2020-09-15 09:09:24 +00:00
36 changed files with 312 additions and 197 deletions
--- a/charts/kubezero-istio/Chart.yaml
+++ b/charts/kubezero-istio/Chart.yaml
@ -2,8 +2,8 @@ apiVersion: v2
 name: kubezero-istio
 description: KubeZero Umbrella Chart for Istio
 type: application
-version: 0.2.4
-appVersion: 1.6.7
+version: 0.3.0
+appVersion: 1.7.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@ -16,5 +16,5 @@ dependencies:
    version: ">= 0.1.3"
    repository: https://zero-down-time.github.io/kubezero/
  - name: istio-operator
-    version: ">= 1.6"
+    version: ">= 1.7"
 kubeVersion: ">= 1.16.0"
--- a/charts/kubezero-istio/README.md
+++ b/charts/kubezero-istio/README.md
@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio
 Installs Istio Operator and KubeZero Istio profile


-Current chart version is `0.2.4`
+Current chart version is `0.3.0`

 Source code can be found [here](https://kubezero.com)

@ -13,7 +13,7 @@ Source code can be found [here](https://kubezero.com)

 | Repository | Name | Version |
 |------------|------|---------|
-|  | istio-operator | >= 1.6 |
+|  | istio-operator | >= 1.7 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |

 ## KubeZero default configuration
@ -30,10 +30,12 @@ Source code can be found [here](https://kubezero.com)
 | ingress.replicaCount | int | `2` |  |
 | ingress.type | string | `"NodePort"` |  |
 | istio-operator.hub | string | `"docker.io/istio"` |  |
-| istio-operator.tag | string | `"1.6.7"` |  |
+| istio-operator.tag | string | `"1.7.1"` |  |
 | istiod.autoscaleEnabled | bool | `false` |  |
 | istiod.replicaCount | int | `1` |  |

 ## Resources

+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
 - https://istio.io/latest/docs/setup/install/standalone-operator/
--- a/charts/kubezero-istio/README.md.gotmpl
+++ b/charts/kubezero-istio/README.md.gotmpl
@ -17,4 +17,6 @@ Installs Istio Operator and KubeZero Istio profile

