From 4cea722fd4a94a90c2d1c6d2ec033d34ed96d156 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 10 Sep 2020 16:44:49 +0100 Subject: [PATCH 01/24] Istio version bump to 1.6.9 --- charts/kubezero-istio/Chart.yaml | 4 +- .../istio-operator/templates/clusterrole.yaml | 1 + .../istio-operator/templates/deployment.yaml | 6 +- .../charts/istio-operator/values.yaml | 3 +- charts/kubezero-istio/delete_istio_14.sh | 7 --- .../kubezero-istio/templates/istio-base.yaml | 62 +++++++++++++++++++ charts/kubezero-istio/update.sh | 2 +- charts/kubezero-istio/values.yaml | 2 +- 8 files changed, 72 insertions(+), 15 deletions(-) delete mode 100755 charts/kubezero-istio/delete_istio_14.sh diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index e738d6e..f1e0e66 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.2.4 -appVersion: 1.6.7 +version: 0.2.5 +appVersion: 1.6.9 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml index 53be806..d02da88 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml @@ -81,6 +81,7 @@ rules: verbs: - get - create + - update - apiGroups: - policy resources: diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml index 8350dd5..5e302de 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml 
@@ -36,13 +36,13 @@ spec: memory: 128Mi env: - name: WATCH_NAMESPACE - value: {{.Values.istioNamespace}} + value: {{.Values.watchedNamespaces | quote}} - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME - value: {{.Values.operatorNamespace}} + value: {{.Values.operatorNamespace | quote}} --- diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml index 6a653f5..aa5d70a 100644 --- a/charts/kubezero-istio/charts/istio-operator/values.yaml +++ b/charts/kubezero-istio/charts/istio-operator/values.yaml @@ -1,4 +1,5 @@ hub: gcr.io/istio-testing tag: 1.6-dev operatorNamespace: istio-operator -istioNamespace: istio-system +# Used to replace istioNamespace to support operator watch multiple namespaces. +watchedNamespaces: istio-system diff --git a/charts/kubezero-istio/delete_istio_14.sh b/charts/kubezero-istio/delete_istio_14.sh deleted file mode 100755 index 3078179..0000000 --- a/charts/kubezero-istio/delete_istio_14.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -# First delete old 1.4 -kubectl delete -f ingress-gateway.yaml -kubectl delete -f istio.yaml -kubectl delete -f istio-init.yaml -kubectl delete -f namespace.yaml diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index fdfc577..2aebcc8 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml 
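Review bot: OPERATOR_NAME, on the last changed line of the hunk, is fed `.Values.operatorNamespace` — the same value LEADER_ELECTION_NAMESPACE receives two entries above — so the operator's name ends up being a namespace string, and the hunk only adds `| quote` to that line. This appears to mirror the upstream istio-operator chart, so it is probably deliberate, but a reader will take it for a copy-paste slip. A one-line comment above the entry, `# upstream sets OPERATOR_NAME to the operator namespace; kept as-is`, or a dedicated value if it is not intended, would settle it. The container spec enclosing these env entries starts before the hunk.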
@@ -5220,6 +5220,68 @@ spec: storage: true --- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 199a678..65f10af 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -ISTIO_VERSION=1.6.7 +ISTIO_VERSION=1.6.9 NAME="istio-$ISTIO_VERSION" URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index c179f3d..61379ac 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -14,4 +14,4 @@ ingress: istio-operator: hub: docker.io/istio - tag: 1.6.7 + tag: 1.6.9 -- 2.40.1 From e56d0661d6c1b9712e483f6f6d9ed97ca4e01dd2 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 11:00:51 +0100 Subject: [PATCH 02/24] Make ES heap configurable, set resources accordingly --- charts/kubezero-logging/Chart.yaml | 2 +- charts/kubezero-logging/README.md | 4 ++-- .../kubezero-logging/templates/eck/elasticsearch.yaml | 11 +++++++---- charts/kubezero-logging/values-all.yaml | 5 +++++ 4 files changed, 15 insertions(+), 7 deletions(-) 
diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index 9d82968..af2c956 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.3.2 +version: 0.3.3 appVersion: 1.2.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 3e1a2a1..336afd8 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -2,7 +2,7 @@ kubezero-logging ================ KubeZero Umbrella Chart for complete EFK stack -Current chart version is `0.3.2` +Current chart version is `0.3.3` Source code can be found [here](https://kubezero.com) 
@@ -56,7 +56,7 @@ Source code can be found [here](https://kubezero.com) | es.s3Snapshot.enabled | bool | `false` | | | es.s3Snapshot.iamrole | string | `""` | | | fluent-bit.config.filters | string | `"[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/etc/functions.lua\n call reassemble_cri_logs\n\n[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/etc/functions.lua\n call dedot\n"` | | -| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 10\n DB /var/log/flb_kube.db\n DB.Sync Normal\n[INPUT]\n Name tail\n Path /var/log/kubernetes/audit.log\n Parser json\n Tag kube.api.audit\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 60\n DB /var/log/flb_kube_audit.db\n DB.Sync Normal\n"` | | +| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 10\n DB /var/log/flb_kube.db\n DB.Sync Normal\n[INPUT]\n Name tail\n Path /var/log/kubernetes/audit.log\n Parser json\n Tag audit.api-server\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 60\n DB /var/log/flb_kube_audit.db\n DB.Sync Normal\n"` | | | fluent-bit.config.lua | string | `"function dedot(tag, timestamp, record)\n if record[\"kubernetes\"] == nil then\n return 0, 0, 0\n end\n dedot_keys(record[\"kubernetes\"][\"annotations\"])\n dedot_keys(record[\"kubernetes\"][\"labels\"])\n return 1, timestamp, record\nend\n\nfunction dedot_keys(map)\n if map == nil then\n return\n end\n local new_map = {}\n local changed_keys = {}\n for k, v in pairs(map) do\n local dedotted = string.gsub(k, \"%.\", \"_\")\n if dedotted ~= k then\n new_map[dedotted] = v\n changed_keys[k] = true\n end\n end\n for k in pairs(changed_keys) do\n map[k] = 
nil\n end\n for k, v in pairs(new_map) do\n map[k] = v\n end\nend\n\nlocal reassemble_state = {}\n\nfunction reassemble_cri_logs(tag, timestamp, record)\n -- IMPORTANT: reassemble_key must be unique for each parser stream\n -- otherwise entries from different sources will get mixed up.\n -- Either make sure that your parser tags satisfy this or construct\n -- reassemble_key some other way\n local reassemble_key = tag\n -- if partial line, accumulate\n if record.logtag == 'P' then\n reassemble_state[reassemble_key] = reassemble_state[reassemble_key] or \"\" .. record.message\n return -1, 0, 0\n end\n -- otherwise it's a full line, concatenate with accumulated partial lines if any\n record.message = reassemble_state[reassemble_key] or \"\" .. (record.message or \"\")\n reassemble_state[reassemble_key] = nil\n return 1, timestamp, record\nend\n"` | | | fluent-bit.config.outputs | string | `"[OUTPUT]\n Match *\n Name forward\n Host logging-fluentd\n Port 24224\n tls on\n tls.verify off\n Shared_Key cloudbender\n"` | | | fluent-bit.config.service | string | `"[SERVICE]\n Flush 5\n Daemon Off\n Log_Level warn\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port 2020\n"` | | diff --git a/charts/kubezero-logging/templates/eck/elasticsearch.yaml b/charts/kubezero-logging/templates/eck/elasticsearch.yaml index a9dfd27..854affc 100644 --- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml +++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml 
@@ -48,13 +48,16 @@ spec: - name: elasticsearch resources: requests: - cpu: 100m - memory: 2500Mi + cpu: {{ default "200m" .cpu_request }} + memory: {{ mul 2 ( default "4" .jvm_heap ) }}Gi limits: - memory: 4Gi + {{- if .cpu_limit }} + cpu: {{ .cpu_limit }} + {{- end }} + memory: {{ mul 2 ( default "4" .jvm_heap ) }}Gi env: - name: ES_JAVA_OPTS - value: "-Xms2g -Xmx2g" + value: -Xms{{ default "2" .jvm_heap }}g -Xmx{{ default "2" .jvm_heap }}g affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/charts/kubezero-logging/values-all.yaml b/charts/kubezero-logging/values-all.yaml index c87d0ad..e5997b7 100644 --- a/charts/kubezero-logging/values-all.yaml +++ b/charts/kubezero-logging/values-all.yaml @@ -18,6 +18,8 @@ es: size: 512Gi class: ebs-sc-gp2-xfs zone: us-west-2a + jvm_heap: 4 + cpu_limit: 2 s3Snapshot: enabled: true iamrole: "dfsf" # INSERT_CLOUDFORMATION_OUTPUT_ElasticSearchSnapshots @@ -32,3 +34,6 @@ kibana: fluentd: enabled: true + +fluent-bit: + enabled: true -- 2.40.1 From d13fc9d519cecaec0a305aa15148c13d69fc0583 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 11:07:49 +0100 Subject: [PATCH 03/24] Fix math in resources calc --- charts/kubezero-logging/templates/eck/elasticsearch.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubezero-logging/templates/eck/elasticsearch.yaml b/charts/kubezero-logging/templates/eck/elasticsearch.yaml index 854affc..1a0d431 100644 --- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml +++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml 
@@ -49,12 +49,12 @@ spec: resources: requests: cpu: {{ default "200m" .cpu_request }} - memory: {{ mul 2 ( default "4" .jvm_heap ) }}Gi + memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi limits: {{- if .cpu_limit }} cpu: {{ .cpu_limit }} {{- end }} - memory: {{ mul 2 ( default "4" .jvm_heap ) }}Gi + memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi env: - name: ES_JAVA_OPTS value: -Xms{{ default "2" .jvm_heap }}g -Xmx{{ default "2" .jvm_heap }}g -- 2.40.1 From 2f7693388ef6d69cc799e919de6b497a115a655c Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 12:08:58 +0100 Subject: [PATCH 04/24] Minot istio tweaks --- charts/kubezero-istio/README.md.gotmpl | 2 ++ charts/kubezero-istio/templates/istio.yaml | 11 ++++------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/charts/kubezero-istio/README.md.gotmpl b/charts/kubezero-istio/README.md.gotmpl index a0447aa..2a38ba6 100644 --- a/charts/kubezero-istio/README.md.gotmpl +++ b/charts/kubezero-istio/README.md.gotmpl @@ -17,4 +17,6 @@ Installs Istio Operator and KubeZero Istio profile ## Resources +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml - https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 50831ae..92ab6e7 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
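Review bot: The heap size is still spelled out four times in this hunk — `default "2" .jvm_heap` in both memory lines and twice more in ES_JAVA_OPTS — and this commit exists precisely because two of those copies drifted (a `"4"` default against a `"2"` one). Binding it once keeps the JVM heap and the container memory tied together: `{{- $heap := default "2" .jvm_heap }}` at the top of the scope where `.jvm_heap` is visible, then `memory: {{ mul 2 $heap }}Gi` for both resource lines and `value: -Xms{{ $heap }}g -Xmx{{ $heap }}g` for the env entry. A short comment next to the binding, `# container memory is 2x heap (ES recommends heap <= 50% of RAM)`, would also record why the factor is 2. The `spec:` block and the scope that binds `.` to these values begin above the hunk.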
@@ -34,15 +34,15 @@ spec: name: istio-ingressgateway {{- end }} env: - # https://github.com/istio/istio/issues/26524 + # https://github.com/istio/istio/issues/26524, not in 1.7 ! #- name: TERMINATION_DRAIN_DURATION_SECONDS # value: "60" - name: ISTIO_META_HTTP10 value: '"1"' - name: ISTIO_META_ROUTER_MODE value: standard - - name: ISTIO_META_IDLE_TIMEOUT - value: "3600s" + #- name: ISTIO_META_IDLE_TIMEOUT + # value: "3600s" {{- if eq .Values.ingress.type "NodePort" }} nodeSelector: node.kubernetes.io/ingress.public: "30080_30443" @@ -149,15 +149,12 @@ spec: disablePolicyChecks: false global: jwtPolicy: first-party-jwt + logAsJson: true omitSidecarInjectorConfigMap: true proxy: accessLogEncoding: JSON autoInject: disabled - envoyStatsd: - enabled: false - useMCP: false pilot: - sidecar: false autoscaleEnabled: false mixer: policy: -- 2.40.1 From 72a2a40e81200f72401ff45b1a2b22ac59ac4885 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 12:23:08 +0100 Subject: [PATCH 05/24] more istio cleanup --- .../templates/istio-private-ingress.yaml | 26 +++---------------- charts/kubezero-istio/templates/istio.yaml | 19 +------------- 2 files changed, 4 insertions(+), 41 deletions(-) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index bcb998c..6c8aa12 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml 
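Review bot: `ISTIO_META_IDLE_TIMEOUT` is commented out in the env block without a reason, whereas the `TERMINATION_DRAIN_DURATION_SECONDS` entry a few lines above carries an issue link and a note that it is gone in 1.7. A later reader cannot tell whether the idle timeout was dropped because the setting no longer applies or because the default is now preferred; a comment such as `# ISTIO_META_IDLE_TIMEOUT disabled: <reason, e.g. setting removed or defaulted in 1.7> — see <issue/doc link>` would record it. The same uncommented line appears in the istio-private-ingress.yaml hunk of PATCH 05 below. The gateway spec enclosing this env block begins before the hunk.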
@@ -30,15 +30,15 @@ spec: name: istio-private-ingressgateway {{- end }} env: - # https://github.com/istio/istio/issues/26524 + # https://github.com/istio/istio/issues/26524, not in 1.7 either #- name: TERMINATION_DRAIN_DURATION_SECONDS # value: "60" - name: ISTIO_META_HTTP10 value: '"1"' - name: ISTIO_META_ROUTER_MODE value: standard - - name: ISTIO_META_IDLE_TIMEOUT - value: "3600s" + #- name: ISTIO_META_IDLE_TIMEOUT + # value: "3600s" {{- if eq .Values.ingress.type "NodePort" }} nodeSelector: node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}" @@ -110,24 +110,4 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31672 {{- end }} - sds: - enabled: true - image: node-agent-k8s - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - secretVolumes: - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - - global: - jwtPolicy: first-party-jwt {{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 92ab6e7..1a1973f 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -49,7 +49,7 @@ spec: {{- end }} resources: limits: - # cpu: 2000m + #cpu: 2000m memory: 1024Mi requests: cpu: 100m 
@@ -127,23 +127,6 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} - sds: - enabled: true - image: node-agent-k8s - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - secretVolumes: - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - - mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs meshConfig: accessLogFile: /dev/stdout disablePolicyChecks: false -- 2.40.1 From 5c64544dcb24ecadcadb4926e114a952de972d92 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 12:32:46 +0100 Subject: [PATCH 06/24] more istio cleanup --- .../kubezero-istio/templates/istio-private-ingress.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 6c8aa12..a3e028c 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -110,4 +110,12 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31672 {{- end }} + + global: + jwtPolicy: first-party-jwt + logAsJson: true + omitSidecarInjectorConfigMap: true + proxy: + accessLogEncoding: JSON + autoInject: disabled {{- end }} -- 2.40.1 From a09327f3f02eadb75b60d08bc42d4cbb5072bcfe Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 12:37:22 +0100 Subject: [PATCH 07/24] more istio cleanup --- charts/kubezero-istio/templates/istio.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 1a1973f..94866a9 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
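Review bot: The `global:` block added at the end of the PATCH 06 hunk is a verbatim copy of the one in istio.yaml (jwtPolicy, logAsJson, omitSidecarInjectorConfigMap and the proxy settings), so the two IstioOperator resources now carry the same mesh-wide settings in two places and will drift — PATCH 07 below already adds `operatorManageWebhooks: true` to istio.yaml only. Presumably both resources target the same mesh; if so, a named template in the chart (`{{- define "kubezero-istio.global" }}` holding the block, included from both files at the right indent) keeps them identical, or failing that a comment in each file naming the other as the source of truth. The `{{- if }}` guard closed by the hunk's final `{{- end }}` opens before the hunk.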
@@ -134,6 +134,7 @@ spec: jwtPolicy: first-party-jwt logAsJson: true omitSidecarInjectorConfigMap: true + operatorManageWebhooks: true proxy: accessLogEncoding: JSON autoInject: disabled -- 2.40.1 From eba052f2f6c12576fbd2bc1f1946c97b491cad47 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 14:42:25 +0100 Subject: [PATCH 08/24] Remove double CRD for Istio --- .../kubezero-istio/templates/istio-base.yaml | 61 ------------------- 1 file changed, 61 deletions(-) diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index 2aebcc8..4324e5c 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml 
@@ -5221,67 +5221,6 @@ spec: --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. -- 2.40.1 From 203f236e23041019648c6621df3ba9aaaa10c66a Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Fri, 11 Sep 2020 15:06:38 +0100 Subject: [PATCH 09/24] Version bump Istio to 1.7.1 --- charts/kubezero-istio/Chart.yaml | 6 +- charts/kubezero-istio/README.md | 8 +- .../charts/istio-operator/Chart.yaml | 6 +- .../istio-operator/crds/crd-operator.yaml | 74 +++++++++++++++++++ .../istio-operator/templates/clusterrole.yaml | 8 +- .../templates/clusterrole_binding.yaml | 6 +- .../templates/crd-operator.yaml | 46 ------------ .../charts/istio-operator/templates/crds.yaml | 6 ++ .../istio-operator/templates/deployment.yaml | 25 +++++-- .../istio-operator/templates/service.yaml | 2 +- .../templates/service_account.yaml | 2 +- .../charts/istio-operator/values.yaml | 22 +++++- charts/kubezero-istio/istio-operator.patch | 10 +-- .../kubezero-istio/templates/istio-base.yaml | 61 +++++++++++++++ charts/kubezero-istio/update.sh | 4 +- charts/kubezero-istio/values.yaml | 2 +- 16 files changed, 203 insertions(+), 85 deletions(-) create mode 100644 charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml create mode 100644 charts/kubezero-istio/charts/istio-operator/templates/crds.yaml diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index f1e0e66..27ff228 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.2.5 -appVersion: 1.6.9 +version: 0.3.0 +appVersion: 1.7.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,5 +16,5 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-operator - version: ">= 1.6" + version: ">= 1.7" kubeVersion: ">= 1.16.0" 
diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 23cbeac..b3ac36e 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio Installs Istio Operator and KubeZero Istio profile -Current chart version is `0.2.4` +Current chart version is `0.3.0` Source code can be found [here](https://kubezero.com) @@ -13,7 +13,7 @@ Source code can be found [here](https://kubezero.com) | Repository | Name | Version | |------------|------|---------| -| | istio-operator | >= 1.6 | +| | istio-operator | >= 1.7 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration @@ -30,10 +30,12 @@ Source code can be found [here](https://kubezero.com) | ingress.replicaCount | int | `2` | | | ingress.type | string | `"NodePort"` | | | istio-operator.hub | string | `"docker.io/istio"` | | -| istio-operator.tag | string | `"1.6.7"` | | +| istio-operator.tag | string | `"1.7.1"` | | | istiod.autoscaleEnabled | bool | `false` | | | istiod.replicaCount | int | `1` | | ## Resources +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml - https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio/charts/istio-operator/Chart.yaml b/charts/kubezero-istio/charts/istio-operator/Chart.yaml index 4f4977f..807caae 100644 --- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-operator/Chart.yaml 
@@ -1,12 +1,12 @@ apiVersion: v1 name: istio-operator -version: 1.6.0 +version: 1.7.0 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio operator keywords: - istio - operator sources: - - http://github.com/istio/istio/operator + - https://github.com/istio/istio/tree/master/operator engine: gotpl -icon: https://istio.io/favicons/android-192x192.png +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml new file mode 100644 index 0000000..05fb86a --- /dev/null +++ b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml 
@@ -0,0 +1,74 @@ +# SYNC WITH manifests/charts/base/files +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + type: string + name: Status + - jsonPath: .metadata.creationTimestamp + description: + "CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + spec: + description: + "Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: + "Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml index d02da88..bdbd5bd 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} rules: # istio groups - apiGroups: @@ -29,12 +29,6 @@ rules: - '*' verbs: - '*' -- apiGroups: - - rbac.istio.io - resources: - - '*' - verbs: - - '*' - apiGroups: - security.istio.io resources: diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml index 39e2663..9b9df7d 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml 
@@ -1,13 +1,13 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} subjects: - kind: ServiceAccount - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{.Values.operatorNamespace}} roleRef: kind: ClusterRole - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} apiGroup: rbac.authorization.k8s.io --- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml deleted file mode 100644 index 6b85c37..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -# SYNC WITH manifests/charts/base/files -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io -spec: - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- 
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml new file mode 100644 index 0000000..a370365 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml @@ -0,0 +1,6 @@ +{{- if .Values.enableCRDTemplates -}} +{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} +--- +{{ $.Files.Get $path }} +{{- end -}} +{{- end -}} diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml index 5e302de..73b5d66 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: namespace: {{.Values.operatorNamespace}} - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} spec: replicas: 1 selector: @@ -13,7 +13,7 @@ spec: labels: name: istio-operator spec: - serviceAccountName: istio-operator + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -26,14 +26,19 @@ spec: command: - operator - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true imagePullPolicy: IfNotPresent resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 128Mi +{{ toYaml .Values.operator.resources | trim | indent 12 }} env: - name: WATCH_NAMESPACE value: {{.Values.watchedNamespaces | quote}} 
@@ -45,4 +50,8 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: {{.Values.operatorNamespace | quote}} + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: {{.Values.waitForResourcesTimeout | quote}} + - name: REVISION + value: {{.Values.revision | quote}} --- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml index 93e2638..e7967a7 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml @@ -4,7 +4,7 @@ metadata: namespace: {{.Values.operatorNamespace}} labels: name: istio-operator - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} spec: ports: - name: http-metrics diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml index 32307f3..cb708ee 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml @@ -2,5 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: namespace: {{.Values.operatorNamespace}} - name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} --- diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml index aa5d70a..45c5c96 100644 --- a/charts/kubezero-istio/charts/istio-operator/values.yaml +++ b/charts/kubezero-istio/charts/istio-operator/values.yaml 
@@ -1,5 +1,25 @@ hub: gcr.io/istio-testing -tag: 1.6-dev +tag: latest + operatorNamespace: istio-operator + # Used to replace istioNamespace to support operator watch multiple namespaces. watchedNamespaces: istio-system +waitForResourcesTimeout: 300s + +# Used for helm2 to add the CRDs to templates. +enableCRDTemplates: false + +# revision for the operator resources +revision: "" + +# Operator resource defaults +operator: + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + diff --git a/charts/kubezero-istio/istio-operator.patch b/charts/kubezero-istio/istio-operator.patch index 7043f50..bf36436 100644 --- a/charts/kubezero-istio/istio-operator.patch +++ b/charts/kubezero-istio/istio-operator.patch @@ -1,11 +1,9 @@ -diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -index 5ef7848..8350dd5 100644 ---- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml -@@ -14,6 +14,12 @@ spec: +--- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100 ++++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100 +@@ -14,6 +14,12 @@ name: istio-operator spec: - serviceAccountName: istio-operator + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/master: "" diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index 4324e5c..2aebcc8 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml 
@@ -5221,6 +5221,67 @@ spec: --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 65f10af..ed50e1d 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -ISTIO_VERSION=1.6.9 +ISTIO_VERSION=1.7.1 NAME="istio-$ISTIO_VERSION" URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" @@ -15,7 +15,7 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts rm -rf istio-${ISTIO_VERSION} # Apply our patch -patch -i istio-operator.patch -p3 +patch -i istio-operator.patch -p0 # Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 61379ac..24c778c 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -14,4 +14,4 @@ ingress: istio-operator: hub: docker.io/istio - tag: 1.6.9 + tag: 1.7.1 -- 2.40.1 From e9c0d356955ad49e767d1543102d6e569cfcc963 Mon Sep 17 00:00:00 2001 
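Review bot: The `ISTIO_VERSION=1.7.1` bump changes which operator chart gets copied, but the `istioctl manifest generate` call in the second hunk's context still runs whatever `istioctl` happens to be on PATH, so `templates/istio-base.yaml` (CRDs, base RBAC) can be produced by a different Istio version than the chart it ships with, and nothing would flag the drift. Generate from the binary in the extracted release instead, moving that line above `rm -rf istio-${ISTIO_VERSION}` and invoking `istio-${ISTIO_VERSION}/bin/istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml`, or at minimum abort when `istioctl version --remote=false` does not print `$ISTIO_VERSION`. Separately, the `URL=` the script fetches the release tarball from is visible here but no checksum of the download is; the fetch itself is outside the hunk, so I may be missing it, but a per-version sha256 pinned next to `ISTIO_VERSION` would make each bump verifiable.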
From: Stefan Reimer Date: Fri, 11 Sep 2020 15:15:53 +0100 Subject: [PATCH 10/24] Remove deprecated fields for 1.7 --- charts/kubezero-istio/templates/istio.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 94866a9..28de25e 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -11,8 +11,6 @@ spec: prometheus: enabled: false components: - citadel: - enabled: false galley: enabled: false ingressGateways: @@ -92,8 +90,6 @@ spec: - effect: NoSchedule key: node-role.kubernetes.io/master - sidecarInjector: - enabled: false telemetry: enabled: false values: @@ -127,9 +123,6 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} - meshConfig: - accessLogFile: /dev/stdout - disablePolicyChecks: false global: jwtPolicy: first-party-jwt logAsJson: true -- 2.40.1 From 6f60ec1dd9f7cdbfac26817f752e42b2af773606 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:18:30 +0100 Subject: [PATCH 11/24] Remove deprecated fields for 1.7 --- charts/kubezero-istio/templates/istio.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 28de25e..33e280f 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -7,12 +7,7 @@ metadata: {{ include "kubezero-lib.labels" . | indent 4 }} spec: profile: empty - addonComponents: - prometheus: - enabled: false components: - galley: - enabled: false ingressGateways: - enabled: true k8s: -- 2.40.1 From 05d9e25f8df0588417ea5356ff9bedcbfb125eb6 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Fri, 11 Sep 2020 15:20:51 +0100 Subject: [PATCH 12/24] Remove deprecated fields for 1.7 --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 3 --- charts/kubezero-istio/templates/istio.yaml | 3 --- 2 files changed, 6 deletions(-) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index a3e028c..1f1e60d 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -115,7 +115,4 @@ spec: jwtPolicy: first-party-jwt logAsJson: true omitSidecarInjectorConfigMap: true - proxy: - accessLogEncoding: JSON - autoInject: disabled {{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 33e280f..122cd27 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -123,9 +123,6 @@ spec: logAsJson: true omitSidecarInjectorConfigMap: true operatorManageWebhooks: true - proxy: - accessLogEncoding: JSON - autoInject: disabled pilot: autoscaleEnabled: false mixer: -- 2.40.1 From 33339dbe21b7bf779089722980fba987567db260 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:22:34 +0100 Subject: [PATCH 13/24] Re-enable access logs --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 3 +++ charts/kubezero-istio/templates/istio.yaml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 1f1e60d..83bbce0 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -64,6 +64,9 @@ spec: - path: spec.template.spec.terminationGracePeriodSeconds value: 90 + meshConfig: + accessLogFile: /dev/stdout + values: gateways: istio-ingressgateway: 
diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 122cd27..877ae43 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -87,6 +87,8 @@ spec: telemetry: enabled: false + meshConfig: + accessLogFile: /dev/stdout values: gateways: istio-ingressgateway: -- 2.40.1 From 7a93b343310d963abeb7e85c2a58667ee929c8a6 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:28:51 +0100 Subject: [PATCH 14/24] Re-enable JSON access logs --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 1 + charts/kubezero-istio/templates/istio.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 83bbce0..46c6519 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -66,6 +66,7 @@ spec: meshConfig: accessLogFile: /dev/stdout + accessLogEncoding: json values: gateways: diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 877ae43..6a0a48e 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -89,6 +89,7 @@ spec: enabled: false meshConfig: accessLogFile: /dev/stdout + accessLogEncoding: json values: gateways: istio-ingressgateway: -- 2.40.1 From aa664bec01f24db62669e3f9f683f71a31eaef00 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:32:14 +0100 Subject: [PATCH 15/24] Remove xp settings --- charts/kubezero-istio/templates/istio.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 6a0a48e..f3d2df5 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
@@ -124,8 +124,8 @@ spec: global: jwtPolicy: first-party-jwt logAsJson: true - omitSidecarInjectorConfigMap: true - operatorManageWebhooks: true + #omitSidecarInjectorConfigMap: true + #operatorManageWebhooks: true pilot: autoscaleEnabled: false mixer: -- 2.40.1 From 530934e60301cc3e753156681dbcb3fc481cde70 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:39:47 +0100 Subject: [PATCH 16/24] Set JSON for access logs --- charts/kubezero-istio/templates/istio.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index f3d2df5..5a08e21 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -89,7 +89,7 @@ spec: enabled: false meshConfig: accessLogFile: /dev/stdout - accessLogEncoding: json + accessLogEncoding: 'JSON' values: gateways: istio-ingressgateway: -- 2.40.1 From f7ba0ffa33d6d6d6e3347a4f5b5b0b853f13bfd5 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 15:45:04 +0100 Subject: [PATCH 17/24] Move ports > 1024 as we run non-root --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 2 ++ charts/kubezero-istio/templates/istio.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 46c6519..5a6675e 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -91,11 +91,13 @@ spec: {{- end }} - name: http2 port: 80 + targetPort: 8080 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31080 {{- end }} - name: https port: 443 + targetPort: 8443 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31443 {{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 5a08e21..6f665c5 100644 
--- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml @@ -113,11 +113,13 @@ spec: {{- end }} - name: http2 port: 80 + targetPort: 8080 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30080 {{- end }} - name: https port: 443 + targetPort: 8443 {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} -- 2.40.1 From fb5229613d7858d55017afdb49421533730e0707 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 16:01:15 +0100 Subject: [PATCH 18/24] Istio is really picky --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 5a6675e..8cb6cbf 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -66,7 +66,7 @@ spec: meshConfig: accessLogFile: /dev/stdout - accessLogEncoding: json + accessLogEncoding: 'JSON' values: gateways: -- 2.40.1 From 4a405a0cbc015e2de8c070147ce8ae315f38945e Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 16:03:22 +0100 Subject: [PATCH 19/24] Still double CRDs --- .../kubezero-istio/templates/istio-base.yaml | 61 ------------------- 1 file changed, 61 deletions(-) diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/templates/istio-base.yaml index 2aebcc8..4324e5c 100644 --- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/templates/istio-base.yaml 
@@ -5221,67 +5221,6 @@ spec: --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - versions: - - name: v1alpha1 - served: true - storage: true ---- - # Cni component is disabled. # EgressGateways istio-egressgateway component is disabled. -- 2.40.1 From c347c56764814b7436246c120a2a959a25c39745 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Sep 2020 18:21:00 +0100 Subject: [PATCH 20/24] Disable default poddisruptionbudgets, replace with individual todo --- charts/kubezero-istio/templates/istio-private-ingress.yaml | 4 +++- charts/kubezero-istio/templates/istio.yaml | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 8cb6cbf..5f9ea4f 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -120,5 +120,7 @@ spec: global: jwtPolicy: first-party-jwt logAsJson: true - omitSidecarInjectorConfigMap: true + defaultPodDisruptionBudget: + enabled: false + {{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index 6f665c5..0e4a554 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
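Review bot: Besides disabling the default PodDisruptionBudget, this hunk in `istio-private-ingress.yaml` also removes `omitSidecarInjectorConfigMap: true` from `global`, which the commit message does not mention. In `istio.yaml` that key was commented out two commits earlier, so this may be deliberate alignment, but if the private-ingress IstioOperator is meant to keep skipping the injector ConfigMap it has to be re-added above `defaultPodDisruptionBudget:`. Either way the reason for turning PDBs off should live in the file rather than only in the commit title, e.g. `# default PDBs disabled on purpose; TODO: per-component PodDisruptionBudgets` directly above `defaultPodDisruptionBudget:`.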
@@ -126,8 +126,8 @@ spec: global: jwtPolicy: first-party-jwt logAsJson: true - #omitSidecarInjectorConfigMap: true - #operatorManageWebhooks: true + defaultPodDisruptionBudget: + enabled: false pilot: autoscaleEnabled: false mixer: -- 2.40.1 From 3a97bbed31f7d54fafc289fdfc168180af46bebb Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 14 Sep 2020 15:24:40 +0100 Subject: [PATCH 21/24] Latest deploy bootstrap tweaks --- charts/kubezero-kiam/Chart.yaml | 3 ++- charts/kubezero-kiam/values.yaml | 1 + deploy/deploy.sh | 12 +++++----- deploy/templates/values.yaml | 39 ++++++++++++++++---------------- deploy/values-step-1.yaml | 17 ++++++++++++++ deploy/values-step-2.yaml | 17 ++++++++++++++ deploy/values-step-3.yaml | 17 ++++++++++++++ deploy/values-step-4.yaml | 16 +++++++++++++ deploy/values-step-5.yaml | 6 +++++ 9 files changed, 101 insertions(+), 27 deletions(-) create mode 100644 deploy/values-step-1.yaml create mode 100644 deploy/values-step-2.yaml create mode 100644 deploy/values-step-3.yaml create mode 100644 deploy/values-step-4.yaml create mode 100644 deploy/values-step-5.yaml diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index 30afad9..812628f 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.2.9 +version: 0.2.10 appVersion: 3.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -18,4 +18,5 @@ dependencies: - name: kiam version: 5.8.1 repository: https://uswitch.github.io/kiam-helm-charts/charts/ + condition: kiam.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index 07b95e0..866680b 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -1,4 +1,5 @@ kiam: + enabled: false server: image: tag: "v3.6" 
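Review bot: `defaultPodDisruptionBudget: enabled: false` removes eviction protection for istiod and the ingress gateway, and the per-component replacement the commit title calls a TODO leaves no marker in `istio.yaml`. Record the intent next to the key, e.g. `# default PDBs disabled: istiod/gateway run a single replica unless HighAvailableControlplane, so a PDB would block node drains; TODO: per-component PDBs` (the single-replica default is visible in `deploy/templates/values.yaml` as `replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}`, the drain motivation is my inference). On the same `global:` block `jwtPolicy: first-party-jwt` is retained; if the target clusters support projected service-account tokens, `third-party-jwt` is the tighter option (audience-bound, short-lived), so a one-line comment on why first-party tokens are required here would save the next reviewer the same question.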
diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 2961135..b1ea4e9 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -40,8 +40,8 @@ else EOF fi - # Deploy initial argo-cad - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set cert-manager.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + # Deploy initial argocd + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml # Wait for argocd-server to be running kubectl rollout status deployment -n argocd kubezero-argocd-server @@ -55,7 +55,7 @@ EOF if [ -f cert-manager-backup.yaml ]; then kubectl apply -f cert-manager-backup.yaml else - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 wait_for kubectl get ClusterIssuer letsencrypt-dns-prod 2>/dev/null 1>&2 
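Review bot: The rewritten `helm template` lines pass `$DEPLOY_DIR` and `$DEPLOY_DIR/values-step-1.yaml` unquoted, so a deploy directory containing whitespace or glob characters splits into several arguments and helm either fails or renders the wrong chart. Quote them as `helm template "$DEPLOY_DIR" -f values.yaml -f cloudbender.yaml -f "$DEPLOY_DIR/values-step-1.yaml" > generated-values.yaml`, and likewise for the step-2 line in the second hunk. The `-f` order is right as written, the step file comes last and therefore overrides the user-supplied values, but that is the whole mechanism of the new flow, so a comment such as `# step file must stay last: it overrides values.yaml/cloudbender.yaml` above the first call would protect it from a well-meaning reorder.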
@@ -64,17 +64,17 @@ EOF fi # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set kiam.enabled=false --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 kubectl rollout status daemonset -n kube-system kiam-agent # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set argo-cd.istio.enabled=false --set metrics.istio.prometheus.enabled=false --set metrics.istio.grafana.enabled=false > generated-values.yaml + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2 kubectl rollout status deployment -n istio-operator istio-operator diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index bc5af0d..cb14d44 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml 
@@ -8,12 +8,12 @@ kubezero: values: network: {{ default "vxlan" .Values.calico.network }} mtu: {{ default "8941" .Values.calico.mtu }} - prometheus: {{ .Values.metrics.enabled }} + prometheus: {{ .Values.metrics.ready }} cert-manager: enabled: {{ index .Values "cert-manager" "enabled" }} values: # Disable all until webhook is in place - {{- if index .Values "cert-manager" "not_ready" }} + {{- if not ( index .Values "cert-manager" "ready" ) }} localCA: enabled: false {{- end }} @@ -23,7 +23,7 @@ kubezero: iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" {{- end }} - {{- if not .Values.kiam.not_ready }} + {{- if .Values.kiam.ready }} clusterIssuer: name: letsencrypt-dns-prod server: https://acme-v02.api.letsencrypt.org/directory @@ -47,25 +47,24 @@ kubezero: {{- if eq .Values.platform "aws" }} - {{- if not ( index .Values "cert-manager" "not_ready" ) }} kiam: enabled: {{ .Values.kiam.enabled }} values: kiam: + enabled: {{ ( not .Values.kiam.certsOnly ) }} server: assumeRoleArn: "{{ .Values.kiam.IamArn }}" deployment: replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} prometheus: servicemonitor: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} agent: prometheus: servicemonitor: - enabled: {{ .Values.metrics.enabled }} - {{- end }} + enabled: {{ .Values.metrics.ready }} - {{- if not .Values.kiam.not_ready }} + {{- if .Values.kiam.ready }} # AWS only components aws-ebs-csi-driver: enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} @@ -95,7 +94,7 @@ kubezero: values: istiod: replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - {{- if not ( index .Values "cert-manager" "not_ready" ) }} + {{- if index .Values "cert-manager" "ready" }} {{- if .Values.istio.ingress }} ingress: {{- toYaml .Values.istio.ingress | nindent 8 }} 
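Review bot: `prometheus: {{ .Values.metrics.ready }}` (and every other `metrics.ready` use introduced in this file) renders to an empty value when the key is absent, which YAML reads as null and the consuming charts as false, so any render that does not go through one of the `values-step-*.yaml` files, for instance a later render without a step file if there is one, silently turns all metrics integration off unless the user's `values.yaml` happens to define `ready`. If `ready` is meant as an override of `enabled`, gate on presence rather than truthiness: `prometheus: {{ ternary .Values.metrics.ready .Values.metrics.enabled (hasKey .Values.metrics "ready") }}`. Sprig's `default` is not a substitute here, because it treats `false` as empty and would resurrect `enabled: true` even when a step file deliberately sets `ready: false`.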
@@ -103,16 +102,16 @@ kubezero: {{- end }} metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} values: - {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.enabled }} + {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.ready }} grafana: istio: {{- with .Values.metrics.istio.grafana }} {{- toYaml . | nindent 10 }} {{- end }} {{- end }} - {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.enabled }} + {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.ready }} prometheus: istio: {{- with .Values.metrics.istio.prometheus }} @@ -149,7 +148,7 @@ kubezero: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - prometheus: {{ .Values.metrics.enabled }} + prometheus: {{ .Values.metrics.ready }} {{- if .Values.logging.es.s3Snapshot }} s3Snapshot: @@ -169,9 +168,9 @@ kubezero: fluentd: enabled: {{ .Values.logging.fluentd.enabled }} metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} url: {{ .Values.logging.fluentd.url }} - {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }} + {{- if and .Values.logging.fluentd.istio .Values.istio.ready }} istio: {{- with .Values.logging.fluentd.istio }} {{- toYaml . | nindent 10 }} @@ -181,7 +180,7 @@ kubezero: fluent-bit: enabled: {{ index .Values.logging "fluent-bit" "enabled" }} metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} {{- if index .Values.logging "fluent-bit" "config" }} config: {{- with index .Values.logging "fluent-bit" "config" }} @@ -192,13 +191,13 @@ kubezero: argo-cd: controller: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} repoServer: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} server: metrics: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ .Values.metrics.ready }} {{- with index .Values "argo-cd" "server" }} {{- toYaml . | nindent 4 }} {{- end }} 
@@ -206,7 +205,7 @@ argo-cd:
 configs:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }}
+ {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.ready }}
 istio:
 {{- with index .Values "argo-cd" "istio" }}
 {{- toYaml . | nindent 4 }}
diff --git a/deploy/values-step-1.yaml b/deploy/values-step-1.yaml
new file mode 100644
index 0000000..4a78cef
--- /dev/null
+++ b/deploy/values-step-1.yaml
@@ -0,0 +1,17 @@
+kiam:
+ enabled: false
+ ready: false
+
+cert-manager:
+ ready: false
+
+istio:
+ enabled: false
+ ready: false
+
+metrics:
+ enabled: false
+ ready: false
+
+logging:
+ enabled: false
diff --git a/deploy/values-step-2.yaml b/deploy/values-step-2.yaml
new file mode 100644
index 0000000..23ee941
--- /dev/null
+++ b/deploy/values-step-2.yaml
@@ -0,0 +1,17 @@
+kiam:
+ enabled: false
+ ready: false
+
+cert-manager:
+ ready: true
+
+istio:
+ enabled: false
+ ready: false
+
+metrics:
+ enabled: false
+ ready: false
+
+logging:
+ enabled: false
diff --git a/deploy/values-step-3.yaml b/deploy/values-step-3.yaml
new file mode 100644
index 0000000..c552249
--- /dev/null
+++ b/deploy/values-step-3.yaml
@@ -0,0 +1,17 @@
+kiam:
+ certsOnly: true
+ ready: false
+
+cert-manager:
+ ready: true
+
+istio:
+ enabled: false
+ ready: false
+
+metrics:
+ enabled: false
+ ready: false
+
+logging:
+ enabled: false
diff --git a/deploy/values-step-4.yaml b/deploy/values-step-4.yaml
new file mode 100644
index 0000000..4091229
--- /dev/null
+++ b/deploy/values-step-4.yaml
@@ -0,0 +1,16 @@
+kiam:
+ ready: false
+
+cert-manager:
+ ready: true
+
+istio:
+ enabled: false
+ ready: false
+
+metrics:
+ enabled: false
+ ready: false
+
+logging:
+ enabled: false
diff --git a/deploy/values-step-5.yaml b/deploy/values-step-5.yaml
new file mode 100644
index 0000000..d37a3c3
--- /dev/null
+++ b/deploy/values-step-5.yaml
@@ -0,0 +1,6 @@
+istio:
+ ready: false
+
+metrics:
+ enabled: false
+ ready: false
-- 2.40.1
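Review bot: The five new `deploy/values-step-*.yaml` files encode a bootstrap order (cert-manager ready in step-2, `kiam.certsOnly` in step-3, kiam proper in step-4, istio and metrics last) but carry no comment saying so or what they are layered over, so no single file tells a reader that it must not be applied out of sequence or left in place afterwards. A one-line header in each, for step-1 `# Bootstrap step 1/5: every component marked not ready; later steps flip the ready flags one component at a time`, with the matching step number and the flag that step changes in steps 2 to 5, would make the ordering explicit. Step-4 clears `certsOnly` only by omitting the key, which holds if each step is applied on its own but not if the step files are merged cumulatively; the header is the place to state which it is.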
From 09d29f270460ad3393ef4451ccc9dcbacd8f29ac Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 14 Sep 2020 16:06:53 +0100 Subject: [PATCH 22/24] New bootstrap flow --- charts/kubezero-kiam/values.yaml | 2 +- deploy/templates/values.yaml | 34 +++++++++++++++----------------- deploy/values.yaml | 4 ++++ 3 files changed, 21 insertions(+), 19 deletions(-) diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index 866680b..b96d4f5 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -1,5 +1,5 @@ kiam: - enabled: false + enabled: true server: image: tag: "v3.6" diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index cb14d44..784dc5c 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -8,22 +8,20 @@ kubezero: values: network: {{ default "vxlan" .Values.calico.network }} mtu: {{ default "8941" .Values.calico.mtu }} - prometheus: {{ .Values.metrics.ready }} + prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }} cert-manager: enabled: {{ index .Values "cert-manager" "enabled" }} values: # Disable all until webhook is in place - {{- if not ( index .Values "cert-manager" "ready" ) }} localCA: - enabled: false - {{- end }} + enabled: {{ index .Values "cert-manager" "ready" }} {{- if eq .Values.platform "aws" }} cert-manager: podAnnotations: iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" {{- end }} - {{- if .Values.kiam.ready }} + {{- if and .Values.kiam.enabled .Values.kiam.ready }} clusterIssuer: name: letsencrypt-dns-prod server: https://acme-v02.api.letsencrypt.org/directory 
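Review bot: `enabled: {{ index .Values "cert-manager" "ready" }}` under `localCA:` renders `enabled:` with no value (YAML null) when `cert-manager.ready` is absent, whereas the metrics keys in the same hunk fall back via `default`; `enabled: {{ index .Values "cert-manager" "ready" | default false }}` would make the fallback explicit and keep the local CA off until readiness is stated. The retained comment `# Disable all until webhook is in place` described a block that was removed and now sits above one that is merely toggled; `# localCA needs the cert-manager webhook, so it follows cert-manager.ready` would match the new code. deploy/values.yaml in this commit sets `ready: true`, so the null case only arises for values files that do not include that default.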
@@ -51,20 +49,20 @@ kubezero: enabled: {{ .Values.kiam.enabled }} values: kiam: - enabled: {{ ( not .Values.kiam.certsOnly ) }} + enabled: {{ not .Values.kiam.certsOnly }} server: assumeRoleArn: "{{ .Values.kiam.IamArn }}" deployment: replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} prometheus: servicemonitor: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} agent: prometheus: servicemonitor: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} - {{- if .Values.kiam.ready }} + {{- if and .Values.kiam.enabled .Values.kiam.ready }} # AWS only components aws-ebs-csi-driver: enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} @@ -102,7 +100,7 @@ kubezero: {{- end }} metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ .Values.metrics.enabled }} values: {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.ready }} grafana: @@ -148,7 +146,7 @@ kubezero: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - prometheus: {{ .Values.metrics.ready }} + prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- if .Values.logging.es.s3Snapshot }} s3Snapshot: @@ -168,9 +166,9 @@ kubezero: fluentd: enabled: {{ .Values.logging.fluentd.enabled }} metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} url: {{ .Values.logging.fluentd.url }} - {{- if and .Values.logging.fluentd.istio .Values.istio.ready }} + {{- if and .Values.logging.fluentd.istio .Values.istio.enabled .Values.istio.ready }} istio: {{- with .Values.logging.fluentd.istio }} {{- toYaml . | nindent 10 }} 
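Review bot: `enabled: {{ not .Values.kiam.certsOnly }}` makes a bootstrap-only flag the switch for the kiam agent and server while the umbrella chart itself stays enabled, and nothing in the template or the values documents that `certsOnly` must be cleared again once the certificates exist. The kiam README on this page describes kiam as what blocks pod access to the metadata service, so a values file that keeps `certsOnly: true` past bootstrap would leave workloads without that block while `kiam.enabled` still reads true. A comment on this line, `# certsOnly: bootstrap only - renders the certificates but no agent/server, so the metadata-service block is not in place until it is cleared`, would flag that. The kiam block starts before this hunk.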
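Review bot: `.Values.istio.enabled` is added to the fluentd istio condition in the `@@ -168,9 +166,9 @@` hunk and to the argo-cd one in the next commit hunk, but the grafana condition visible as context in the `@@ -102,7 +100,7 @@` hunk still tests only `.Values.metrics.istio.grafana.enabled` and `.Values.istio.ready`, and the prometheus istio condition beside it (outside the hunk) presumably matches it. With deploy/values.yaml now carrying `istio: ready: true` next to `enabled: false`, those two blocks render whenever their own metrics flag is set even though istio is off. `{{- if and .Values.metrics.istio.grafana.enabled .Values.istio.enabled .Values.istio.ready }}`, and the same for prometheus, would make all four conditions agree.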
@@ -180,7 +178,7 @@ kubezero: fluent-bit: enabled: {{ index .Values.logging "fluent-bit" "enabled" }} metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- if index .Values.logging "fluent-bit" "config" }} config: {{- with index .Values.logging "fluent-bit" "config" }} @@ -191,13 +189,13 @@ kubezero: argo-cd: controller: metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} repoServer: metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} server: metrics: - enabled: {{ .Values.metrics.ready }} + enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }} {{- with index .Values "argo-cd" "server" }} {{- toYaml . | nindent 4 }} {{- end }} @@ -205,7 +203,7 @@ argo-cd: configs: {{- toYaml . | nindent 4 }} {{- end }} - {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.ready }} + {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled .Values.istio.ready }} istio: {{- with index .Values "argo-cd" "istio" }} {{- toYaml . | nindent 4 }} diff --git a/deploy/values.yaml b/deploy/values.yaml index fc500ae..8fa526f 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -9,6 +9,7 @@ calico: cert-manager: enabled: true + ready: true IamArn: "" aws-ebs-csi-driver: @@ -20,13 +21,16 @@ aws-efs-csi-driver: kiam: enabled: true + ready: true IamArn: "" istio: + ready: true enabled: false metrics: enabled: false + ready: true istio: grafana: enabled: false -- 2.40.1 From ce5290591fe86b6688f5d11f34c5538d2153c7cd Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 14 Sep 2020 17:26:19 +0100 Subject: [PATCH 23/24] fluent-bit version bump --- charts/kubezero-logging/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
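Review bot: The `ready: true` keys added under kiam, istio and metrics in the `@@ -20,13 +21,16 @@` hunk of deploy/values.yaml have no comment explaining how `ready` differs from `enabled`, and `istio: ready: true` directly above `enabled: false` reads as a contradiction without that context. The templates in this commit use `ready` to hold back dependants (the clusterIssuer and AWS components are gated on `and .Values.kiam.enabled .Values.kiam.ready`) and the `deploy/values-step-*.yaml` files on this page flip it during bootstrap, so a comment at the first occurrence, `# ready: set false during bootstrap (see deploy/values-step-*.yaml) to hold back components that depend on this one; enabled controls the component itself`, would document the contract once. The `ready: true` added to cert-manager in the previous hunk needs the same reference.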
diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index af2c956..53a5e1e 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.3.3 +version: 0.3.5 appVersion: 1.2.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -23,7 +23,7 @@ dependencies: repository: https://kubernetes-charts.storage.googleapis.com/ condition: fluentd.enabled - name: fluent-bit - version: 0.6.4 + version: 0.7.2 repository: https://zero-down-time.github.io/kubezero/ # repository: https://fluent.github.io/helm-charts condition: fluent-bit.enabled -- 2.40.1 From 900863acaeaf1bd052582fbcd0eedbf06eb1ea23 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 14 Sep 2020 17:26:39 +0100 Subject: [PATCH 24/24] Docs update --- charts/kubezero-kiam/README.md | 11 ++++++++++- charts/kubezero-logging/README.md | 4 ++-- charts/kubezero-metrics/README.md | 7 +++++-- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index d973e8b..efc81e3 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md @@ -2,7 +2,7 @@ kubezero-kiam ============= KubeZero Umbrella Chart for Kiam -Current chart version is `0.2.8` +Current chart version is `0.2.10` Source code can be found [here](https://kubezero.com) 
@@ -43,6 +43,10 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
 | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | |
 | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
+| kiam.agent.resources.limits.cpu | string | `"50m"` | |
+| kiam.agent.resources.limits.memory | string | `"20Mi"` | |
+| kiam.agent.resources.requests.cpu | string | `"50m"` | |
+| kiam.agent.resources.requests.memory | string | `"20Mi"` | |
 | kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
 | kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | |
 | kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | |
@@ -52,6 +56,7 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
 | kiam.agent.updateStrategy | string | `"RollingUpdate"` | |
 | kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` | |
+| kiam.enabled | bool | `true` | |
 | kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role |
 | kiam.server.deployment.enabled | bool | `true` | |
 | kiam.server.deployment.replicas | int | `1` | |
@@ -61,6 +66,10 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
 | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | |
 | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
+| kiam.server.resources.limits.cpu | string | `"100m"` | |
+| kiam.server.resources.limits.memory | string | `"50Mi"` | |
+| kiam.server.resources.requests.cpu | string | `"100m"` | |
+| kiam.server.resources.requests.memory | string | `"50Mi"` | |
 | kiam.server.service.port | int | `6444` | |
 | kiam.server.service.targetPort | int | `6444` | |
 | kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md
index 336afd8..fc8ca85 100644
--- a/charts/kubezero-logging/README.md
+++ b/charts/kubezero-logging/README.md
@@ -2,7 +2,7 @@ kubezero-logging
 ================
 KubeZero Umbrella Chart for complete EFK stack
-Current chart version is `0.3.3`
+Current chart version is `0.3.5`
 Source code can be found [here](https://kubezero.com)
@@ -11,7 +11,7 @@ Source code can be found [here](https://kubezero.com)
 | Repository | Name | Version |
 |------------|------|---------|
 | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 |
-| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.6.4 |
+| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 ## Changes from upstream
diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md
index b4c8a4c..2932c5d 100644
--- a/charts/kubezero-metrics/README.md
+++ b/charts/kubezero-metrics/README.md
@@ -79,10 +79,13 @@ Source code can be found [here](https://kubezero.com)
 | prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | |
 | prometheus-operator.prometheus.enabled | bool | `true` | |
 | prometheus-operator.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | |
-| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"512Mi"` | |
+| prometheus-operator.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` | |
+| prometheus-operator.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | |
+| prometheus-operator.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | |
+| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` | |
 | prometheus-operator.prometheus.prometheusSpec.retention | string | `"8d"` | |
 | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | |
-| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"8Gi"` | |
+| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | |
 | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | |
 | prometheus-operator.prometheusOperator.admissionWebhooks.enabled | bool | `false` | |
 | prometheus-operator.prometheusOperator.createCustomResource | bool | `true` | |
-- 2.40.1