | quote}} - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: {{.Values.waitForResourcesTimeout | quote}} + - name: REVISION + value: {{.Values.revision | quote}} --- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml index 93e2638..e7967a7 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml @@ -4,7 +4,7 @@ metadata: namespace: {{.Values.operatorNamespace}} labels: name: istio-operator - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} spec: ports: - name: http-metrics diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml index 32307f3..cb708ee 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml 
@@ -2,5 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: namespace: {{.Values.operatorNamespace}} - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} --- diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml index 6a653f5..45c5c96 100644 --- a/charts/kubezero-istio/charts/istio-operator/values.yaml +++ b/charts/kubezero-istio/charts/istio-operator/values.yaml @@ -1,4 +1,25 @@ hub: gcr.io/istio-testing -tag: 1.6-dev +tag: latest + operatorNamespace: istio-operator -istioNamespace: istio-system + +# Used to replace istioNamespace to support operator watch multiple namespaces. +watchedNamespaces: istio-system +waitForResourcesTimeout: 300s + +# Used for helm2 to add the CRDs to templates. +enableCRDTemplates: false + +# revision for the operator resources +revision: "" + +# Operator resource defaults +operator: + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + diff --git a/charts/kubezero-istio/delete_istio_14.sh b/charts/kubezero-istio/delete_istio_14.sh deleted file mode 100755 index 3078179..0000000 --- a/charts/kubezero-istio/delete_istio_14.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# First delete old 1.4 -kubectl delete -f ingress-gateway.yaml -kubectl delete -f istio.yaml -kubectl delete -f istio-init.yaml -kubectl delete -f namespace.yaml diff --git a/charts/kubezero-istio/istio-operator.patch b/charts/kubezero-istio/istio-operator.patch index 7043f50..bf36436 100644 --- a/charts/kubezero-istio/istio-operator.patch +++ b/charts/kubezero-istio/istio-operator.patch 
@@ -1,11 +1,9 @@ -diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -index 5ef7848..8350dd5 100644 ---- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -@@ -14,6 +14,12 @@ spec: +--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100 ++++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100 +@@ -14,6 +14,12 @@ name: istio-operator spec: - serviceAccountName: istio-operator + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/master: "" diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index fdfc577..4324e5c 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml @@ -5220,6 +5220,7 @@ spec: storage: true --- + # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index bcb998c..5f9ea4f 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml 
@@ -30,15 +30,15 @@ spec: name: istio-private-ingressgateway {{- end }} env: - # https://github.com/istio/istio/issues/26524 + # https://github.com/istio/istio/issues/26524, not in 1.7 either #- name: TERMINATION_DRAIN_DURATION_SECONDS # value: "60" - name: ISTIO_META_HTTP10 value: '"1"' - name: ISTIO_META_ROUTER_MODE value: standard - - name: ISTIO_META_IDLE_TIMEOUT - value: "3600s" + #- name: ISTIO_META_IDLE_TIMEOUT + # value: "3600s" {{- if eq .Values.ingress.type "NodePort" }} nodeSelector: node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}" @@ -64,6 +64,10 @@ spec: - path: spec.template.spec.terminationGracePeriodSeconds value: 90 + meshConfig: + accessLogFile: /dev/stdout + accessLogEncoding: 'JSON' + values: gateways: istio-ingressgateway: @@ -87,11 +91,13 @@ spec: {{- end }} - name: http2 port: 80 + targetPort: 8080 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31080 {{- end }} - name: https port: 443 + targetPort: 8443 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31443 {{- end }} @@ -110,24 +116,11 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31672 {{- end }} - sds: - enabled: true - image: node-agent-k8s - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - secretVolumes: - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs global: jwtPolicy: first-party-jwt + logAsJson: true + defaultPodDisruptionBudget: + enabled: false + {{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 50831ae..0e4a554 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
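Review bot: The `meshConfig` block added at `@@ -64,6 +64,10 @@` in `istio-private-ingress.yaml` sends Envoy access logs to `/dev/stdout` with no note on what those lines carry. Envoy's default access-log fields include the full request path with its query string, so tokens or identifiers passed as URL parameters would be copied into the cluster log pipeline for every request through the gateway. I would add a comment above the block such as `# access logs include request path and query string; treat the log stream as sensitive`, and confirm that access to and retention of the log store match that. The same block is added in `templates/istio.yaml`; the surrounding IstioOperator spec continues outside the hunk.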
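Review bot: Dropping `secretVolumes` at `@@ -110,24 +116,11 @@` removes the `/etc/istio/ingressgateway-certs` and `/etc/istio/ingressgateway-ca-certs` mounts, so any Gateway that still references certificate files under those paths would presumably stop terminating TLS after the upgrade. Nothing visible shows whether existing Gateways were moved to `credentialName`. The same hunk sets `defaultPodDisruptionBudget.enabled: false` without a reason, which leaves the gateway pods without eviction protection during node drains. A comment such as `# file-mounted gateway certs are gone; Gateways must use credentialName` and a one-line reason next to the PDB setting would make both trade-offs explicit. `templates/istio.yaml` makes the same two changes.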
@@ -7,14 +7,7 @@ metadata: {{ include "kubezero-lib.labels" . | indent 4 }} spec: profile: empty - addonComponents: - prometheus: - enabled: false components: - citadel: - enabled: false - galley: - enabled: false ingressGateways: - enabled: true k8s: @@ -34,22 +27,22 @@ spec: name: istio-ingressgateway {{- end }} env: - # https://github.com/istio/istio/issues/26524 + # https://github.com/istio/istio/issues/26524, not in 1.7 ! #- name: TERMINATION_DRAIN_DURATION_SECONDS # value: "60" - name: ISTIO_META_HTTP10 value: '"1"' - name: ISTIO_META_ROUTER_MODE value: standard - - name: ISTIO_META_IDLE_TIMEOUT - value: "3600s" + #- name: ISTIO_META_IDLE_TIMEOUT + # value: "3600s" {{- if eq .Values.ingress.type "NodePort" }} nodeSelector: node.kubernetes.io/ingress.public: "30080_30443" {{- end }} resources: limits: - # cpu: 2000m + #cpu: 2000m memory: 1024Mi requests: cpu: 100m @@ -92,10 +85,11 @@ spec: - effect: NoSchedule key: node-role.kubernetes.io/master - sidecarInjector: - enabled: false telemetry: enabled: false + meshConfig: + accessLogFile: /dev/stdout + accessLogEncoding: 'JSON' values: gateways: istio-ingressgateway: 
@@ -119,45 +113,22 @@ spec: {{- end }} - name: http2 port: 80 + targetPort: 8080 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30080 {{- end }} - name: https port: 443 + targetPort: 8443 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} - sds: - enabled: true - image: node-agent-k8s - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - secretVolumes: - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - meshConfig: - accessLogFile: /dev/stdout - disablePolicyChecks: false global: jwtPolicy: first-party-jwt - omitSidecarInjectorConfigMap: true - proxy: - accessLogEncoding: JSON - autoInject: disabled - envoyStatsd: - enabled: false - useMCP: false + logAsJson: true + defaultPodDisruptionBudget: + enabled: false pilot: - sidecar: false autoscaleEnabled: false mixer: policy: diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 199a678..ed50e1d 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -ISTIO_VERSION=1.6.7 +ISTIO_VERSION=1.7.1 NAME="istio-$ISTIO_VERSION" URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" @@ -15,7 +15,7 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts rm -rf istio-${ISTIO_VERSION} # Apply our patch -patch -i istio-operator.patch -p3 +patch -i istio-operator.patch -p0 # Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index c179f3d..24c778c 100644 
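Review bot: The values removed at `@@ -119,45 +113,22 @@` in `istio.yaml` include `proxy.autoInject: disabled` and `omitSidecarInjectorConfigMap: true`, and the preceding hunk drops `sidecarInjector.enabled: false`, so nothing visible pins sidecar injection off any more. With those keys gone the install falls back to the Istio 1.7 defaults, which I believe enable injection for labelled namespaces once istiod is running. If this profile is meant to stay gateway-only, keep the intent explicit under `global:` with `proxy:` / `autoInject: disabled`, or add a comment saying that default injection is now wanted. The rest of the `values:` block lies outside the hunk.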
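Review bot: `update.sh` still fetches the release archive from `URL` and vendors its `istio-operator` chart with no integrity check visible in these hunks (the download step itself is outside them). Because the archive's contents are committed as manifests carrying cluster-wide RBAC, I would verify it against the `.sha256` file Istio publishes beside each release archive before unpacking, e.g. `sha256sum -c "istio-${ISTIO_VERSION}-linux-amd64.tar.gz.sha256"`. Separately, `istioctl manifest generate` runs whatever `istioctl` is on `PATH`, so `templates/istio-base.yaml` can be rendered by a version other than `ISTIO_VERSION`; a guard comparing `istioctl version --remote=false` with `ISTIO_VERSION` would catch that.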
--- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -14,4 +14,4 @@ ingress: istio-operator: hub: docker.io/istio - tag: 1.6.7 + tag: 1.7.1 diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index 30afad9..812628f 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.2.9 +version: 0.2.10 appVersion: 3.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -18,4 +18,5 @@ dependencies: - name: kiam version: 5.8.1 repository: https://uswitch.github.io/kiam-helm-charts/charts/ + condition: kiam.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index d973e8b..efc81e3 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md @@ -2,7 +2,7 @@ kubezero-kiam ============= KubeZero Umbrella Chart for Kiam -Current chart version is `0.2.8` +Current chart version is `0.2.10` Source code can be found [here](https://kubezero.com) @@ -43,6 +43,10 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | | +| kiam.agent.resources.limits.cpu | string | `"50m"` | | +| kiam.agent.resources.limits.memory | string | `"20Mi"` | | +| kiam.agent.resources.requests.cpu | string | `"50m"` | | +| kiam.agent.resources.requests.memory | string | `"20Mi"` | | | kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | | | kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | | | kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | | 
@@ -52,6 +56,7 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | kiam.agent.updateStrategy | string | `"RollingUpdate"` | | | kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` | | +| kiam.enabled | bool | `true` | | | kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role | | kiam.server.deployment.enabled | bool | `true` | | | kiam.server.deployment.replicas | int | `1` | | @@ -61,6 +66,10 @@ By default all access to the meta-data service is blocked, expect for: | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | | +| kiam.server.resources.limits.cpu | string | `"100m"` | | +| kiam.server.resources.limits.memory | string | `"50Mi"` | | +| kiam.server.resources.requests.cpu | string | `"100m"` | | +| kiam.server.resources.requests.memory | string | `"50Mi"` | | | kiam.server.service.port | int | `6444` | | | kiam.server.service.targetPort | int | `6444` | | | kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | | diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index 07b95e0..b96d4f5 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -1,4 +1,5 @@ kiam: + enabled: true server: image: tag: "v3.6" diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index 9d82968..53a5e1e 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.3.2 +version: 0.3.5 appVersion: 1.2.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -23,7 +23,7 @@ dependencies: repository: https://kubernetes-charts.storage.googleapis.com/ condition: fluentd.enabled - name: fluent-bit - version: 0.6.4 + version: 0.7.2 repository: https://zero-down-time.github.io/kubezero/ # repository: https://fluent.github.io/helm-charts condition: fluent-bit.enabled diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 3e1a2a1..fc8ca85 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -2,7 +2,7 @@ kubezero-logging ================ KubeZero Umbrella Chart for complete EFK stack -Current chart version is `0.3.2` +Current chart version is `0.3.5` Source code can be found [here](https://kubezero.com) @@ -11,7 +11,7 @@ Source code can be found [here](https://kubezero.com) | Repository | Name | Version | |------------|------|---------| | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 | -| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.6.4 | +| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream 
@@ -56,7 +56,7 @@ Source code can be found [here](https://kubezero.com) | es.s3Snapshot.enabled | bool | `false` | | | es.s3Snapshot.iamrole | string | `""` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/etc/functions.lua\n call reassemble_cri_logs\n\n[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/etc/functions.lua\n call dedot\n"` | | -| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 10\n DB /var/log/flb_kube.db\n DB.Sync Normal\n[INPUT]\n Name tail\n Path /var/log/kubernetes/audit.log\n Parser json\n Tag kube.api.audit\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 60\n DB /var/log/flb_kube_audit.db\n DB.Sync Normal\n"` | | +| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 10\n DB /var/log/flb_kube.db\n DB.Sync Normal\n[INPUT]\n Name tail\n Path /var/log/kubernetes/audit.log\n Parser json\n Tag audit.api-server\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 60\n DB /var/log/flb_kube_audit.db\n DB.Sync Normal\n"` | | | fluent-bit.config.lua | string | `"function dedot(tag, timestamp, record)\n if record[\"kubernetes\"] == nil then\n return 0, 0, 0\n end\n dedot_keys(record[\"kubernetes\"][\"annotations\"])\n dedot_keys(record[\"kubernetes\"][\"labels\"])\n return 1, timestamp, record\nend\n\nfunction dedot_keys(map)\n if map == nil then\n return\n end\n local new_map = {}\n local changed_keys = {}\n for k, v in pairs(map) do\n local dedotted = string.gsub(k, \"%.\", \"_\")\n if dedotted ~= k then\n new_map[dedotted] = v\n changed_keys[k] = true\n end\n end\n for k in pairs(changed_keys) do\n map[k] = 
nil\n end\n for k, v in pairs(new_map) do\n map[k] = v\n end\nend\n\nlocal reassemble_state = {}\n\nfunction reassemble_cri_logs(tag, timestamp, record)\n -- IMPORTANT: reassemble_key must be unique for each parser stream\n -- otherwise entries from different sources will get mixed up.\n -- Either make sure that your parser tags satisfy this or construct\n -- reassemble_key some other way\n local reassemble_key = tag\n -- if partial line, accumulate\n if record.logtag == 'P' then\n reassemble_state[reassemble_key] = reassemble_state[reassemble_key] or \"\" .. record.message\n return -1, 0, 0\n end\n -- otherwise it's a full line, concatenate with accumulated partial lines if any\n record.message = reassemble_state[reassemble_key] or \"\" .. (record.message or \"\")\n reassemble_state[reassemble_key] = nil\n return 1, timestamp, record\nend\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Match *\n Name forward\n Host logging-fluentd\n Port 24224\n tls on\n tls.verify off\n Shared_Key cloudbender\n"` | | | fluent-bit.config.service | string | `"[SERVICE]\n Flush 5\n Daemon Off\n Log_Level warn\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port 2020\n"` | | diff --git a/charts/kubezero-logging/templates/eck/elasticsearch.yaml b/charts/kubezero-logging/templates/eck/elasticsearch.yaml index a9dfd27..1a0d431 100644 --- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml +++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml 
@@ -48,13 +48,16 @@ spec: - name: elasticsearch resources: requests: - cpu: 100m - memory: 2500Mi + cpu: {{ default "200m" .cpu_request }} + memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi limits: - memory: 4Gi + {{- if .cpu_limit }} + cpu: {{ .cpu_limit }} + {{- end }} + memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi env: - name: ES_JAVA_OPTS - value: "-Xms2g -Xmx2g" + value: -Xms{{ default "2" .jvm_heap }}g -Xmx{{ default "2" .jvm_heap }}g affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/charts/kubezero-logging/values-all.yaml b/charts/kubezero-logging/values-all.yaml index c87d0ad..e5997b7 100644 --- a/charts/kubezero-logging/values-all.yaml +++ b/charts/kubezero-logging/values-all.yaml @@ -18,6 +18,8 @@ es: size: 512Gi class: ebs-sc-gp2-xfs zone: us-west-2a + jvm_heap: 4 + cpu_limit: 2 s3Snapshot: enabled: true iamrole: "dfsf" # INSERT_CLOUDFORMATION_OUTPUT_ElasticSearchSnapshots @@ -32,3 +34,6 @@ kibana: fluentd: enabled: true + +fluent-bit: + enabled: true diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index b4c8a4c..2932c5d 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md 
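Review bot: `memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi` and the `-Xms…g -Xmx…g` line in `elasticsearch.yaml` assume `.jvm_heap` is a whole number of GiB, but nothing enforces or documents that. A value such as `1.5` or `512m` would, as far as I can tell from sprig's integer conversion, give a pod memory limit that no longer matches the heap handed to the JVM. I would document the key where it is set, e.g. `# jvm_heap: heap in whole GiB (integer); pod memory request and limit are twice this`. The rendered scalars are also unquoted now: `value: "-Xms{{ default "2" .jvm_heap }}g -Xmx{{ default "2" .jvm_heap }}g"` and `cpu: {{ .cpu_limit | quote }}` keep them strings whatever the values file supplies. The block that sets `.` for `.cpu_request` and `.jvm_heap` starts outside the hunk.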
@@ -79,10 +79,13 @@ Source code can be found [here](https://kubezero.com) | prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | | | prometheus-operator.prometheus.enabled | bool | `true` | | | prometheus-operator.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | | -| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"512Mi"` | | +| prometheus-operator.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` | | +| prometheus-operator.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | | +| prometheus-operator.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | | +| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` | | | prometheus-operator.prometheus.prometheusSpec.retention | string | `"8d"` | | | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | | -| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"8Gi"` | | +| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | | | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | | | prometheus-operator.prometheusOperator.admissionWebhooks.enabled | bool | `false` | | | prometheus-operator.prometheusOperator.createCustomResource | bool | `true` | | diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 2961135..b1ea4e9 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh 
@@ -40,8 +40,8 @@ else EOF fi - # Deploy initial argo-cad - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set cert-manager.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + # Deploy initial argocd + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml # Wait for argocd-server to be running kubectl rollout status deployment -n argocd kubezero-argocd-server @@ -55,7 +55,7 @@ EOF if [ -f cert-manager-backup.yaml ]; then kubectl apply -f cert-manager-backup.yaml else - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 wait_for kubectl get ClusterIssuer letsencrypt-dns-prod 2>/dev/null 1>&2 
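Review bot: `$DEPLOY_DIR` is expanded unquoted in the new `-f $DEPLOY_DIR/values-step-1.yaml` argument, so a path containing spaces or glob characters is split before helm sees it; write `-f "$DEPLOY_DIR/values-step-1.yaml"` and `helm template "$DEPLOY_DIR"`. The same applies to the step-2 line in the next hunk and to the step-3 to step-5 lines in the hunk after that. Because the step files replace explicit `--set` flags, a short comment above each call naming what the step holds back would keep the bootstrap order readable, e.g. `# step 1: argocd only; kiam, istio, metrics and logging off`. The script continues outside these hunks, so whether it runs under `set -e` cannot be seen here; without it a failed `helm template` leaves a truncated generated-values.yaml for the following `helm install`.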
@@ -64,17 +64,17 @@ EOF fi # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set kiam.enabled=false --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 kubectl rollout status daemonset -n kube-system kiam-agent # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set argo-cd.istio.enabled=false --set metrics.istio.prometheus.enabled=false --set metrics.istio.grafana.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2 kubectl rollout status deployment -n istio-operator istio-operator diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index bc5af0d..784dc5c 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml 
@@ -8,22 +8,20 @@ kubezero: values: network: {{ default "vxlan" .Values.calico.network }} mtu: {{ default "8941" .Values.calico.mtu }} - prometheus: {{ .Values.metrics.enabled }} + prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }} cert-manager: enabled: {{ index .Values "cert-manager" "enabled" }} values: # Disable all until webhook is in place - {{- if index .Values "cert-manager" "not_ready" }} localCA: - enabled: false - {{- end }} + enabled: {{ index .Values "cert-manager" "ready" }} {{- if eq .Values.platform "aws" }} cert-manager: podAnnotations: iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" {{- end }} - {{- if not .Values.kiam.not_ready }} + {{- if and .Values.kiam.enabled .Values.kiam.ready }} clusterIssuer: name: letsencrypt-dns-prod server: https://acme-v02.api.letsencrypt.org/directory @@ -47,25 +45,24 @@ kubezero: {{- if eq .Values.platform "aws" }} - {{- if not ( index .Values "cert-manager" "not_ready" ) }} kiam: enabled: {{ .Values.kiam.enabled }} values: kiam: + enabled: {{ not .Values.kiam.certsOnly }} server: assumeRoleArn: "{{ .Values.kiam.IamArn }}" deployment: replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} prometheus: servicemonitor: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} agent: prometheus: servicemonitor: - enabled: {{ .Values.metrics.enabled }} - {{- end }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} - {{- if not .Values.kiam.not_ready }} + {{- if and .Values.kiam.enabled .Values.kiam.ready }} # AWS only components aws-ebs-csi-driver: enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} 
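Review bot: `default .Values.metrics.enabled .Values.metrics.ready` does not combine the two flags the way their names suggest. Sprig's `default` returns its second argument unless that is empty, and `false` counts as empty, so the expression is effectively `ready OR enabled`: with the defaults this commit adds to deploy/values.yaml (`metrics.enabled: false`, `ready: true`) it renders `true`, and `ready: false` alone cannot switch it off. That would turn on the Prometheus integration and ServiceMonitors for clusters that have metrics disabled. `prometheus: {{ and .Values.metrics.enabled .Values.metrics.ready }}` expresses the gate. The same expression recurs in the kiam servicemonitor lines of the next hunk and in the logging, fluentd, fluent-bit and argo-cd hunks further down.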
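Review bot: The guard in front of `# AWS only components` changes from `not .Values.kiam.not_ready` to `and .Values.kiam.enabled .Values.kiam.ready`, so `kiam.enabled: false` now also drops everything inside it, starting with `aws-ebs-csi-driver`. If a cluster is meant to run without kiam but still needs the EBS CSI driver, gate on readiness only, e.g. `{{- if or (not .Values.kiam.enabled) .Values.kiam.ready }}`. The guarded block continues past the end of the hunk, so which other components are affected is not visible. The `clusterIssuer` guard in the previous hunk has the same form.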
@@ -95,7 +92,7 @@ kubezero: values: istiod: replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - {{- if not ( index .Values "cert-manager" "not_ready" ) }} + {{- if index .Values "cert-manager" "ready" }} {{- if .Values.istio.ingress }} ingress: {{- toYaml .Values.istio.ingress | nindent 8 }} @@ -105,14 +102,14 @@ kubezero: metrics: enabled: {{ .Values.metrics.enabled }} values: - {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.enabled }} + {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.ready }} grafana: istio: {{- with .Values.metrics.istio.grafana }} {{- toYaml . | nindent 10 }} {{- end }} {{- end }} - {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.enabled }} + {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.ready }} prometheus: istio: {{- with .Values.metrics.istio.prometheus }} @@ -149,7 +146,7 @@ kubezero: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - prometheus: {{ .Values.metrics.enabled }} + prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- if .Values.logging.es.s3Snapshot }} s3Snapshot: @@ -169,9 +166,9 @@ kubezero: fluentd: enabled: {{ .Values.logging.fluentd.enabled }} metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} url: {{ .Values.logging.fluentd.url }} - {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }} + {{- if and .Values.logging.fluentd.istio .Values.istio.enabled .Values.istio.ready }} istio: {{- with .Values.logging.fluentd.istio }} {{- toYaml . | nindent 10 }} @@ -181,7 +178,7 @@ kubezero: fluent-bit: enabled: {{ index .Values.logging "fluent-bit" "enabled" }} metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- if index .Values.logging "fluent-bit" "config" }} config: {{- with index .Values.logging "fluent-bit" "config" }} 
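Review bot: The grafana and prometheus istio blocks now test `.Values.istio.ready` instead of `.Values.istio.enabled`, while the fluentd block two hunks down tests both. deploy/values.yaml in this commit sets `istio.enabled: false` together with `ready: true`, so these blocks would render for a cluster without Istio whenever the `metrics.istio.*.enabled` flags are on. Keep both conditions as the fluentd and argo-cd blocks do: `{{- if and .Values.metrics.istio.grafana.enabled .Values.istio.enabled .Values.istio.ready }}`, and likewise for the prometheus block.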
@@ -192,13 +189,13 @@ kubezero: argo-cd: controller: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} repoServer: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} server: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- with index .Values "argo-cd" "server" }} {{- toYaml . | nindent 4 }} {{- end }} @@ -206,7 +203,7 @@ argo-cd: configs: {{- toYaml . | nindent 4 }} {{- end }} - {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }} + {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled .Values.istio.ready }} istio: {{- with index .Values "argo-cd" "istio" }} {{- toYaml . | nindent 4 }} diff --git a/deploy/values-step-1.yaml b/deploy/values-step-1.yaml new file mode 100644 index 0000000..4a78cef --- /dev/null +++ b/deploy/values-step-1.yaml @@ -0,0 +1,17 @@ +kiam: + enabled: false + ready: false + +cert-manager: + ready: false + +istio: + enabled: false + ready: false + +metrics: + enabled: false + ready: false + +logging: + enabled: false diff --git a/deploy/values-step-2.yaml b/deploy/values-step-2.yaml new file mode 100644 index 0000000..23ee941 --- /dev/null +++ b/deploy/values-step-2.yaml @@ -0,0 +1,17 @@ +kiam: + enabled: false + ready: false + +cert-manager: + ready: true + +istio: + enabled: false + ready: false + +metrics: + enabled: false + ready: false + +logging: + enabled: false diff --git a/deploy/values-step-3.yaml b/deploy/values-step-3.yaml new file mode 100644 index 0000000..c552249 --- /dev/null +++ b/deploy/values-step-3.yaml @@ -0,0 +1,17 @@ +kiam: + certsOnly: true + ready: false + +cert-manager: + ready: true + +istio: + enabled: false + ready: false + +metrics: + enabled: false + ready: false + +logging: + enabled: false 
diff --git a/deploy/values-step-4.yaml b/deploy/values-step-4.yaml new file mode 100644 index 0000000..4091229 --- /dev/null +++ b/deploy/values-step-4.yaml @@ -0,0 +1,16 @@ +kiam: + ready: false + +cert-manager: + ready: true + +istio: + enabled: false + ready: false + +metrics: + enabled: false + ready: false + +logging: + enabled: false diff --git a/deploy/values-step-5.yaml b/deploy/values-step-5.yaml new file mode 100644 index 0000000..d37a3c3 --- /dev/null +++ b/deploy/values-step-5.yaml @@ -0,0 +1,6 @@ +istio: + ready: false + +metrics: + enabled: false + ready: false diff --git a/deploy/values.yaml b/deploy/values.yaml index fc500ae..8fa526f 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -9,6 +9,7 @@ calico: cert-manager: enabled: true + ready: true IamArn: "" aws-ebs-csi-driver: @@ -20,13 +21,16 @@ aws-efs-csi-driver: kiam: enabled: true + ready: true IamArn: "" istio: + ready: true enabled: false metrics: enabled: false + ready: true istio: grafana: enabled: false
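Review bot: values-step-5.yaml sets `metrics.enabled: false`, which the `--set` flags it replaces in deploy.sh did not do; they only switched off `metrics.istio.prometheus.enabled` and `metrics.istio.grafana.enabled`. As written, the whole metrics chart appears to be held back during the Istio step rather than just its Istio integration. If that is intended, say so in a comment at the top of the file, e.g. `# metrics stays off until istio is up`. If not, the `enabled: false` line should be removed, but note that the templates' `default .Values.metrics.enabled .Values.metrics.ready` only yields false when both flags are false, so `ready: false` alone does not gate anything today.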