 ## Resources

+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
 - https://istio.io/latest/docs/setup/install/standalone-operator/
--- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/Chart.yaml
@ -1,12 +1,12 @@
 apiVersion: v1
 name: istio-operator
-version: 1.6.0
+version: 1.7.0
 tillerVersion: ">=2.7.2"
 description: Helm chart for deploying Istio operator
 keywords:
  - istio
  - operator
 sources:
-  - http://github.com/istio/istio/operator
+  - https://github.com/istio/istio/tree/master/operator
 engine: gotpl
-icon: https://istio.io/favicons/android-192x192.png
+icon: https://istio.io/latest/favicons/android-192x192.png
--- a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml
@ -0,0 +1,74 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: istiooperators.install.istio.io
+  labels:
+    release: istio
+spec:
+  group: install.istio.io
+  names:
+    kind: IstioOperator
+    plural: istiooperators
+    singular: istiooperator
+    shortNames:
+      - iop
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - description: Istio control plane revision
+          jsonPath: .spec.revision
+          name: Revision
+          type: string
+        - description: IOP current state
+          jsonPath: .status.status
+          type: string
+          name: Status
+        - jsonPath: .metadata.creationTimestamp
+          description:
+            "CreationTimestamp is a timestamp representing the server time when
+            this object was created. It is not guaranteed to be set in happens-before order
+            across separate operations. Clients may not set this value. It is represented
+            in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+            lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+          name: Age
+          type: date
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              description:
+                "APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description:
+                "Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            spec:
+              description:
+                "Specification of the desired state of the istio control plane resource.
+                More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+              x-kubernetes-preserve-unknown-fields: true
+              type: object
+            status:
+              description:
+                "Status describes each of istio control plane component status at the current time.
+                0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
+                More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
+                https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
+              x-kubernetes-preserve-unknown-fields: true
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml
@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 rules:
 # istio groups
 - apiGroups:
@ -29,12 +29,6 @@ rules:
  - '*'
  verbs:
  - '*'
- apiGroups:
-  - rbac.istio.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 - apiGroups:
  - security.istio.io
  resources:
@ -81,6 +75,7 @@ rules:
  verbs:
  - get
  - create
+  - update
 - apiGroups:
  - policy
  resources:
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml
@ -1,13 +1,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 subjects:
 - kind: ServiceAccount
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  namespace: {{.Values.operatorNamespace}}
 roleRef:
  kind: ClusterRole
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
  apiGroup: rbac.authorization.k8s.io
 ---
--- a/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/crd-operator.yaml
@ -1,46 +0,0 @@
-# SYNC WITH manifests/charts/base/files
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: istiooperators.install.istio.io
-spec:
-  group: install.istio.io
-  names:
-    kind: IstioOperator
-    plural: istiooperators
-    singular: istiooperator
-    shortNames:
-    - iop
-  scope: Namespaced
-  subresources:
-    status: {}
-  validation:
-    openAPIV3Schema:
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        spec:
-          description: 'Specification of the desired state of the istio control plane resource.
-            More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
-          type: object
-        status:
-          description: 'Status describes each of istio control plane component status at the current time.
-            0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
-            More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
-            https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
-          type: object
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
---
--- a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml
@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}
--- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: {{.Values.operatorNamespace}}
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
  replicas: 1
  selector:
@ -13,7 +13,7 @@ spec:
      labels:
        name: istio-operator
    spec:
-      serviceAccountName: istio-operator
+      serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
      nodeSelector:
        kubernetes.io/os: linux
        node-role.kubernetes.io/master: ""
@ -26,23 +26,32 @@ spec:
          command:
          - operator
          - server
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1337
+            runAsUser: 1337
+            runAsNonRoot: true
          imagePullPolicy: IfNotPresent
          resources:
-            limits:
-              cpu: 200m
-              memory: 256Mi
-            requests:
-              cpu: 50m
-              memory: 128Mi
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
          env:
            - name: WATCH_NAMESPACE
-              value: {{.Values.istioNamespace}}
+              value: {{.Values.watchedNamespaces | quote}}
            - name: LEADER_ELECTION_NAMESPACE
-              value: {{.Values.operatorNamespace}}
+              value: {{.Values.operatorNamespace | quote}}
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
-              value: {{.Values.operatorNamespace}}
+              value: {{.Values.operatorNamespace | quote}}
+            - name: WAIT_FOR_RESOURCES_TIMEOUT
+              value: {{.Values.waitForResourcesTimeout | quote}}
+            - name: REVISION
+              value: {{.Values.revision | quote}}
 ---
--- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml
@ -4,7 +4,7 @@ metadata:
  namespace: {{.Values.operatorNamespace}}
  labels:
    name: istio-operator
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 spec:
  ports:
  - name: http-metrics
--- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml
@ -2,5 +2,5 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  namespace: {{.Values.operatorNamespace}}
-  name: istio-operator
+  name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 ---
--- a/charts/kubezero-istio/charts/istio-operator/values.yaml
+++ b/charts/kubezero-istio/charts/istio-operator/values.yaml
@ -1,4 +1,25 @@
 hub: gcr.io/istio-testing
-tag: 1.6-dev
+tag: latest
+
 operatorNamespace: istio-operator
-istioNamespace: istio-system
+
+# Used to replace istioNamespace to support operator watch multiple namespaces.
+watchedNamespaces: istio-system
+waitForResourcesTimeout: 300s
+
+# Used for helm2 to add the CRDs to templates.
+enableCRDTemplates: false
+
+# revision for the operator resources
+revision: ""
+
+# Operator resource defaults
+operator:
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 128Mi
+
--- a/charts/kubezero-istio/delete_istio_14.sh
+++ b/charts/kubezero-istio/delete_istio_14.sh
@ -1,7 +0,0 @@
-#!/bin/bash
-
-# First delete old 1.4 
-kubectl delete -f ingress-gateway.yaml
-kubectl delete -f istio.yaml
-kubectl delete -f istio-init.yaml
-kubectl delete -f namespace.yaml
--- a/charts/kubezero-istio/istio-operator.patch
+++ b/charts/kubezero-istio/istio-operator.patch
@ -1,11 +1,9 @@
-diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
-index 5ef7848..8350dd5 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
-+++ b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml
-@@ -14,6 +14,12 @@ spec:
+--- charts/istio-operator/templates/deployment.yaml	2020-09-11 14:57:25.007439918 +0100
+++ charts/istio-operator/templates/deployment.yaml	2020-09-11 14:59:57.998019251 +0100
+@@ -14,6 +14,12 @@
         name: istio-operator
     spec:
-       serviceAccountName: istio-operator
+       serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 +      nodeSelector:
 +        kubernetes.io/os: linux
 +        node-role.kubernetes.io/master: ""
--- a/charts/kubezero-istio/templates/istio-base.yaml
+++ b/charts/kubezero-istio/templates/istio-base.yaml
@ -5220,6 +5220,7 @@ spec:
      storage: true
 ---

+
 # Cni component is disabled.

 # EgressGateways istio-egressgateway component is disabled.
--- a/charts/kubezero-istio/templates/istio-private-ingress.yaml
+++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml
@ -30,15 +30,15 @@ spec:
            name: istio-private-ingressgateway
        {{- end }}
        env:
-        # https://github.com/istio/istio/issues/26524
+        # https://github.com/istio/istio/issues/26524, not in 1.7 either
        #- name: TERMINATION_DRAIN_DURATION_SECONDS
        #  value: "60"
        - name: ISTIO_META_HTTP10
          value: '"1"'
        - name: ISTIO_META_ROUTER_MODE
          value: standard
-        - name: ISTIO_META_IDLE_TIMEOUT
-          value: "3600s"
+        #- name: ISTIO_META_IDLE_TIMEOUT
+        #  value: "3600s"
        {{- if eq .Values.ingress.type "NodePort" }}
        nodeSelector:
          node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}"
@ -64,6 +64,10 @@ spec:
            - path: spec.template.spec.terminationGracePeriodSeconds
              value: 90

+  meshConfig:
+    accessLogFile: /dev/stdout
+    accessLogEncoding: 'JSON'
+
  values:
    gateways:
      istio-ingressgateway:
@ -87,11 +91,13 @@ spec:
          {{- end }}
        - name: http2
          port: 80
+          targetPort: 8080
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31080
          {{- end }}
        - name: https
          port: 443
+          targetPort: 8443
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31443
          {{- end }}
@ -110,24 +116,11 @@ spec:
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 31672
          {{- end }}
-        sds:
-          enabled: true
-          image: node-agent-k8s
-          resources:
-            limits:
-              cpu: 2000m
-              memory: 1024Mi
-            requests:
-              cpu: 100m
-              memory: 128Mi
-        secretVolumes:
-        - mountPath: /etc/istio/ingressgateway-certs
-          name: ingressgateway-certs
-          secretName: istio-ingressgateway-certs
-        - mountPath: /etc/istio/ingressgateway-ca-certs
-          name: ingressgateway-ca-certs
-          secretName: istio-ingressgateway-ca-certs

    global:
      jwtPolicy: first-party-jwt
+      logAsJson: true
+      defaultPodDisruptionBudget:
+        enabled: false
+
 {{- end }}
--- a/charts/kubezero-istio/templates/istio.yaml
+++ b/charts/kubezero-istio/templates/istio.yaml
@ -7,14 +7,7 @@ metadata:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
  profile: empty
-  addonComponents:
-    prometheus:
-      enabled: false
  components:
-    citadel:
-      enabled: false
-    galley:
-      enabled: false
    ingressGateways:
    - enabled: true
      k8s:
@ -34,22 +27,22 @@ spec:
            name: istio-ingressgateway
        {{- end }}
        env:
-        # https://github.com/istio/istio/issues/26524
+        # https://github.com/istio/istio/issues/26524, not in 1.7 !
        #- name: TERMINATION_DRAIN_DURATION_SECONDS
        #  value: "60"
        - name: ISTIO_META_HTTP10
          value: '"1"'
        - name: ISTIO_META_ROUTER_MODE
          value: standard
-        - name: ISTIO_META_IDLE_TIMEOUT
-          value: "3600s"
+        #- name: ISTIO_META_IDLE_TIMEOUT
+        #  value: "3600s"
        {{- if eq .Values.ingress.type "NodePort" }}
        nodeSelector:
          node.kubernetes.io/ingress.public: "30080_30443"
        {{- end }}
        resources:
          limits:
-            # cpu: 2000m
+            #cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
@ -92,10 +85,11 @@ spec:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master

-    sidecarInjector:
-      enabled: false
    telemetry:
      enabled: false
+  meshConfig:
+    accessLogFile: /dev/stdout
+    accessLogEncoding: 'JSON'
  values:
    gateways:
      istio-ingressgateway:
@ -119,45 +113,22 @@ spec:
          {{- end }}
        - name: http2
          port: 80
+          targetPort: 8080
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 30080
          {{- end }}
        - name: https
          port: 443
+          targetPort: 8443
          {{- if eq .Values.ingress.type "NodePort" }}
          nodePort: 30443
          {{- end }}
-        sds:
-          enabled: true
-          image: node-agent-k8s
-          resources:
-            limits:
-              cpu: 2000m
-              memory: 1024Mi
-            requests:
-              cpu: 100m
-              memory: 128Mi
-        secretVolumes:
-        - mountPath: /etc/istio/ingressgateway-certs
-          name: ingressgateway-certs
-          secretName: istio-ingressgateway-certs
-        - mountPath: /etc/istio/ingressgateway-ca-certs
-          name: ingressgateway-ca-certs
-          secretName: istio-ingressgateway-ca-certs
-    meshConfig:
-      accessLogFile: /dev/stdout
-      disablePolicyChecks: false
    global:
      jwtPolicy: first-party-jwt
-      omitSidecarInjectorConfigMap: true
-      proxy:
-        accessLogEncoding: JSON
-        autoInject: disabled
-        envoyStatsd:
-          enabled: false
-      useMCP: false
+      logAsJson: true
+      defaultPodDisruptionBudget:
+        enabled: false
    pilot:
-      sidecar: false
      autoscaleEnabled: false
    mixer:
      policy:
--- a/charts/kubezero-istio/update.sh
+++ b/charts/kubezero-istio/update.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 set -ex

-ISTIO_VERSION=1.6.7
+ISTIO_VERSION=1.7.1

 NAME="istio-$ISTIO_VERSION"
 URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
@ -15,7 +15,7 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
 rm -rf istio-${ISTIO_VERSION}

 # Apply our patch
-patch  -i istio-operator.patch -p3
+patch  -i istio-operator.patch -p0

 # Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
 istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml
--- a/charts/kubezero-istio/values.yaml
+++ b/charts/kubezero-istio/values.yaml
@ -14,4 +14,4 @@ ingress:

 istio-operator:
  hub: docker.io/istio
-  tag: 1.6.7
+  tag: 1.7.1
--- a/charts/kubezero-kiam/Chart.yaml
+++ b/charts/kubezero-kiam/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-kiam
 description: KubeZero Umbrella Chart for Kiam
 type: application
-version: 0.2.9
+version: 0.2.10
 appVersion: 3.6
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
@ -18,4 +18,5 @@ dependencies:
  - name: kiam
    version: 5.8.1
    repository: https://uswitch.github.io/kiam-helm-charts/charts/
+    condition: kiam.enabled
 kubeVersion: ">= 1.16.0"
--- a/charts/kubezero-kiam/README.md
+++ b/charts/kubezero-kiam/README.md
@ -2,7 +2,7 @@ kubezero-kiam
 =============
 KubeZero Umbrella Chart for Kiam

-Current chart version is `0.2.8`
+Current chart version is `0.2.10`

 Source code can be found [here](https://kubezero.com)

@ -43,6 +43,10 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` |  |
 | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` |  |
 | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` |  |
+| kiam.agent.resources.limits.cpu | string | `"50m"` |  |
+| kiam.agent.resources.limits.memory | string | `"20Mi"` |  |
+| kiam.agent.resources.requests.cpu | string | `"50m"` |  |
+| kiam.agent.resources.requests.memory | string | `"20Mi"` |  |
 | kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` |  |
 | kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` |  |
 | kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` |  |
@ -52,6 +56,7 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.agent.tolerations[0].key | string | `"node-role.kubernetes.io/master"` |  |
 | kiam.agent.updateStrategy | string | `"RollingUpdate"` |  |
 | kiam.agent.whiteListRouteRegexp | string | `"^/latest/(meta-data/instance-id|dynamic)"` |  |
+| kiam.enabled | bool | `true` |  |
 | kiam.server.assumeRoleArn | string | `""` |  kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role |
 | kiam.server.deployment.enabled | bool | `true` |  |
 | kiam.server.deployment.replicas | int | `1` |  |
@ -61,6 +66,10 @@ By default all access to the meta-data service is blocked, expect for:
 | kiam.server.prometheus.servicemonitor.enabled | bool | `false` |  |
 | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` |  |
 | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` |  |
+| kiam.server.resources.limits.cpu | string | `"100m"` |  |
+| kiam.server.resources.limits.memory | string | `"50Mi"` |  |
+| kiam.server.resources.requests.cpu | string | `"100m"` |  |
+| kiam.server.resources.requests.memory | string | `"50Mi"` |  |
 | kiam.server.service.port | int | `6444` |  |
 | kiam.server.service.targetPort | int | `6444` |  |
 | kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` |  |
--- a/charts/kubezero-kiam/values.yaml
+++ b/charts/kubezero-kiam/values.yaml
@ -1,4 +1,5 @@
 kiam:
+  enabled: true
  server:
    image:
      tag: "v3.6"
--- a/charts/kubezero-logging/Chart.yaml
+++ b/charts/kubezero-logging/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-logging
 description: KubeZero Umbrella Chart for complete EFK stack
 type: application
-version: 0.3.2
+version: 0.3.5
 appVersion: 1.2.1
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
@ -23,7 +23,7 @@ dependencies:
    repository: https://kubernetes-charts.storage.googleapis.com/
    condition: fluentd.enabled
  - name: fluent-bit
-    version: 0.6.4
+    version: 0.7.2
    repository: https://zero-down-time.github.io/kubezero/
    # repository: https://fluent.github.io/helm-charts
    condition: fluent-bit.enabled
--- a/charts/kubezero-logging/README.md
+++ b/charts/kubezero-logging/README.md
@ -2,7 +2,7 @@ kubezero-logging
 ================
 KubeZero Umbrella Chart for complete EFK stack

-Current chart version is `0.3.2`
+Current chart version is `0.3.5`

 Source code can be found [here](https://kubezero.com)

@ -11,7 +11,7 @@ Source code can be found [here](https://kubezero.com)
 | Repository | Name | Version |
 |------------|------|---------|
 | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 |
-| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.6.4 |
+| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |

 ## Changes from upstream
@ -56,7 +56,7 @@ Source code can be found [here](https://kubezero.com)
 | es.s3Snapshot.enabled | bool | `false` |  |
 | es.s3Snapshot.iamrole | string | `""` |  |
 | fluent-bit.config.filters | string | `"[FILTER]\n    Name    lua\n    Match   kube.*\n    script  /fluent-bit/etc/functions.lua\n    call    reassemble_cri_logs\n\n[FILTER]\n    Name kubernetes\n    Match kube.*\n    Merge_Log On\n    Keep_Log Off\n    K8S-Logging.Parser On\n    K8S-Logging.Exclude On\n\n[FILTER]\n    Name    lua\n    Match   kube.*\n    script  /fluent-bit/etc/functions.lua\n    call    dedot\n"` |  |
-| fluent-bit.config.inputs | string | `"[INPUT]\n    Name tail\n    Path /var/log/containers/*.log\n    Parser cri\n    Tag kube.*\n    Mem_Buf_Limit 5MB\n    Skip_Long_Lines On\n    Refresh_Interval 10\n    DB /var/log/flb_kube.db\n    DB.Sync Normal\n[INPUT]\n    Name tail\n    Path /var/log/kubernetes/audit.log\n    Parser json\n    Tag kube.api.audit\n    Mem_Buf_Limit 5MB\n    Skip_Long_Lines On\n    Refresh_Interval 60\n    DB /var/log/flb_kube_audit.db\n    DB.Sync Normal\n"` |  |
+| fluent-bit.config.inputs | string | `"[INPUT]\n    Name tail\n    Path /var/log/containers/*.log\n    Parser cri\n    Tag kube.*\n    Mem_Buf_Limit 5MB\n    Skip_Long_Lines On\n    Refresh_Interval 10\n    DB /var/log/flb_kube.db\n    DB.Sync Normal\n[INPUT]\n    Name tail\n    Path /var/log/kubernetes/audit.log\n    Parser json\n    Tag audit.api-server\n    Mem_Buf_Limit 5MB\n    Skip_Long_Lines On\n    Refresh_Interval 60\n    DB /var/log/flb_kube_audit.db\n    DB.Sync Normal\n"` |  |
 | fluent-bit.config.lua | string | `"function dedot(tag, timestamp, record)\n    if record[\"kubernetes\"] == nil then\n        return 0, 0, 0\n    end\n    dedot_keys(record[\"kubernetes\"][\"annotations\"])\n    dedot_keys(record[\"kubernetes\"][\"labels\"])\n    return 1, timestamp, record\nend\n\nfunction dedot_keys(map)\n    if map == nil then\n        return\n    end\n    local new_map = {}\n    local changed_keys = {}\n    for k, v in pairs(map) do\n        local dedotted = string.gsub(k, \"%.\", \"_\")\n        if dedotted ~= k then\n            new_map[dedotted] = v\n            changed_keys[k] = true\n        end\n    end\n    for k in pairs(changed_keys) do\n        map[k] = nil\n    end\n    for k, v in pairs(new_map) do\n        map[k] = v\n    end\nend\n\nlocal reassemble_state = {}\n\nfunction reassemble_cri_logs(tag, timestamp, record)\n   -- IMPORTANT: reassemble_key must be unique for each parser stream\n   -- otherwise entries from different sources will get mixed up.\n   -- Either make sure that your parser tags satisfy this or construct\n   -- reassemble_key some other way\n   local reassemble_key = tag\n   -- if partial line, accumulate\n   if record.logtag == 'P' then\n      reassemble_state[reassemble_key] = reassemble_state[reassemble_key] or \"\" .. record.message\n      return -1, 0, 0\n   end\n   -- otherwise it's a full line, concatenate with accumulated partial lines if any\n   record.message = reassemble_state[reassemble_key] or \"\" .. (record.message or \"\")\n   reassemble_state[reassemble_key] = nil\n   return 1, timestamp, record\nend\n"` |  |
 | fluent-bit.config.outputs | string | `"[OUTPUT]\n    Match *\n    Name forward\n    Host logging-fluentd\n    Port 24224\n    tls on\n    tls.verify off\n    Shared_Key cloudbender\n"` |  |
 | fluent-bit.config.service | string | `"[SERVICE]\n    Flush 5\n    Daemon Off\n    Log_Level warn\n    Parsers_File parsers.conf\n    Parsers_File custom_parsers.conf\n    HTTP_Server On\n    HTTP_Listen 0.0.0.0\n    HTTP_Port 2020\n"` |  |
--- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml
+++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml
@ -48,13 +48,16 @@ spec:
        - name: elasticsearch
          resources:
            requests:
-              cpu: 100m
-              memory: 2500Mi
+              cpu: {{ default "200m" .cpu_request }}
+              memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi
            limits:
-              memory: 4Gi
+              {{- if .cpu_limit }}
+              cpu: {{ .cpu_limit }}
+              {{- end }}
+              memory: {{ mul 2 ( default "2" .jvm_heap ) }}Gi
          env:
          - name: ES_JAVA_OPTS
-            value: "-Xms2g -Xmx2g"
+            value: -Xms{{ default "2" .jvm_heap }}g -Xmx{{ default "2" .jvm_heap }}g
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
--- a/charts/kubezero-logging/values-all.yaml
+++ b/charts/kubezero-logging/values-all.yaml
@ -18,6 +18,8 @@ es:
      size: 512Gi
      class: ebs-sc-gp2-xfs
    zone: us-west-2a
+    jvm_heap: 4
+    cpu_limit: 2
  s3Snapshot:
    enabled: true
    iamrole: "dfsf" # INSERT_CLOUDFORMATION_OUTPUT_ElasticSearchSnapshots
@ -32,3 +34,6 @@ kibana:

 fluentd:
  enabled: true
+
+fluent-bit:
+  enabled: true
--- a/charts/kubezero-metrics/README.md
+++ b/charts/kubezero-metrics/README.md
@ -79,10 +79,13 @@ Source code can be found [here](https://kubezero.com)
 | prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` |  |
 | prometheus-operator.prometheus.enabled | bool | `true` |  |
 | prometheus-operator.prometheus.prometheusSpec.portName | string | `"http-prometheus"` |  |
-| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"512Mi"` |  |
+| prometheus-operator.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` |  |
+| prometheus-operator.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` |  |
+| prometheus-operator.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` |  |
+| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` |  |
 | prometheus-operator.prometheus.prometheusSpec.retention | string | `"8d"` |  |
 | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` |  |
-| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"8Gi"` |  |
+| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` |  |
 | prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` |  |
 | prometheus-operator.prometheusOperator.admissionWebhooks.enabled | bool | `false` |  |
 | prometheus-operator.prometheusOperator.createCustomResource | bool | `true` |  |
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@ -40,8 +40,8 @@ else
 EOF
  fi

-  # Deploy initial argo-cad
-  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set cert-manager.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml
+  # Deploy initial argocd
+  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml
  helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml
  # Wait for argocd-server to be running
  kubectl rollout status deployment -n argocd kubezero-argocd-server
@ -55,7 +55,7 @@ EOF
  if [ -f cert-manager-backup.yaml ]; then
    kubectl apply -f cert-manager-backup.yaml
  else
-    helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml
+    helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml
    helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
    wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2
    wait_for kubectl get ClusterIssuer letsencrypt-dns-prod 2>/dev/null 1>&2
@ -64,17 +64,17 @@ EOF
  fi

  # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet
-  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set kiam.enabled=false --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml
+  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml
  helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml

  # Now lets make sure kiam is working
-  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set istio.enabled=false --set metrics.enabled=false --set logging.enabled=false > generated-values.yaml
+  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml
  helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
  wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2
  kubectl rollout status daemonset -n kube-system kiam-agent

  # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case
-  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set argo-cd.istio.enabled=false --set metrics.istio.prometheus.enabled=false --set metrics.istio.grafana.enabled=false > generated-values.yaml
+  helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml  > generated-values.yaml
  helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
  wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2
  kubectl rollout status deployment -n istio-operator istio-operator
--- a/deploy/templates/values.yaml
+++ b/deploy/templates/values.yaml
@ -8,22 +8,20 @@ kubezero:
    values:
      network: {{ default "vxlan" .Values.calico.network }}
      mtu: {{ default "8941" .Values.calico.mtu }}
-      prometheus: {{ .Values.metrics.enabled }}
+      prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }}
  cert-manager:
    enabled: {{ index .Values "cert-manager" "enabled" }}
    values:
      # Disable all until webhook is in place
-      {{- if index .Values "cert-manager" "not_ready" }}
      localCA:
-        enabled: false
-      {{- end }}
+        enabled: {{ index .Values "cert-manager" "ready" }}
      {{- if eq .Values.platform "aws" }}
      cert-manager:
        podAnnotations:
          iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}"
      {{- end }}

-      {{- if not .Values.kiam.not_ready }}
+      {{- if and .Values.kiam.enabled .Values.kiam.ready }}
      clusterIssuer:
        name: letsencrypt-dns-prod
        server: https://acme-v02.api.letsencrypt.org/directory
@ -47,25 +45,24 @@ kubezero:


  {{- if eq .Values.platform "aws" }}
-  {{- if not ( index .Values "cert-manager" "not_ready" ) }}
  kiam:
    enabled: {{ .Values.kiam.enabled }}
    values:
      kiam:
+        enabled: {{ not .Values.kiam.certsOnly }}
        server:
          assumeRoleArn: "{{ .Values.kiam.IamArn }}"
          deployment:
            replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }}
          prometheus:
            servicemonitor:
-              enabled: {{ .Values.metrics.enabled }}
+              enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
        agent:
          prometheus:
            servicemonitor:
-              enabled: {{ .Values.metrics.enabled }}
-  {{- end }}
+              enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}

-  {{- if not .Values.kiam.not_ready }}
+  {{- if and .Values.kiam.enabled .Values.kiam.ready }}
  # AWS only components
  aws-ebs-csi-driver:
    enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}
@ -95,7 +92,7 @@ kubezero:
    values:
      istiod:
        replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
-      {{- if not ( index .Values "cert-manager" "not_ready" ) }}
+      {{- if index .Values "cert-manager" "ready" }}
      {{- if .Values.istio.ingress }}
      ingress:
        {{- toYaml .Values.istio.ingress | nindent 8 }}
@ -105,14 +102,14 @@ kubezero:
  metrics:
    enabled: {{ .Values.metrics.enabled }}
    values:
-      {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.enabled }}
+      {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.ready }}
      grafana:
        istio:
          {{- with .Values.metrics.istio.grafana }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
      {{- end }}
-      {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.enabled }}
+      {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.ready }}
      prometheus:
        istio:
          {{- with .Values.metrics.istio.prometheus }}
@ -149,7 +146,7 @@ kubezero:
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- end }}
-        prometheus: {{ .Values.metrics.enabled }}
+        prometheus: {{ default .Values.metrics.enabled .Values.metrics.ready }}

        {{- if .Values.logging.es.s3Snapshot }}
        s3Snapshot:
@ -169,9 +166,9 @@ kubezero:
      fluentd:
        enabled: {{ .Values.logging.fluentd.enabled }}
        metrics:
-          enabled: {{ .Values.metrics.enabled }}
+          enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
        url: {{ .Values.logging.fluentd.url }}
-        {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }}
+        {{- if and .Values.logging.fluentd.istio .Values.istio.enabled .Values.istio.ready }}
        istio:
          {{- with .Values.logging.fluentd.istio }}
          {{- toYaml . | nindent 10 }}
@ -181,7 +178,7 @@ kubezero:
      fluent-bit:
        enabled: {{ index .Values.logging "fluent-bit" "enabled" }}
        metrics:
-          enabled: {{ .Values.metrics.enabled }}
+          enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
        {{- if index .Values.logging "fluent-bit" "config" }}
        config:
          {{- with index .Values.logging "fluent-bit" "config" }}
@ -192,13 +189,13 @@ kubezero:
 argo-cd:
  controller:
    metrics:
-      enabled: {{ .Values.metrics.enabled }}
+      enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
  repoServer:
    metrics:
-      enabled: {{ .Values.metrics.enabled }}
+      enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
  server:
    metrics:
-      enabled: {{ .Values.metrics.enabled }}
+      enabled: {{ default .Values.metrics.enabled .Values.metrics.ready }}
    {{- with index .Values "argo-cd" "server" }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@ -206,7 +203,7 @@ argo-cd:
  configs:
    {{- toYaml . | nindent 4 }}
  {{- end }}
-  {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }}
+  {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled .Values.istio.ready }}
  istio:
    {{- with index .Values "argo-cd" "istio" }}
    {{- toYaml . | nindent 4 }}
--- a/deploy/values-step-1.yaml
+++ b/deploy/values-step-1.yaml
@ -0,0 +1,17 @@
+kiam:
+  enabled: false
+  ready: false
+
+cert-manager:
+  ready: false
+
+istio:
+  enabled: false
+  ready: false
+
+metrics:
+  enabled: false
+  ready: false
+
+logging:
+  enabled: false
--- a/deploy/values-step-2.yaml
+++ b/deploy/values-step-2.yaml
@ -0,0 +1,17 @@
+kiam:
+  enabled: false
+  ready: false
+
+cert-manager:
+  ready: true
+
+istio:
+  enabled: false
+  ready: false
+
+metrics:
+  enabled: false
+  ready: false
+
+logging:
+  enabled: false
--- a/deploy/values-step-3.yaml
+++ b/deploy/values-step-3.yaml
@ -0,0 +1,17 @@
+kiam:
+  certsOnly: true
+  ready: false
+
+cert-manager:
+  ready: true
+
+istio:
+  enabled: false
+  ready: false
+
+metrics:
+  enabled: false
+  ready: false
+
+logging:
+  enabled: false
--- a/deploy/values-step-4.yaml
+++ b/deploy/values-step-4.yaml
@ -0,0 +1,16 @@
+kiam:
+  ready: false
+
+cert-manager:
+  ready: true
+
+istio:
+  enabled: false
+  ready: false
+
+metrics:
+  enabled: false
+  ready: false
+
+logging:
+  enabled: false
--- a/deploy/values-step-5.yaml
+++ b/deploy/values-step-5.yaml
@ -0,0 +1,6 @@
+istio:
+  ready: false
+
+metrics:
+  enabled: false
+  ready: false
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@ -9,6 +9,7 @@ calico:

 cert-manager:
  enabled: true
+  ready: true
  IamArn: ""

 aws-ebs-csi-driver:
@ -20,13 +21,16 @@ aws-efs-csi-driver:

 kiam:
  enabled: true
+  ready: true
  IamArn: ""

 istio:
+  ready: true
  enabled: false

 metrics:
  enabled: false
+  ready: true
  istio:
    grafana:
      enabled: false