From 9d0e2f00a9be1e85199bd7e4e5bfd89e21651ce5 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Tue, 3 Nov 2020 12:51:57 +0000
Subject: [PATCH 01/48] First steps of argoless bootstrap

---
 charts/kubezero-cert-manager/values.yaml | 2 +-
 deploy/bootstrap.sh | 118 +++++++++++++++++++++++
 2 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100755 deploy/bootstrap.sh

diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml
index b14b4b9..c415290 100644
--- a/charts/kubezero-cert-manager/values.yaml
+++ b/charts/kubezero-cert-manager/values.yaml
@@ -9,7 +9,7 @@ clusterIssuer: {}
 # hostedZoneID: 1234567890
 localCA:
- enabled: true
+ enabled: false
 # If selfsigning is false you must provide the ca key and crt below
 selfsigning: true
 #ca:
diff --git a/deploy/bootstrap.sh b/deploy/bootstrap.sh
new file mode 100755
index 0000000..c78e425
--- /dev/null
+++ b/deploy/bootstrap.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+set -ex
+
+LOCATION=${1-""}
+
+# Update only if we use upstream
+if [ -z "$LOCATION" ]; then
+ helm repo add kubezero https://zero-down-time.github.io/kubezero
+ helm repo update
+fi
+
+DEPLOY_DIR=$( dirname $( realpath $0 ))
+which yq || { echo "yq not found!"; exit 1; }
+
+# Waits for max 300s and retries
+function wait_for() {
+ local TRIES=0
+ while true; do
+ $@ && break
+ [ $TRIES -eq 200 ] && return 1
+ let TRIES=$TRIES+1
+ sleep 3
+ done
+}
+
+function _helm() {
+ local action=$1
+ local chart=$2
+ local release=$3
+ local namespace=$4
+ shift 4
+
+ local location
+
+ if [ -z "$LOCATION" ]; then
+ location="$chart --repo https://zero-down-time.github.io/kubezero"
+ else
+ location="$LOCATION/$chart"
+ fi
+
+ [ -n "$namespace" ] && kubectl get ns $namespace || kubectl create ns $namespace
+ helm template $location --namespace $namespace --name-template $release $@ | kubectl $action -f -
+}
+
+function deploy() {
+ _helm apply $@
+}
+
+function delete() {
+ _helm delete $@
+}
+
+################
+# cert-manager #
+################
+
+# Let's start with minimal cert-manager to get the webhook in place
+deploy kubezero-cert-manager cert-manager cert-manager
+
+echo "Waiting for cert-manager to be ready..."
+wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2
+kubectl rollout status deployment -n cert-manager cert-manager-webhook
+wait_for kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0" 2>/dev/null 1>&2
+
+# Either inject cert-manager backup or bootstrap
+if [ -f cert-manager-backup.yaml ]; then
+ kubectl apply -f cert-manager-backup.yaml
+else
+ deploy kubezero-cert-manager cert-manager cert-manager --set localCA.enabled=true
+ wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2
+ kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer
+fi
+
+echo "KubeZero installed successfully."
+read
+
+# Remove all kubezero
+delete kubezero-cert-manager cert-manager cert-manager
+
+exit 0
+
+# Determine if we bootstrap or update
+helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$?
+if [ $rc -eq 0 ]; then
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+else
+
+
+ # Make sure kube-system is allowed to kiam
+ kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
+
+ # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+ kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server
+
+ # Now lets make sure kiam is working
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+ wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2
+ kubectl rollout status daemonset -n kube-system kiam-agent
+
+ # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+ wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2
+ kubectl rollout status deployment -n istio-operator istio-operator
+
+ # Metrics
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+ wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2
+
+ # Finally we could enable the actual config and deploy all
+ helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+fi
-- 
2.40.1

From f711655c58dbe8aef5fd8e7019258add5da1ad3f Mon Sep 17 00:00:00 2001
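Review bot: The webhook-CA readiness check `wait_for kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0" 2>/dev/null 1>&2` in the cert-manager section of bootstrap.sh does not retry the grep: the pipe is attached to wait_for's output, so wait_for returns as soon as `kubectl get` succeeds, the caBundle match runs once, and its failure is silently ignored because the script runs with `set -ex` and no `pipefail`, which means the next deploy can race the webhook before its CA is injected. Moving the whole check into a function makes the retry apply to it, e.g. `webhook_ready() { kubectl get validatingwebhookconfigurations -o yaml | grep -q "caBundle: LS0"; }` followed by `wait_for webhook_ready`. The header comment on wait_for says "max 300s" but 200 tries with `sleep 3` is 600s; either change it to `# Waits for max 600s (200 tries x 3s) and retries` or lower the limit to 100. Using `set -euo pipefail` instead of `set -ex` would also keep a failed `helm template` in _helm from being masked by the trailing `kubectl $action -f -`, and `[ -n "$namespace" ] && kubectl get ns $namespace || kubectl create ns $namespace` should be an explicit if/else so an empty namespace does not reach `kubectl create ns`.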
From: Stefan Reimer Date: Sat, 21 Nov 2020 04:24:57 -0800 Subject: [PATCH 02/48] Update of various components, new aroless bootstrap working --- charts/fluent-bit | 1 - charts/kubezero-argo-cd/Chart.yaml | 4 +- .../kubezero-argo-cd/templates/project.yaml | 1 - charts/kubezero-argo-cd/values.yaml | 2 +- charts/kubezero-calico/Chart.yaml | 4 +- charts/kubezero-calico/README.md | 3 +- charts/kubezero-calico/calico-v3.15.patch | 101 - charts/kubezero-calico/calico-v3.16.5.patch | 3359 +++++++++++++++++ charts/kubezero-calico/crds/crds.yaml | 34 + charts/kubezero-calico/templates/crds.yaml | 6 - charts/kubezero-calico/values.yaml | 2 - charts/kubezero-cert-manager/Chart.yaml | 5 +- charts/kubezero-cert-manager/README.md | 8 +- .../templates/cluster-ca.yaml | 19 +- .../templates/cluster-issuer.yaml | 2 +- charts/kubezero-cert-manager/values.yaml | 17 +- charts/kubezero-istio/Chart.yaml | 4 +- charts/kubezero-istio/README.md | 5 +- .../istio-operator/templates/clusterrole.yaml | 1 + .../istio-base.yaml => crds/crd-all.gen.yaml} | 3022 +++++++-------- charts/kubezero-istio/crds/crd-mixer.yaml | 82 + charts/kubezero-istio/crds/crd-operator.yaml | 74 + .../kubezero-istio/templates/envoyfilter.yaml | 2 + .../templates/ingress-certificate.yaml | 2 +- .../templates/ingress-gateway.yaml | 19 +- .../templates/istio-private-ingress.yaml | 10 + charts/kubezero-istio/templates/istio.yaml | 6 + charts/kubezero-istio/update.sh | 18 +- charts/kubezero-istio/values.yaml | 5 +- charts/kubezero-kiam/Chart.yaml | 4 +- charts/kubezero-kiam/README.md | 12 +- .../kubezero-kiam/templates/certificates.yaml | 8 +- charts/kubezero-kiam/values.yaml | 10 +- charts/kubezero-logging/Chart.yaml | 8 +- charts/kubezero-logging/eck/all-in-one.yaml | 3008 --------------- .../kubezero-logging/eck/kustomization.yaml | 6 - charts/kubezero-logging/eck/map-operator.yaml | 14 - charts/kubezero-logging/eck/update.sh | 7 - .../templates/eck/eck-operator.yaml | 3059 --------------- 
charts/kubezero-logging/values-all.yaml | 6 +- charts/kubezero-logging/values-remote-es.yaml | 0 charts/kubezero-logging/values.yaml | 12 +- charts/kubezero-metrics/Chart.yaml | 7 +- charts/kubezero-metrics/README.md | 18 +- .../templates/istio-service.yaml | 2 + charts/kubezero-metrics/values.yaml | 33 +- charts/kubezero-redis/.helmignore | 23 + charts/kubezero-redis/Chart.yaml | 20 + charts/kubezero-redis/README.md | 44 + charts/kubezero-redis/README.md.gotmpl | 26 + .../templates/istio-authorization-policy.yaml | 26 + .../templates/istio-service.yaml | 22 + charts/kubezero-redis/values.yaml | 27 + charts/kubezero/README.md | 2 +- deploy/bootstrap.sh | 334 +- deploy/deploy.sh | 82 +- deploy/templates/values.yaml | 5 + deploy/values-step-1.yaml | 17 - deploy/values-step-2.yaml | 17 - deploy/values-step-3.yaml | 17 - deploy/values-step-4.yaml | 16 - deploy/values-step-5.yaml | 9 - deploy/values-step-6.yaml | 6 - deploy/values.yaml | 7 +- 64 files changed, 5545 insertions(+), 8187 deletions(-) delete mode 120000 charts/fluent-bit delete mode 100644 charts/kubezero-calico/calico-v3.15.patch create mode 100644 charts/kubezero-calico/calico-v3.16.5.patch delete mode 100644 charts/kubezero-calico/templates/crds.yaml rename charts/kubezero-istio/{templates/istio-base.yaml => crds/crd-all.gen.yaml} (97%) create mode 100644 charts/kubezero-istio/crds/crd-mixer.yaml create mode 100644 charts/kubezero-istio/crds/crd-operator.yaml delete mode 100644 charts/kubezero-logging/eck/all-in-one.yaml delete mode 100644 charts/kubezero-logging/eck/kustomization.yaml delete mode 100644 charts/kubezero-logging/eck/map-operator.yaml delete mode 100755 charts/kubezero-logging/eck/update.sh delete mode 100644 charts/kubezero-logging/templates/eck/eck-operator.yaml delete mode 100644 charts/kubezero-logging/values-remote-es.yaml create mode 100644 charts/kubezero-redis/.helmignore create mode 100644 charts/kubezero-redis/Chart.yaml create mode 100644 charts/kubezero-redis/README.md create 
mode 100644 charts/kubezero-redis/README.md.gotmpl create mode 100644 charts/kubezero-redis/templates/istio-authorization-policy.yaml create mode 100644 charts/kubezero-redis/templates/istio-service.yaml create mode 100644 charts/kubezero-redis/values.yaml delete mode 100644 deploy/values-step-1.yaml delete mode 100644 deploy/values-step-2.yaml delete mode 100644 deploy/values-step-3.yaml delete mode 100644 deploy/values-step-4.yaml delete mode 100644 deploy/values-step-5.yaml delete mode 100644 deploy/values-step-6.yaml diff --git a/charts/fluent-bit b/charts/fluent-bit deleted file mode 120000 index cd73d77..0000000 --- a/charts/fluent-bit +++ /dev/null @@ -1 +0,0 @@ -../../helm-charts/charts/fluent-bit \ No newline at end of file diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml index 9342700..0f6a372 100644 --- a/charts/kubezero-argo-cd/Chart.yaml +++ b/charts/kubezero-argo-cd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application name: kubezero-argo-cd -version: 0.6.0 +version: 0.6.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,6 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: argo-cd - version: 2.9.3 + version: 2.9.5 repository: https://argoproj.github.io/argo-helm kubeVersion: ">= 1.17.0" diff --git a/charts/kubezero-argo-cd/templates/project.yaml b/charts/kubezero-argo-cd/templates/project.yaml index 8bf499f..c033525 100644 --- a/charts/kubezero-argo-cd/templates/project.yaml +++ b/charts/kubezero-argo-cd/templates/project.yaml @@ -12,7 +12,6 @@ spec: sourceRepos: - '*' - # Only permit applications to deploy to the guestbook namespace in the same cluster destinations: - namespace: argocd server: https://kubernetes.default.svc 
diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml index 732571d..5191c63 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argo-cd/values.yaml @@ -31,7 +31,7 @@ argo-cd: global: image: - tag: v1.7.8 + tag: v1.7.10 controller: args: diff --git a/charts/kubezero-calico/Chart.yaml b/charts/kubezero-calico/Chart.yaml index 46adbe1..f346a5f 100644 --- a/charts/kubezero-calico/Chart.yaml +++ b/charts/kubezero-calico/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-calico description: KubeZero Umbrella Chart for Calico type: application -version: 0.2.0 -appVersion: v3.16.1 +version: 0.2.1 +appVersion: v3.16.5 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-calico/README.md b/charts/kubezero-calico/README.md index 8b947f8..e660c3b 100644 --- a/charts/kubezero-calico/README.md +++ b/charts/kubezero-calico/README.md @@ -1,6 +1,6 @@ # kubezero-calico -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square) +![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square) KubeZero Umbrella Chart for Calico @@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from | Key | Type | Default | Description | |-----|------|---------|-------------| | image.tag | string | `""` | | -| installCRDs | bool | `false` | | | loglevel | string | `"Warning"` | | | mtu | int | `8941` | | | network | string | `"vxlan"` | | 
diff --git a/charts/kubezero-calico/calico-v3.15.patch b/charts/kubezero-calico/calico-v3.15.patch deleted file mode 100644 index 786d290..0000000 --- a/charts/kubezero-calico/calico-v3.15.patch +++ /dev/null 
@@ -1,101 +0,0 @@ ---- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100 -+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100 -@@ -10,13 +10,13 @@ - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. -- calico_backend: "bird" -+ calico_backend: "vxlan" - # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. -- veth_mtu: "1410" -+ veth_mtu: "8941" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. -@@ -3451,29 +3451,6 @@ - terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - initContainers: -- # This container performs upgrade from host-local IPAM to calico-ipam. -- # It can be deleted if this is a fresh installation, or if you have already -- # upgraded to use calico-ipam. -- - name: upgrade-ipam -- image: calico/cni:v3.15.0 -- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] -- env: -- - name: KUBERNETES_NODE_NAME -- valueFrom: -- fieldRef: -- fieldPath: spec.nodeName -- - name: CALICO_NETWORKING_BACKEND -- valueFrom: -- configMapKeyRef: -- name: calico-config -- key: calico_backend -- volumeMounts: -- - mountPath: /var/lib/cni/networks -- name: host-local-net-dir -- - mountPath: /host/opt/cni/bin -- name: cni-bin-dir -- securityContext: -- privileged: true - # This container installs the CNI binaries - # and CNI network config file on each node. - - name: install-cni -@@ -3545,7 +3522,7 @@ - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE -- value: "k8s,bgp" -+ value: "k8s,kubeadm" - # Auto-detect the BGP IP address. 
- - name: IP - value: "autodetect" -@@ -3554,7 +3531,7 @@ - value: "Never" - # Enable or Disable VXLAN on the default IP pool. - - name: CALICO_IPV4POOL_VXLAN -- value: "CrossSubnet" -+ value: "Always" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: -@@ -3595,9 +3572,17 @@ - value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN -- value: "info" -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYFILE -+ value: "Warning" -+ - name: FELIX_LOGSEVERITYSYS -+ value: "" - - name: FELIX_HEALTHENABLED - value: "true" -+ - name: FELIX_PROMETHEUSGOMETRICSENABLED -+ value: "false" -+ - name: FELIX_PROMETHEUSMETRICSENABLED -+ value: "true" - securityContext: - privileged: true - resources: -@@ -3608,7 +3593,6 @@ - command: - - /bin/calico-node - - -felix-live -- - -bird-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 -@@ -3617,7 +3601,6 @@ - command: - - /bin/calico-node - - -felix-ready -- - -bird-ready - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules diff --git a/charts/kubezero-calico/calico-v3.16.5.patch b/charts/kubezero-calico/calico-v3.16.5.patch new file mode 100644 index 0000000..0db98ff --- /dev/null +++ b/charts/kubezero-calico/calico-v3.16.5.patch 
@@ -0,0 +1,3359 @@ +--- calico-vxlan.yaml 2020-11-17 08:12:04.783766338 -0800 ++++ templates/calico.yaml 2020-11-17 08:10:35.583765716 -0800 +@@ -10,13 +10,13 @@ + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. +- calico_backend: "vxlan" ++ calico_backend: "{{ .Values.network }}" + # Configure the MTU to use for workload interfaces and tunnels. + # - If Wireguard is enabled, set to your network MTU - 60 + # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 + # - Otherwise, if IPIP is enabled, set to your network MTU - 20 + # - Otherwise, if not using any encapsulation, set to your network MTU. +- veth_mtu: "1410" ++ veth_mtu: "{{ .Values.mtu }}" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. +@@ -55,3230 +55,6 @@ + } + + --- +-# Source: calico/templates/kdd-crds.yaml +- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgpconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPConfiguration +- listKind: BGPConfigurationList +- plural: bgpconfigurations +- singular: bgpconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: BGPConfiguration contains the configuration for any BGP routing. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. 
Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPConfigurationSpec contains the values of the BGP configuration. +- properties: +- asNumber: +- description: 'ASNumber is the default AS number used by a node. [Default: +- 64512]' +- format: int32 +- type: integer +- communities: +- description: Communities is a list of BGP community values and their +- arbitrary names for tagging routes. +- items: +- description: Community contains standard or large community value +- and its name. +- properties: +- name: +- description: Name given to community value. +- type: string +- value: +- description: Value must be of format `aa:nn` or `aa:nn:mm`. +- For standard community use `aa:nn` format, where `aa` and +- `nn` are 16 bit number. For large community use `aa:nn:mm` +- format, where `aa`, `nn` and `mm` are 32 bit number. Where, +- `aa` is an AS Number, `nn` and `mm` are per-AS identifier. +- pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ +- type: string +- type: object +- type: array +- listenPort: +- description: ListenPort is the port where BGP protocol should listen. +- Defaults to 179 +- maximum: 65535 +- minimum: 1 +- type: integer +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: INFO]' +- type: string +- nodeToNodeMeshEnabled: +- description: 'NodeToNodeMeshEnabled sets whether full node to node +- BGP mesh is enabled. [Default: true]' +- type: boolean +- prefixAdvertisements: +- description: PrefixAdvertisements contains per-prefix advertisement +- configuration. +- items: +- description: PrefixAdvertisement configures advertisement properties +- for the specified CIDR. 
+- properties: +- cidr: +- description: CIDR for which properties should be advertised. +- type: string +- communities: +- description: Communities can be list of either community names +- already defined in `Specs.Communities` or community value +- of format `aa:nn` or `aa:nn:mm`. For standard community use +- `aa:nn` format, where `aa` and `nn` are 16 bit number. For +- large community use `aa:nn:mm` format, where `aa`, `nn` and +- `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and +- `mm` are per-AS identifier. +- items: +- type: string +- type: array +- type: object +- type: array +- serviceClusterIPs: +- description: ServiceClusterIPs are the CIDR blocks from which service +- cluster IPs are allocated. If specified, Calico will advertise these +- blocks, as well as any cluster IPs within them. +- items: +- description: ServiceClusterIPBlock represents a single allowed ClusterIP +- CIDR block. +- properties: +- cidr: +- type: string +- type: object +- type: array +- serviceExternalIPs: +- description: ServiceExternalIPs are the CIDR blocks for Kubernetes +- Service External IPs. Kubernetes Service ExternalIPs will only be +- advertised if they are within one of these blocks. +- items: +- description: ServiceExternalIPBlock represents a single allowed +- External IP CIDR block. 
+- properties: +- cidr: +- type: string +- type: object +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: bgppeers.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BGPPeer +- listKind: BGPPeerList +- plural: bgppeers +- singular: bgppeer +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BGPPeerSpec contains the specification for a BGPPeer resource. +- properties: +- asNumber: +- description: The AS Number of the peer. +- format: int32 +- type: integer +- keepOriginalNextHop: +- description: Option to keep the original nexthop field when routes +- are sent to a BGP Peer. Setting "true" configures the selected BGP +- Peers node to use the "next hop keep;" instead of "next hop self;"(default) +- in the specific branch of the Node on "bird.cfg". 
+- type: boolean +- node: +- description: The node name identifying the Calico node instance that +- is peering with this peer. If this is not set, this represents a +- global peer, i.e. a peer that peers with every node in the deployment. +- type: string +- nodeSelector: +- description: Selector for the nodes that should have this peering. When +- this is set, the Node field must be empty. +- type: string +- password: +- description: Optional BGP password for the peerings generated by this +- BGPPeer resource. +- properties: +- secretKeyRef: +- description: Selects a key of a secret in the node pod's namespace. +- properties: +- key: +- description: The key of the secret to select from. Must be +- a valid secret key. +- type: string +- name: +- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +- TODO: Add other useful fields. apiVersion, kind, uid?' +- type: string +- optional: +- description: Specify whether the Secret or its key must be +- defined +- type: boolean +- required: +- - key +- type: object +- type: object +- peerIP: +- description: The IP address of the peer followed by an optional port +- number to peer with. If port number is given, format should be `[]:port` +- or `:` for IPv4. If optional port number is not set, +- and this peer IP and ASNumber belongs to a calico/node with ListenPort +- set in BGPConfiguration, then we use that port to peer. +- type: string +- peerSelector: +- description: Selector for the remote nodes to peer with. When this +- is set, the PeerIP and ASNumber fields must be empty. For each +- peering between the local node and selected remote nodes, we configure +- an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, +- and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The +- remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, +- or the global default if that is not set. 
+- type: string +- required: +- - asNumber +- - peerIP +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: blockaffinities.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: BlockAffinity +- listKind: BlockAffinityList +- plural: blockaffinities +- singular: blockaffinity +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: BlockAffinitySpec contains the specification for a BlockAffinity +- resource. +- properties: +- cidr: +- type: string +- deleted: +- description: Deleted indicates that this block affinity is being deleted. +- This field is a string for compatibility with older releases that +- mistakenly treat this field as a string. 
+- type: string +- node: +- type: string +- state: +- type: string +- required: +- - cidr +- - deleted +- - node +- - state +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: clusterinformations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: ClusterInformation +- listKind: ClusterInformationList +- plural: clusterinformations +- singular: clusterinformation +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: ClusterInformation contains the cluster specific information. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: ClusterInformationSpec contains the values of describing +- the cluster. 
+- properties: +- calicoVersion: +- description: CalicoVersion is the version of Calico that the cluster +- is running +- type: string +- clusterGUID: +- description: ClusterGUID is the GUID of the cluster +- type: string +- clusterType: +- description: ClusterType describes the type of the cluster +- type: string +- datastoreReady: +- description: DatastoreReady is used during significant datastore migrations +- to signal to components such as Felix that it should wait before +- accessing the datastore. +- type: boolean +- variant: +- description: Variant declares which variant of Calico should be active. +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: felixconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: FelixConfiguration +- listKind: FelixConfigurationList +- plural: felixconfigurations +- singular: felixconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: Felix Configuration contains the configuration for Felix. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: FelixConfigurationSpec contains the values of the Felix configuration. +- properties: +- allowIPIPPacketsFromWorkloads: +- description: 'AllowIPIPPacketsFromWorkloads controls whether Felix +- will add a rule to drop IPIP encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- allowVXLANPacketsFromWorkloads: +- description: 'AllowVXLANPacketsFromWorkloads controls whether Felix +- will add a rule to drop VXLAN encapsulated traffic from workloads +- [Default: false]' +- type: boolean +- awsSrcDstCheck: +- description: 'Set source-destination-check on AWS EC2 instances. Accepted +- value must be one of "DoNothing", "Enabled" or "Disabled". [Default: +- DoNothing]' +- enum: +- - DoNothing +- - Enable +- - Disable +- type: string +- bpfConnectTimeLoadBalancingEnabled: +- description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, +- controls whether Felix installs the connection-time load balancer. The +- connect-time load balancer is required for the host to be able to +- reach Kubernetes services and it improves the performance of pod-to-service +- connections. The only reason to disable it is for debugging purposes. [Default: +- true]' +- type: boolean +- bpfDataIfacePattern: +- description: 'BPFDataIfacePattern is a regular expression that controls +- which interfaces Felix should attach BPF programs to in order to +- catch traffic to/from the network. This needs to match the interfaces +- that Calico workload traffic flows over as well as any interfaces +- that handle incoming traffic to nodeports and services from outside +- the cluster. It should not match the workload interfaces (usually +- named cali...). 
[Default: ^(en.*|eth.*|tunl0$)]' +- type: string +- bpfDisableUnprivileged: +- description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled +- sysctl to disable unprivileged use of BPF. This ensures that unprivileged +- users cannot access Calico''s BPF maps and cannot insert their own +- BPF programs to interfere with Calico''s. [Default: true]' +- type: boolean +- bpfEnabled: +- description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. +- [Default: false]' +- type: boolean +- bpfExternalServiceMode: +- description: 'BPFExternalServiceMode in BPF mode, controls how connections +- from outside the cluster to services (node ports and cluster IPs) +- are forwarded to remote workloads. If set to "Tunnel" then both +- request and response traffic is tunneled to the remote node. If +- set to "DSR", the request traffic is tunneled but the response traffic +- is sent directly from the remote node. In "DSR" mode, the remote +- node appears to use the IP of the ingress node; this requires a +- permissive L2 network. [Default: Tunnel]' +- type: string +- bpfKubeProxyEndpointSlicesEnabled: +- description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls +- whether Felix's embedded kube-proxy accepts EndpointSlices or not. +- type: boolean +- bpfKubeProxyIptablesCleanupEnabled: +- description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF +- mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s +- iptables chains. Should only be enabled if kube-proxy is not running. [Default: +- true]' +- type: boolean +- bpfKubeProxyMinSyncPeriod: +- description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the +- minimum time between updates to the dataplane for Felix''s embedded +- kube-proxy. Lower values give reduced set-up latency. Higher values +- reduce Felix CPU usage by batching up more work. 
[Default: 1s]' +- type: string +- bpfLogLevel: +- description: 'BPFLogLevel controls the log level of the BPF programs +- when in BPF dataplane mode. One of "Off", "Info", or "Debug". The +- logs are emitted to the BPF trace pipe, accessible with the command +- `tc exec bpf debug`. [Default: Off].' +- type: string +- chainInsertMode: +- description: 'ChainInsertMode controls whether Felix hooks the kernel’s +- top-level iptables chains by inserting a rule at the top of the +- chain or by appending a rule at the bottom. insert is the safe default +- since it prevents Calico’s rules from being bypassed. If you switch +- to append mode, be sure that the other rules in the chains signal +- acceptance by falling through to the Calico rules, otherwise the +- Calico policy will be bypassed. [Default: insert]' +- type: string +- dataplaneDriver: +- type: string +- debugDisableLogDropping: +- type: boolean +- debugMemoryProfilePath: +- type: string +- debugSimulateCalcGraphHangAfter: +- type: string +- debugSimulateDataplaneHangAfter: +- type: string +- defaultEndpointToHostAction: +- description: 'DefaultEndpointToHostAction controls what happens to +- traffic that goes from a workload endpoint to the host itself (after +- the traffic hits the endpoint egress policy). By default Calico +- blocks traffic from workload endpoints to the host itself with an +- iptables “DROP” action. If you want to allow some or all traffic +- from endpoint to host, set this parameter to RETURN or ACCEPT. Use +- RETURN if you have your own rules in the iptables “INPUT” chain; +- Calico will insert its rules at the top of that chain, then “RETURN” +- packets to the “INPUT” chain once it has completed processing workload +- endpoint egress policy. Use ACCEPT to unconditionally accept packets +- from workloads after processing workload endpoint egress policy. 
+- [Default: Drop]' +- type: string +- deviceRouteProtocol: +- description: This defines the route protocol added to programmed device +- routes, by default this will be RTPROT_BOOT when left blank. +- type: integer +- deviceRouteSourceAddress: +- description: This is the source address to use on programmed device +- routes. By default the source address is left blank, leaving the +- kernel to choose the source address used. +- type: string +- disableConntrackInvalidCheck: +- type: boolean +- endpointReportingDelay: +- type: string +- endpointReportingEnabled: +- type: boolean +- externalNodesList: +- description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes +- which may source tunnel traffic and have the tunneled traffic be +- accepted at calico nodes. +- items: +- type: string +- type: array +- failsafeInboundHostPorts: +- description: 'FailsafeInboundHostPorts is a comma-delimited list of +- UDP/TCP ports that Felix will allow incoming traffic to host endpoints +- on irrespective of the security policy. This is useful to avoid +- accidentally cutting off a host with incorrect configuration. Each +- port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all inbound host ports, use the value none. +- The default value allows ssh access and DHCP. [Default: tcp:22, +- udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- failsafeOutboundHostPorts: +- description: 'FailsafeOutboundHostPorts is a comma-delimited list +- of UDP/TCP ports that Felix will allow outgoing traffic from host +- endpoints to irrespective of the security policy. 
This is useful +- to avoid accidentally cutting off a host with incorrect configuration. +- Each port should be specified as tcp: or udp:. +- For back-compatibility, if the protocol is not specified, it defaults +- to “tcp”. To disable all outbound host ports, use the value none. +- The default value opens etcd’s standard ports to ensure that Felix +- does not get cut off from etcd as well as allowing DHCP and DNS. +- [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, +- udp:53, udp:67]' +- items: +- description: ProtoPort is combination of protocol and port, both +- must be specified. +- properties: +- port: +- type: integer +- protocol: +- type: string +- required: +- - port +- - protocol +- type: object +- type: array +- featureDetectOverride: +- description: FeatureDetectOverride is used to override the feature +- detection. Values are specified in a comma separated list with no +- spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". +- "true" or "false" will force the feature, empty or omitted values +- are auto-detected. +- type: string +- genericXDPEnabled: +- description: 'GenericXDPEnabled enables Generic XDP so network cards +- that don''t support XDP offload or driver modes can use XDP. This +- is not recommended since it doesn''t provide better performance +- than iptables. [Default: false]' +- type: boolean +- healthEnabled: +- type: boolean +- healthHost: +- type: string +- healthPort: +- type: integer +- interfaceExclude: +- description: 'InterfaceExclude is a comma-separated list of interfaces +- that Felix should exclude when monitoring for host endpoints. The +- default value ensures that Felix ignores Kubernetes'' IPVS dummy +- interface, which is used internally by kube-proxy. If you want to +- exclude multiple interface names using a single value, the list +- supports regular expressions. For regular expressions you must wrap +- the value with ''/''. 
For example having values ''/^kube/,veth1'' +- will exclude all interfaces that begin with ''kube'' and also the +- interface ''veth1''. [Default: kube-ipvs0]' +- type: string +- interfacePrefix: +- description: 'InterfacePrefix is the interface name prefix that identifies +- workload endpoints and so distinguishes them from host endpoint +- interfaces. Note: in environments other than bare metal, the orchestrators +- configure this appropriately. For example our Kubernetes and Docker +- integrations set the ‘cali’ value, and our OpenStack integration +- sets the ‘tap’ value. [Default: cali]' +- type: string +- interfaceRefreshInterval: +- description: InterfaceRefreshInterval is the period at which Felix +- rescans local interfaces to verify their state. The rescan can be +- disabled by setting the interval to 0. +- type: string +- ipipEnabled: +- type: boolean +- ipipMTU: +- description: 'IPIPMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- ipsetsRefreshInterval: +- description: 'IpsetsRefreshInterval is the period at which Felix re-checks +- all iptables state to ensure that no other process has accidentally +- broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: +- 90s]' +- type: string +- iptablesBackend: +- description: IptablesBackend specifies which backend of iptables will +- be used. The default is legacy. +- type: string +- iptablesFilterAllowAction: +- type: string +- iptablesLockFilePath: +- description: 'IptablesLockFilePath is the location of the iptables +- lock file. You may need to change this if the lock file is not in +- its standard location (for example if you have mapped it into Felix’s +- container at a different path). [Default: /run/xtables.lock]' +- type: string +- iptablesLockProbeInterval: +- description: 'IptablesLockProbeInterval is the time that Felix will +- wait between attempts to acquire the iptables lock if it is not +- available. 
Lower values make Felix more responsive when the lock +- is contended, but use more CPU. [Default: 50ms]' +- type: string +- iptablesLockTimeout: +- description: 'IptablesLockTimeout is the time that Felix will wait +- for the iptables lock, or 0, to disable. To use this feature, Felix +- must share the iptables lock file with all other processes that +- also take the lock. When running Felix inside a container, this +- requires the /run directory of the host to be mounted into the calico/node +- or calico/felix container. [Default: 0s disabled]' +- type: string +- iptablesMangleAllowAction: +- type: string +- iptablesMarkMask: +- description: 'IptablesMarkMask is the mask that Felix selects its +- IPTables Mark bits from. Should be a 32 bit hexadecimal number with +- at least 8 bits set, none of which clash with any other mark bits +- in use on the system. [Default: 0xff000000]' +- format: int32 +- type: integer +- iptablesNATOutgoingInterfaceFilter: +- type: string +- iptablesPostWriteCheckInterval: +- description: 'IptablesPostWriteCheckInterval is the period after Felix +- has done a write to the dataplane that it schedules an extra read +- back in order to check the write was not clobbered by another process. +- This should only occur if another application on the system doesn’t +- respect the iptables lock. [Default: 1s]' +- type: string +- iptablesRefreshInterval: +- description: 'IptablesRefreshInterval is the period at which Felix +- re-checks the IP sets in the dataplane to ensure that no other process +- has accidentally broken Calico’s rules. Set to 0 to disable IP sets +- refresh. Note: the default for this value is lower than the other +- refresh intervals as a workaround for a Linux kernel bug that was +- fixed in kernel version 4.11. If you are using v4.11 or greater +- you may want to set this to, a higher value to reduce Felix CPU +- usage. 
[Default: 10s]' +- type: string +- ipv6Support: +- type: boolean +- kubeNodePortRanges: +- description: 'KubeNodePortRanges holds list of port ranges used for +- service node ports. Only used if felix detects kube-proxy running +- in ipvs mode. Felix uses these ranges to separate host and workload +- traffic. [Default: 30000:32767].' +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- logFilePath: +- description: 'LogFilePath is the full path to the Felix log. Set to +- none to disable file logging. [Default: /var/log/calico/felix.log]' +- type: string +- logPrefix: +- description: 'LogPrefix is the log prefix that Felix uses when rendering +- LOG rules. [Default: calico-packet]' +- type: string +- logSeverityFile: +- description: 'LogSeverityFile is the log severity above which logs +- are sent to the log file. [Default: Info]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- logSeveritySys: +- description: 'LogSeveritySys is the log severity above which logs +- are sent to the syslog. Set to None for no logging to syslog. [Default: +- Info]' +- type: string +- maxIpsetSize: +- type: integer +- metadataAddr: +- description: 'MetadataAddr is the IP address or domain name of the +- server that can answer VM queries for cloud-init metadata. In OpenStack, +- this corresponds to the machine running nova-api (or in Ubuntu, +- nova-api-metadata). A value of none (case insensitive) means that +- Felix should not set up any NAT rule for the metadata path. [Default: +- 127.0.0.1]' +- type: string +- metadataPort: +- description: 'MetadataPort is the port of the metadata server. This, +- combined with global.MetadataAddr (if not ‘None’), is used to set +- up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 
+- In most cases this should not need to be changed [Default: 8775].' +- type: integer +- natOutgoingAddress: +- description: NATOutgoingAddress specifies an address to use when performing +- source NAT for traffic in a natOutgoing pool that is leaving the +- network. By default the address used is an address on the interface +- the traffic is leaving on (ie it uses the iptables MASQUERADE target) +- type: string +- natPortRange: +- anyOf: +- - type: integer +- - type: string +- description: NATPortRange specifies the range of ports that is used +- for port mapping when doing outgoing NAT. When unset the default +- behavior of the network stack is used. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- netlinkTimeout: +- type: string +- openstackRegion: +- description: 'OpenstackRegion is the name of the region that a particular +- Felix belongs to. In a multi-region Calico/OpenStack deployment, +- this must be configured somehow for each Felix (here in the datamodel, +- or in felix.cfg or the environment on each compute node), and must +- match the [calico] openstack_region value configured in neutron.conf +- on each node. [Default: Empty]' +- type: string +- policySyncPathPrefix: +- description: 'PolicySyncPathPrefix is used to by Felix to communicate +- policy changes to external services, like Application layer policy. +- [Default: Empty]' +- type: string +- prometheusGoMetricsEnabled: +- description: 'PrometheusGoMetricsEnabled disables Go runtime metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- prometheusMetricsEnabled: +- description: 'PrometheusMetricsEnabled enables the Prometheus metrics +- server in Felix if set to true. [Default: false]' +- type: boolean +- prometheusMetricsHost: +- description: 'PrometheusMetricsHost is the host that the Prometheus +- metrics server should bind to. 
[Default: empty]' +- type: string +- prometheusMetricsPort: +- description: 'PrometheusMetricsPort is the TCP port that the Prometheus +- metrics server should bind to. [Default: 9091]' +- type: integer +- prometheusProcessMetricsEnabled: +- description: 'PrometheusProcessMetricsEnabled disables process metrics +- collection, which the Prometheus client does by default, when set +- to false. This reduces the number of metrics reported, reducing +- Prometheus load. [Default: true]' +- type: boolean +- removeExternalRoutes: +- description: Whether or not to remove device routes that have not +- been programmed by Felix. Disabling this will allow external applications +- to also add device routes. This is enabled by default which means +- we will remove externally added routes. +- type: boolean +- reportingInterval: +- description: 'ReportingInterval is the interval at which Felix reports +- its status into the datastore or 0 to disable. Must be non-zero +- in OpenStack deployments. [Default: 30s]' +- type: string +- reportingTTL: +- description: 'ReportingTTL is the time-to-live setting for process-wide +- status reports. [Default: 90s]' +- type: string +- routeRefreshInterval: +- description: 'RouterefreshInterval is the period at which Felix re-checks +- the routes in the dataplane to ensure that no other process has +- accidentally broken Calico’s rules. Set to 0 to disable route refresh. +- [Default: 90s]' +- type: string +- routeSource: +- description: 'RouteSource configures where Felix gets its routing +- information. - WorkloadIPs: use workload endpoints to construct +- routes. - CalicoIPAM: the default - use IPAM data to construct routes.' +- type: string +- routeTableRange: +- description: Calico programs additional Linux route tables for various +- purposes. RouteTableRange specifies the indices of the route tables +- that Calico should use. 
+- properties: +- max: +- type: integer +- min: +- type: integer +- required: +- - max +- - min +- type: object +- sidecarAccelerationEnabled: +- description: 'SidecarAccelerationEnabled enables experimental sidecar +- acceleration [Default: false]' +- type: boolean +- usageReportingEnabled: +- description: 'UsageReportingEnabled reports anonymous Calico version +- number and cluster size to projectcalico.org. Logs warnings returned +- by the usage server. For example, if a significant security vulnerability +- has been discovered in the version of Calico being used. [Default: +- true]' +- type: boolean +- usageReportingInitialDelay: +- description: 'UsageReportingInitialDelay controls the minimum delay +- before Felix makes a report. [Default: 300s]' +- type: string +- usageReportingInterval: +- description: 'UsageReportingInterval controls the interval at which +- Felix makes reports. [Default: 86400s]' +- type: string +- useInternalDataplaneDriver: +- type: boolean +- vxlanEnabled: +- type: boolean +- vxlanMTU: +- description: 'VXLANMTU is the MTU to set on the tunnel device. See +- Configuring MTU [Default: 1440]' +- type: integer +- vxlanPort: +- type: integer +- vxlanVNI: +- type: integer +- wireguardEnabled: +- description: 'WireguardEnabled controls whether Wireguard is enabled. +- [Default: false]' +- type: boolean +- wireguardInterfaceName: +- description: 'WireguardInterfaceName specifies the name to use for +- the Wireguard interface. [Default: wg.calico]' +- type: string +- wireguardListeningPort: +- description: 'WireguardListeningPort controls the listening port used +- by Wireguard. [Default: 51820]' +- type: integer +- wireguardMTU: +- description: 'WireguardMTU controls the MTU on the Wireguard interface. +- See Configuring MTU [Default: 1420]' +- type: integer +- wireguardRoutingRulePriority: +- description: 'WireguardRoutingRulePriority controls the priority value +- to use for the Wireguard routing rule. 
[Default: 99]' +- type: integer +- xdpEnabled: +- description: 'XDPEnabled enables XDP acceleration for suitable untracked +- incoming deny rules. [Default: true]' +- type: boolean +- xdpRefreshInterval: +- description: 'XDPRefreshInterval is the period at which Felix re-checks +- all XDP state to ensure that no other process has accidentally broken +- Calico''s BPF maps or attached programs. Set to 0 to disable XDP +- refresh. [Default: 90s]' +- type: string +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkPolicy +- listKind: GlobalNetworkPolicyList +- plural: globalnetworkpolicies +- singular: globalnetworkpolicy +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- applyOnForward: +- description: ApplyOnForward indicates to apply the rules in this policy +- on forward traffic. 
+- type: boolean +- doNotTrack: +- description: DoNotTrack indicates whether packets matched by the rules +- in this policy should go through the data plane's connection tracking, +- such as Linux conntrack. If True, the rules in this policy are +- applied before any data plane connection tracking, and packets allowed +- by this policy are marked as not to be tracked. +- type: boolean +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. 
\n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. 
The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. 
+- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). 
+- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. 
+- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. 
\n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." 
+- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. 
+- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. 
+- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). 
+- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. 
When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- namespaceSelector: +- description: NamespaceSelector is an optional field for an expression +- used to select a pod based on namespaces. +- type: string +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- preDNAT: +- description: PreDNAT indicates to apply the rules in this policy before +- any DNAT. +- type: boolean +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! 
has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress rules are present in the policy. The +- default is: \n - [ PolicyTypeIngress ], if there are no Egress rules +- (including the case where there are also no Ingress rules) \n +- - [ PolicyTypeEgress ], if there are Egress rules but no Ingress +- rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are +- both Ingress and Egress rules. \n When the policy is read back again, +- Types will always be one of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: globalnetworksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: GlobalNetworkSet +- listKind: GlobalNetworkSetList +- plural: globalnetworksets +- singular: globalnetworkset +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs +- that share labels to allow rules to refer to them via selectors. The labels +- of GlobalNetworkSet are not namespaced. 
+- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: GlobalNetworkSetSpec contains the specification for a NetworkSet +- resource. +- properties: +- nets: +- description: The list of IP networks that belong to this set. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: hostendpoints.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: HostEndpoint +- listKind: HostEndpointList +- plural: hostendpoints +- singular: hostendpoint +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: HostEndpointSpec contains the specification for a HostEndpoint +- resource. +- properties: +- expectedIPs: +- description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. +- If \"InterfaceName\" is not present, Calico will look for an interface +- matching any of the IPs in the list and apply policy to that. Note: +- \tWhen using the selector match criteria in an ingress or egress +- security Policy \tor Profile, Calico converts the selector into +- a set of IP addresses. For host \tendpoints, the ExpectedIPs field +- is used for that purpose. (If only the interface \tname is specified, +- Calico does not learn the IPs of the interface for use in match +- \tcriteria.)" +- items: +- type: string +- type: array +- interfaceName: +- description: "Either \"*\", or the name of a specific Linux interface +- to apply policy to; or empty. \"*\" indicates that this HostEndpoint +- governs all traffic to, from or through the default network namespace +- of the host named by the \"Node\" field; entering and leaving that +- namespace via any interface, including those from/to non-host-networked +- local workloads. \n If InterfaceName is not \"*\", this HostEndpoint +- only governs traffic that enters or leaves the host through the +- specific interface named by InterfaceName, or - when InterfaceName +- is empty - through the specific interface that has one of the IPs +- in ExpectedIPs. 
Therefore, when InterfaceName is empty, at least +- one expected IP must be specified. Only external interfaces (such +- as “eth0”) are supported here; it isn't possible for a HostEndpoint +- to protect traffic through a specific local workload interface. +- \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; +- initially just pre-DNAT policy. Please check Calico documentation +- for the latest position." +- type: string +- node: +- description: The node name identifying the Calico node instance. +- type: string +- ports: +- description: Ports contains the endpoint's named ports, which may +- be referenced in security policy rules. +- items: +- properties: +- name: +- type: string +- port: +- type: integer +- protocol: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- required: +- - name +- - port +- - protocol +- type: object +- type: array +- profiles: +- description: A list of identifiers of security Profile objects that +- apply to this endpoint. Each profile is applied in the order that +- they appear in this list. Profile rules are applied after the selector-based +- security policy. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamblocks.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMBlock +- listKind: IPAMBlockList +- plural: ipamblocks +- singular: ipamblock +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. 
Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMBlockSpec contains the specification for an IPAMBlock +- resource. +- properties: +- affinity: +- type: string +- allocations: +- items: +- type: integer +- # TODO: This nullable is manually added in. We should update controller-gen +- # to handle []*int properly itself. +- nullable: true +- type: array +- attributes: +- items: +- properties: +- handle_id: +- type: string +- secondary: +- additionalProperties: +- type: string +- type: object +- type: object +- type: array +- cidr: +- type: string +- deleted: +- type: boolean +- strictAffinity: +- type: boolean +- unallocated: +- items: +- type: integer +- type: array +- required: +- - allocations +- - attributes +- - cidr +- - deleted +- - strictAffinity +- - unallocated +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamconfigs.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMConfig +- listKind: IPAMConfigList +- plural: ipamconfigs +- singular: ipamconfig +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- 
apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMConfigSpec contains the specification for an IPAMConfig +- resource. +- properties: +- autoAllocateBlocks: +- type: boolean +- strictAffinity: +- type: boolean +- required: +- - autoAllocateBlocks +- - strictAffinity +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ipamhandles.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPAMHandle +- listKind: IPAMHandleList +- plural: ipamhandles +- singular: ipamhandle +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPAMHandleSpec contains the specification for an IPAMHandle +- resource. +- properties: +- block: +- additionalProperties: +- type: integer +- type: object +- handleID: +- type: string +- required: +- - block +- - handleID +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: ippools.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: IPPool +- listKind: IPPoolList +- plural: ippools +- singular: ippool +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: IPPoolSpec contains the specification for an IPPool resource. +- properties: +- blockSize: +- description: The block size to use for IP address assignments from +- this pool. Defaults to 26 for IPv4 and 112 for IPv6. +- type: integer +- cidr: +- description: The pool CIDR. +- type: string +- disabled: +- description: When disabled is true, Calico IPAM will not assign addresses +- from this pool. +- type: boolean +- ipip: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- properties: +- enabled: +- description: When enabled is true, ipip tunneling will be used +- to deliver packets to destinations within this pool. +- type: boolean +- mode: +- description: The IPIP mode. This can be one of "always" or "cross-subnet". A +- mode of "always" will also use IPIP tunneling for routing to +- destination IP addresses within this pool. A mode of "cross-subnet" +- will only use IPIP tunneling when the destination node is on +- a different subnet to the originating node. The default value +- (if not specified) is "always". +- type: string +- type: object +- ipipMode: +- description: Contains configuration for IPIP tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling +- is disabled). +- type: string +- nat-outgoing: +- description: 'Deprecated: this field is only used for APIv1 backwards +- compatibility. Setting this field is not allowed, this field is +- for internal use only.' +- type: boolean +- natOutgoing: +- description: When nat-outgoing is true, packets sent from Calico networked +- containers in this pool to destinations outside of this pool will +- be masqueraded. 
+- type: boolean +- nodeSelector: +- description: Allows IPPool to allocate for a specific node by label +- selector. +- type: string +- vxlanMode: +- description: Contains configuration for VXLAN tunneling for this pool. +- If not specified, then this is defaulted to "Never" (i.e. VXLAN +- tunneling is disabled). +- type: string +- required: +- - cidr +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: kubecontrollersconfigurations.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: KubeControllersConfiguration +- listKind: KubeControllersConfigurationList +- plural: kubecontrollersconfigurations +- singular: kubecontrollersconfiguration +- scope: Cluster +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: KubeControllersConfigurationSpec contains the values of the +- Kubernetes controllers configuration. 
+- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. +- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host endpoints. +- Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation of +- host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. 
Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform reconciliation +- with the Calico datastore. [Default: 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. [Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which logs +- are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- status: +- description: KubeControllersConfigurationStatus represents the status +- of the configuration. It's useful for admins to be able to see the actual +- config that was applied, which can be modified by environment variables +- on the kube-controllers process. +- properties: +- environmentVars: +- additionalProperties: +- type: string +- description: EnvironmentVars contains the environment variables on +- the kube-controllers that influenced the RunningConfig. +- type: object +- runningConfig: +- description: RunningConfig contains the effective config that is running +- in the kube-controllers pod, after merging the API resource with +- any environment variables. +- properties: +- controllers: +- description: Controllers enables and configures individual Kubernetes +- controllers +- properties: +- namespace: +- description: Namespace enables and configures the namespace +- controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- node: +- description: Node enables and configures the node controller. 
+- Enabled by default, set to nil to disable. +- properties: +- hostEndpoint: +- description: HostEndpoint controls syncing nodes to host +- endpoints. Disabled by default, set to nil to disable. +- properties: +- autoCreate: +- description: 'AutoCreate enables automatic creation +- of host endpoints for every node. [Default: Disabled]' +- type: string +- type: object +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- syncLabels: +- description: 'SyncLabels controls whether to copy Kubernetes +- node labels to Calico nodes. [Default: Enabled]' +- type: string +- type: object +- policy: +- description: Policy enables and configures the policy controller. +- Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- serviceAccount: +- description: ServiceAccount enables and configures the service +- account controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- workloadEndpoint: +- description: WorkloadEndpoint enables and configures the workload +- endpoint controller. Enabled by default, set to nil to disable. +- properties: +- reconcilerPeriod: +- description: 'ReconcilerPeriod is the period to perform +- reconciliation with the Calico datastore. [Default: +- 5m]' +- type: string +- type: object +- type: object +- etcdV3CompactionPeriod: +- description: 'EtcdV3CompactionPeriod is the period between etcdv3 +- compaction requests. Set to 0 to disable. 
[Default: 10m]' +- type: string +- healthChecks: +- description: 'HealthChecks enables or disables support for health +- checks [Default: Enabled]' +- type: string +- logSeverityScreen: +- description: 'LogSeverityScreen is the log severity above which +- logs are sent to the stdout. [Default: Info]' +- type: string +- required: +- - controllers +- type: object +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networkpolicies.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkPolicy +- listKind: NetworkPolicyList +- plural: networkpolicies +- singular: networkpolicy +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- properties: +- egress: +- description: The ordered set of egress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. 
Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. 
Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." 
+- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. 
This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. +- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). 
\n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. 
See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. 
+- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. +- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- ingress: +- description: The ordered set of ingress rules. Each rule contains +- a set of packet match criteria and a corresponding action to apply. +- items: +- description: "A Rule encapsulates a set of match criteria and an +- action. Both selector-based security Policy and security Profiles +- reference rules - separated out as a list of rules for both ingress +- and egress packet matching. \n Each positive match criteria has +- a negated version, prefixed with ”Not”. All the match criteria +- within a rule must be satisfied for a packet to match. A single +- rule can contain the positive and negative version of a match +- and both must be satisfied for the rule to match." +- properties: +- action: +- type: string +- destination: +- description: Destination contains the match criteria that apply +- to destination entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. 
\n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- http: +- description: HTTP contains match criteria that apply to HTTP +- requests. +- properties: +- methods: +- description: Methods is an optional field that restricts +- the rule to apply only to HTTP requests that use one of +- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple +- methods are OR'd together. +- items: +- type: string +- type: array +- paths: +- description: 'Paths is an optional field that restricts +- the rule to apply to HTTP requests that use one of the +- listed HTTP Paths. Multiple paths are OR''d together. +- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may +- ONLY specify either a `exact` or a `prefix` match. The +- validator will check for it.' +- items: +- description: 'HTTPPath specifies an HTTP path to match. +- It may be either of the form: exact: : which matches +- the path exactly or prefix: : which matches +- the path prefix' +- properties: +- exact: +- type: string +- prefix: +- type: string +- type: object +- type: array +- type: object +- icmp: +- description: ICMP is an optional field that restricts the rule +- to apply to a specific type and code of ICMP traffic. This +- should only be specified if the Protocol field is set to "ICMP" +- or "ICMPv6". +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- ipVersion: +- description: IPVersion is an optional field that restricts the +- rule to only match a specific IP version. 
+- type: integer +- metadata: +- description: Metadata contains additional information for this +- rule +- properties: +- annotations: +- additionalProperties: +- type: string +- description: Annotations is a set of key value pairs that +- give extra information about the rule +- type: object +- type: object +- notICMP: +- description: NotICMP is the negated version of the ICMP field. +- properties: +- code: +- description: Match on a specific ICMP code. If specified, +- the Type value must also be specified. This is a technical +- limitation imposed by the kernel’s iptables firewall, +- which Calico uses to enforce the rule. +- type: integer +- type: +- description: Match on a specific ICMP type. For example +- a value of 8 refers to ICMP Echo Request (i.e. pings). +- type: integer +- type: object +- notProtocol: +- anyOf: +- - type: integer +- - type: string +- description: NotProtocol is the negated version of the Protocol +- field. +- pattern: ^.* +- x-kubernetes-int-or-string: true +- protocol: +- anyOf: +- - type: integer +- - type: string +- description: "Protocol is an optional field that restricts the +- rule to only apply to traffic of a specific IP protocol. Required +- if any of the EntityRules contain Ports (because ports only +- apply to certain protocols). \n Must be one of these string +- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", +- \"UDPLite\" or an integer in the range 1-255." +- pattern: ^.* +- x-kubernetes-int-or-string: true +- source: +- description: Source contains the match criteria that apply to +- source entity. +- properties: +- namespaceSelector: +- description: "NamespaceSelector is an optional field that +- contains a selector expression. Only traffic that originates +- from (or terminates at) endpoints within the selected +- namespaces will be matched. 
When both NamespaceSelector +- and Selector are defined on the same rule, then only workload +- endpoints that are matched by both selectors will be selected +- by the rule. \n For NetworkPolicy, an empty NamespaceSelector +- implies that the Selector is limited to selecting only +- workload endpoints in the same namespace as the NetworkPolicy. +- \n For NetworkPolicy, `global()` NamespaceSelector implies +- that the Selector is limited to selecting only GlobalNetworkSet +- or HostEndpoint. \n For GlobalNetworkPolicy, an empty +- NamespaceSelector implies the Selector applies to workload +- endpoints across all namespaces." +- type: string +- nets: +- description: Nets is an optional field that restricts the +- rule to only apply to traffic that originates from (or +- terminates at) IP addresses in any of the given subnets. +- items: +- type: string +- type: array +- notNets: +- description: NotNets is the negated version of the Nets +- field. +- items: +- type: string +- type: array +- notPorts: +- description: NotPorts is the negated version of the Ports +- field. Since only some protocols have ports, if any ports +- are specified it requires the Protocol match in the Rule +- to be set to "TCP" or "UDP". +- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- notSelector: +- description: NotSelector is the negated version of the Selector +- field. See Selector field for subtleties with negated +- selectors. +- type: string +- ports: +- description: "Ports is an optional field that restricts +- the rule to only apply to traffic that has a source (destination) +- port that matches one of these ranges/values. This value +- is a list of integers or strings that represent ranges +- of ports. \n Since only some protocols have ports, if +- any ports are specified it requires the Protocol match +- in the Rule to be set to \"TCP\" or \"UDP\"." 
+- items: +- anyOf: +- - type: integer +- - type: string +- pattern: ^.* +- x-kubernetes-int-or-string: true +- type: array +- selector: +- description: "Selector is an optional field that contains +- a selector expression (see Policy for sample syntax). +- \ Only traffic that originates from (terminates at) endpoints +- matching the selector will be matched. \n Note that: in +- addition to the negated version of the Selector (see NotSelector +- below), the selector expression syntax itself supports +- negation. The two types of negation are subtly different. +- One negates the set of matched endpoints, the other negates +- the whole match: \n \tSelector = \"!has(my_label)\" matches +- packets that are from other Calico-controlled \tendpoints +- that do not have the label “my_label”. \n \tNotSelector +- = \"has(my_label)\" matches packets that are not from +- Calico-controlled \tendpoints that do have the label “my_label”. +- \n The effect is that the latter will accept packets from +- non-Calico sources whereas the former is limited to packets +- from Calico-controlled endpoints." +- type: string +- serviceAccounts: +- description: ServiceAccounts is an optional field that restricts +- the rule to only apply to traffic that originates from +- (or terminates at) a pod running as a matching service +- account. +- properties: +- names: +- description: Names is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account whose name is in the list. +- items: +- type: string +- type: array +- selector: +- description: Selector is an optional field that restricts +- the rule to only apply to traffic that originates +- from (or terminates at) a pod running as a service +- account that matches the given label selector. If +- both Names and Selector are specified then they are +- AND'ed. 
+- type: string +- type: object +- type: object +- required: +- - action +- type: object +- type: array +- order: +- description: Order is an optional field that specifies the order in +- which the policy is applied. Policies with higher "order" are applied +- after those with lower order. If the order is omitted, it may be +- considered to be "infinite" - i.e. the policy will be applied last. Policies +- with identical order will be applied in alphanumerical order based +- on the Policy "Name". +- type: number +- selector: +- description: "The selector is an expression used to pick pick out +- the endpoints that the policy should be applied to. \n Selector +- expressions follow this syntax: \n \tlabel == \"string_literal\" +- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" +- \ -> not equal; also matches if label is not present \tlabel in +- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is +- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", +- ... } -> true if the value of label X is not one of \"a\", \"b\", +- \"c\" \thas(label_name) -> True if that label is present \t! expr +- -> negation of expr \texpr && expr -> Short-circuit and \texpr +- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() +- or the empty selector -> matches all endpoints. \n Label names are +- allowed to contain alphanumerics, -, _ and /. String literals are +- more permissive but they do not support escape characters. \n Examples +- (with made-up labels): \n \ttype == \"webserver\" && deployment +- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != +- \"dev\" \t! has(label_name)" +- type: string +- serviceAccountSelector: +- description: ServiceAccountSelector is an optional field for an expression +- used to select a pod based on service accounts. +- type: string +- types: +- description: "Types indicates whether this policy applies to ingress, +- or to egress, or to both. 
When not explicitly specified (and so +- the value on creation is empty or nil), Calico defaults Types according +- to what Ingress and Egress are present in the policy. The default +- is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including +- the case where there are also no Ingress rules) \n - [ PolicyTypeEgress +- ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, +- PolicyTypeEgress ], if there are both Ingress and Egress rules. +- \n When the policy is read back again, Types will always be one +- of these values, never empty or nil." +- items: +- description: PolicyType enumerates the possible values of the PolicySpec +- Types field. +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +- +---- +-apiVersion: apiextensions.k8s.io/v1 +-kind: CustomResourceDefinition +-metadata: +- annotations: +- controller-gen.kubebuilder.io/version: (devel) +- creationTimestamp: null +- name: networksets.crd.projectcalico.org +-spec: +- group: crd.projectcalico.org +- names: +- kind: NetworkSet +- listKind: NetworkSetList +- plural: networksets +- singular: networkset +- scope: Namespaced +- versions: +- - name: v1 +- schema: +- openAPIV3Schema: +- description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. +- properties: +- apiVersion: +- description: 'APIVersion defines the versioned schema of this representation +- of an object. Servers should convert recognized schemas to the latest +- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' +- type: string +- kind: +- description: 'Kind is a string value representing the REST resource this +- object represents. Servers may infer this from the endpoint the client +- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' +- type: string +- metadata: +- type: object +- spec: +- description: NetworkSetSpec contains the specification for a NetworkSet +- resource. +- properties: +- nets: +- description: The list of IP networks that belong to this set. +- items: +- type: string +- type: array +- type: object +- type: object +- served: true +- storage: true +-status: +- acceptedNames: +- kind: "" +- plural: "" +- conditions: [] +- storedVersions: [] +- +---- +---- + # Source: calico/templates/calico-kube-controllers-rbac.yaml + + # Include a clusterrole for the kube-controllers component, +@@ -3563,38 +339,10 @@ + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: +- # This container performs upgrade from host-local IPAM to calico-ipam. +- # It can be deleted if this is a fresh installation, or if you have already +- # upgraded to use calico-ipam. +- - name: upgrade-ipam +- image: calico/cni:v3.16.5 +- command: ["/opt/cni/bin/calico-ipam", "-upgrade"] +- envFrom: +- - configMapRef: +- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. +- name: kubernetes-services-endpoint +- optional: true +- env: +- - name: KUBERNETES_NODE_NAME +- valueFrom: +- fieldRef: +- fieldPath: spec.nodeName +- - name: CALICO_NETWORKING_BACKEND +- valueFrom: +- configMapKeyRef: +- name: calico-config +- key: calico_backend +- volumeMounts: +- - mountPath: /var/lib/cni/networks +- name: host-local-net-dir +- - mountPath: /host/opt/cni/bin +- name: cni-bin-dir +- securityContext: +- privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. 
+ - name: install-cni +- image: calico/cni:v3.16.5 ++ image: calico/cni:{{ default .Chart.AppVersion .Values.image.tag }} + command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: +@@ -3635,7 +383,7 @@ + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver +- image: calico/pod2daemon-flexvol:v3.16.5 ++ image: calico/pod2daemon-flexvol:{{ default .Chart.AppVersion .Values.image.tag }} + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver +@@ -3646,7 +394,7 @@ + # container programs network policy and routes on each + # host. + - name: calico-node +- image: calico/node:v3.16.5 ++ image: calico/node:{{ default .Chart.AppVersion .Values.image.tag }} + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. +@@ -3672,7 +420,7 @@ + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE +- value: "k8s,bgp" ++ value: "k8s,kubeadm" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" +@@ -3702,7 +450,7 @@ + key: veth_mtu + # Disable AWS source-destination check on nodes. + - name: FELIX_AWSSRCDSTCHECK +- value: Disable ++ value: DoNothing + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. 
+@@ -3719,7 +467,15 @@ + value: "false" + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN +- value: "info" ++ value: "{{ .Values.loglevel }}" ++ - name: FELIX_LOGSEVERITYFILE ++ value: "{{ .Values.loglevel }}" ++ - name: FELIX_LOGSEVERITYSYS ++ value: "" ++ - name: FELIX_PROMETHEUSGOMETRICSENABLED ++ value: "{{ .Values.prometheus }}" ++ - name: FELIX_PROMETHEUSMETRICSENABLED ++ value: "{{ .Values.prometheus }}" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: +@@ -3840,6 +596,7 @@ + spec: + nodeSelector: + kubernetes.io/os: linux ++ node-role.kubernetes.io/master: "" + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly +@@ -3850,7 +607,7 @@ + priorityClassName: system-cluster-critical + containers: + - name: calico-kube-controllers +- image: calico/kube-controllers:v3.16.5 ++ image: calico/kube-controllers:{{ default .Chart.AppVersion .Values.image.tag }} + env: + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS diff --git a/charts/kubezero-calico/crds/crds.yaml b/charts/kubezero-calico/crds/crds.yaml index da6def4..afb8ee3 100644 --- a/charts/kubezero-calico/crds/crds.yaml +++ b/charts/kubezero-calico/crds/crds.yaml @@ -1,3 +1,4 @@ +--- # Source: calico/templates/kdd-crds.yaml 
@@ -192,6 +193,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` @@ -396,6 +420,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: diff --git a/charts/kubezero-calico/templates/crds.yaml b/charts/kubezero-calico/templates/crds.yaml deleted file mode 100644 index 45ab72d..0000000 --- a/charts/kubezero-calico/templates/crds.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -{{- if .Values.installCRDs }} -{{- range $path, $_ := .Files.Glob "crds/*.yaml" }} -{{ $.Files.Get $path }} ---- -{{- end }} -{{- end }} diff --git a/charts/kubezero-calico/values.yaml b/charts/kubezero-calico/values.yaml index 04a2979..281caa3 100644 --- a/charts/kubezero-calico/values.yaml +++ b/charts/kubezero-calico/values.yaml @@ -1,5 +1,3 @@ -installCRDs: false - image: tag: "" diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index 9096c45..518d68e 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-cert-manager description: KubeZero Umbrella Chart for cert-manager type: application -version: 0.4.0 +version: 0.4.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: cert-manager - version: 1.0.3 + version: 1.0.4 repository: https://charts.jetstack.io + condition: cert-manager.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index a600e3f..2559b10 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -1,6 +1,6 @@ # kubezero-cert-manager -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager 
@@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | 1.0.3 | +| https://charts.jetstack.io | cert-manager | 1.0.4 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## AWS - IAM Role @@ -38,10 +38,10 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.enabled | bool | `true` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | -| cert-manager.installCRDs | bool | `true` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | @@ -51,5 +51,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | clusterIssuer | object | `{}` | | -| localCA.enabled | bool | `true` | | +| localCA.enabled | bool | `false` | | | localCA.selfsigning | bool | `true` | | diff --git a/charts/kubezero-cert-manager/templates/cluster-ca.yaml b/charts/kubezero-cert-manager/templates/cluster-ca.yaml index bd2f45a..0188959 100644 --- a/charts/kubezero-cert-manager/templates/cluster-ca.yaml 
+++ b/charts/kubezero-cert-manager/templates/cluster-ca.yaml @@ -3,11 +3,11 @@ # KubeZero / Local cluster CA # The resources are serialized via waves in Argo -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer metadata: name: kubezero-selfsigning-issuer - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: @@ -15,11 +15,11 @@ metadata: spec: selfSigned: {} --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kubezero-local-ca - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: @@ -30,6 +30,7 @@ spec: isCA: true issuerRef: name: kubezero-selfsigning-issuer + kind: ClusterIssuer usages: - "any" --- @@ -39,7 +40,7 @@ apiVersion: v1 kind: Secret metadata: name: kubezero-ca-tls - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} data: @@ -48,11 +49,11 @@ data: --- {{- end }} -apiVersion: cert-manager.io/v1alpha2 -kind: Issuer +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer metadata: name: kubezero-local-ca-issuer - namespace: kube-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} annotations: diff --git a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml index 4861733..f7280fc 100644 --- a/charts/kubezero-cert-manager/templates/cluster-issuer.yaml +++ b/charts/kubezero-cert-manager/templates/cluster-issuer.yaml @@ -1,5 +1,5 @@ {{- if .Values.clusterIssuer.name }} -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: {{ .Values.clusterIssuer.name }} 
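Review bot: `namespace: {{ .Release.Namespace }}` is kept on `kubezero-selfsigning-issuer` and `kubezero-local-ca-issuer` even though both are changed to the cluster-scoped `ClusterIssuer` kind, where the field is meaningless and is dropped by the API server (or flagged by kubectl) — delete the two `namespace:` lines on the ClusterIssuers and keep it only on the Certificate and Secret. More importantly, a ClusterIssuer resolves any Secret it references in cert-manager's cluster-resource namespace (the `--cluster-resource-namespace` flag, defaulting to the namespace cert-manager runs in), not in `{{ .Release.Namespace }}` where `kubezero-ca-tls` is created here; the spec of `kubezero-local-ca-issuer` is outside the hunk, but if it points at that secret the chart only works when released into cert-manager's own namespace, which deserves a comment such as `# NOTE: ClusterIssuer secrets are looked up in cert-manager's --cluster-resource-namespace; release this chart there.` Promoting the local CA from a namespaced Issuer to a ClusterIssuer also lets a Certificate in any namespace obtain certificates signed by the cluster CA for arbitrary names, so document that or constrain it with policy if workloads trust this CA. The `# The resources are serialized via waves in Argo` comment above the first change is stale for an argoless bootstrap.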
diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index c415290..9a7bade 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml @@ -17,34 +17,45 @@ localCA: # crt: cert-manager: - installCRDs: true + enabled: true + + global: + leaderElection: + namespace: "cert-manager" + + podAnnotations: {} + # iam.amazonaws.com/role: "" + tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + ingressShim: defaultIssuerName: letsencrypt-dns-prod defaultIssuerKind: ClusterIssuer + webhook: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + cainjector: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + extraArgs: - "--dns01-recursive-nameservers-only" # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # - --enable-certificate-owner-ref=true + prometheus: servicemonitor: enabled: false # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" - podAnnotations: {} - # iam.amazonaws.com/role: "" diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 3857a76..c88751d 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.3.4 -appVersion: 1.7.3 +version: 0.4.0 +appVersion: 1.7.4 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index bdde239..3fd2b38 100644 --- a/charts/kubezero-istio/README.md 
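Review bot: Dropping `installCRDs: true` from the `cert-manager:` values means the jetstack subchart no longer renders its CRDs, and nothing in this hunk replaces that, so a fresh cluster will reject the chart's `Certificate`/`ClusterIssuer` objects unless the CRDs arrive by another path (the rest of the commit may vendor them, but that is not visible here). If they are meant to come from a `crds/` directory, note that Helm applies that directory only on `helm install`, never on upgrade, and `helm template` skips it unless `--include-crds` is passed. I would record the decision next to the removed key, e.g. `# CRDs are not installed by the subchart; they are applied separately (helm template needs --include-crds)`. The hard-coded `global.leaderElection.namespace: "cert-manager"` also pins the chart to that release namespace while `{{ .Release.Namespace }}` is used elsewhere in this chart, which is fine but worth a one-line comment.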
+++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.4](https://img.shields.io/badge/AppVersion-1.7.4-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -34,10 +34,11 @@ Kubernetes: `>= 1.16.0` | ingress.dnsNames[0] | string | `"*"` | | | ingress.private.enabled | bool | `true` | | | ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | | +| ingress.public.enabled | bool | `true` | | | ingress.replicaCount | int | `2` | | | ingress.type | string | `"NodePort"` | | | istio-operator.hub | string | `"docker.io/istio"` | | -| istio-operator.tag | string | `"1.7.3"` | | +| istio-operator.tag | string | `"1.7.4"` | | | istiod.autoscaleEnabled | bool | `false` | | | istiod.replicaCount | int | `1` | | diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml index bdbd5bd..ef92c5e 100644 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml @@ -99,6 +99,7 @@ rules: - events - namespaces - pods + - pods/proxy - persistentvolumeclaims - secrets - services diff --git a/charts/kubezero-istio/templates/istio-base.yaml b/charts/kubezero-istio/crds/crd-all.gen.yaml similarity index 97% rename from charts/kubezero-istio/templates/istio-base.yaml rename to charts/kubezero-istio/crds/crd-all.gen.yaml index 64e4f02..be68f83 100644 
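Review bot: Adding `pods/proxy` to the istio-operator ClusterRole's resource list grants the operator service account API-server-proxied HTTP/TCP access to every pod in every namespace, a well-known RBAC escalation primitive; the rule's `verbs:` are outside the hunk, so I cannot tell whether this is `get`-only or the blanket verb set that already covers `secrets` in the same rule. Confirm the operator actually needs it (the upstream istio-operator manifest is the reference) and, if so, move it into its own rule with the minimum verbs instead of sharing a rule with `secrets`, e.g. a separate `- apiGroups: [""]` / `resources: ["pods/proxy"]` / `verbs: ["get"]` entry. A comment on the added line stating why it is required, e.g. `# pods/proxy: required by the operator for <reason>; proxied access to all pods, keep verbs minimal`, would spare the next reviewer the same question. The enclosing rule starts before the hunk.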
--- a/charts/kubezero-istio/templates/istio-base.yaml +++ b/charts/kubezero-istio/crds/crd-all.gen.yaml @@ -1,66 +1,25 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: "helm.sh/resource-policy": keep labels: - app: mixer + app: istio-mixer chart: istio heritage: Tiller - istio: core - package: istio.io.mixer release: istio - name: attributemanifests.config.istio.io + name: httpapispecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - - policy-istio-io - kind: attributemanifest - listKind: attributemanifestList - plural: attributemanifests - singular: attributemanifest + - apim-istio-io + kind: HTTPAPISpec + listKind: HTTPAPISpecList + plural: httpapispecs + singular: httpapispec scope: Namespaced versions: - name: v1alpha2 
@@ -68,45 +27,239 @@ spec: openAPIV3Schema: properties: spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' properties: - attributes: - additionalProperties: + api_keys: + items: + oneOf: + - not: + anyOf: + - required: + - query + - required: + - header + - required: + - cookie + - required: + - query + - required: + - header + - required: + - cookie properties: - description: - description: A human-readable description of the attribute's - purpose. + cookie: format: string type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. + format: string type: string type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. + type: array + apiKeys: + items: + oneOf: + - not: + anyOf: + - required: + - query + - required: + - header + - required: + - cookie + - required: + - query + - required: + - header + - required: + - cookie + properties: + cookie: + format: string + type: string + header: + description: API key is sent in a request header. + format: string + type: string + query: + description: API Key is sent as a query parameter. 
+ format: string + type: string + type: object + type: array + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. - format: string - type: string + patterns: + description: List of HTTP patterns to match. 
+ items: + oneOf: + - not: + anyOf: + - required: + - uriTemplate + - required: + - regex + - required: + - uriTemplate + - required: + - regex + properties: + attributes: + properties: + attributes: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + - required: + - stringValue + - required: + - int64Value + - required: + - doubleValue + - required: + - boolValue + - required: + - bytesValue + - required: + - timestampValue + - required: + - durationValue + - required: + - stringMapValue + properties: + boolValue: + type: boolean + bytesValue: + format: binary + type: string + doubleValue: + format: double + type: number + durationValue: + type: string + int64Value: + format: int64 + type: integer + stringMapValue: + properties: + entries: + additionalProperties: + format: string + type: string + description: Holds a set of name/value pairs. + type: object + type: object + stringValue: + format: string + type: string + timestampValue: + format: dateTime + type: string + type: object + description: A map of attribute name to its value. + type: object + type: object + httpMethod: + format: string + type: string + regex: + format: string + type: string + uriTemplate: + format: string + type: string + type: object + type: array type: object status: type: object @@ -116,6 +269,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -123,192 +277,85 @@ metadata: annotations: "helm.sh/resource-policy": keep labels: - app: istio-pilot + app: istio-mixer chart: istio heritage: Tiller - istio: security release: istio - name: authorizationpolicies.security.istio.io + name: httpapispecbindings.config.istio.io spec: - group: security.istio.io + group: config.istio.io names: categories: - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy + - apim-istio-io + kind: HTTPAPISpecBinding + listKind: HTTPAPISpecBindingList + plural: httpapispecbindings + singular: httpapispecbinding scope: Namespaced versions: - - name: v1beta1 + - name: v1alpha2 schema: openAPIV3Schema: properties: spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - type: string - rules: - description: Optional. + api_specs: items: properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: + name: + description: The short name of the HTTPAPISpec. format: string type: string - type: object - type: object + namespace: + description: Optional namespace of the HTTPAPISpec. + format: string + type: string + type: object + type: array + apiSpecs: + items: + properties: + name: + description: The short name of the HTTPAPISpec. + format: string + type: string + namespace: + description: Optional namespace of the HTTPAPISpec. 
+ format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed HTTPAPISpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. + format: string + type: string + type: object + type: array type: object status: type: object 
@@ -318,6 +365,186 @@ spec: storage: true subresources: status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpec + listKind: QuotaSpecList + plural: quotaspecs + singular: quotaspec + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: Determines the quotas used for individual requests. + properties: + rules: + description: A list of Quota rules. + items: + properties: + match: + description: If empty, match all request. + items: + properties: + clause: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Map of attribute names to StringMatch type. + type: object + type: object + type: array + quotas: + description: The list of quotas to charge. 
+ items: + properties: + charge: + format: int32 + type: integer + quota: + format: string + type: string + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - apim-istio-io + kind: QuotaSpecBinding + listKind: QuotaSpecBindingList + plural: quotaspecbindings + singular: quotaspecbinding + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + properties: + quotaSpecs: + items: + properties: + name: + description: The short name of the QuotaSpec. + format: string + type: string + namespace: + description: Optional namespace of the QuotaSpec. + format: string + type: string + type: object + type: array + services: + description: One or more services to map the listed QuotaSpec onto. + items: + properties: + domain: + description: Domain suffix used to construct the service FQDN + in implementations that support such specification. + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: Optional one or more labels that uniquely identify + the service version. + type: object + name: + description: The short name of the service such as "foo". + format: string + type: string + namespace: + description: Optional namespace of the service. + format: string + type: string + service: + description: The service FQDN. 
+ format: string + type: string + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2622,6 +2849,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2859,6 +3087,7 @@ spec: storage: true subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -3147,1171 +3376,7 @@ spec: storage: false subresources: status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-handler - package: handler - release: istio - name: handlers.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: handler - listKind: handlerList - plural: handlers - singular: handler - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Handler allows the operator to configure a specific adapter - implementation. - properties: - adapter: - description: The name of a specific adapter implementation. - format: string - type: string - compiledAdapter: - description: The name of the compiled in adapter this handler instantiates. - format: string - type: string - connection: - description: Information on how to connect to the out-of-process adapter. - properties: - address: - description: The address of the backend. - format: string - type: string - authentication: - description: Auth config for the connection to the backend. 
- oneOf: - - not: - anyOf: - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - properties: - mutual: - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: The path to the file holding client certificate - for mutual TLS. - format: string - type: string - privateKey: - description: The path to the file holding the private - key for mutual TLS. - format: string - type: string - serverName: - description: Used to configure mixer mutual TLS client - to supply server name for SNI. - format: string - type: string - type: object - tls: - properties: - authHeader: - description: Access token is passed as authorization header. - enum: - - PLAIN - - BEARER - type: string - caCertificates: - format: string - type: string - customHeader: - description: Customized header key to hold access token, - e.g. - format: string - type: string - oauth: - description: Oauth config to fetch access token from auth - provider. - properties: - clientId: - description: OAuth client id for mixer. - format: string - type: string - clientSecret: - description: The path to the file holding the client - secret for oauth. 
- format: string - type: string - endpointParams: - additionalProperties: - format: string - type: string - description: Additional parameters for requests to - the token endpoint. - type: object - scopes: - description: List of requested permissions. - items: - format: string - type: string - type: array - tokenUrl: - description: The Resource server's token endpoint - URL. - format: string - type: string - type: object - serverName: - format: string - type: string - tokenPath: - format: string - type: string - type: object - type: object - timeout: - description: Timeout for remote calls to the backend. - type: string - type: object - name: - description: Must be unique in the entire Mixer configuration. - format: string - type: string - params: - description: Depends on adapter implementation. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - listKind: HTTPAPISpecBindingList - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. 
- format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - listKind: HTTPAPISpecList - plural: httpapispecs - singular: httpapispec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. 
- format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. 
- items: - oneOf: - - not: - anyOf: - - required: - - uriTemplate - - required: - - regex - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. 
- type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-instance - package: instance - release: istio - name: instances.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: instance - listKind: instanceList - plural: instances - singular: instance - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: An Instance tells Mixer how to create instances for particular - template. - properties: - attributeBindings: - additionalProperties: - format: string - type: string - type: object - compiledTemplate: - description: The name of the compiled in template this instance creates - instances for. - format: string - type: string - name: - format: string - type: string - params: - description: Depends on referenced template. - type: object - x-kubernetes-preserve-unknown-fields: true - template: - description: The name of the template this instance creates instances - for. 
- format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - listKind: QuotaSpecBindingList - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. 
- format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - listKind: QuotaSpecList - plural: quotaspecs - singular: quotaspec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. 
- items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. 
- format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - listKind: ruleList - plural: rules - singular: rule - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. 
- format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the - unsampled limit has been reached. 
- format: int64 - type: integer - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4608,6 +3673,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -4878,46 +3944,7 @@ spec: storage: false subresources: status: {} ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5479,7 +4506,8 @@ spec: description: Retry policy for HTTP requests. properties: attempts: - description: Number of retries for a given request. + description: Number of retries to be allowed for a given + request. format: int32 type: integer perTryTimeout: @@ -6271,7 +5299,8 @@ spec: description: Retry policy for HTTP requests. properties: attempts: - description: Number of retries for a given request. + description: Number of retries to be allowed for a given + request. format: int32 type: integer perTryTimeout: @@ -6528,6 +5557,7 @@ spec: storage: false subresources: status: {} + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -6668,225 +5698,915 @@ spec: storage: false subresources: status: {} + --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-service-account - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer release: istio + name: attributemanifests.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: attributemanifest + listKind: attributemanifestList + plural: attributemanifests + singular: attributemanifest + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + attributes: + additionalProperties: + properties: + description: + description: A human-readable description of the attribute's + purpose. + format: string + type: string + valueType: + description: The type of data carried by this attribute. + enum: + - VALUE_TYPE_UNSPECIFIED + - STRING + - INT64 + - DOUBLE + - BOOL + - TIMESTAMP + - IP_ADDRESS + - EMAIL_ADDRESS + - URI + - DNS_NAME + - DURATION + - STRING_MAP + type: string + type: object + description: The set of attributes this Istio component will be responsible + for producing at runtime. + type: object + name: + description: Name of the component producing these attributes. + format: string + type: string + revision: + description: The revision of this document. 
+ format: string + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-service-account - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istiod + app: mixer + chart: istio + heritage: Tiller + istio: mixer-handler + package: handler release: istio + name: handlers.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: handler + listKind: handlerList + plural: handlers + singular: handler + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: Handler allows the operator to configure a specific adapter + implementation. + properties: + adapter: + description: The name of a specific adapter implementation. + format: string + type: string + compiledAdapter: + description: The name of the compiled in adapter this handler instantiates. + format: string + type: string + connection: + description: Information on how to connect to the out-of-process adapter. + properties: + address: + description: The address of the backend. + format: string + type: string + authentication: + description: Auth config for the connection to the backend. 
+ oneOf: + - not: + anyOf: + - properties: + tls: + allOf: + - oneOf: + - not: + anyOf: + - required: + - tokenPath + - required: + - oauth + - required: + - tokenPath + - required: + - oauth + - oneOf: + - not: + anyOf: + - required: + - authHeader + - required: + - customHeader + - required: + - authHeader + - required: + - customHeader + required: + - tls + - required: + - mutual + - properties: + tls: + allOf: + - oneOf: + - not: + anyOf: + - required: + - tokenPath + - required: + - oauth + - required: + - tokenPath + - required: + - oauth + - oneOf: + - not: + anyOf: + - required: + - authHeader + - required: + - customHeader + - required: + - authHeader + - required: + - customHeader + required: + - tls + - required: + - mutual + properties: + mutual: + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: The path to the file holding client certificate + for mutual TLS. + format: string + type: string + privateKey: + description: The path to the file holding the private + key for mutual TLS. + format: string + type: string + serverName: + description: Used to configure mixer mutual TLS client + to supply server name for SNI. + format: string + type: string + type: object + tls: + properties: + authHeader: + description: Access token is passed as authorization header. + enum: + - PLAIN + - BEARER + type: string + caCertificates: + format: string + type: string + customHeader: + description: Customized header key to hold access token, + e.g. + format: string + type: string + oauth: + description: Oauth config to fetch access token from auth + provider. + properties: + clientId: + description: OAuth client id for mixer. + format: string + type: string + clientSecret: + description: The path to the file holding the client + secret for oauth. 
+ format: string + type: string + endpointParams: + additionalProperties: + format: string + type: string + description: Additional parameters for requests to + the token endpoint. + type: object + scopes: + description: List of requested permissions. + items: + format: string + type: string + type: array + tokenUrl: + description: The Resource server's token endpoint + URL. + format: string + type: string + type: object + serverName: + format: string + type: string + tokenPath: + format: string + type: string + type: object + type: object + timeout: + description: Timeout for remote calls to the backend. + type: string + type: object + name: + description: Must be unique in the entire Mixer configuration. + format: string + type: string + params: + description: Depends on adapter implementation. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: mixer + chart: istio + heritage: Tiller + istio: mixer-instance + package: instance release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] + name: instances.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: instance + listKind: instanceList + plural: instances + 
singular: instance + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: An Instance tells Mixer how to create instances for particular + template. + properties: + attributeBindings: + additionalProperties: + format: string + type: string + type: object + compiledTemplate: + description: The name of the compiled in template this instance creates + instances for. + format: string + type: string + name: + format: string + type: string + params: + description: Depends on referenced template. + type: object + x-kubernetes-preserve-unknown-fields: true + template: + description: The name of the template this instance creates instances + for. + format: string + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istiod + app: mixer + chart: istio + heritage: Tiller + istio: core + package: istio.io.mixer release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] + name: rules.config.istio.io +spec: + group: config.istio.io + names: + categories: + - istio-io + - policy-istio-io + kind: rule + listKind: ruleList + plural: rules + singular: rule + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes the rules used to configure Mixer''s policy and + telemetry features. 
See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' + properties: + actions: + description: The actions that will be executed when match evaluates + to `true`. + items: + properties: + handler: + description: Fully qualified name of the handler to invoke. + format: string + type: string + instances: + items: + format: string + type: string + type: array + name: + description: A handle to refer to the results of the action. + format: string + type: string + type: object + type: array + match: + description: Match is an attribute based predicate. + format: string + type: string + requestHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + responseHeaderOperations: + items: + properties: + name: + description: Header name literal value. + format: string + type: string + operation: + description: Header operation type. + enum: + - REPLACE + - REMOVE + - APPEND + type: string + values: + description: Header value expressions. + items: + format: string + type: string + type: array + type: object + type: array + sampling: + properties: + random: + description: Provides filtering of actions based on random selection + per request. + properties: + attributeExpression: + description: Specifies an attribute expression to use to override + the numerator in the `percent_sampled` field. + format: string + type: string + percentSampled: + description: The default sampling rate, expressed as a percentage. + properties: + denominator: + description: Specifies the denominator. + enum: + - HUNDRED + - TEN_THOUSAND + type: string + numerator: + description: Specifies the numerator. 
+ type: integer + type: object + useIndependentRandomness: + description: By default sampling will be based on the value + of the request header `x-request-id`. + type: boolean + type: object + rateLimit: + properties: + maxUnsampledEntries: + description: Number of entries to allow during the `sampling_duration` + before sampling is enforced. + format: int64 + type: integer + samplingDuration: + description: Window in which to enforce the sampling rate. + type: string + samplingRate: + description: The rate at which to sample entries once the + unsampled limit has been reached. + format: int64 + type: integer + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. 
- - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istio-reader-istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: istio-reader + app: istio-pilot + chart: istio + heritage: Tiller + istio: security release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: 
"/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - - security.istio.io - - authentication.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + type: string + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. 
+ items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: istiod-istio-system - namespace: istio-system + annotations: + "helm.sh/resource-policy": keep labels: - app: pilot + app: istio-pilot + chart: istio + heritage: Tiller + istio: security release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. 
+ type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. 
+ items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + --- diff --git a/charts/kubezero-istio/crds/crd-mixer.yaml b/charts/kubezero-istio/crds/crd-mixer.yaml new file mode 100644 index 0000000..eba26fa --- /dev/null +++ b/charts/kubezero-istio/crds/crd-mixer.yaml 
@@ -0,0 +1,82 @@ +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + status: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + properties: + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + status: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/crds/crd-operator.yaml b/charts/kubezero-istio/crds/crd-operator.yaml new file mode 100644 index 0000000..6ed970d --- /dev/null +++ b/charts/kubezero-istio/crds/crd-operator.yaml 
@@ -0,0 +1,74 @@ +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + type: string + name: Status + - jsonPath: .metadata.creationTimestamp + description: + "CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + spec: + description: + "Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + status: + description: + "Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- + diff --git a/charts/kubezero-istio/templates/envoyfilter.yaml b/charts/kubezero-istio/templates/envoyfilter.yaml index 3351376..ef12ebd 100644 --- a/charts/kubezero-istio/templates/envoyfilter.yaml +++ b/charts/kubezero-istio/templates/envoyfilter.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.public.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: @@ -30,6 +31,7 @@ spec: name: 5 int_value: 60 state: STATE_LISTENING +{{- end }} {{- if .Values.ingress.private.enabled }} --- diff --git a/charts/kubezero-istio/templates/ingress-certificate.yaml b/charts/kubezero-istio/templates/ingress-certificate.yaml index eab9e8c..b8a3277 100644 --- a/charts/kubezero-istio/templates/ingress-certificate.yaml +++ b/charts/kubezero-istio/templates/ingress-certificate.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress.dnsNames }} -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: public-ingress-cert diff --git a/charts/kubezero-istio/templates/ingress-gateway.yaml b/charts/kubezero-istio/templates/ingress-gateway.yaml index 66f447c..c2b64b6 100644 --- a/charts/kubezero-istio/templates/ingress-gateway.yaml 
+++ b/charts/kubezero-istio/templates/ingress-gateway.yaml @@ -1,4 +1,5 @@ -apiVersion: networking.istio.io/v1alpha3 +{{- if .Values.ingress.public.enabled }} +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: ingressgateway @@ -28,10 +29,10 @@ spec: privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt credentialName: public-ingress-cert - +{{- end }} {{- if .Values.ingress.private.enabled }} --- -apiVersion: networking.istio.io/v1alpha3 +apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: private-ingressgateway @@ -84,4 +85,16 @@ spec: privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt credentialName: public-ingress-cert + - port: + number: 6379 + name: redis + protocol: TCP + hosts: + {{- toYaml .Values.ingress.dnsNames | nindent 4 }} + - port: + number: 6380 + name: redis-1 + protocol: TCP + hosts: + {{- toYaml .Values.ingress.dnsNames | nindent 4 }} {{- end }} diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml index 6820900..634b58e 100644 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ b/charts/kubezero-istio/templates/istio-private-ingress.yaml @@ -120,6 +120,16 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 31672 {{- end }} + - name: redis + port: 6379 + {{- if eq .Values.ingress.type "NodePort" }} + nodePort: 31379 + {{- end }} + - name: redis-1 + port: 6380 + {{- if eq .Values.ingress.type "NodePort" }} + nodePort: 31380 + {{- end }} global: jwtPolicy: first-party-jwt diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml index c01c9e5..195eed9 100644 --- a/charts/kubezero-istio/templates/istio.yaml +++ b/charts/kubezero-istio/templates/istio.yaml 
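Review bot: The two servers appended to the private Gateway for ports 6379 and 6380 use `protocol: TCP` with no `tls` block, so Redis sessions through this gateway arrive in cleartext, and the `hosts` list rendered from `.Values.ingress.dnsNames` gives none of the per-host isolation it gives the HTTPS servers above (a raw TCP listener has no SNI or Host header to match on, so it mostly scopes which VirtualServices may bind). The companion hunk in istio-private-ingress.yaml maps the same ports to NodePorts 31379/31380, which puts those listeners on every node address when `ingress.type` is `NodePort`, so what reaches them is bounded only by the network in front of the gateway. If that is the intended trust boundary, say so next to the new servers, e.g. `# Redis: plain TCP, no TLS at the gateway - access is bounded by the private gateway's network placement`; otherwise `protocol: TLS` with `mode: PASSTHROUGH` (clients authenticate to Redis over TLS end to end) or an AuthorizationPolicy selecting the gateway workload would give an enforceable control. The Gateway spec this hunk extends begins outside the hunk.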
@@ -8,6 +8,9 @@ metadata: spec: profile: empty components: + base: + enabled: true + {{- if .Values.ingress.public.enabled }} ingressGateways: - enabled: true k8s:
@@ -62,6 +65,7 @@ spec: value: 90 name: istio-ingressgateway + {{- end }} pilot: enabled: true k8s:
@@ -102,6 +106,7 @@ spec: interval: 30s time: 60s values: + {{- if .Values.ingress.public.enabled }} gateways: istio-ingressgateway: autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
@@ -134,6 +139,7 @@ spec: {{- if eq .Values.ingress.type "NodePort" }} nodePort: 30443 {{- end }} + {{- end }} global: jwtPolicy: first-party-jwt logAsJson: true
diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh
index 3e1f876..0a5a153 100755
--- a/charts/kubezero-istio/update.sh
+++ b/charts/kubezero-istio/update.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -ex
 
-export ISTIO_VERSION=1.7.3
+export ISTIO_VERSION=1.7.4
 
 if [ ! -d istio-$ISTIO_VERSION ]; then
   NAME="istio-$ISTIO_VERSION"
@@ -10,17 +10,17 @@ if [ ! -d istio-$ISTIO_VERSION ]; then curl -sL "$URL" | tar xz fi -# Now lets extract what we need +# Get matching istioctl +[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } + +# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs +# Now lets extract istio-operator chart rm -rf charts/istio-operator cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts # Apply our patch patch -i istio-operator.patch -p0 -[ -x istioctl ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } - -# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs -./istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml - -# Remove double CRD -patch -i istio-base.patch -p3 +# Extract crds +rm -rf crds +cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds . diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 79fec8b..9f1658d 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -6,6 +6,8 @@ ingress: autoscaleEnabled: false replicaCount: 2 type: NodePort + public: + enabled: true private: enabled: true nodeSelector: "31080_31443_31671_31672_31224" @@ -13,5 +15,6 @@ ingress: - "*" istio-operator: + operatorNamespace: istio-system hub: docker.io/istio - tag: 1.7.3 + tag: 1.7.4 diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index ba2ddfc..8503fc5 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml 
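Review bot: The istioctl tarball fetched in the new `[ -x istioctl ] && ... || { curl -sL ... | tar xz; chmod +x istioctl; }` line is extracted straight off the network with no integrity check, and `curl -sL` without `-f` pipes an HTTP error body into tar, so a bad URL surfaces as a confusing tar error rather than a clear curl failure. Because this binary is then run to generate manifests that get committed, pin the expected SHA-256 of the release tarball next to `ISTIO_VERSION` and verify it before extracting; the rewrite below also quotes `$ISTIO_VERSION` in the comparison and turns the `&& ... ||` chain into an explicit `if`, which is what ShellCheck asks for. Separately, the moved comment `# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs` now sits directly above `# Now lets extract istio-operator chart` and describes the `istioctl manifest generate` step this commit deletes; the CRDs are now copied from `manifests/charts/base/crds`, so drop that comment or move it above `# Extract crds`.
```shell
# Get matching istioctl
# Pin the checksum of the release tarball alongside ISTIO_VERSION so a swapped artifact is rejected.
ISTIOCTL_SHA256="<pinned sha256 of the istioctl release tarball>"
if ! [ -x istioctl ] || [ "$(./istioctl version --remote=false)" != "$ISTIO_VERSION" ]; then
  curl -fsSL -o istioctl.tar.gz "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz"
  echo "${ISTIOCTL_SHA256}  istioctl.tar.gz" | sha256sum -c -
  tar xzf istioctl.tar.gz
  rm -f istioctl.tar.gz
  chmod +x istioctl
fi

# … unchanged: istio-operator chart copy and patch, crds copy …
```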
@@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.2.11 +version: 0.2.12 appVersion: 3.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kiam - version: 5.8.1 + version: 5.9.0 repository: https://uswitch.github.io/kiam-helm-charts/charts/ condition: kiam.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index 8366b57..a71327a 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md @@ -1,6 +1,6 @@ # kubezero-kiam -![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) +![Version: 0.2.12](https://img.shields.io/badge/Version-0.2.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square) KubeZero Umbrella Chart for Kiam @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 | +| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.9.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## KubeZero default configuration 
@@ -47,8 +47,8 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.gatewayTimeoutCreation | string | `"5s"` | | | kiam.agent.host.interface | string | `"cali+"` | | | kiam.agent.host.iptables | bool | `false` | | -| kiam.agent.image.tag | string | `"v3.6"` | | -| kiam.agent.log.level | string | `"warn"` | | +| kiam.agent.log.level | string | `"info"` | | +| kiam.agent.priorityClassName | string | `"system-node-critical"` | | | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | | @@ -69,9 +69,9 @@ By default all access to the meta-data service is blocked, expect for: | kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role | | kiam.server.deployment.enabled | bool | `true` | | | kiam.server.deployment.replicas | int | `1` | | -| kiam.server.image.tag | string | `"v3.6"` | | -| kiam.server.log.level | string | `"warn"` | | +| kiam.server.log.level | string | `"info"` | | | kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| kiam.server.priorityClassName | string | `"system-cluster-critical"` | | | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | | diff --git a/charts/kubezero-kiam/templates/certificates.yaml b/charts/kubezero-kiam/templates/certificates.yaml index c2a9775..9d4b21c 100644 --- a/charts/kubezero-kiam/templates/certificates.yaml +++ b/charts/kubezero-kiam/templates/certificates.yaml 
@@ -1,28 +1,32 @@ -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-agent + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-agent-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: - "kiam-agent" --- -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: kiam-server + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: secretName: kiam-server-tls issuerRef: name: kubezero-local-ca-issuer + kind: ClusterIssuer usages: - "any" dnsNames: diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index d09c24b..3c5b38d 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -3,8 +3,6 @@ annotateKubeSystemNameSpace: false kiam: enabled: true server: - image: - tag: "v3.6" # kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role assumeRoleArn: '' useHostNetwork: true @@ -33,6 +31,7 @@ kiam: effect: NoSchedule nodeSelector: node-role.kubernetes.io/master: "" + priorityClassName: system-cluster-critical prometheus: servicemonitor: enabled: false @@ -40,11 +39,9 @@ kiam: labels: release: metrics log: - level: warn + level: info agent: - image: - tag: "v3.6" gatewayTimeoutCreation: "5s" updateStrategy: RollingUpdate # IP tables set on each node at boot, see CloudBender @@ -68,6 +65,7 @@ kiam: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + priorityClassName: system-node-critical prometheus: servicemonitor: enabled: false @@ -75,7 +73,7 @@ kiam: labels: release: metrics log: - level: warn + level: info # extraEnv: # - name: GRPC_GO_LOG_SEVERITY_LEVEL # value: "info" 
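Review bot: Switching both `issuerRef` blocks to `kind: ClusterIssuer` makes the kiam certificates depend on a cluster-scoped issuer named `kubezero-local-ca-issuer` that nothing in this chart creates, and the added `namespace: {{ .Release.Namespace }}` only works as intended if that issuer really is cluster-scoped; if it is still a namespaced `Issuer` elsewhere, issuance stalls silently and the agent/server secrets never appear. Please document the dependency at the top of the template, e.g. `# Requires a ClusterIssuer named kubezero-local-ca-issuer to exist before this chart is installed`. Also, now that the resources are on `cert-manager.io/v1`, the untouched `usages: - "any"` is broader than agent/server TLS presumably needs; `server auth` and `client auth` would keep the local CA from minting general-purpose certificates.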
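Review bot: Dropping the explicit `image: tag: "v3.6"` for both `server` and `agent` (first and fourth hunks of values.yaml) means the kiam version actually deployed is now whatever the kiam 5.9.0 subchart defaults to, while Chart.yaml in this same patch still advertises `appVersion: 3.6`; if the subchart default differs, the advertised version is wrong and future subchart bumps change the running image implicitly. Either keep the pin or add `# image tag is inherited from the kiam subchart default; keep appVersion in Chart.yaml in sync` next to the `kiam:` block. The `log.level` change from `warn` to `info` on every agent and server is a visible operational change worth a line in the chart changelog.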
diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index a9431a9..d099831 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.4.1 -appVersion: 1.2.1 +version: 0.5.0 +appVersion: 1.3.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -18,6 +18,10 @@ dependencies: - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ + - name: eck-operator + version: 1.3.0 + repository: https://helm.elastic.co + condition: eck-operator.enabled - name: fluentd version: 2.5.1 repository: https://kubernetes-charts.storage.googleapis.com/ diff --git a/charts/kubezero-logging/eck/all-in-one.yaml b/charts/kubezero-logging/eck/all-in-one.yaml deleted file mode 100644 index e2a1574..0000000 --- a/charts/kubezero-logging/eck/all-in-one.yaml +++ /dev/null 
@@ -1,3008 +0,0 @@ ---- -# Source: crds/all-crds.yaml -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: apmservers.apm.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: APM version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - count: - description: Count of APM Server instances to deploy. 
- format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. 
- items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows APM agent central configuration - management in Kibana. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server pods. - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. 
- type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - health: - description: ApmServerHealth expresses the status of the Apm Server - instances. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking - to Kibana. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains - the secret token - type: string - service: - description: ExternalService is the name of the service the agents should - connect to. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: beats.beat.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: available - type: integer - - JSONPath: .status.expectedNodes - description: Expected nodes - name: expected - type: integer - - JSONPath: .spec.type - description: Beat type - name: type - type: string - - JSONPath: .spec.version - description: Beat version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, - `ConfigRef`] can be specified. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Beat configuration. Beat settings must be specified - as yaml, under a single "beat.yml" entry. At most one of [`Config`, - `ConfigRef`] can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: DaemonSet specifies the Beat should be deployed as a DaemonSet, - and allows providing its spec. Cannot be used along with `deployment`. - If both are absent a default for the Type is used. - properties: {} - type: object - deployment: - description: Deployment specifies the Beat should be deployed as a Deployment, - and allows providing its spec. Cannot be used along with `daemonSet`. - If both are absent a default for the Type is used. - properties: - replicas: - format: int32 - type: integer - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - image: - description: Image is the Beat Docker image to deploy. Version and Type - have to match the Beat in the image. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows automatic setup of dashboards - and visualizations. 
- properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes Secrets - containing sensitive configuration options for the Beat. Secrets data - can be then referenced in the Beat config using the Secret's keys - or as specified in `Entries` field of each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to Elasticsearch resource in a different namespace. Can only - be used if ECK is enforcing RBAC on references. - type: string - type: - description: Type is the type of the Beat to deploy (filebeat, metricbeat, - heartbeat, auditbeat, journalbeat, packetbeat, etc.). 
Any string can - be used, but well-known types will have the image field defaulted - and have the appropriate Elasticsearch roles created automatically. - It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Elasticsearch version - name: version - type: string - - JSONPath: .status.phase - name: phase - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Elasticsearch represents an 
Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - auth: - description: Auth contains user authentication and authorization security - settings for Elasticsearch. - properties: - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the - Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch - cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. 
- type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. 
- type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." 
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. 
More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. 
- properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. 
- maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) for - the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: VolumeClaimTemplates is a list of persistent volume - claims to be used by each Pod in this NodeSet. Every claim in - this list must have a matching volumeMount in one of the containers - defined in the PodTemplate. Items defined here take precedence - over any default claims added by the operator with the same - name. - items: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of - this representation of an object. Servers should convert - recognized schemas to the latest internal value, and may - reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST - resource this object represents. Servers may infer this - from the endpoint the client submits requests to. Cannot - be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Spec defines the desired characteristics of - a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the desired access - modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: This field requires the VolumeSnapshotDataSource - alpha feature gate to be enabled and currently VolumeSnapshot - is the only supported data source. If the provisioner - can support VolumeSnapshot data source, it will create - a new volume and data will be restored to the volume - at the same time. If the provisioner does not support - VolumeSnapshot data source, volume will not be created - and the failure will be reported as an event. In the - future, we plan to support more data source types - and the behavior of the provisioner may change. - properties: - apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Limits describes the maximum amount - of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". 
The - requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume - is required by the claim. Value of Filesystem is implied - when not included in claim spec. This is a beta feature. - type: string - volumeName: - description: VolumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - status: - description: 'Status represents the current information/status - of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the actual access - modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: Represents the actual resources of the - underlying volume. - type: object - conditions: - description: Current Condition of persistent volume - claim. If underlying persistent volume is being resized - then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contails - details about state of pvc - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned - from one status to another. - format: date-time - type: string - message: - description: Human-readable message indicating - details about last transition. 
- type: string - reason: - description: Unique, this should be a short, machine - understandable string that gives the reason - for condition's last transition. If it reports - "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - phase: - description: Phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: PodDisruptionBudget provides access to the default pod - disruption budget for the Elasticsearch cluster. The default budget - selects all cluster pods and sets `maxUnavailable` to 1. To disable, - set `PodDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: ObjectMeta is the metadata of the PDB. The name and - namespace provided here are managed by ECK and will be ignored. - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at most "maxUnavailable" - pods selected by "selector" are unavailable after the eviction, - i.e. even in absence of the evicted pod. For example, one - can prevent all voluntary evictions by specifying 0. This - is a mutually exclusive setting with "minAvailable". - minAvailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at least "minAvailable" - pods selected by "selector" will still be available after - the eviction, i.e. even in the absence of the evicted pod. So - for example you can prevent all voluntary evictions by specifying - "100%". 
- selector: - description: Label query over pods whose evictions are managed - by the disruption budget. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: object - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional - connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster - connection. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch - cluster running within the same k8s cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, - defaults to the current namespace. 
- type: string - required: - - name - type: object - name: - description: Name is the name of the remote cluster as it is set - in the Elasticsearch settings. The name is expected to be unique - for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. a remote Elasticsearch cluster) in a different - namespace. Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. 
The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. 
- "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). 
This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when - applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: MaxSurge is the maximum number of new pods that - can be created exceeding the original number of pods defined - in the specification. MaxSurge is only taken into consideration - when scaling up. Setting a negative value will disable the - restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: MaxUnavailable is the maximum number of pods that - can be unavailable (not ready) during the update due to circumstances - under the control of the operator. Setting a negative value - will disable this restriction. Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Enterprise Search version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Enterprise Search configuration. Configuration - settings are merged and have precedence over settings specified in - `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. 
Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. 
- format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. 
- This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. 
The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. 
If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. 
- type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Enterprise Search - pods. - type: object - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: EnterpriseSearchHealth expresses the health of the Enterprise - Search instances. - type: string - service: - description: ExternalService is the name of the service associated to - the Enterprise Search Pods. 
- type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: kibanas.kibana.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Kibana version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. 
See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. 
A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. 
- type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. - type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -# Source: eck/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: elastic-system ---- -# Source: eck/templates/service-account.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/webhook.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "elastic-webhook-server-cert" - namespace: elastic-system ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-operator -rules: -- apiGroups: - - "authorization.k8s.io" - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resources: - - pods - - endpoints - - events - - persistentvolumeclaims - - secrets - - services - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - - daemonsets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - - elasticsearches/status - - 
elasticsearches/finalizers - - enterpriselicenses - - enterpriselicenses/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - - kibanas/status - - kibanas/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - - apmservers/status - - apmservers/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - - enterprisesearches/status - - enterprisesearches/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - - beats/status - - beats/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-view" - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["get", "list", "watch"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["get", "list", "watch"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: 
["get", "list", "watch"] ---- -# Source: eck/templates/cluster-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: "elastic-operator-edit" - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: ["elasticsearch.k8s.elastic.co"] - resources: ["elasticsearches"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["apm.k8s.elastic.co"] - resources: ["apmservers"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["kibana.k8s.elastic.co"] - resources: ["kibanas"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["enterprisesearch.k8s.elastic.co"] - resources: ["enterprisesearches"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] - - apiGroups: ["beat.k8s.elastic.co"] - resources: ["beats"] - verbs: ["create", "delete", "deletecollection", "patch", "update"] ---- -# Source: eck/templates/managed-ns-role-bindings.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: elastic-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/operator-role-binding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: elastic-operator - namespace: elastic-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -# Source: eck/templates/webhook.yaml -apiVersion: v1 -kind: Service -metadata: - name: elastic-webhook-server - namespace: elastic-system -spec: - ports: - - name: https - port: 443 - targetPort: 9443 - selector: - control-plane: elastic-operator ---- -# Source: 
eck/templates/statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: elastic-operator - namespace: elastic-system - labels: - control-plane: elastic-operator -spec: - selector: - matchLabels: - control-plane: elastic-operator - serviceName: elastic-operator - template: - metadata: - annotations: - # Rename the fields "error" to "error.message" and "source" to "event.source" - # This is to avoid a conflict with the ECS "error" and "source" documents. - "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]" - labels: - control-plane: elastic-operator - spec: - terminationGracePeriodSeconds: 10 - serviceAccountName: elastic-operator - containers: - - image: "docker.elastic.co/eck/eck-operator:1.2.1" - imagePullPolicy: IfNotPresent - name: manager - args: - - "manager" - - "--log-verbosity=0" - - "--metrics-port=0" - - "--container-registry=docker.elastic.co" - - "--max-concurrent-reconciles=3" - - "--ca-cert-validity=8760h" - - "--ca-cert-rotate-before=24h" - - "--cert-validity=8760h" - - "--cert-rotate-before=24h" - - "--enable-webhook" - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_IMAGE - value: "docker.elastic.co/eck/eck-operator:1.2.1" - - name: WEBHOOK_SECRET - value: "elastic-webhook-server-cert" - resources: - limits: - cpu: 1 - memory: 512Mi - requests: - cpu: 100m - memory: 150Mi - ports: - - 
containerPort: 9443 - name: https-webhook - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: "elastic-webhook-server-cert" ---- -# Source: eck/templates/webhook.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: elastic-webhook.k8s.elastic.co -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1beta1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-beat-k8s-elastic-co-v1beta1-beat - failurePolicy: Ignore - name: elastic-beat-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - beat.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - beats -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: 
elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1beta1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - kibanas - diff --git a/charts/kubezero-logging/eck/kustomization.yaml b/charts/kubezero-logging/eck/kustomization.yaml deleted file mode 100644 index 6adfff1..0000000 --- a/charts/kubezero-logging/eck/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -resources: -- all-in-one.yaml - -# map operator to controller nodes -patchesStrategicMerge: -- map-operator.yaml diff --git a/charts/kubezero-logging/eck/map-operator.yaml b/charts/kubezero-logging/eck/map-operator.yaml deleted file mode 100644 index e21c16f..0000000 --- a/charts/kubezero-logging/eck/map-operator.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: elastic-operator -spec: - template: - spec: - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule 
diff --git a/charts/kubezero-logging/eck/update.sh b/charts/kubezero-logging/eck/update.sh
deleted file mode 100755
index 7083513..0000000
--- a/charts/kubezero-logging/eck/update.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-ECK_VERSION=1.2.1
-
-curl -o all-in-one.yaml https://download.elastic.co/downloads/eck/${ECK_VERSION}/all-in-one.yaml
-
-kubectl kustomize . > ../templates/eck-operator.yaml
diff --git a/charts/kubezero-logging/templates/eck/eck-operator.yaml b/charts/kubezero-logging/templates/eck/eck-operator.yaml
deleted file mode 100644
index 366a36e..0000000
--- a/charts/kubezero-logging/templates/eck/eck-operator.yaml
+++ /dev/null
@@ -1,3059 +0,0 @@ -{{- if .Values.es.nodeSets }} -apiVersion: v1 -kind: Namespace -metadata: - name: elastic-system ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: apmservers.apm.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: APM version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. 
See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch - cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server - resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. 
The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. 
This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows APM agent central configuration - management in Kibana. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the APM Server pods. - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. 
- type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking - to Elasticsearch clusters. - type: string - health: - description: ApmServerHealth expresses the status of the Apm Server - instances. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking - to Kibana. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains - the secret token - type: string - service: - description: ExternalService is the name of the service the agents should - connect to. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: beats.beat.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: available - type: integer - - JSONPath: .status.expectedNodes - description: Expected nodes - name: expected - type: integer - - JSONPath: .spec.type - description: Beat type - name: type - type: string - - JSONPath: .spec.version - description: Beat version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, - `ConfigRef`] can be specified. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Beat configuration. Beat settings must be specified - as yaml, under a single "beat.yml" entry. At most one of [`Config`, - `ConfigRef`] can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: DaemonSet specifies the Beat should be deployed as a DaemonSet, - and allows providing its spec. Cannot be used along with `deployment`. - If both are absent a default for the Type is used. - type: object - deployment: - description: Deployment specifies the Beat should be deployed as a Deployment, - and allows providing its spec. Cannot be used along with `daemonSet`. - If both are absent a default for the Type is used. - properties: - replicas: - format: int32 - type: integer - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - image: - description: Image is the Beat Docker image to deploy. Version and Type - have to match the Beat in the image. - type: string - kibanaRef: - description: KibanaRef is a reference to a Kibana instance running in - the same Kubernetes cluster. It allows automatic setup of dashboards - and visualizations. 
- properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes Secrets - containing sensitive configuration options for the Beat. Secrets data - can be then referenced in the Beat config using the Secret's keys - or as specified in `Entries` field of each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to Elasticsearch resource in a different namespace. Can only - be used if ECK is enforcing RBAC on references. - type: string - type: - description: Type is the type of the Beat to deploy (filebeat, metricbeat, - heartbeat, auditbeat, journalbeat, packetbeat, etc.). 
Any string can - be used, but well-known types will have the image field defaulted - and have the appropriate Elasticsearch roles created automatically. - It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Elasticsearch version - name: version - type: string - - JSONPath: .status.phase - name: phase - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Elasticsearch represents an 
Elasticsearch resource in a Kubernetes - cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch - cluster. - properties: - auth: - description: Auth contains user authentication and authorization security - settings for Elasticsearch. - properties: - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the - Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch - cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. 
- type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. 
- type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." 
More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. 
More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. 
- properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes - sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch - nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the - Elasticsearch node.name setting. 
- maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, - annotations, affinity rules, resource requests, and so on) for - the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: VolumeClaimTemplates is a list of persistent volume - claims to be used by each Pod in this NodeSet. Every claim in - this list must have a matching volumeMount in one of the containers - defined in the PodTemplate. Items defined here take precedence - over any default claims added by the operator with the same - name. - items: - description: PersistentVolumeClaim is a user's request for and - claim to a persistent volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of - this representation of an object. Servers should convert - recognized schemas to the latest internal value, and may - reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST - resource this object represents. Servers may infer this - from the endpoint the client submits requests to. Cannot - be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Spec defines the desired characteristics of - a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the desired access - modes the volume should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - dataSource: - description: This field requires the VolumeSnapshotDataSource - alpha feature gate to be enabled and currently VolumeSnapshot - is the only supported data source. If the provisioner - can support VolumeSnapshot data source, it will create - a new volume and data will be restored to the volume - at the same time. If the provisioner does not support - VolumeSnapshot data source, volume will not be created - and the failure will be reported as an event. In the - future, we plan to support more data source types - and the behavior of the provisioner may change. - properties: - apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being - referenced - type: string - name: - description: Name is the name of resource being - referenced - type: string - required: - - kind - - name - type: object - resources: - description: 'Resources represents the minimum resources - the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Limits describes the maximum amount - of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - selector: - description: A label query over volumes to consider - for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". 
The - requirements are ANDed. - type: object - type: object - storageClassName: - description: 'Name of the StorageClass required by the - claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' - type: string - volumeMode: - description: volumeMode defines what type of volume - is required by the claim. Value of Filesystem is implied - when not included in claim spec. This is a beta feature. - type: string - volumeName: - description: VolumeName is the binding reference to - the PersistentVolume backing this claim. - type: string - type: object - status: - description: 'Status represents the current information/status - of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - accessModes: - description: 'AccessModes contains the actual access - modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' - items: - type: string - type: array - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - description: Represents the actual resources of the - underlying volume. - type: object - conditions: - description: Current Condition of persistent volume - claim. If underlying persistent volume is being resized - then the Condition will be set to 'ResizeStarted'. - items: - description: PersistentVolumeClaimCondition contails - details about state of pvc - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned - from one status to another. - format: date-time - type: string - message: - description: Human-readable message indicating - details about last transition. 
- type: string - reason: - description: Unique, this should be a short, machine - understandable string that gives the reason - for condition's last transition. If it reports - "ResizeStarted" that means the underlying persistent - volume is being resized. - type: string - status: - type: string - type: - description: PersistentVolumeClaimConditionType - is a valid value of PersistentVolumeClaimCondition.Type - type: string - required: - - status - - type - type: object - type: array - phase: - description: Phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: PodDisruptionBudget provides access to the default pod - disruption budget for the Elasticsearch cluster. The default budget - selects all cluster pods and sets `maxUnavailable` to 1. To disable, - set `PodDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: ObjectMeta is the metadata of the PDB. The name and - namespace provided here are managed by ECK and will be ignored. - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at most "maxUnavailable" - pods selected by "selector" are unavailable after the eviction, - i.e. even in absence of the evicted pod. For example, one - can prevent all voluntary evictions by specifying 0. This - is a mutually exclusive setting with "minAvailable". - minAvailable: - anyOf: - - type: integer - - type: string - description: An eviction is allowed if at least "minAvailable" - pods selected by "selector" will still be available after - the eviction, i.e. even in the absence of the evicted pod. So - for example you can prevent all voluntary evictions by specifying - "100%". 
- selector: - description: Label query over pods whose evictions are managed - by the disruption budget. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - type: object - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional - connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster - connection. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch - cluster running within the same k8s cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, - defaults to the current namespace. 
- type: string - required: - - name - type: object - name: - description: Name is the name of the remote cluster as it is set - in the Elasticsearch settings. The name is expected to be unique - for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. a remote Elasticsearch cluster) in a different - namespace. Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. 
The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. 
- "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. 
This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). 
This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). 
- format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should - be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when - applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: MaxSurge is the maximum number of new pods that - can be created exceeding the original number of pods defined - in the specification. MaxSurge is only taken into consideration - when scaling up. Setting a negative value will disable the - restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: MaxUnavailable is the maximum number of pods that - can be unavailable (not ready) during the update due to circumstances - under the control of the operator. Setting a negative value - will disable this restriction. Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned - by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch - is in from the controller point of view. 
- type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Enterprise Search version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise - Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - configRef: - description: ConfigRef contains a reference to an existing Kubernetes - Secret holding the Enterprise Search configuration. Configuration - settings are merged and have precedence over settings specified in - `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise - Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. 
Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. 
- format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. 
- This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. 
The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. 
If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. "ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. 
- type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Enterprise Search - pods. - type: object - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch - clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: EnterpriseSearchHealth expresses the health of the Enterprise - Search instances. - type: string - service: - description: ExternalService is the name of the service associated to - the Enterprise Search Pods. 
- type: string - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.5 - creationTimestamp: null - name: kibanas.kibana.k8s.elastic.co -spec: - additionalPrinterColumns: - - JSONPath: .status.health - name: health - type: string - - JSONPath: .status.availableNodes - description: Available nodes - name: nodes - type: integer - - JSONPath: .spec.version - description: Kibana version - name: version - type: string - - JSONPath: .metadata.creationTimestamp - name: age - type: date - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. 
See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster - running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults - to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes - Service object. - properties: - metadata: - description: ObjectMeta is the metadata of the service. The - name and namespace provided here are managed by ECK and will - be ignored. - type: object - spec: - description: Spec is the specification of the service. - properties: - clusterIP: - description: 'clusterIP is the IP address of the service - and is usually assigned randomly by the master. If an - address is specified manually and is not in use by others, - it will be allocated to the service; otherwise, creation - of the service will fail. This field can not be changed - through updates. Valid values are "None", empty string - (""), or a valid IP address. "None" can be specified for - headless services when proxying is not required. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - externalIPs: - description: externalIPs is a list of IP addresses for which - nodes in the cluster will also accept traffic for this - service. These IPs are not managed by Kubernetes. The - user is responsible for ensuring that traffic arrives - at a node with this IP. 
A common example is external - load-balancers that are not part of the Kubernetes system. - items: - type: string - type: array - externalName: - description: externalName is the external reference that - kubedns or equivalent will return as a CNAME record for - this service. No proxying will be involved. Must be a - valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - and requires Type to be ExternalName. - type: string - externalTrafficPolicy: - description: externalTrafficPolicy denotes if this Service - desires to route external traffic to node-local or cluster-wide - endpoints. "Local" preserves the client source IP and - avoids a second hop for LoadBalancer and Nodeport type - services, but risks potentially imbalanced traffic spreading. - "Cluster" obscures the client source IP and may cause - a second hop to another node, but should have good overall - load-spreading. - type: string - healthCheckNodePort: - description: healthCheckNodePort specifies the healthcheck - nodePort for the service. If not specified, HealthCheckNodePort - is created by the service api backend with the allocated - nodePort. Will use user-specified nodePort value if specified - by the client. Only effects when Type is set to LoadBalancer - and ExternalTrafficPolicy is set to Local. - format: int32 - type: integer - ipFamily: - description: ipFamily specifies whether this Service has - a preference for a particular IP family (e.g. IPv4 vs. - IPv6). If a specific IP family is requested, the clusterIP - field will be allocated from that family, if it is available - in the cluster. If no IP family is requested, the cluster's - primary IP family will be used. Other IP fields (loadBalancerIP, - loadBalancerSourceRanges, externalIPs) and controllers - which allocate external load-balancers should use the - same IP family. Endpoints for this Service will be of - this family. This field is immutable after creation. - Assigning a ServiceIPFamily not available in the cluster - (e.g. 
IPv6 in IPv4 only cluster) is an error condition - and will fail during clusterIP assignment. - type: string - loadBalancerIP: - description: 'Only applies to Service Type: LoadBalancer - LoadBalancer will get created with the IP specified in - this field. This feature depends on whether the underlying - cloud-provider supports specifying the loadBalancerIP - when a load balancer is created. This field will be ignored - if the cloud-provider does not support the feature.' - type: string - loadBalancerSourceRanges: - description: 'If specified and supported by the platform, - this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client - IPs. This field will be ignored if the cloud-provider - does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' - items: - type: string - type: array - ports: - description: 'The list of ports that are exposed by this - service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - items: - description: ServicePort contains information on service's - port. - properties: - name: - description: The name of this port within the service. - This must be a DNS_LABEL. All ports within a ServiceSpec - must have unique names. When considering the endpoints - for a Service, this must match the 'name' field - in the EndpointPort. Optional if only one ServicePort - is defined on this service. - type: string - nodePort: - description: 'The port on each node on which this - service is exposed when type=NodePort or LoadBalancer. - Usually assigned by the system. If specified, it - will be allocated to the service if unused or else - creation of the service will fail. Default is to - auto-allocate a port if the ServiceType of this - Service requires one. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' - format: int32 - type: integer - port: - description: The port that will be exposed by this - service. - format: int32 - type: integer - protocol: - description: The IP protocol for this port. Supports - "TCP", "UDP", and "SCTP". Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: 'Number or name of the port to access - on the pods targeted by the service. Number must - be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named - port in the target Pod''s container ports. If this - is not specified, the value of the ''port'' field - is used (an identity map). This field is ignored - for services with clusterIP=None, and should be - omitted or set equal to the ''port'' field. More - info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' - required: - - port - type: object - type: array - publishNotReadyAddresses: - description: publishNotReadyAddresses, when set to true, - indicates that DNS implementations must publish the notReadyAddresses - of subsets for the Endpoints associated with the Service. - The default value is false. The primary use case for setting - this field is to use a StatefulSet's Headless Service - to propagate SRV records for its Pods without respect - to their readiness for purpose of peer discovery. - type: boolean - selector: - additionalProperties: - type: string - description: 'Route service traffic to pods with label keys - and values matching this selector. If empty or not present, - the service is assumed to have an external process managing - its endpoints, which Kubernetes will not modify. Only - applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. 
More info: https://kubernetes.io/docs/concepts/services-networking/service/' - type: object - sessionAffinity: - description: 'Supports "ClientIP" and "None". Used to maintain - session affinity. Enable client IP based session affinity. - Must be ClientIP or None. Defaults to None. More info: - https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations - of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of - Client IP based session affinity. - properties: - timeoutSeconds: - description: timeoutSeconds specifies the seconds - of ClientIP type session sticky time. The value - must be >0 && <=86400(for 1 day) if ServiceAffinity - == "ClientIP". Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - topologyKeys: - description: topologyKeys is a preference-order list of - topology keys which implementations of services should - use to preferentially sort endpoints when accessing this - Service, it can not be used at the same time as externalTrafficPolicy=Local. - Topology keys must be valid label keys and at most 16 - keys may be specified. Endpoints are chosen based on the - first topology key with available backends. If this field - is specified and all entries have no backends that match - the topology of the client, the service has no backends - for that client and connections should fail. The special - value "*" may be used to mean "any topology". This catch-all - value, if used, only makes sense as the last value in - the list. If this is not specified or empty, no topology - constraints will be applied. - items: - type: string - type: array - type: - description: 'type determines how the Service is exposed. - Defaults to ClusterIP. Valid options are ExternalName, - ClusterIP, NodePort, and LoadBalancer. 
"ExternalName" - maps to the specified externalName. "ClusterIP" allocates - a cluster-internal IP address for load-balancing to endpoints. - Endpoints are determined by the selector or if that is - not specified, by manual construction of an Endpoints - object. If clusterIP is "None", no virtual IP is allocated - and the endpoints are published as a set of endpoints - rather than a stable IP. "NodePort" builds on ClusterIP - and allocates a port on every node which routes to the - clusterIP. "LoadBalancer" builds on NodePort and creates - an external load-balancer (if supported in the current - cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: "Certificate is a reference to a Kubernetes secret - that contains the certificate and private key for enabling - TLS. The referenced secret should contain the following: \n - - `ca.crt`: The certificate authority (optional). - `tls.crt`: - The certificate (or a chain). - `tls.key`: The private key - to the first certificate in the certificate chain." - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed - certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of - the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to - include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry - in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. 
- type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, - affinity rules, resource requests, and so on) for the Kibana pods - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets - containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes - Secret. - properties: - entries: - description: Entries define how to project each key-value pair - in the secret to filesystem paths. If not defined, all keys - will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the - corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret - object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: Path is the relative file path to map the key - to. Path must not be an absolute file path and must not - contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: ServiceAccountName is used to check access from the current - resource to a resource (eg. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. 
- type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. - type: string - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - - name: v1alpha1 - served: false - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: elastic-webhook.k8s.elastic.co -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-apm-k8s-elastic-co-v1beta1-apmserver - failurePolicy: Ignore - name: elastic-apm-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - apm.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - apmservers -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-beat-k8s-elastic-co-v1beta1-beat - failurePolicy: Ignore - name: elastic-beat-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - beat.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - beats -- clientConfig: - caBundle: Cg== - service: - name: 
elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch - failurePolicy: Ignore - name: elastic-es-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - elasticsearch.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - elasticsearches -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - kibanas -- clientConfig: - caBundle: Cg== - service: - name: elastic-webhook-server - namespace: elastic-system - path: /validate-kibana-k8s-elastic-co-v1beta1-kibana - failurePolicy: Ignore - name: elastic-kb-validation-v1beta1.k8s.elastic.co - rules: - - apiGroups: - - kibana.k8s.elastic.co - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - kibanas ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: elastic-operator - namespace: elastic-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: elastic-operator-edit -rules: -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - 
apm.k8s.elastic.co - resources: - - apmservers - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - verbs: - - create - - delete - - deletecollection - - patch - - update -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: elastic-operator-view -rules: -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - verbs: - - get - - list - - watch -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - verbs: - - get - - list - - watch -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - verbs: - - get - - list - - watch -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - verbs: - - get - - list - - watch -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-operator -rules: -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - "" - resources: - - pods - - endpoints - - events - - persistentvolumeclaims - - secrets - - services - - configmaps - - serviceaccounts - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apps - resources: - - deployments - - statefulsets - - daemonsets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - 
policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - elasticsearch.k8s.elastic.co - resources: - - elasticsearches - - elasticsearches/status - - elasticsearches/finalizers - - enterpriselicenses - - enterpriselicenses/status - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - kibana.k8s.elastic.co - resources: - - kibanas - - kibanas/status - - kibanas/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - apm.k8s.elastic.co - resources: - - apmservers - - apmservers/status - - apmservers/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - enterprisesearch.k8s.elastic.co - resources: - - enterprisesearches - - enterprisesearches/status - - enterprisesearches/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - beat.k8s.elastic.co - resources: - - beats - - beats/status - - beats/finalizers - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: elastic-operator - namespace: elastic-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: elastic-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: elastic-operator -subjects: -- kind: ServiceAccount - name: elastic-operator - namespace: elastic-system ---- 
-apiVersion: v1 -kind: Secret -metadata: - name: elastic-webhook-server-cert - namespace: elastic-system ---- -apiVersion: v1 -kind: Service -metadata: - name: elastic-webhook-server - namespace: elastic-system -spec: - ports: - - name: https - port: 443 - targetPort: 9443 - selector: - control-plane: elastic-operator ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - control-plane: elastic-operator - name: elastic-operator - namespace: elastic-system -spec: - selector: - matchLabels: - control-plane: elastic-operator - serviceName: elastic-operator - template: - metadata: - annotations: - co.elastic.logs/raw: '[{"type":"container","json.keys_under_root":true,"paths":["/var/log/containers/*${data.kubernetes.container.id}.log"],"processors":[{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"error","to":"_error"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"_error","to":"error.message"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"source","to":"_source"}]}},{"convert":{"mode":"rename","ignore_missing":true,"fields":[{"from":"_source","to":"event.source"}]}}]}]' - labels: - control-plane: elastic-operator - spec: - containers: - - args: - - manager - - --log-verbosity=0 - - --metrics-port=0 - - --container-registry=docker.elastic.co - - --max-concurrent-reconciles=3 - - --ca-cert-validity=8760h - - --ca-cert-rotate-before=24h - - --cert-validity=8760h - - --cert-rotate-before=24h - - --enable-webhook - env: - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_IMAGE - value: docker.elastic.co/eck/eck-operator:1.2.1 - - name: WEBHOOK_SECRET - value: elastic-webhook-server-cert - image: docker.elastic.co/eck/eck-operator:1.2.1 - imagePullPolicy: IfNotPresent - name: manager - ports: - - containerPort: 9443 - name: https-webhook - protocol: TCP - resources: - limits: - cpu: 1 - memory: 512Mi - requests: - cpu: 100m - memory: 150Mi - 
volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - nodeSelector: - node-role.kubernetes.io/master: "" - serviceAccountName: elastic-operator - terminationGracePeriodSeconds: 10 - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: elastic-webhook-server-cert -{{- end }} diff --git a/charts/kubezero-logging/values-all.yaml b/charts/kubezero-logging/values-all.yaml index e5997b7..c016628 100644 --- a/charts/kubezero-logging/values-all.yaml +++ b/charts/kubezero-logging/values-all.yaml @@ -5,11 +5,11 @@ # This is for backwards compatibility with older zdt-logging setup fullnameOverride: logging -# Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.6.0 - elastic_password: "dsfsfs" # super_secret_elastic_password +eck-operator: + enabled: true + es: nodeSets: - name: default-zone-0 diff --git a/charts/kubezero-logging/values-remote-es.yaml b/charts/kubezero-logging/values-remote-es.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index caf9fde..5b76faa 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -1,8 +1,16 @@ # use this for backwards compatability # fullnameOverride: "" +eck-operator: + enabled: false + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + # Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.8.1 +version: 7.10.0 elastic_password: "" # super_secret_elastic_password 
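Review bot: Removing `version: 7.6.0` from values-all.yaml makes the "all" profile inherit the ElasticSearch/Kibana version from values.yaml, which this same patch bumps to 7.10.0, so the profile silently moves several minor releases with nothing in the hunk recording that; if intended, a comment beside the new `eck-operator:` block such as `# ES/Kibana version is inherited from values.yaml` would capture it. The `elastic_password: "dsfsfs"` line kept as context is a literal credential committed in a values file; it is not touched by this commit, but the new block lands directly beside it and a reader of this hunk will reasonably ask whether the profile is meant to ship with it rather than read it from a secret.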
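Review bot: The new `eck-operator:` block in values.yaml defaults to `enabled: false` with nothing saying when it is supposed to be switched on, while values-all.yaml in the preceding hunk turns it on. The vendored operator manifest deleted earlier in this patch carried CRDs, a `ValidatingWebhookConfiguration` and the cluster-wide `elastic-operator` ClusterRole (secrets, services, webhook configurations and more), so flipping this flag presumably pulls those cluster-scoped objects back in through the subchart; a comment above `eck-operator:` such as `# ECK operator subchart (CRDs, webhook, cluster-wide RBAC) - enable once per cluster` would make that visible to whoever edits the profile. The control-plane tolerations and nodeSelector follow the same pattern as the kubezero-metrics values later in the patch, so that part reads consistently.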
@@ -67,7 +75,7 @@ fluentd:
 enabled: true
 additionalLabels:
 release: metrics
- namespace: monitoring
+ # namespace: monitoring
 output:
 # Default should be "logging-kubezero-logging-es-http" if fullnameOverride is NOT used
diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml
index 77bcd5f..a6e19e6 100644
--- a/charts/kubezero-metrics/Chart.yaml
+++ b/charts/kubezero-metrics/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubezero-metrics
 description: KubeZero Umbrella Chart for prometheus-operator
 type: application
-version: 0.2.1
+version: 0.3.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
@@ -16,9 +16,10 @@ dependencies:
 version: ">= 0.1.3"
 repository: https://zero-down-time.github.io/kubezero/
 - name: kube-prometheus-stack
- version: 10.1.3
+ version: 11.1.1
 repository: https://prometheus-community.github.io/helm-charts
 - name: prometheus-adapter
- version: 2.7.0
+ version: 2.7.1
 repository: https://prometheus-community.github.io/helm-charts
+ condition: prometheus-adapter.enabled
 kubeVersion: ">= 1.16.0"
diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md
index 26b48bd..89d5f9e 100644
--- a/charts/kubezero-metrics/README.md
+++ b/charts/kubezero-metrics/README.md
@@ -1,6 +1,6 @@ # kubezero-metrics
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero Umbrella Chart for prometheus-operator
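Review bot: `# namespace: monitoring` is kept as a commented-out line instead of being deleted, so the file retains a stale hint that the fluentd ServiceMonitor once targeted the monitoring namespace without recording why that changed. Either drop the line or turn it into a why-comment, e.g. `# created in the release namespace; kubezero-metrics lists 'logging' under prometheusOperator.namespaces.additional`, which matches the kubezero-metrics values.yaml context later in this patch. The enclosing `fluentd:` block starts outside the hunk.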
@@ -18,8 +18,8 @@ Kubernetes: `>= 1.16.0`
 | Repository | Name | Version |
 |------------|------|---------|
-| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 10.0.1 |
-| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.0 |
+| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 11.1.1 |
+| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
 ## Values
@@ -41,6 +41,9 @@ Kubernetes: `>= 1.16.0`
 | kube-prometheus-stack.grafana.plugins[0] | string | `"grafana-piechart-panel"` | |
 | kube-prometheus-stack.grafana.service.portName | string | `"http-grafana"` | |
 | kube-prometheus-stack.grafana.testFramework.enabled | bool | `false` | |
+| kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
+| kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | |
+| kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
 | kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | |
 | kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | |
 | kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | |
@@ -69,7 +72,6 @@ Kubernetes: `>= 1.16.0`
 | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | |
 | kube-prometheus-stack.prometheus.enabled | bool | `true` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | |
-| kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` | |
@@ -77,17 +79,17 @@ Kubernetes: `>= 1.16.0`
 | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | |
 | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | |
-| kube-prometheus-stack.prometheusOperator.admissionWebhooks.enabled | bool | `false` | |
-| kube-prometheus-stack.prometheusOperator.createCustomResource | bool | `true` | |
+| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
+| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | |
+| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
 | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | |
-| kube-prometheus-stack.prometheusOperator.manageCrds | bool | `false` | |
 | kube-prometheus-stack.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | |
 | kube-prometheus-stack.prometheusOperator.namespaces.additional[1] | string | `"logging"` | |
 | kube-prometheus-stack.prometheusOperator.namespaces.releaseNamespace | bool | `true` | |
 | kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
-| kube-prometheus-stack.prometheusOperator.tlsProxy.enabled | bool | `false` | |
 | kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | |
 | kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
+| prometheus-adapter.enabled | bool | `true` | |
 | prometheus-adapter.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
 | prometheus-adapter.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus"` | |
 | prometheus-adapter.rules.default | bool | `false` | |
diff --git a/charts/kubezero-metrics/templates/istio-service.yaml b/charts/kubezero-metrics/templates/istio-service.yaml
index 0184988..09c75fa 100644
--- a/charts/kubezero-metrics/templates/istio-service.yaml
+++ b/charts/kubezero-metrics/templates/istio-service.yaml
@@ -3,6 +3,7 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
 name: grafana
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
@@ -21,6 +22,7 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
 name: prometheus
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml
index e04470a..2f20d6a 100644
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@@ -59,10 +59,6 @@ kube-prometheus-stack:
 prometheusOperator:
 enabled: true
- #image:
- # tag: v0.42.1
- #prometheusConfigReloaderImage:
- # tag: v0.42.1
 # Run on controller nodes
 tolerations:
@@ -71,24 +67,20 @@ kube-prometheus-stack: nodeSelector: node-role.kubernetes.io/master: "" - # Argo takes care of CRDs - manageCrds: false - createCustomResource: true - - # Operator has TLS support starting 0.39, but chart does not support CAConfig and operator flags yet - # see: https://github.com/coreos/prometheus-operator/blob/master/Documentation/user-guides/webhook.md#deploying-the-admission-webhook - # Until then we disable them as the patching interferes with Argo anyways - tlsProxy: - enabled: false - admissionWebhooks: - enabled: false - namespaces: releaseNamespace: true additional: - kube-system - logging + admissionWebhooks: + patch: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + nodeExporter: enabled: true serviceMonitor: @@ -141,12 +133,21 @@ kube-prometheus-stack: testFramework: enabled: false + # Assign state metrics to control plane + kube-state-metrics: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" + # Todo alertmanager: enabled: false # Metrics adapter prometheus-adapter: + enabled: true prometheus: url: http://metrics-kube-prometheus-st-prometheus tolerations: diff --git a/charts/kubezero-redis/.helmignore b/charts/kubezero-redis/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/kubezero-redis/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kubezero-redis/Chart.yaml b/charts/kubezero-redis/Chart.yaml new file mode 100644 index 0000000..d538fcb --- /dev/null 
+++ b/charts/kubezero-redis/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +name: kubezero-redis +description: KubeZero Umbrella Chart for Redis HA +type: application +version: 0.1.0 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - redis +maintainers: + - name: Quarky9 +dependencies: + - name: kubezero-lib + version: ">= 0.1.3" + repository: https://zero-down-time.github.io/kubezero/ + - name: redis + version: 12.0.0 + repository: https://charts.bitnami.com/bitnami +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md new file mode 100644 index 0000000..0f975d2 --- /dev/null +++ b/charts/kubezero-redis/README.md 
@@ -0,0 +1,44 @@ +# kubezero-redis + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +KubeZero Umbrella Chart for Redis HA + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.16.0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | redis | 12.0.0 | +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| istio.enabled | bool | `false` | | +| redis.cluster.slaveCount | int | `0` | | +| redis.master.persistence.enabled | bool | `false` | | +| redis.metrics.enabled | bool | `false` | | +| redis.metrics.serviceMonitor.enabled | bool | `false` | | +| redis.metrics.serviceMonitor.namespace | string | `"monitoring"` | | +| redis.metrics.serviceMonitor.selector.release | string | `"metrics"` | | +| redis.usePassword | bool | `false` | | + +# Dashboards + +## Redis + +# Resources +- https://github.com/helm/charts/tree/master/stable/redis +- https://github.com/rustudorcalin/deploying-redis-cluster +- diff --git a/charts/kubezero-redis/README.md.gotmpl b/charts/kubezero-redis/README.md.gotmpl new file mode 100644 index 0000000..bda5861 --- /dev/null +++ b/charts/kubezero-redis/README.md.gotmpl 
@@ -0,0 +1,26 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +# Dashboards +https://grafana.com/grafana/dashboards/11835 + +## Redis + +# Resources +- https://github.com/helm/charts/tree/master/stable/redis +- https://github.com/rustudorcalin/deploying-redis-cluster +- diff --git a/charts/kubezero-redis/templates/istio-authorization-policy.yaml b/charts/kubezero-redis/templates/istio-authorization-policy.yaml new file mode 100644 index 0000000..97a2a7f --- /dev/null +++ b/charts/kubezero-redis/templates/istio-authorization-policy.yaml @@ -0,0 +1,26 @@ +{{- if .Values.istio.enabled }} +{{- if .Values.istio.ipBlocks }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Namespace }}-redis-deny-not-in-ipblocks + namespace: istio-system + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app: istio-private-ingressgateway + action: DENY + rules: + - from: + - source: + notIpBlocks: + {{- with .Values.istio.ipBlocks }} + {{- . | toYaml | nindent 8 }} + {{- end }} + to: + - operation: + ports: ["{{ default 6379 .Values.redis.redisPort }}"] +{{- end }} +{{- end }} diff --git a/charts/kubezero-redis/templates/istio-service.yaml b/charts/kubezero-redis/templates/istio-service.yaml new file mode 100644 index 0000000..edb8823 --- /dev/null +++ b/charts/kubezero-redis/templates/istio-service.yaml 
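Review bot: The allow-list is the only thing gating the TCP route to Redis, yet the whole policy sits inside `{{- if .Values.istio.ipBlocks }}`, so `istio.enabled: true` with `ipBlocks` unset renders no policy at all while the sibling istio-service.yaml still publishes port 6379 on the gateway, and values.yaml defaults `redis.usePassword: false`. I would make the omission loud rather than silent: `{{- if and .Values.istio.enabled (not .Values.istio.ipBlocks) }}{{ fail "istio.ipBlocks must be set when istio.enabled is true" }}{{- end }}`, or at minimum a comment in values.yaml stating the route is unrestricted without it. Also worth a comment above `notIpBlocks` that it matches `source.ip`, i.e. the peer address the gateway pod sees; unless the ingress Service preserves the client address (externalTrafficPolicy Local or proxy protocol, not visible in this chart) that is the load balancer or node address and the list does not restrict what it appears to. `to.operation.ports` is the gateway listener port, which this template assumes equals `redis.redisPort`; that only holds if the referenced Gateway opens the same number, so a `# must match the port opened on istio.gateway` note would help the next maintainer.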
@@ -0,0 +1,22 @@ +{{- if .Values.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: redis + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + hosts: + - {{ .Values.istio.url }} + gateways: + - {{ .Values.istio.gateway }} + tcp: + - match: + - port: {{ default 6379 .Values.redis.redisPort }} + route: + - destination: + host: redis-headless + port: + number: {{ default 6379 .Values.redis.redisPort }} +{{- end }} diff --git a/charts/kubezero-redis/values.yaml b/charts/kubezero-redis/values.yaml new file mode 100644 index 0000000..1c1319e --- /dev/null +++ b/charts/kubezero-redis/values.yaml @@ -0,0 +1,27 @@ +redis: + redisPort: 6379 + + cluster: + slaveCount: 0 + + usePassword: false + + master: + persistence: + enabled: false +# resources: +# requests: +# memory: 256Mi +# cpu: 100m + + metrics: + enabled: false + serviceMonitor: + enabled: false + selector: + release: metrics +# extraArgs: +# redis.addr: "redis://localhost:6379" + +istio: + enabled: false diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index 93a898f..ab65a73 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -44,4 +44,4 @@ Kubernetes: `>= 1.16.0` | platform | string | `"aws"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0) +Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/deploy/bootstrap.sh b/deploy/bootstrap.sh index c78e425..d55324d 100755 --- a/deploy/bootstrap.sh +++ b/deploy/bootstrap.sh 
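Review bot: `usePassword: false` is the shipped default while the same chart carries templates that publish Redis on an Istio gateway, so an operator who flips `istio.enabled` without reading the templates ends up with an unauthenticated Redis reachable from wherever the gateway is. A one-line comment on the key would carry the warning: `usePassword: false  # no AUTH; with istio.enabled the only access control is istio.ipBlocks`. `cluster.slaveCount: 0` and `master.persistence.enabled: false` are reasonable for a cache but deserve a `# single ephemeral master, not for durable data` note so the chart is not reused for state that must survive a pod restart.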
@@ -1,7 +1,22 @@ #!/bin/bash set -ex -LOCATION=${1-""} +ACTION=$1 +ARTIFACTS=("$2") +LOCATION=${3:-""} + +DEPLOY_DIR=$( dirname $( realpath $0 )) +which yq || { echo "yq not found!"; exit 1; } + +TMPDIR=$(mktemp -d kubezero.XXX) + +# First lets generate kubezero.yaml +# This will be stored as secret during the initial kubezero chart install +helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml + +if [ ${ARTIFACTS[0]} == "all" ]; then + ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "kubezero.*.enabled" | awk -F "." '{print $2}')) +fi # Update only if we use upstream if [ -z "$LOCATION" ]; then @@ -9,20 +24,27 @@ if [ -z "$LOCATION" ]; then helm repo update fi -DEPLOY_DIR=$( dirname $( realpath $0 )) -which yq || { echo "yq not found!"; exit 1; } - # Waits for max 300s and retries function wait_for() { local TRIES=0 while true; do - $@ && break - [ $TRIES -eq 200 ] && return 1 + eval " $@" && break + [ $TRIES -eq 100 ] && return 1 let TRIES=$TRIES+1 sleep 3 done } + +function chart_location() { + if [ -z "$LOCATION" ]; then + echo "$1 --repo https://zero-down-time.github.io/kubezero" + else + echo "$LOCATION/$1" + fi +} + + function _helm() { local action=$1 local chart=$2 
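Review bot: `TMPDIR=$(mktemp -d kubezero.XXX)` creates the work directory in the caller's current directory (no `-t`/`--tmpdir`) with only three random characters, and the `kubezero.yaml` rendered into it is, per the comment right above, the document that later becomes a Secret, so it carries whatever credentials values.yaml and cloudbender.yaml contain. Prefer `TMPDIR=$(mktemp -d -t kubezero.XXXXXX)` and, because `set -e` aborts before the cleanup at the bottom of the script (outside this hunk) ever runs, register the removal here: `[ -n "$DEBUG" ] || trap 'rm -rf -- "$TMPDIR"' EXIT`. Naming the variable `TMPDIR` also overrides the environment variable mktemp itself consults; it is harmless only because no later mktemp call exists, so `WORKDIR` would avoid the trap. Separately, `[ ${ARTIFACTS[0]} == "all" ]` is unquoted and produces a bash syntax error instead of a usage message when `$2` is missing; `[ "${ARTIFACTS[0]:-}" == "all" ]` together with a `[ $# -ge 2 ] || { echo "usage: $0 deploy|crds|delete <artifact|all> [location]" >&2; exit 1; }` check fixes that.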
@@ -30,89 +52,257 @@ function _helm() { local namespace=$4 shift 4 - local location + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds $@ > $TMPDIR/helm.yaml - if [ -z "$LOCATION" ]; then - location="$chart --repo https://zero-down-time.github.io/kubezero" - else - location="$LOCATION/$chart" + if [ $action == "apply" ]; then + # make sure namespace exists prior to calling helm as the create-namespace options doesn't work + kubectl get ns $namespace || kubectl create ns $namespace + fi + + # If resources are out of the single $namespace, apply without restrictions + nr_ns=$(grep -e '^ namespace:' $TMPDIR/helm.yaml | sed "s/\"//g" | sort | uniq | wc -l) + if [ $nr_ns -gt 1 ]; then + kubectl $action -f $TMPDIR/helm.yaml + else + kubectl $action --namespace $namespace -f $TMPDIR/helm.yaml fi - - [ -n "$namespace" ] && kubectl get ns $namespace || kubectl create ns $namespace - helm template $location --namespace $namespace --name-template $release $@ | kubectl $action -f - } + function deploy() { _helm apply $@ } + function delete() { _helm delete $@ } + +function is_enabled() { + local chart=$1 + + enabled=$(yq r $TMPDIR/kubezero.yaml kubezero.${chart}.enabled) + if [ "$enabled" == "true" ]; then + yq r $TMPDIR/kubezero.yaml kubezero.${chart}.values > $TMPDIR/values.yaml + return 0 + fi + return 1 +} + + +########## +# Calico # +########## +function calico() { + local chart="kubezero-calico" + local release="calico" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? 
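Review bot: `wait_for` now runs `eval " $@"`, so its argument is shell source rather than a command vector; every caller in this script passes one quoted string with `$namespace` expanded into it, which is safe for these constant names but will misbehave the first time someone interpolates a value taken from cluster output or user input. State the contract on the function: `# Usage: wait_for '<shell snippet>' — the argument is eval'd so pipelines work; never pass unescaped external input.` With the cap lowered to 100 tries at 3s the `# Waits for max 300s` comment finally matches the loop, which is worth keeping in sync if either number changes again. `chart_location` echoes `"$1 --repo URL"` as a single string that callers deliberately word-split via an unquoted `$(chart_location $chart)`; a `# NOTE: returns a space-separated arg list, call sites must not quote it` comment would stop a well-meant quoting fix from breaking every helm invocation.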
+ kubectl apply -f $TMPDIR/helm.yaml + # Don't delete the only CNI + #elif [ $task == "delete" ]; then + # delete $chart $release $namespace -f $TMPDIR/values.yaml + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + ################ # cert-manager # ################ +function cert-manager() { + local chart="kubezero-cert-manager" + local release="cert-manager" + local namespace="cert-manager" -# Let's start with minimal cert-manager to get the webhook in place -deploy kubezero-cert-manager cert-manager cert-manager + local task=$1 -echo "Waiting for cert-manager to be ready..." -wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2 -kubectl rollout status deployment -n cert-manager cert-manager-webhook -wait_for kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0" 2>/dev/null 1>&2 + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? 
-# Either inject cert-manager backup or bootstrap -if [ -f cert-manager-backup.yaml ]; then - kubectl apply -f cert-manager-backup.yaml -else - deploy kubezero-cert-manager cert-manager cert-manager --set localCA.enabled=true - wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 - kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer + # If any error occurs, wait for initial webhook deployment and try again + # see: https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation + if [ $rc -ne 0 ]; then + wait_for "kubectl get deployment -n $namespace cert-manager-webhook" + kubectl rollout status deployment -n $namespace cert-manager-webhook + wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"' + deploy $chart $release $namespace -f $TMPDIR/values.yaml + fi + + wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer" + kubectl wait --timeout=180s --for=condition=Ready -n $namespace ClusterIssuer/kubezero-local-ca-issuer + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns $namespace + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set cert-manager.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set cert-manager.installCRDs=true > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +######## +# Kiam # +######## +function kiam() { + local chart="kubezero-kiam" + local release="kiam" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + # Certs only first + deploy $chart $release $namespace --set 
kiam.enabled=false + kubectl wait --timeout=120s --for=condition=Ready -n kube-system Certificate/kiam-server + + # Make sure kube-system and cert-manager are allowed to kiam + kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' + kubectl annotate --overwrite namespace cert-manager 'iam.amazonaws.com/permitted=.*CertManagerRole.*' + + # Get kiam rolled out and make sure it is working + deploy $chart $release $namespace -f $TMPDIR/values.yaml + wait_for 'kubectl get daemonset -n kube-system kiam-agent' + kubectl rollout status daemonset -n kube-system kiam-agent + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + fi +} + + +####### +# EBS # +####### +function aws-ebs-csi-driver() { + local chart="kubezero-aws-ebs-csi-driver" + local release="aws-ebs-csi-driver" + local namespace="kube-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + fi +} + + +######### +# Istio # +######### +function istio() { + local chart="kubezero-istio" + local release="istio" + local namespace="istio-system" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + elif [ $task == "delete" ]; then + for i in $(kubectl get istiooperators -A -o name); do + kubectl delete $i -n istio-system + done + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns istio-system + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f 
$TMPDIR/crds.yaml + fi +} + + +########### +# Metrics # +########### +function metrics() { + local chart="kubezero-metrics" + local release="metrics" + local namespace="monitoring" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns monitoring + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +########### +# Logging # +########### +function logging() { + local chart="kubezero-logging" + local release="logging" + local namespace="logging" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns logging + + # Doesnt work right now due to V2 Helm implementation of the eck-operator-crd chart + #elif [ $task == "crds" ]; then + # helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + # helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + # diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + # kubectl apply -f $TMPDIR/crds.yaml + fi +} + + +## MAIN ## +if [ $1 == "deploy" ]; then + for t in ${ARTIFACTS[@]}; do + is_enabled $t && $t deploy + 
done + +elif [ $1 == "crds" ]; then + for t in ${ARTIFACTS[@]}; do + is_enabled $t && $t crds + done + +# Delete in reverse order, continue even if errors +elif [ $1 == "delete" ]; then + set +e + for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do + is_enabled ${ARTIFACTS[idx]} && ${ARTIFACTS[idx]} delete + done fi -echo "KubeZero installed successfully." -read - -# Remove all kubezero -delete kubezero-cert-manager cert-manager cert-manager - -exit 0 - -# Determine if we bootstrap or update -helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$? -if [ $rc -eq 0 ]; then - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml -else - - - # Make sure kube-system is allowed to kiam - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' - - # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server - - # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 - kubectl rollout status daemonset -n kube-system kiam-agent - - # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get 
deployment -n istio-operator istio-operator 2>/dev/null 1>&2 - kubectl rollout status deployment -n istio-operator istio-operator - - # Metrics - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2 - - # Finally we could enable the actual config and deploy all - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml -fi +[ "$DEBUG" == "" ] && rm -rf $TMPDIR diff --git a/deploy/deploy.sh b/deploy/deploy.sh index 2ac91f7..4bc914e 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh @@ -2,18 +2,6 @@ set -e DEPLOY_DIR=$( dirname $( realpath $0 )) -which yq || { echo "yq not found!"; exit 1; } - -# Waits for max 300s and retries -function wait_for() { - local TRIES=0 - while true; do - $@ && break - [ $TRIES -eq 200 ] && return 1 - let TRIES=$TRIES+1 - sleep 3 - done -} helm repo add kubezero https://zero-down-time.github.io/kubezero helm repo update 
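Review bot: The dispatch loop `is_enabled $t && $t deploy` executes whatever `$t` names: it comes from `$2` or from the top-level keys of the rendered kubezero.yaml, and if it is not one of the functions defined in this file bash falls through to a binary of that name on PATH, or errors part-way through a bootstrap. Guard it before the call, in all three branches: `declare -F "$t" >/dev/null || { echo "unknown artifact: $t" >&2; exit 1; }`. The closing `[ "$DEBUG" == "" ] && rm -rf $TMPDIR` only runs when every step succeeded; under `set -e` a single failing helm or kubectl call leaves the directory, including the rendered secret material and per-chart values.yaml, behind in the caller's cwd, which an EXIT trap registered where the directory is created would cover. The kiam annotation `iam.amazonaws.com/permitted=.*` on kube-system lets any pod in that namespace assume any role the kiam server can; it is carried over from the previous flow, so I would only add a comment saying it is intentional and that cert-manager and logging are deliberately scoped to their role patterns.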
@@ -24,72 +12,6 @@ if [ $rc -eq 0 ]; then helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml else - # During bootstrap we first generate a minimal values.yaml to prevent various deadlocks - - # Generate ArgoCD password if not in values.yaml yet and add it - grep -q argocdServerAdminPassword values.yaml && rc=$? || rc=$? - if [ $rc -ne 0 ]; then - _argo_date="$(date -u --iso-8601=seconds)" - _argo_passwd="$($DEPLOY_DIR/argocd_password.py)" - - cat < _argocd_values.yaml -argo-cd: - configs: - secret: - # ArgoCD password: ${_argo_passwd%%:*} Please move to secure location ! - argocdServerAdminPassword: "${_argo_passwd##*:}" - argocdServerAdminPasswordMtime: "$_argo_date" -EOF - yq merge -i --overwrite values.yaml _argocd_values.yaml && rm -f _argocd_values.yaml - fi - - # Deploy initial argocd - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml - helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml - # Wait for argocd-server to be running - kubectl rollout status deployment -n argocd kubezero-argocd-server - - # Now wait for cert-manager and the local CA to be bootstrapped - echo "Waiting for cert-manager to be deployed..." 
- wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2 - kubectl rollout status deployment -n cert-manager cert-manager-webhook - - # Either inject cert-manager backup or bootstrap - if [ -f cert-manager-backup.yaml ]; then - kubectl apply -f cert-manager-backup.yaml - else - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 - kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer - fi - - # Make sure kube-system is allowed to kiam - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' - - # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server - - # Now lets make sure kiam is working - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2 - kubectl rollout status daemonset -n kube-system kiam-agent - - # Install Istio if enabled, but keep ArgoCD istio support disabled for now in case - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2 - kubectl rollout status 
deployment -n istio-operator istio-operator - - # Metrics - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml - wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2 - - # Finally we could enable the actual config and deploy all - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml + echo "To bootstrap clusters please use bootstrap.sh !" + exit 1 fi diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index 074e876..fb5e85b 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -134,6 +134,11 @@ kubezero: logging: enabled: {{ .Values.logging.enabled }} values: + {{- with index .Values "logging" "eck-operator" }} + eck-operator: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.logging.elastic_password }} elastic_password: {{ .Values.logging.elastic_password }} {{- end }} diff --git a/deploy/values-step-1.yaml b/deploy/values-step-1.yaml deleted file mode 100644 index 4a78cef..0000000 --- a/deploy/values-step-1.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - enabled: false - ready: false - -cert-manager: - ready: false - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-2.yaml b/deploy/values-step-2.yaml deleted file mode 100644 index 23ee941..0000000 --- a/deploy/values-step-2.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - enabled: false - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-3.yaml b/deploy/values-step-3.yaml deleted file mode 100644 index c552249..0000000 
--- a/deploy/values-step-3.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kiam: - certsOnly: true - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-4.yaml b/deploy/values-step-4.yaml deleted file mode 100644 index 4091229..0000000 --- a/deploy/values-step-4.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kiam: - ready: false - -cert-manager: - ready: true - -istio: - enabled: false - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-5.yaml b/deploy/values-step-5.yaml deleted file mode 100644 index f1bfe0c..0000000 --- a/deploy/values-step-5.yaml +++ /dev/null @@ -1,9 +0,0 @@ -istio: - ready: false - -metrics: - enabled: false - ready: false - -logging: - enabled: false diff --git a/deploy/values-step-6.yaml b/deploy/values-step-6.yaml deleted file mode 100644 index 5b08cd7..0000000 --- a/deploy/values-step-6.yaml +++ /dev/null @@ -1,6 +0,0 @@ -metrics: - enabled: true - ready: false - -logging: - enabled: false diff --git a/deploy/values.yaml b/deploy/values.yaml index 8fa526f..720ecff 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -39,12 +39,15 @@ metrics: logging: enabled: false + eck-operator: + enabled: false fluentd: - enabled: false + enabled: false fluent-bit: - enabled: false + enabled: false argo-cd: + enabled: false server: {} istio: enabled: true -- 2.40.1 From 33bf724618875445cc130d1dfa0694bd1e289165 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Tue, 24 Nov 2020 06:44:57 -0800 Subject: [PATCH 03/48] First try adding argoCD day 2 --- charts/kubezero-argo-cd/README.md | 15 +- charts/kubezero-argo-cd/templates/app.yaml | 26 - .../templates/istio-authorization-policy.yaml | 6 +- .../templates/istio-service.yaml | 8 +- charts/kubezero-argo-cd/values.yaml | 15 +- charts/kubezero-aws-ebs-csi-driver/Chart.yaml | 2 +- charts/kubezero-aws-ebs-csi-driver/README.md | 2 +- .../charts/aws-ebs-csi-driver/Chart.yaml | 4 +- .../charts/aws-ebs-csi-driver/values.yaml | 2 +- charts/kubezero-cert-manager/README.md | 3 +- charts/kubezero-istio-ingress/Chart.yaml | 24 + charts/kubezero-istio-ingress/README.md | 96 + .../kubezero-istio-ingress/README.md.gotmpl | 24 + .../charts/istio-ingress/Chart.yaml | 13 + .../charts/istio-ingress/NOTES.txt | 43 + .../charts/istio-ingress/README.md | 112 + .../istio-ingress/templates/_affinity.tpl | 93 + .../istio-ingress/templates/autoscale.yaml | 27 + .../istio-ingress/templates/deployment.yaml | 345 + .../templates/meshexpansion.yaml | 79 + .../templates/poddisruptionbudget.yaml | 19 + .../templates/preconfigured.yaml | 78 + .../charts/istio-ingress/templates/role.yaml | 16 + .../istio-ingress/templates/rolebindings.yaml | 19 + .../istio-ingress/templates/service.yaml | 55 + .../templates/serviceaccount.yaml | 18 + .../charts/istio-ingress/values.yaml | 336 + .../charts/istio-private-ingress/Chart.yaml | 13 + .../charts/istio-private-ingress/NOTES.txt | 43 + .../charts/istio-private-ingress/README.md | 112 + .../templates/_affinity.tpl | 93 + .../templates/autoscale.yaml | 27 + .../templates/deployment.yaml | 345 + .../templates/meshexpansion.yaml | 79 + .../templates/poddisruptionbudget.yaml | 19 + .../templates/preconfigured.yaml | 78 + .../istio-private-ingress/templates/role.yaml | 16 + .../templates/rolebindings.yaml | 19 + .../templates/service.yaml | 55 + .../templates/serviceaccount.yaml | 18 + .../charts/istio-private-ingress/values.yaml | 336 + 
.../templates/envoyfilter.yaml | 8 +- .../templates/ingress-certificate.yaml | 6 +- .../templates/ingress-gateway.yaml | 27 +- .../templates/namespace.yaml | 5 +- charts/kubezero-istio-ingress/values.yaml | 120 + charts/kubezero-istio/.gitignore | 2 +- charts/kubezero-istio/Chart.yaml | 8 +- charts/kubezero-istio/README.md | 40 +- charts/kubezero-istio/README.md.gotmpl | 5 +- charts/kubezero-istio/charts/base/Chart.yaml | 11 + charts/kubezero-istio/charts/base/NOTES.txt | 1 + charts/kubezero-istio/charts/base/README.md | 23 + .../charts/base/crds/crd-all.gen.yaml | 3426 +++++++++ .../charts/base/crds/crd-operator.yaml | 66 + .../charts/base/files/gen-istio-cluster.yaml | 3751 ++++++++++ .../charts/base/kustomization.yaml | 5 + .../charts/base/templates/clusterrole.yaml | 146 + .../base/templates/clusterrolebinding.yaml | 32 + .../charts/base/templates/crds.yaml | 4 + .../charts/base/templates/endpoints.yaml | 30 + .../charts/base/templates/role.yaml | 20 + .../charts/base/templates/rolebinding.yaml | 16 + .../charts/base/templates/serviceaccount.yaml | 30 + .../charts/base/templates/services.yaml | 37 + .../validatingwebhookconfiguration.yaml | 42 + charts/kubezero-istio/charts/base/values.yaml | 22 + .../charts/istio-discovery/Chart.yaml | 14 + .../charts/istio-discovery/NOTES.txt | 5 + .../charts/istio-discovery/README.md | 133 + .../istio-discovery/files/gen-istio.yaml | 1983 +++++ .../files/injection-template.yaml | 463 ++ .../charts/istio-discovery/kustomization.yaml | 5 + .../istio-discovery/templates/autoscale.yaml | 26 + .../templates/configmap-jwks.yaml | 14 + .../istio-discovery/templates/configmap.yaml | 92 + .../istio-discovery/templates/deployment.yaml | 245 + .../templates/istiod-injector-configmap.yaml | 35 + .../templates/mutatingwebhook.yaml | 85 + .../templates/poddisruptionbudget.yaml | 25 + .../istio-discovery/templates/service.yaml | 37 + .../templates/telemetryv2_1.8.yaml | 792 ++ .../charts/istio-discovery/values.yaml | 485 ++ 
.../charts/istio-operator/Chart.yaml | 12 - .../istio-operator/crds/crd-operator.yaml | 74 - .../istio-operator/templates/clusterrole.yaml | 109 - .../templates/clusterrole_binding.yaml | 13 - .../charts/istio-operator/templates/crds.yaml | 6 - .../istio-operator/templates/deployment.yaml | 57 - .../istio-operator/templates/service.yaml | 15 - .../templates/service_account.yaml | 6 - .../charts/istio-operator/values.yaml | 25 - charts/kubezero-istio/crds/crd-all.gen.yaml | 6612 ----------------- charts/kubezero-istio/crds/crd-mixer.yaml | 82 - charts/kubezero-istio/crds/crd-operator.yaml | 74 - charts/kubezero-istio/istio-discovery.patch | 16 + charts/kubezero-istio/istio-operator.patch | 15 - .../templates/istio-private-ingress.yaml | 140 - charts/kubezero-istio/templates/istio.yaml | 152 - charts/kubezero-istio/update.sh | 35 +- charts/kubezero-istio/values.yaml | 61 +- charts/kubezero-logging/README.md | 10 +- charts/kubezero-redis/README.md | 3 +- charts/kubezero/README.md | 5 + charts/kubezero/templates/istio-ingress.yaml | 8 + charts/kubezero/templates/istio.yaml | 5 + charts/kubezero/values.yaml | 13 +- deploy/argocd.sh | 30 + deploy/argocd/app.yaml | 26 + .../templates => deploy/argocd}/project.yaml | 4 +- deploy/bootstrap.sh | 57 +- deploy/deploy.sh | 17 - deploy/templates/values.yaml | 447 +- deploy/values.yaml | 15 +- 114 files changed, 15422 insertions(+), 7777 deletions(-) delete mode 100644 charts/kubezero-argo-cd/templates/app.yaml create mode 100644 charts/kubezero-istio-ingress/Chart.yaml create mode 100644 charts/kubezero-istio-ingress/README.md create mode 100644 charts/kubezero-istio-ingress/README.md.gotmpl create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/README.md create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl create 
mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml create mode 100644 
charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml create mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml rename charts/{kubezero-istio => kubezero-istio-ingress}/templates/envoyfilter.yaml (89%) rename charts/{kubezero-istio => kubezero-istio-ingress}/templates/ingress-certificate.yaml (63%) rename charts/{kubezero-istio => kubezero-istio-ingress}/templates/ingress-gateway.yaml (64%) rename charts/{kubezero-istio/charts/istio-operator => kubezero-istio-ingress}/templates/namespace.yaml (50%) create mode 100644 charts/kubezero-istio-ingress/values.yaml create mode 100644 charts/kubezero-istio/charts/base/Chart.yaml create mode 100644 charts/kubezero-istio/charts/base/NOTES.txt create mode 100644 charts/kubezero-istio/charts/base/README.md create mode 100644 charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml create mode 100644 charts/kubezero-istio/charts/base/crds/crd-operator.yaml create mode 100644 charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml create mode 100644 charts/kubezero-istio/charts/base/kustomization.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/clusterrole.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/crds.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/endpoints.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/role.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/rolebinding.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/serviceaccount.yaml create mode 100644 charts/kubezero-istio/charts/base/templates/services.yaml create mode 100644 
charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml create mode 100644 charts/kubezero-istio/charts/base/values.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/Chart.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/NOTES.txt create mode 100644 charts/kubezero-istio/charts/istio-discovery/README.md create mode 100644 charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/kustomization.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/service.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/values.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/Chart.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/crds.yaml delete mode 100644 
charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/service.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml delete mode 100644 charts/kubezero-istio/charts/istio-operator/values.yaml delete mode 100644 charts/kubezero-istio/crds/crd-all.gen.yaml delete mode 100644 charts/kubezero-istio/crds/crd-mixer.yaml delete mode 100644 charts/kubezero-istio/crds/crd-operator.yaml create mode 100644 charts/kubezero-istio/istio-discovery.patch delete mode 100644 charts/kubezero-istio/istio-operator.patch delete mode 100644 charts/kubezero-istio/templates/istio-private-ingress.yaml delete mode 100644 charts/kubezero-istio/templates/istio.yaml create mode 100644 charts/kubezero/templates/istio-ingress.yaml create mode 100755 deploy/argocd.sh create mode 100644 deploy/argocd/app.yaml rename {charts/kubezero-argo-cd/templates => deploy/argocd}/project.yaml (96%) delete mode 100755 deploy/deploy.sh diff --git a/charts/kubezero-argo-cd/README.md b/charts/kubezero-argo-cd/README.md index abe476e..43b4c4b 100644 --- a/charts/kubezero-argo-cd/README.md +++ b/charts/kubezero-argo-cd/README.md @@ -1,6 +1,6 @@ # kubezero-argo-cd -![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) +![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application @@ -18,7 +18,7 @@ Kubernetes: `>= 1.17.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 2.9.3 | +| https://argoproj.github.io/argo-helm | argo-cd | 2.9.5 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values 
@@ -32,20 +32,15 @@ Kubernetes: `>= 1.17.0` | argo-cd.controller.metrics.enabled | bool | `false` | | | argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.dex.enabled | bool | `false` | | -| argo-cd.global.image.tag | string | `"v1.7.8"` | | +| argo-cd.global.image.tag | string | `"v1.7.10"` | | | argo-cd.installCRDs | bool | `false` | | -| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | -| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | -| argo-cd.istio.ipBlocks | list | `[]` | | | argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for 
certificate\"\n return hs\n"` | | | argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | | argo-cd.server.extraArgs[0] | string | `"--insecure"` | | @@ -53,8 +48,10 @@ Kubernetes: `>= 1.17.0` | argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | +| istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | +| istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | +| istio.ipBlocks | list | `[]` | | | kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster | | kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees | | kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications | diff --git a/charts/kubezero-argo-cd/templates/app.yaml b/charts/kubezero-argo-cd/templates/app.yaml deleted file mode 100644 index 4bbff87..0000000 --- a/charts/kubezero-argo-cd/templates/app.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: kubezero
- namespace: argocd
- labels:
-{{ include "kubezero-lib.labels" . | indent 4 }}
-spec:
- project: kubezero
- source:
- repoURL: {{ .Values.kubezero.global.defaultSource.repoURL }}
- targetRevision: {{ .Values.kubezero.global.defaultSource.targetRevision }}
- path: {{ .Values.kubezero.global.defaultSource.pathPrefix}}charts/kubezero
-
- helm:
- values: |
- {{- toYaml .Values.kubezero | nindent 8 }}
-
- destination:
- server: {{ .Values.kubezero.global.defaultDestination.server }}
- namespace: argocd
-
- {{- if .Values.kubezero.global.syncPolicy }}
- syncPolicy:
- {{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
- {{- end }}
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
index d757cd6..1b8ad97 100644
--- a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
+++ b/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
@@ -1,5 +1,5 @@
-{{- if index .Values "argo-cd" "istio" "enabled" }}
-{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
+{{- if .Values.istio.enabled }}
+{{- if .Values.istio.ipBlocks }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -16,7 +16,7 @@ spec:
 - from:
 - source:
 notIpBlocks:
- {{- with index .Values "argo-cd" "istio" "ipBlocks" }}
+ {{- with .Values.istio.ipBlocks }}
 {{- . | toYaml | nindent 8 }}
 {{- end }}
 to:
diff --git a/charts/kubezero-argo-cd/templates/istio-service.yaml b/charts/kubezero-argo-cd/templates/istio-service.yaml
index 03d889c..16ae10a 100644
--- a/charts/kubezero-argo-cd/templates/istio-service.yaml
+++ b/charts/kubezero-argo-cd/templates/istio-service.yaml
@@ -1,4 +1,4 @@
-{{- if index .Values "argo-cd" "istio" "enabled" }}
+{{- if .Values.istio.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
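Review bot: The values keys that gate the Istio exposure move from `argo-cd.istio.*` to a top-level `istio.*` in both hunks of istio-authorization-policy.yaml, and the same rename is applied in istio-service.yaml and values.yaml on the next line; Helm does not warn about unknown keys, so an existing override such as `argo-cd.istio.enabled: true` is silently ignored after the upgrade and, with the new default `istio.enabled: false`, the VirtualService and AuthorizationPolicy simply stop rendering. That fails closed, but nothing on the page tells an operator why ArgoCD became unreachable. A one-line comment above the new `istio:` block in values.yaml would cover it: `# istio.* replaces argo-cd.istio.* (moved in 0.6.1); overrides left under the old key are ignored`.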
@@ -7,7 +7,7 @@ metadata: {{ include "kubezero-lib.labels" . | indent 4 }} spec: gateways: - - {{ index .Values "argo-cd" "istio" "gateway" }} + - {{ .Values.istio.gateway }} hosts: - {{ index .Values "argo-cd" "server" "config" "url" }} http: @@ -18,13 +18,13 @@ spec: prefix: argocd-client route: - destination: - host: {{ .Release.Name }}-argocd-server + host: argocd-server port: number: 443 - name: http route: - destination: - host: {{ .Release.Name }}-argocd-server + host: argocd-server port: number: 80 {{- end }} diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml index 5191c63..e128ece 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argo-cd/values.yaml @@ -44,7 +44,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -62,7 +61,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -105,7 +103,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - namespace: monitoring additionalLabels: release: metrics @@ -119,9 +116,9 @@ argo-cd: dex: enabled: false - istio: - # argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD - enabled: false - # argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to - gateway: istio-system/ingressgateway - ipBlocks: [] +istio: + # istio.enabled -- Deploy Istio VirtualService to expose ArgoCD + enabled: false + # istio.gateway -- Name of the Istio gateway to add the VirtualService to + gateway: istio-ingress/ingressgateway + ipBlocks: [] diff --git a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml index 0b29e7f..4d37b08 100644 --- a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml 
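Review bot: The two route destinations in the second istio-service.yaml hunk now point at the fixed Service name `argocd-server` instead of `{{ .Release.Name }}-argocd-server`, so the VirtualService only resolves if the argo-cd subchart really renders its server Service under exactly that name; nothing in this chart's hunks pins that (presumably a fullnameOverride or a fixed release name set elsewhere, which is not visible here), and a different release name yields a VirtualService routing to a host that does not exist. If the name is intentionally fixed, say so next to the first destination: `# argocd-server: fixed Service name of the argo-cd subchart, keep in sync with the release name used by the bootstrap`. Otherwise deriving the host from a single values key keeps the coupling explicit.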
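Review bot: Dropping `namespace: monitoring` from the three `serviceMonitor:` blocks in values.yaml (controller, repoServer, server hunks) means the ServiceMonitor objects are now created in the release namespace rather than in `monitoring`, which only keeps scraping alive if the Prometheus instance selects ServiceMonitors across namespaces; that cannot be verified from this chart. A short comment at the first `serviceMonitor:` block would capture the assumption: `# created in the release namespace; Prometheus must select ServiceMonitors cluster-wide (label release=metrics)`.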
@@ -3,7 +3,7 @@ name: kubezero-aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver type: application version: 0.3.2 -appVersion: 0.7.0 +appVersion: 0.7.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png sources: diff --git a/charts/kubezero-aws-ebs-csi-driver/README.md b/charts/kubezero-aws-ebs-csi-driver/README.md index 50a76cb..95110d4 100644 --- a/charts/kubezero-aws-ebs-csi-driver/README.md +++ b/charts/kubezero-aws-ebs-csi-driver/README.md @@ -1,6 +1,6 @@ # kubezero-aws-ebs-csi-driver -![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.0](https://img.shields.io/badge/AppVersion-0.7.0-informational?style=flat-square) +![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square) KubeZero Umbrella Chart for aws-ebs-csi-driver diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml index 856db95..1199067 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: "0.7.0" +appVersion: "0.7.1" name: aws-ebs-csi-driver description: A Helm chart for AWS EBS CSI Driver -version: 0.6.0 +version: 0.6.1 kubeVersion: ">=1.13.0-0" home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver sources: 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml index 8084d62..8967cc2 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml @@ -6,7 +6,7 @@ replicaCount: 2 image: repository: amazon/aws-ebs-csi-driver - tag: "v0.7.0" + tag: "v0.7.1" pullPolicy: IfNotPresent sidecars: diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index 2559b10..c48dfa7 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -40,10 +40,11 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | cert-manager.enabled | bool | `true` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | +| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | | | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" | +| cert-manager.podAnnotations | object | `{}` | | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml new file mode 100644 index 0000000..9380362 --- /dev/null 
+++ b/charts/kubezero-istio-ingress/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: kubezero-istio-ingress
+description: KubeZero Umbrella Chart for Istio based Ingress
+type: application
+version: 0.1.0
+appVersion: 1.8.0
+home: https://kubezero.com
+icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
+keywords:
+ - kubezero
+ - istio
+maintainers:
+ - name: Quarky9
+dependencies:
+ - name: kubezero-lib
+ version: ">= 0.1.3"
+ repository: https://zero-down-time.github.io/kubezero/
+ - name: istio-ingress
+ version: 1.1.0
+ condition: istio-ingress.enabled
+ - name: istio-private-ingress
+ version: 1.1.0
+ condition: istio-private-ingress.enabled
+kubeVersion: ">= 1.17.0"
diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md
new file mode 100644
index 0000000..0f29ec0
--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md
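Review bot: The `kubezero-lib` dependency in the new Chart.yaml is declared with the open-ended range `version: ">= 0.1.3"`, so `helm dependency update` resolves it to whatever newest version is published at https://zero-down-time.github.io/kubezero/ at build time, including a future incompatible one, while the two istio subcharts next to it are pinned to `1.1.0`. This mirrors the other KubeZero charts on the page and may be deliberate, but a bounded constraint such as `version: "~0.1.3"` (or an exact pin plus a committed Chart.lock) keeps the rendered manifests reproducible.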
@@ -0,0 +1,96 @@ +# kubezero-istio-ingress + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square) + +KubeZero Umbrella Chart for Istio based Ingress + +Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.17.0` + +| Repository | Name | Version | +|------------|------|---------| +| | istio-ingress | 1.1.0 | +| | istio-private-ingress | 1.1.0 | +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.defaultPodDisruptionBudget.enabled | bool | `false` | | +| global.hub | string | `"docker.io/istio"` | | +| global.jwtPolicy | string | `"first-party-jwt"` | | +| global.logAsJson | bool | `true` | | +| global.priorityClassName | string | `"system-cluster-critical"` | | +| global.tag | string | `"1.8.0"` | | +| istio-ingress.dnsNames | list | `[]` | | +| istio-ingress.enabled | bool | `false` | | +| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | | +| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | +| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"30080_30443"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | +| 
istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | +| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | | +| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | +| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | | +| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | +| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | +| istio-private-ingress.dnsNames | list | `[]` | | +| istio-private-ingress.enabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.env.TERMINATION_DRAIN_DURATION_SECONDS | string | `"\"60\""` | | +| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | +| 
istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"31080_31443"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | +| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"http-status"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| 
istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"256Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | |
+| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | |
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/
diff --git a/charts/kubezero-istio-ingress/README.md.gotmpl b/charts/kubezero-istio-ingress/README.md.gotmpl
new file mode 100644
index 0000000..fcd0864
--- /dev/null
+++ b/charts/kubezero-istio-ingress/README.md.gotmpl
@@ -0,0 +1,24 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+{{ template "chart.description" . }}
+
+Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+## Resources
+
+- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec
+- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml
+- https://istio.io/latest/docs/setup/install/standalone-operator/
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
new file mode 100644
index 0000000..108c8f2
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-ingress
+version: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - ingressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
new file mode 100644
index 0000000..221ee56
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt
@@ -0,0 +1,43 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minimize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label and chart structure. +- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades +and allows a bit more flexibility. +- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. + +# Port and basic host configuration + +In order to configure the Service object, the install/upgrade needs to provide a list of all ports. +In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured +both in upgrade, Gateway and VirtualService. + +The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, +Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual +config for the rest. + +All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. 
Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-ingress/README.md new file mode 100644 index 0000000..708ce7b --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/README.md 
@@ -0,0 +1,112 @@ +# istio-ingress + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) + +Helm chart for deploying Istio gateways + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| gateways.istio-ingressgateway.additionalContainers | list | `[]` | | +| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | | +| gateways.istio-ingressgateway.autoscaleMax | int | `5` | | +| gateways.istio-ingressgateway.autoscaleMin | int | `1` | | +| gateways.istio-ingressgateway.configVolumes | list | `[]` | | +| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | | +| gateways.istio-ingressgateway.customService | bool | `false` | | +| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | | +| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | | +| gateways.istio-ingressgateway.ingressPorts | list | `[]` | | +| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | | +| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | | +| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | | +| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | | +| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | | +| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | | +| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | | +| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | | +| gateways.istio-ingressgateway.nodeSelector | object | `{}` | | +| gateways.istio-ingressgateway.podAnnotations | object | `{}` | | +| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | | +| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | | +| gateways.istio-ingressgateway.ports[0].name | string | 
`"status-port"` | | +| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | +| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | +| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | +| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | +| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | +| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | +| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | +| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | +| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | +| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | +| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | +| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | +| gateways.istio-ingressgateway.tolerations | list | `[]` | | +| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | +| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | +| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | +| global.arch.amd64 | int | `2` | | +| global.arch.ppc64le | int | `2` | | +| global.arch.s390x | int | `2` | | +| global.caAddress | string | `""` | | +| global.defaultConfigVisibilitySettings | list | `[]` | | +| global.defaultPodDisruptionBudget.enabled | bool | `true` | | +| global.defaultResources.requests.cpu | string | `"10m"` | | +| global.defaultTolerations | list | `[]` | | +| global.hub | string | `"gcr.io/istio-testing"` | | +| global.imagePullPolicy | string | `""` | | +| global.imagePullSecrets | list | `[]` | | +| global.istioNamespace | string | `"istio-system"` | | +| global.jwtPolicy | string | `"third-party-jwt"` | | +| global.logAsJson | bool | `false` | | +| global.logging.level | string | `"default:info"` | | +| global.meshExpansion.enabled | bool | `false` | | +| global.meshExpansion.useILB | bool | `false` | | +| global.meshID | string | `""` | | +| global.mountMtlsCerts | bool | `false` | | +| global.multiCluster.clusterName | string | `""` | | +| global.multiCluster.enabled | bool | `false` | | +| global.multiCluster.globalDomainSuffix | string | `"global"` | | +| global.multiCluster.includeEnvoyFilter | bool | `true` | | +| global.network | string | `""` | | +| global.pilotCertProvider | string | `"istiod"` | | +| global.priorityClassName | string | `""` | | +| global.proxy.clusterDomain | string | `"cluster.local"` | | +| 
global.proxy.componentLogLevel | string | `"misc:error"` | | +| global.proxy.enableCoreDump | bool | `false` | | +| global.proxy.image | string | `"proxyv2"` | | +| global.proxy.logLevel | string | `"warning"` | | +| global.sds.token.aud | string | `"istio-ca"` | | +| global.sts.servicePort | int | `0` | | +| global.tag | string | `"latest"` | | +| meshConfig.defaultConfig.proxyMetadata | object | `{}` | | +| meshConfig.defaultConfig.tracing | string | `nil` | | +| meshConfig.enablePrometheusMerge | bool | `true` | | +| ownerName | string | `""` | | +| revision | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl new file mode 100644 index 0000000..400ff54 --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl 
@@ -0,0 +1,93 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{- define "nodeaffinity" }} + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml new file mode 100644 index 0000000..0b339dc --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml 
@@ -0,0 +1,27 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ maxReplicas: {{ $gateway.autoscaleMax }}
+ minReplicas: {{ $gateway.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
new file mode 100644
index 0000000..b69da65
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml
@@ -0,0 +1,345 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ 
$gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - 
--proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + - --serviceCluster + - {{ $gateway.name | default "istio-ingressgateway" }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: 
metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name | default "istio-ingressgateway" }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: TRUST_DOMAIN + value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: {{ .Values.global.network }} + {{- end }} +{{- if $gateway.podAnnotations }} + - name: "ISTIO_METAJSON_ANNOTATIONS" + value: | +{{ toJson $gateway.podAnnotations | indent 16}} +{{ end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - 
name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + - name: gatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: gatewaysdsudspath + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: + {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml new file mode 100644 index 0000000..67c164b --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/meshexpansion.yaml 
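Review bot: In the `range $gateway.env` loop the value is emitted unquoted, `value: {{ $val }}`, while the `proxyMetadata` loop a few lines below writes `value: "{{ $value }}"`; an env entry whose value is `true` or a bare number therefore renders as a YAML bool/int and the API server rejects the Deployment, because container env values must be strings. Writing `value: {{ $val | quote }}` makes the two loops consistent and removes that failure mode. Separately, the init container behind `global.proxy.enableCoreDump` runs `privileged: true` as uid 0 and writes `kernel.core_pattern`, a node-wide sysctl; the README lists the default as `false`, so a template comment such as `# enableCoreDump: privileged root init container that changes a node-wide sysctl - leave off outside debugging` would make the cost of flipping it visible. This template looks vendored from the upstream istio gateway chart, so the change may be better carried as a patch on top of it.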
@@ -0,0 +1,79 @@
+{{- if .Values.global.meshExpansion.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: meshexpansion-gateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 15012
+ protocol: TCP
+ name: tcp-istiod
+ hosts:
+ - "*"
+ - port:
+ number: 15017
+ protocol: TCP
+ name: tcp-istiodwebhook
+ hosts:
+ - "*"
+---
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-vs-istiod
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+spec:
+ hosts:
+ - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ gateways:
+ - meshexpansion-gateway
+ tcp:
+ - match:
+ - port: 15012
+ route:
+ - destination:
+ host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 15012
+ - match:
+ - port: 15017
+ route:
+ - destination:
+ host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ port:
+ number: 443
+---
+
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: meshexpansion-dr-istiod
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+spec:
+ host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }}
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 15012
+ tls:
+ mode: DISABLE
+ - port:
+ number: 15017
+ tls:
+ mode: DISABLE
+
+{{- end }}
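Review bot: The VirtualService's second route and the DestinationRule address `istiod.{{ .Release.Namespace }}.svc...`, whereas the `hosts:` entry and the 15012 route use `istiod.{{ .Values.global.istioNamespace }}.svc...`; since NOTES.txt in this same commit recommends installing the gateway in its own namespace, istiod does not exist under `.Release.Namespace` there, so the 15017 webhook route and the `tls: mode: DISABLE` policy point at a host that never resolves. Both `host:` lines should read `host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }}`, matching the `hosts:` entry. The whole file is gated on `global.meshExpansion.enabled`, which the README lists as `false`, so the defect stays latent until mesh expansion is switched on; when it is, the Gateway publishes istiod's 15012/15017 ports on `hosts: "*"`, which is worth stating in the chart docs so operators size the exposure of that listener deliberately.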
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..d0b480d
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml
new file mode 100644
index 0000000..230e344
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/preconfigured.yaml
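Review bot: `minAvailable: 1` together with the chart defaults shown in the README (`autoscaleMin` `1`, `defaultPodDisruptionBudget.enabled` `true`) produces a budget that forbids every voluntary eviction while a single gateway replica is running, so `kubectl drain` of the node hosting it blocks until someone deletes the pod by hand. Either run at least two replicas wherever the budget is enabled, or express it as `maxUnavailable` so one-replica deployments remain drainable; at minimum a comment above the field, `# with a single replica this blocks node drains - raise autoscaleMin or disable the budget`, would make the trade-off visible. The template appears vendored from the upstream istio gateway chart, so the override probably belongs in the kubezero parent values rather than in this file.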
@@ -0,0 +1,78 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +{{- if .Values.global.multiCluster.includeEnvoyFilter }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + portNumber: 15443 + filterChain: + filter: + name: "envoy.filters.network.sni_cluster" + patch: + operation: INSERT_AFTER + value: + name: "envoy.filters.network.tcp_cluster_rewrite" + typed_config: + "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" + cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +{{- end }} +## To ensure all traffic to globalDomainSuffix is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ 
.Release.Name }}
+spec:
+ host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
new file mode 100644
index 0000000..7d93172
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
new file mode 100644
index 0000000..81625cb
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml
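Review bot: The Role grants `get`, `watch` and `list` on every Secret in `.Release.Namespace`, and rolebindings.yaml in the same commit binds it to the `-service-account` the gateway pod runs under; SDS needs this for the TLS secrets it serves, but it also makes any other Secret placed in that namespace readable by the gateway workload. The namespace should therefore be dedicated to the gateway, which NOTES.txt already recommends, and a comment on the rule would make the scope explicit, e.g. `# SDS: lets the gateway read every Secret in this namespace - keep the namespace dedicated to the gateway`. The file appears vendored from the upstream istio gateway chart, so the comment may belong in the kubezero parent chart's documentation instead.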
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+---
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
new file mode 100644
index 0000000..237be95
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml
@@ -0,0 +1,55 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $gateway.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+ loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+ type: {{ $gateway.type }}
+ selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+ ports:
+
+ {{- range $key, $val := $gateway.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+
+ {{- if $.Values.global.meshExpansion.enabled }}
+ {{- range $key, $val := $gateway.meshExpansionPorts }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{ range $app := $gateway.ingressPorts }}
+ -
+ port: {{ $app.port }}
+ name: {{ $app.name }}
+ {{- end }}
+---
+{{ end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
new file mode 100644
index 0000000..4b0ab1a
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml
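Review bot: `externalTrafficPolicy` is only rendered when set, and the chart's values.yaml defaults it to `""`, so the Service falls back to the Kubernetes default `Cluster`, which SNATs inbound connections on their way to the gateway pod; any source-IP based control at the gateway (IP allow-lists in an AuthorizationPolicy, access-log forensics) then sees node addresses rather than clients. Together with the empty `loadBalancerSourceRanges` default this renders a fully open `LoadBalancer` with no client attribution, which may be intended for a public ingress but should be a deliberate choice rather than an accident of an empty string. I would either default `externalTrafficPolicy: Local` in values.yaml or document the trade-off there: `# Leave empty only if nothing at the gateway relies on the client source IP; "Local" preserves it.` Note that the status port 15021 and the SNI port 15443 are rendered onto the same external Service, so they share whatever exposure the load balancer has.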
@@ -0,0 +1,18 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
new file mode 100644
index 0000000..9f4dee6
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml
@@ -0,0 +1,336 @@
+# A-la-carte istio ingress gateway.
+# Must be installed in a separate namespace, to minimize access to secrets.
+
+gateways:
+ istio-ingressgateway:
+ name: istio-ingressgateway
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ protocol: TCP
+ - port: 80
+ targetPort: 8080
+ name: http2
+ protocol: TCP
+ - port: 443
+ targetPort: 8443
+ name: https
+ protocol: TCP
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+ protocol: TCP
+
+ # Scalability tunning
+ # replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+
+ cpu:
+ targetAverageUtilization: 80
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ serviceAnnotations: {}
+
+ # Enable cross-cluster access using SNI matching
+ zvpn:
+ enabled: false
+ suffix: global
+
+ # To generate an internal load balancer:
+ # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
+ #serviceAnnotations:
+ # cloud.google.com/load-balancer-type: "internal"
+
+ podAnnotations: {}
+ type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+
+ #### MESH EXPANSION PORTS ########
+ # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+ # to pilot/citadel if global.meshExpansion settings are enabled.
+ # Delete these ports if mesh expansion is not enabled, to avoid
+ # exposing unnecessary ports on the web.
+ # You can remove these ports if you are not using mesh expansion
+ meshExpansionPorts:
+ - port: 15012
+ targetPort: 15012
+ name: tcp-istiod
+ ####### end MESH EXPANSION PORTS ######
+
+ ##############
+ secretVolumes:
+ - name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ mountPath: /etc/istio/ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ mountPath: /etc/istio/ingressgateway-ca-certs
+
+ customService: false
+ externalTrafficPolicy: ""
+
+ ingressPorts: []
+ additionalContainers: []
+ configVolumes: []
+
+ ### Advanced options ############
+ env:
+ # A gateway with this mode ensures that pilot generates an additional
+ # set of clusters for internal services but without Istio mTLS, to
+ # enable cross cluster routing.
+ ISTIO_META_ROUTER_MODE: "sni-dnat"
+
+ nodeSelector: {}
+ tolerations: []
+
+ # Specify the pod anti-affinity that allows you to constrain which nodes
+ # your pod is eligible to be scheduled based on labels on pods that are
+ # already running on the node rather than based on labels on nodes.
+ # There are currently two types of anti-affinity:
+ # "requiredDuringSchedulingIgnoredDuringExecution"
+ # "preferredDuringSchedulingIgnoredDuringExecution"
+ # which denote "hard" vs. "soft" requirements, you can define your values
+ # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+ # correspondingly.
+ # For example:
+ # podAntiAffinityLabelSelector:
+ # - key: security
+ # operator: In
+ # values: S1,S2
+ # topologyKey: "kubernetes.io/hostname"
+ # This pod anti-affinity rule says that the pod requires not to be scheduled
+ # onto a node if that node is already running a pod with label having key
+ # "security" and value "S1".
+ podAntiAffinityLabelSelector: []
+ podAntiAffinityTermLabelSelector: []
+
+ # whether to run the gateway in a privileged container
+ runAsRoot: false
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+ # set the default set of namespaces to which services, service entries, virtual services, destination
+ # rules should be exported to. Currently only one value can be provided in this list. This value
+ # should be one of the following two options:
+ # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+ # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+ defaultConfigVisibilitySettings: []
+
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Default node tolerations to be applied to all deployments so that all pods can be
+ # scheduled to a particular nodes with matching taints. Each component can overwrite
+ # these default values by adding its tolerations block in the relevant section below
+ # and setting the desired values.
+ # Configure this field in case that all pods of Istio control plane are expected to
+ # be scheduled to particular nodes with specified taints.
+ defaultTolerations: []
+
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: gcr.io/istio-testing
+
+ # Default tag for Istio images.
+ tag: latest
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+
+ # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
+ # 0 - Never scheduled
+ # 1 - Least preferred
+ # 2 - No preference
+ # 3 - Most preferred
+ arch:
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ # If set to true, the pilot and citadel mtls will be exposed on the
+ # ingress gateway
+ meshExpansion:
+ enabled: false
+ # If set to true, the pilot and citadel mtls and the plain text pilot ports
+ # will be exposed on an internal gateway
+ useILB: false
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ proxy:
+ image: proxyv2
+
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ caAddress: ""
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique.
For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+ # The suffix for global service names
+ globalDomainSuffix: "global"
+ # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
+ includeEnvoyFilter: true
+
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+
+ # Deprecated, use meshConfig.trustDomain
+# trustDomain: ""
+
+meshConfig:
+ enablePrometheusMerge: true
+# trustDomain: ""
+ defaultConfig:
+ proxyMetadata: {}
+ tracing:
+ # tlsSettings:
+ # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+ # privateKey: # example: /etc/istio/tracer/key.pem
+ # caCertificates: # example: /etc/istio/tracer/root-cert.pem
+ # sni: # example: tracer.somedomain
+ # subjectAltNames: []
+ # - tracer.somedomain
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
new file mode 100644
index 0000000..2cd775d
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-private-ingress
+version: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - ingressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt
new file mode 100644
index 0000000..221ee56
--- /dev/null
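Review bot: `hub: gcr.io/istio-testing` together with `tag: latest` means the gateway's `proxyv2` image floats on a development registry unless the parent chart overrides both; the comments in this same file say that dev builds live on gcr.io and releases on Docker Hub. For the component that terminates external TLS this is a supply-chain weakness: the image can change underneath you on any pod restart and is not a released build. I would pin `hub: docker.io/istio` and `tag:` to the Istio release this chart tracks (or set `global.proxy.image` to a digest-qualified reference), and add next to them `# Always pin to a released tag or digest; never ship this chart with a floating tag.` The kubezero-istio-ingress parent values may already override these, but the subchart default should still be safe on its own.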
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt 
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8.
Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md
new file mode 100644
index 0000000..708ce7b
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md
@@ -0,0 +1,112 @@
+# istio-ingress
+
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
+
+Helm chart for deploying Istio gateways
+
+## Source Code
+
+*
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| gateways.istio-ingressgateway.additionalContainers | list | `[]` | |
+| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | |
+| gateways.istio-ingressgateway.autoscaleMax | int | `5` | |
+| gateways.istio-ingressgateway.autoscaleMin | int | `1` | |
+| gateways.istio-ingressgateway.configVolumes | list | `[]` | |
+| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | |
+| gateways.istio-ingressgateway.customService | bool | `false` | |
+| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | |
+| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | |
+| gateways.istio-ingressgateway.ingressPorts | list | `[]` | |
+| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | |
+| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | |
+| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | |
+| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | |
+| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | |
+| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | |
+| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | |
+| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | |
+| gateways.istio-ingressgateway.nodeSelector | object | `{}` | |
+| gateways.istio-ingressgateway.podAnnotations | object | `{}` | |
+| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | |
+| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | |
+| gateways.istio-ingressgateway.ports[0].name | string |
`"status-port"` | | +| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | +| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | +| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | +| gateways.istio-ingressgateway.ports[1].port | int | `80` | | +| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | +| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | +| gateways.istio-ingressgateway.ports[2].port | int | `443` | | +| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | +| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | +| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | +| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | +| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | +| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | +| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | +| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | +| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | +| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | +| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | +| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | +| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | +| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | +| gateways.istio-ingressgateway.tolerations | list | `[]` | | +| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | +| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | +| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | +| global.arch.amd64 | int | `2` | | +| global.arch.ppc64le | int | `2` | | +| global.arch.s390x | int | `2` | | +| global.caAddress | string | `""` | | +| global.defaultConfigVisibilitySettings | list | `[]` | | +| global.defaultPodDisruptionBudget.enabled | bool | `true` | | +| global.defaultResources.requests.cpu | string | `"10m"` | | +| global.defaultTolerations | list | `[]` | | +| global.hub | string | `"gcr.io/istio-testing"` | | +| global.imagePullPolicy | string | `""` | | +| global.imagePullSecrets | list | `[]` | | +| global.istioNamespace | string | `"istio-system"` | | +| global.jwtPolicy | string | `"third-party-jwt"` | | +| global.logAsJson | bool | `false` | | +| global.logging.level | string | `"default:info"` | | +| global.meshExpansion.enabled | bool | `false` | | +| global.meshExpansion.useILB | bool | `false` | | +| global.meshID | string | `""` | | +| global.mountMtlsCerts | bool | `false` | | +| global.multiCluster.clusterName | string | `""` | | +| global.multiCluster.enabled | bool | `false` | | +| global.multiCluster.globalDomainSuffix | string | `"global"` | | +| global.multiCluster.includeEnvoyFilter | bool | `true` | | +| global.network | string | `""` | | +| global.pilotCertProvider | string | `"istiod"` | | +| global.priorityClassName | string | `""` | | +| global.proxy.clusterDomain | string | `"cluster.local"` | | +| 
global.proxy.componentLogLevel | string | `"misc:error"` | |
+| global.proxy.enableCoreDump | bool | `false` | |
+| global.proxy.image | string | `"proxyv2"` | |
+| global.proxy.logLevel | string | `"warning"` | |
+| global.sds.token.aud | string | `"istio-ca"` | |
+| global.sts.servicePort | int | `0` | |
+| global.tag | string | `"latest"` | |
+| meshConfig.defaultConfig.proxyMetadata | object | `{}` | |
+| meshConfig.defaultConfig.tracing | string | `nil` | |
+| meshConfig.enablePrometheusMerge | bool | `true` | |
+| ownerName | string | `""` | |
+| revision | string | `""` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
new file mode 100644
index 0000000..400ff54
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl
@@ -0,0 +1,93 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "nodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if .podAntiAffinityTermLabelSelector }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" .
}}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
new file mode 100644
index 0000000..0b339dc
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml
@@ -0,0 +1,27 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ maxReplicas: {{ $gateway.autoscaleMax }}
+ minReplicas: {{ $gateway.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
new file mode 100644
index 0000000..b69da65
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml
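Review bot: The HPA is written against `autoscaling/v2beta1`, a deprecated API whose `targetAverageUtilization` field does not exist in `v2beta2`/`v2`, so this template will stop applying the moment the target cluster drops the beta1 API and the gateway silently loses autoscaling. Moving to `v2beta2` is a four-line change to the `apiVersion` and the `resource:` target shown below; whether `v2beta2` is available depends on the Kubernetes version the chart targets, which the chart does not state.
```yaml
apiVersion: autoscaling/v2beta2
# … unchanged: kind, metadata, spec.maxReplicas / minReplicas / scaleTargetRef …
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
```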
@@ -0,0 +1,345 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ 
$gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - 
--proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + - --serviceCluster + - {{ $gateway.name | default "istio-ingressgateway" }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: 
metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name | default "istio-ingressgateway" }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + - name: TRUST_DOMAIN + value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val }} + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{ $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: {{ .Values.global.network }} + {{- end }} +{{- if $gateway.podAnnotations }} + - name: "ISTIO_METAJSON_ANNOTATIONS" + value: | +{{ toJson $gateway.podAnnotations | indent 16}} +{{ end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - 
name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + - name: gatewaysdsudspath + mountPath: /var/run/ingress_gateway + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: gatewaysdsudspath + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: + {{- include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | indent 6 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml new file mode 100644 index 0000000..67c164b --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/meshexpansion.yaml 
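Review bot: The `mountMtlsCerts` volume hard-codes `secretName: istio.istio-ingressgateway-service-account`, while `serviceAccountName` earlier in this hunk is derived from `$gateway.name | default "istio-ingressgateway"`; because the volume is `optional: true`, an overridden `gateways.istio-ingressgateway.name` makes the cert mount come up silently empty instead of failing. Use `secretName: istio.{{ $gateway.name | default "istio-ingressgateway" }}-service-account` so both stay in step. Separately, `{{- range $key, $val := $gateway.env }}` emits `value: {{ $val }}` unquoted whereas the `proxyMetadata` loop quotes its values; an env value YAML parses as a number or boolean is rejected by the API server, so `value: {{ $val | quote }}` is the safer form. The privileged `enable-core-dump` init container is only rendered when `global.proxy.enableCoreDump` is set, which values.yaml defaults to false; that default should stay for an internet-facing gateway.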
@@ -0,0 +1,79 @@ +{{- if .Values.global.meshExpansion.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: meshexpansion-gateway + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 15012 + protocol: TCP + name: tcp-istiod + hosts: + - "*" + - port: + number: 15017 + protocol: TCP + name: tcp-istiodwebhook + hosts: + - "*" +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: meshexpansion-vs-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + hosts: + - istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + gateways: + - meshexpansion-gateway + tcp: + - match: + - port: 15012 + route: + - destination: + host: istiod.{{ .Values.global.istioNamespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 15012 + - match: + - port: 15017 + route: + - destination: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + port: + number: 443 +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: meshexpansion-dr-istiod + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} +spec: + host: istiod.{{ .Release.Namespace }}.svc.{{ .Values.global.proxy.clusterDomain }} + trafficPolicy: + portLevelSettings: + - port: + number: 15012 + tls: + mode: DISABLE + - port: + number: 15017 + tls: + mode: DISABLE + +{{- end }} 
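Review bot: The VirtualService routes port 15012 to `istiod.{{ .Values.global.istioNamespace }}` but port 15017 and the DestinationRule host use `istiod.{{ .Release.Namespace }}`; values.yaml documents `global.istioNamespace` as the place "Used to locate istiod" and states this chart must be installed in its own namespace, so the 15017 route and the DestinationRule would target a Service that does not exist there. Use `.Values.global.istioNamespace` in all three `host:` lines. Note also that the Gateway opens 15012 and 15017 to `hosts: "*"` and the DestinationRule sets TLS `mode: DISABLE` for both; this is gated on `global.meshExpansion.enabled` (default false) and should remain so.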
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..d0b480d
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml
new file mode 100644
index 0000000..230e344
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/preconfigured.yaml
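Review bot: `minAvailable: 1` combined with the chart defaults `autoscaleMin: 1` (and the commented `replicaCount: 1`) means a single-replica gateway can never be voluntarily evicted, so node drains block until the PDB is removed or the deployment is scaled up. Either render the PDB only when the configured minimum replica count is above one, or express the budget as `maxUnavailable: 1`, which stays satisfiable at a single replica; whichever is chosen deserves a comment above `spec:` explaining the trade-off, since `defaultPodDisruptionBudget.enabled` is true by default.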
@@ -0,0 +1,78 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if .Values.global.multiCluster.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}" + port: + name: tls + number: 15443 + protocol: TLS + tls: + mode: AUTO_PASSTHROUGH +--- +{{- if .Values.global.multiCluster.includeEnvoyFilter }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + portNumber: 15443 + filterChain: + filter: + name: "envoy.filters.network.sni_cluster" + patch: + operation: INSERT_AFTER + value: + name: "envoy.filters.network.tcp_cluster_rewrite" + typed_config: + "@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite" + cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$" + cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}" +--- +{{- end }} +## To ensure all traffic to globalDomainSuffix is using mTLS +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-multicluster-ingressgateway + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ 
.Release.Name }}
+spec:
+ host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
+ {{- if .Values.global.defaultConfigVisibilitySettings }}
+ exportTo:
+ - '*'
+ {{- end }}
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
new file mode 100644
index 0000000..7d93172
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
new file mode 100644
index 0000000..81625cb
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml
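Review bot: `exportTo: - '*'` is emitted whenever `global.defaultConfigVisibilitySettings` is non-empty, regardless of its contents; values.yaml says the list may hold either `*` or `.`, so configuring `.` still exports this DestinationRule to every namespace. Render the configured value instead: keep `exportTo:` and replace the literal with `{{- toYaml .Values.global.defaultConfigVisibilitySettings | nindent N }}`, with N matching the surrounding indent. The EnvoyFilter's `cluster_pattern` also interpolates `globalDomainSuffix` into a regex unescaped; with the default `global` this is harmless, but a suffix containing regex metacharacters would silently widen the match.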
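Review bot: The Role grants `get`, `watch` and `list` on every Secret in the release namespace without a `resourceNames` restriction, and nothing in this file records why; the only rationale is the values.yaml header ("Must be installed in a separate namespace, to minimize access to secrets"). A comment above `rules:` would keep that constraint visible where the privilege is granted, e.g. `# SDS needs to read the ingress TLS Secrets; list/watch cannot usefully be scoped by resourceNames, so this is namespace-wide — keep this namespace dedicated to the gateway.`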
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+---
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
new file mode 100644
index 0000000..237be95
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml
@@ -0,0 +1,55 @@ +{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if not $gateway.customService }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := $gateway.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if $gateway.loadBalancerIP }} + loadBalancerIP: "{{ $gateway.loadBalancerIP }}" +{{- end }} +{{- if $gateway.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $gateway.externalTrafficPolicy }} + externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} +{{- end }} + type: {{ $gateway.type }} + selector: +{{ $gateway.labels | toYaml | indent 4 }} + ports: + + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + + {{- if $.Values.global.meshExpansion.enabled }} + {{- range $key, $val := $gateway.meshExpansionPorts }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} + {{ range $app := $gateway.ingressPorts }} + - + port: {{ $app.port }} + name: {{ $app.name }} + {{- end }} +--- +{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml new file mode 100644 index 0000000..4b0ab1a --- /dev/null +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml 
@@ -0,0 +1,18 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
new file mode 100644
index 0000000..9f4dee6
--- /dev/null
+++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml
@@ -0,0 +1,336 @@ +# A-la-carte istio ingress gateway. +# Must be installed in a separate namespace, to minimize access to secrets. + +gateways: + istio-ingressgateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + protocol: TCP + + # Scalability tunning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + + cpu: + targetAverageUtilization: 80 + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + serviceAnnotations: {} + + # Enable cross-cluster access using SNI matching + zvpn: + enabled: false + suffix: global + + # To generate an internal load balancer: + # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal + #serviceAnnotations: + # cloud.google.com/load-balancer-type: "internal" + + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + + #### MESH EXPANSION PORTS ######## + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. + # Delete these ports if mesh expansion is not enabled, to avoid + # exposing unnecessary ports on the web. 
+ # You can remove these ports if you are not using mesh expansion + meshExpansionPorts: + - port: 15012 + targetPort: 15012 + name: tcp-istiod + ####### end MESH EXPANSION PORTS ###### + + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + customService: false + externalTrafficPolicy: "" + + ingressPorts: [] + additionalContainers: [] + configVolumes: [] + + ### Advanced options ############ + env: + # A gateway with this mode ensures that pilot generates an additional + # set of clusters for internal services but without Istio mTLS, to + # enable cross cluster routing. + ISTIO_META_ROUTER_MODE: "sni-dnat" + + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". 
+ podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. 
+ # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-testing + + # Default tag for Istio images. + tag: latest + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: + enabled: false + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + useILB: false + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. 
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. 
For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. 
+ # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Deprecated, use meshConfig.trustDomain +# trustDomain: "" + +meshConfig: + enablePrometheusMerge: true +# trustDomain: "" + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/charts/kubezero-istio/templates/envoyfilter.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml similarity index 89% rename from charts/kubezero-istio/templates/envoyfilter.yaml rename to charts/kubezero-istio-ingress/templates/envoyfilter.yaml index ef12ebd..f11e290 100644 --- a/charts/kubezero-istio/templates/envoyfilter.yaml +++ b/charts/kubezero-istio-ingress/templates/envoyfilter.yaml @@ -1,9 +1,9 @@ -{{- if .Values.ingress.public.enabled }} +{{- if index .Values "istio-ingress" "enabled" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: ingressgateway-listener-tcp-keepalive - namespace: istio-system + namespace: {{ .Release.Namespace }} spec: workloadSelector: labels: 
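Review bot: The image defaults `hub: gcr.io/istio-testing` and `tag: latest` contradict the comment directly above them ("Releases are published to docker hub under 'istio' project. Dev builds from prow are on gcr.io"): an install that does not override them pulls mutable development builds for an internet-facing gateway, and with `imagePullPolicy: ""` the `latest` tag resolves to Always, so the running image can change on every restart. Pin the defaults to a release, e.g. `hub: docker.io/istio` and `tag: <pinned istio release>`. Also, for a chart named istio-private-ingress, `type: LoadBalancer` with `loadBalancerSourceRanges: []` and `serviceAnnotations: {}` yields a publicly reachable load balancer by default, and the internal-LB annotation appears only as a commented example; either default it or state in the file header that callers must set it.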
@@ -33,13 +33,13 @@ spec:
 state: STATE_LISTENING
 {{- end }}
 
-{{- if .Values.ingress.private.enabled }}
+{{- if index .Values "istio-private-ingress" "enabled" }}
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
 name: private-ingressgateway-listener-tcp-keepalive
- namespace: istio-system
+ namespace: {{ .Release.Namespace }}
 spec:
 workloadSelector:
 labels:
diff --git a/charts/kubezero-istio/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
similarity index 63%
rename from charts/kubezero-istio/templates/ingress-certificate.yaml
rename to charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
index b8a3277..5ea0ad0 100644
--- a/charts/kubezero-istio/templates/ingress-certificate.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
@@ -1,9 +1,9 @@
-{{- if .Values.ingress.dnsNames }}
+{{- if index .Values "istio-ingress" "dnsNames" }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: public-ingress-cert
- namespace: istio-system
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
@@ -12,5 +12,5 @@ spec:
 name: letsencrypt-dns-prod
 kind: ClusterIssuer
 dnsNames:
-{{ toYaml .Values.ingress.dnsNames | indent 4 }}
+{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }}
 {{- end }}
diff --git a/charts/kubezero-istio/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
similarity index 64%
rename from charts/kubezero-istio/templates/ingress-gateway.yaml
rename to charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
index c2b64b6..319ead6 100644
--- a/charts/kubezero-istio/templates/ingress-gateway.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml
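Review bot: The Certificate is now gated on and populated from `istio-ingress.dnsNames` only, while ingress-gateway.yaml (`@@ -23,20 +23,21 @@` and the private servers that follow) still points the private gateway's TLS servers at `credentialName: public-ingress-cert` with hosts taken from `istio-private-ingress.dnsNames`. A private-only deployment therefore references a secret that is never created, and a deployment whose private names differ from the public ones presents a certificate whose SANs do not cover the private hosts, which clients report as a hostname mismatch rather than as a configuration error. The simplest repair that keeps one certificate is to gate on `{{- if or (index .Values "istio-ingress" "dnsNames") (index .Values "istio-private-ingress" "dnsNames") }}` and emit `{{ toYaml (concat (index .Values "istio-ingress" "dnsNames" | default list) (index .Values "istio-private-ingress" "dnsNames" | default list)) | indent 4 }}`; a separate Certificate and `credentialName` for the private gateway would additionally keep internal hostnames out of the publicly logged certificate. The Certificate's `secretName` sits outside the hunk, so I could not confirm it is `public-ingress-cert`; worth checking at the same time.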
@@ -1,9 +1,9 @@
-{{- if .Values.ingress.public.enabled }}
+{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }}
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
 name: ingressgateway
- namespace: istio-system
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
@@ -15,7 +15,7 @@ spec:
 name: http
 protocol: HTTP2
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
 tls:
 httpsRedirect: true
 - port:
@@ -23,20 +23,21 @@ spec:
 name: https
 protocol: HTTPS
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }}
 tls:
 mode: SIMPLE
 privateKey: /etc/istio/ingressgateway-certs/tls.key
 serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
 credentialName: public-ingress-cert
 {{- end }}
-{{- if .Values.ingress.private.enabled }}
+
+{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }}
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
 name: private-ingressgateway
- namespace: istio-system
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "kubezero-lib.labels" . | indent 4 }}
 spec:
@@ -48,7 +49,7 @@ spec:
 name: http
 protocol: HTTP2
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 tls:
 httpsRedirect: true
 - port:
@@ -56,7 +57,7 @@ spec:
 name: https
 protocol: HTTPS
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 tls:
 mode: SIMPLE
 privateKey: /etc/istio/ingressgateway-certs/tls.key
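Review bot: The lookup `index .Values "istio-private-ingress" "dnsNames"` is repeated for every server of the private Gateway (here and again in `@@ -67,19 +68,19 @@` and `@@ -90,11 +91,11 @@`), and the public Gateway repeats its own lookup three times. Binding the section once under each `{{- if ... }}` guard, `{{- $private := index .Values "istio-private-ingress" }}` followed by `{{- toYaml $private.dnsNames | nindent 4 }}` at each use, leaves one place to touch the next time the values layout moves, which this commit shows it does. A point of style only; the rendered manifests are unchanged.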
@@ -67,19 +68,19 @@ spec:
 name: amqp
 protocol: TCP
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 - port:
 number: 5671
 name: amqps
 protocol: TCP
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 - port:
 number: 24224
 name: fluentd-forward
 protocol: TLS
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 tls:
 mode: SIMPLE
 privateKey: /etc/istio/ingressgateway-certs/tls.key
@@ -90,11 +91,11 @@ spec:
 name: redis
 protocol: TCP
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 - port:
 number: 6380
 name: redis-1
 protocol: TCP
 hosts:
- {{- toYaml .Values.ingress.dnsNames | nindent 4 }}
+ {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }}
 {{- end }}
diff --git a/charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml b/charts/kubezero-istio-ingress/templates/namespace.yaml
similarity index 50%
rename from charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml
rename to charts/kubezero-istio-ingress/templates/namespace.yaml
index 31dc5aa..00d40d7 100644
--- a/charts/kubezero-istio/charts/istio-operator/templates/namespace.yaml
+++ b/charts/kubezero-istio-ingress/templates/namespace.yaml
@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: {{.Values.operatorNamespace}}
+ name: istio-ingress
 labels:
- istio-operator-managed: Reconcile
 istio-injection: disabled
----
+{{ include "kubezero-lib.labels" . | indent 4 }}
diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml
new file mode 100644
index 0000000..0129098
--- /dev/null
+++ b/charts/kubezero-istio-ingress/values.yaml
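Review bot: namespace.yaml hard-codes `name: istio-ingress` while every other template in this chart now uses `{{ .Release.Namespace }}` (envoyfilter.yaml, ingress-certificate.yaml, ingress-gateway.yaml), so a release installed into any other namespace creates an unused `istio-ingress` Namespace and places the gateways, filters and Certificate elsewhere, with the workload-selecting EnvoyFilters then matching nothing. Use `name: {{ .Release.Namespace }}` so the object follows the release, or drop the Namespace template and document that the installer creates the namespace. `istio-injection: disabled` is carried over without a reason, presumably because the gateway pods run the proxy themselves; a one-line comment recording that would spare the next reader a lookup.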
@@ -0,0 +1,120 @@
+# Make sure these values match kuberzero-istio !!!
+global:
+ hub: docker.io/istio
+ tag: 1.8.0
+
+ logAsJson: true
+ jwtPolicy: first-party-jwt
+
+ priorityClassName: "system-cluster-critical"
+
+ defaultPodDisruptionBudget:
+ enabled: false
+
+
+istio-ingress:
+ enabled: false
+
+ gateways:
+ istio-ingressgateway:
+ autoscaleEnabled: false
+ replicaCount: 1
+ resources:
+ requests:
+ memory: 64Mi
+ limits:
+ # cpu: 100m
+ memory: 256Mi
+ externalTrafficPolicy: Local
+ podAntiAffinityLabelSelector:
+ - key: app
+ operator: In
+ topologyKey: kubernetes.io/hostname
+ values: istio-ingressgateway
+ type: NodePort
+ env:
+ TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
+ # ISTIO_META_HTTP10: '"1"'
+
+ # The node selector is normally the list of nodeports, see CloudBender
+ nodeSelector:
+ node.kubernetes.io/ingress.public: "30080_30443"
+ ports:
+ - name: http-status
+ port: 15021
+ nodePort: 30021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 30080
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 30443
+
+ dnsNames: []
+# - '*.example.com'
+
+istio-private-ingress:
+ enabled: false
+
+ gateways:
+ istio-ingressgateway:
+ # name and labels make the ingress private
+ name: istio-private-ingressgateway
+ labels:
+ app: istio-private-ingressgateway
+ istio: private-ingressgateway
+
+ autoscaleEnabled: false
+ replicaCount: 1
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ # cpu: 100m
+ memory: 256Mi
+ externalTrafficPolicy: Local
+ podAntiAffinityLabelSelector:
+ - key: app
+ operator: In
+ topologyKey: kubernetes.io/hostname
+ values: istio-private-ingressgateway
+ type: NodePort
+ env:
+ TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
+ # ISTIO_META_HTTP10: '"1"'
+
+ nodeSelector:
+ node.kubernetes.io/ingress.private: "31080_31443"
+ #nodeSelector: "31080_31443_31671_31672_31224"
+
+ ports:
+ - name: http-status
+ port: 15021
+ nodePort: 31021
+ - name: http2
+ port: 80
+ targetPort: 8080
+ nodePort: 31080
+ - name: https
+ port: 443
+ targetPort: 8443
+ nodePort: 31443
+ #- name: fluentd-forward
+ # port: 24224
+ # nodePort: 31224
+ #- name: amqps
+ # port: 5671
+ # nodePort: 31671
+ #- name: amqp
+ # port: 5672
+ # nodePort: 31672
+ #- name: redis
+ # port: 6379
+ # nodePort: 31379
+
+ dnsNames: []
+# - '*.example.com'
+
diff --git a/charts/kubezero-istio/.gitignore b/charts/kubezero-istio/.gitignore
index 56f8b3d..b4a6b6b 100644
--- a/charts/kubezero-istio/.gitignore
+++ b/charts/kubezero-istio/.gitignore
@@ -1,2 +1,2 @@
 istioctl
-istio-*
+istio-?.?.?
diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml
index c88751d..183d4cb 100644
--- a/charts/kubezero-istio/Chart.yaml
+++ b/charts/kubezero-istio/Chart.yaml
@@ -15,6 +15,8 @@ dependencies:
 - name: kubezero-lib
 version: ">= 0.1.3"
 repository: https://zero-down-time.github.io/kubezero/
- - name: istio-operator
- version: ">= 1.7"
-kubeVersion: ">= 1.16.0"
+ - name: base
+ version: 1.1.0
+ - name: istio-discovery
+ version: 1.2.0
+kubeVersion: ">= 1.17.0"
diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md
index 3fd2b38..5bcbce4 100644
--- a/charts/kubezero-istio/README.md
+++ b/charts/kubezero-istio/README.md
@@ -4,7 +4,7 @@
 KubeZero Umbrella Chart for Istio
-Installs Istio Operator and KubeZero Istio profile
+Installs the Istio control plane
 **Homepage:**
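Review bot: `global.jwtPolicy: first-party-jwt` selects the legacy mode in which the gateway proxies authenticate to the control plane with the default-mounted service account token, which is not audience-bound and, on most clusters of that era, not time-limited, whereas `third-party-jwt` uses a projected, audience-scoped, expiring token and is the safer choice wherever the API server supports token projection. Nothing here records why the weaker mode was chosen, and since the header says these globals must stay in sync with kubezero-istio, the reason should travel with the value: `# first-party-jwt: only for clusters without projected service account tokens; use third-party-jwt where available`. The header `# Make sure these values match kuberzero-istio !!!` also misspells the chart name, which matters to anyone grepping for it.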
@@ -16,31 +16,37 @@ Installs Istio Operator and KubeZero Istio profile
 ## Requirements
-Kubernetes: `>= 1.16.0`
+Kubernetes: `>= 1.17.0`
 | Repository | Name | Version |
 |------------|------|---------|
-| | istio-operator | >= 1.7 |
+| | base | 1.1.0 |
+| | istio-discovery | 1.2.0 |
 | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
-## KubeZero default configuration
-- mapped istio-operator to run on the controller nodes only
-
 ## Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| ingress.autoscaleEnabled | bool | `false` | |
-| ingress.dnsNames[0] | string | `"*"` | |
-| ingress.private.enabled | bool | `true` | |
-| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
-| ingress.public.enabled | bool | `true` | |
-| ingress.replicaCount | int | `2` | |
-| ingress.type | string | `"NodePort"` | |
-| istio-operator.hub | string | `"docker.io/istio"` | |
-| istio-operator.tag | string | `"1.7.4"` | |
-| istiod.autoscaleEnabled | bool | `false` | |
-| istiod.replicaCount | int | `1` | |
+| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
+| global.hub | string | `"docker.io/istio"` | |
+| global.jwtPolicy | string | `"first-party-jwt"` | |
+| global.logAsJson | bool | `true` | |
+| global.priorityClassName | string | `"system-cluster-critical"` | |
+| global.tag | string | `"1.8.0"` | |
+| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | |
+| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
+| istio-discovery.meshConfig.h2UpgradePolicy | string | `"DO_NOT_UPGRADE"` | |
+| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"30s"` | |
+| istio-discovery.meshConfig.tcpKeepalive.time | string | `"60s"` | |
+| istio-discovery.pilot.autoscaleEnabled | bool | `false` | |
+| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
+| istio-discovery.pilot.replicaCount | int | `1` | |
+| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | |
+| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | |
+| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
+| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
+| istio-discovery.telemetry.enabled | bool | `false` | |
 ## Resources
diff --git a/charts/kubezero-istio/README.md.gotmpl b/charts/kubezero-istio/README.md.gotmpl
index d7f368f..1b4d30f 100644
--- a/charts/kubezero-istio/README.md.gotmpl
+++ b/charts/kubezero-istio/README.md.gotmpl
@@ -5,7 +5,7 @@
 {{ template "chart.description" . }}
-Installs Istio Operator and KubeZero Istio profile
+Installs the Istio control plane
 {{ template "chart.homepageLine" . }}
@@ -15,9 +15,6 @@ Installs Istio Operator and KubeZero Istio profile
 {{ template "chart.requirementsSection" . }}
-## KubeZero default configuration
-- mapped istio-operator to run on the controller nodes only
-
 {{ template "chart.valuesSection" . }}
 ## Resources
diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml
new file mode 100644
index 0000000..e012727
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: base
+version: 1.1.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+ - istio
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/charts/kubezero-istio/charts/base/NOTES.txt b/charts/kubezero-istio/charts/base/NOTES.txt
new file mode 100644
index 0000000..7cdd440
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/NOTES.txt
@@ -0,0 +1 @@
+Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
diff --git a/charts/kubezero-istio/charts/base/README.md b/charts/kubezero-istio/charts/base/README.md
new file mode 100644
index 0000000..5fd1ccf
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/README.md
@@ -0,0 +1,23 @@
+# base
+
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square)
+
+Helm chart for deploying Istio cluster resources and CRDs
+
+## Source Code
+
+*
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| base.enableCRDTemplates | bool | `false` | |
+| base.validationURL | string | `""` | |
+| global.configValidation | bool | `true` | |
+| global.imagePullSecrets | list | `[]` | |
+| global.istioNamespace | string | `"istio-system"` | |
+| global.istiod.enableAnalysis | bool | `false` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
new file mode 100644
index 0000000..deea651
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml
@@ -0,0 +1,3426 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
+ format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from + the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + preserveUnknownFields: true + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. 
+ type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. 
+ format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate + VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry + to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + - JSONPath: .spec.address + description: Address associated with the network endpoint. + name: Address + type: string + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more + details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. 
+ type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workloadgroups.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: health is determined by how the command that is executed + exited. + properties: + command: + description: command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before + readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. + format: int32 + type: integer + tcpSocket: + description: health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more details + at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication methods + are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected + workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for + the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding + the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +---
diff --git a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml
new file mode 100644
index 0000000..d0be4c3
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml
@@ -0,0 +1,66 @@ +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .status.status + description: IOP current state + type: string + name: Status + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. 
+ More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. + More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +---
diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
new file mode 100644
index 0000000..541ff8a
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml
@@ -0,0 +1,3751 @@ +--- +# Source: crds/crd-all.gen.yaml +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
+ format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a + backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP + upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on + the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to + the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to + a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from + the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is + ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + preserveUnknownFields: true + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more + details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was + generated. 
+ type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. 
+ format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL + or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these + routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate + VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at + the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should + be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` + field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per retry attempt for a given request. + type: string + retryOn: + description: Specifies the conditions under which retry takes + place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry + to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with + optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should be + forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + - JSONPath: .spec.address + description: Address associated with the network endpoint. + name: Address + type: string + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more + details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. 
+ type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + - name: v1beta1 + served: true + storage: false + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workloadgroups.networking.istio.io +spec: + additionalPrinterColumns: + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: health is determined by how the command that is executed + exited. + properties: + command: + description: command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered + failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before + readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered + successful after having failed. + format: int32 + type: integer + tcpSocket: + description: health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1alpha3 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more details + at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + preserveUnknownFields: false + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication methods + are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected + workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for + the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding + the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + versions: + - name: v1beta1 + served: true + storage: true + +--- + +--- +# Source: crds/crd-operator.yaml +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + additionalPrinterColumns: + - JSONPath: .spec.revision + description: Istio control plane revision + name: Revision + type: string + - JSONPath: .status.status + description: IOP current state + type: string + name: Status + - JSONPath: .metadata.creationTimestamp + description: 'CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + name: Age + type: date + group: install.istio.io + names: + kind: IstioOperator + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + spec: + description: 'Specification of the desired state of the istio control plane resource. + More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + status: + description: 'Status describes each of istio control plane component status at the current time. + 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. 
+ More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & + https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + versions: + - name: v1alpha1 + served: true + storage: true +--- + +--- +# Source: base/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- +# Source: base/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod-service-account + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: 
["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", 
"replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. 
+- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: base/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/validatingwebhookconfiguration.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio + istio: istiod +webhooks: + - name: validation.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/validate" + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + - security.istio.io + - authentication.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] diff --git a/charts/kubezero-istio/charts/base/kustomization.yaml b/charts/kubezero-istio/charts/base/kustomization.yaml new file mode 100644 index 0000000..dbde62f --- /dev/null +++ b/charts/kubezero-istio/charts/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio-cluster.yaml 
diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml
new file mode 100644
index 0000000..521c24b
--- /dev/null
+++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml
@@ -0,0 +1,146 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: 
["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - 
apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} +--- diff --git a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..ff24868 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml @@ -0,0 +1,32 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} +--- 
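Review bot: Both ClusterRoles in the clusterrole.yaml hunk grant cluster-wide read of every Secret — `istiod-{{ .Values.global.istioNamespace }}` under the "multicluster secret reading" rule and `istio-reader-{{ .Values.global.istioNamespace }}` by listing `secrets` next to endpoints/pods/services — and neither rule is conditioned on multi-cluster being enabled, so the blast radius of either service account is every credential in the cluster. The same file already shows the pattern for conditional privileged rules (`{{- if or .Values.global.externalIstiod .Values.global.centralIstiod }}`), so if these templates are copied verbatim from upstream Istio the chart should at least document the trade-off: I would extend the existing comment to `# Needed for multicluster secret reading, possibly ingress certs in the future — NOTE: cluster-wide Secret read; revisit gating/scoping once the consumer is known` and add a matching note above the `secrets` entry in the istio-reader rule. The `certificatesigningrequests/approval` plus `signers` `approve` rule is likewise a high-privilege grant that deserves a one-line comment saying which istiod code path needs it.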
diff --git a/charts/kubezero-istio/charts/base/templates/crds.yaml b/charts/kubezero-istio/charts/base/templates/crds.yaml new file mode 100644 index 0000000..871ee2a --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/crds.yaml @@ -0,0 +1,4 @@ +{{- if .Values.base.enableCRDTemplates }} +{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{ .Files.Get "crds/crd-operator.yaml" }} +{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/endpoints.yaml b/charts/kubezero-istio/charts/base/templates/endpoints.yaml new file mode 100644 index 0000000..fb4dd5e --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/endpoints.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/role.yaml b/charts/kubezero-istio/charts/base/templates/role.yaml new file mode 100644 index 0000000..557af5a --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/role.yaml 
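Review bot: In the endpoints.yaml hunk the IP check `regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress` uses `[0-9]*`, so a value with empty octets (e.g. `1.2..4`) is classified as an IP and rendered into an `Endpoints` `ip:` field the API server will reject; `[0-9]+` in both positions matches what the comment intends. The identical expression is used in services.yaml (the hunk two lines below) to choose between `clusterIP: None` and `externalName`, and a hostname that slips through there becomes `externalName: {{ .Values.global.remotePilotAddress }}`, which is also emitted unquoted — `{{ .Values.global.remotePilotAddress | quote }}` avoids YAML surprises. In the crds.yaml hunk, `.Files.Get` silently yields an empty string when `crds/crd-all.gen.yaml` or `crds/crd-operator.yaml` is missing from the chart, so a comment such as `# Files.Get returns "" if the crds/ files are absent — CRDs would then be skipped without error` would save the next maintainer a debugging session.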
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml new file mode 100644 index 0000000..aabc0c3 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml new file mode 100644 index 0000000..36e0e08 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml 
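Review bot: The namespaced Role in the role.yaml hunk keeps the upstream `# TODO lock this down to istio-ca-cert` comment, but the TODO as written cannot be fully delivered: `resourceNames` in RBAC only restricts `get`, `update`, `patch` and `delete`, never `create`, `list` or `watch`, so even after scoping, the `istiod-service-account` retains list/watch over all Secrets in `{{ .Values.global.istioNamespace }}`. I would make that explicit in the comment, e.g. `# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config (resourceNames cannot restrict create/list/watch, only get/update/delete)`, so the residual exposure is documented rather than implied to be fixable. The `gateways` `create` rule is also worth a one-word qualifier — `# dry-run only, see --server-dry-run above` — since a reader scanning the Role otherwise sees a write permission on mesh config.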
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +--- +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +--- diff --git a/charts/kubezero-istio/charts/base/templates/services.yaml b/charts/kubezero-istio/charts/base/templates/services.yaml new file mode 100644 index 0000000..f654508 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if .Values.pilot.enabled }} +# when istiod is enabled in remote cluster, we can't use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + clusterIP: None + {{- else }} +# when istiod isn't enabled in remote cluster, we can use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + # if the remotePilotAddress is IP addr, we use clusterIP: None. + # else, we use externalName + {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} + clusterIP: None + {{- else }} + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} + {{- end }} +--- +{{- end }} 
diff --git a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000..2bc52b8 --- /dev/null +++ b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + - security.istio.io + - authentication.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +--- +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-istio/charts/base/values.yaml b/charts/kubezero-istio/charts/base/values.yaml new file mode 100644 index 0000000..af16510 --- /dev/null +++ b/charts/kubezero-istio/charts/base/values.yaml 
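Review bot: The template pins `apiVersion: admissionregistration.k8s.io/v1beta1`, which has been deprecated since Kubernetes 1.16 and is removed in 1.22; the `v1` API additionally requires `sideEffects` and `admissionReviewVersions`, and both are already set in this hunk, so `apiVersion: admissionregistration.k8s.io/v1` should be a one-line change (provided the istiod version deployed patches v1 configurations, which I cannot confirm from the diff). The rendered copy in `files/gen-istio-cluster.yaml` at the top of this chunk carries the same `v1beta1` and would need regenerating. Separately, `url: {{ .Values.base.validationURL }}` is emitted unquoted while `path: "/validate"` is quoted; `url: {{ .Values.base.validationURL | quote }}` keeps a URL containing `#` or `:` from breaking the YAML.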
@@ -0,0 +1,22 @@ +global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + istiod: + enableAnalysis: false + + configValidation: true + +base: + # Used for helm2 to add the CRDs to templates. + enableCRDTemplates: false + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" \ No newline at end of file diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml new file mode 100644 index 0000000..daed6bd --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +name: istio-discovery +version: 1.2.0 +appVersion: 1.2.0 +tillerVersion: ">=2.7.2" +description: Helm chart for istio control plane +keywords: + - istio + - istiod + - istio-discovery +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt new file mode 100644 index 0000000..997f4ac --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt @@ -0,0 +1,5 @@ +Minimal control plane for Istio. Pilot and mesh config are included. + +MCP and injector should optionally be installed in the same namespace. Alternatively remote +address of an MCP server can be set. + diff --git a/charts/kubezero-istio/charts/istio-discovery/README.md b/charts/kubezero-istio/charts/istio-discovery/README.md new file mode 100644 index 0000000..5d91ddb --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/README.md 
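Review bot: In the values.yaml hunk, `imagePullSecrets`, `istioNamespace`, `enableCRDTemplates` and `validationURL` each carry an explanatory comment, but `configValidation: true` and `istiod.enableAnalysis: false` — the two keys that toggle a security control and an RBAC grant — have none. Given what the templates in this commit do, I would add `# Deploy the istiod ValidatingWebhookConfiguration; it starts fail-open (failurePolicy: Ignore) until istiod patches in the caBundle` above `configValidation`, and `# Also grants istiod update on Istio config resources and ingress status (see clusterrole.yaml)` above `enableAnalysis`, so operators can see what disabling or enabling each one changes.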
@@ -0,0 +1,133 @@ +# istio-discovery + +![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) + +Helm chart for istio control plane + +## Source Code + +* + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.caAddress | string | `""` | | +| global.centralIstiod | bool | `false` | | +| global.defaultPodDisruptionBudget.enabled | bool | `true` | | +| global.defaultResources.requests.cpu | string | `"10m"` | | +| global.externalIstiod | bool | `false` | | +| global.hub | string | `"gcr.io/istio-testing"` | | +| global.imagePullPolicy | string | `""` | | +| global.imagePullSecrets | list | `[]` | | +| global.istioNamespace | string | `"istio-system"` | | +| global.istiod.enableAnalysis | bool | `false` | | +| global.jwtPolicy | string | `"third-party-jwt"` | | +| global.logAsJson | bool | `false` | | +| global.logging.level | string | `"default:info"` | | +| global.meshID | string | `""` | | +| global.meshNetworks | object | `{}` | | +| global.mountMtlsCerts | bool | `false` | | +| global.multiCluster.clusterName | string | `""` | | +| global.multiCluster.enabled | bool | `false` | | +| global.network | string | `""` | | +| global.omitSidecarInjectorConfigMap | bool | `false` | | +| global.oneNamespace | bool | `false` | | +| global.operatorManageWebhooks | bool | `false` | | +| global.pilotCertProvider | string | `"istiod"` | | +| global.priorityClassName | string | `""` | | +| global.proxy.autoInject | string | `"enabled"` | | +| global.proxy.clusterDomain | string | `"cluster.local"` | | +| global.proxy.componentLogLevel | string | `"misc:error"` | | +| global.proxy.enableCoreDump | bool | `false` | | +| global.proxy.excludeIPRanges | string | `""` | | +| global.proxy.excludeInboundPorts | string | `""` | | +| global.proxy.excludeOutboundPorts | string | `""` | | +| 
global.proxy.holdApplicationUntilProxyStarts | bool | `false` | | +| global.proxy.image | string | `"proxyv2"` | | +| global.proxy.includeIPRanges | string | `"*"` | | +| global.proxy.logLevel | string | `"warning"` | | +| global.proxy.privileged | bool | `false` | | +| global.proxy.readinessFailureThreshold | int | `30` | | +| global.proxy.readinessInitialDelaySeconds | int | `1` | | +| global.proxy.readinessPeriodSeconds | int | `2` | | +| global.proxy.resources.limits.cpu | string | `"2000m"` | | +| global.proxy.resources.limits.memory | string | `"1024Mi"` | | +| global.proxy.resources.requests.cpu | string | `"100m"` | | +| global.proxy.resources.requests.memory | string | `"128Mi"` | | +| global.proxy.statusPort | int | `15020` | | +| global.proxy.tracer | string | `"zipkin"` | | +| global.proxy_init.image | string | `"proxyv2"` | | +| global.proxy_init.resources.limits.cpu | string | `"2000m"` | | +| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | | +| global.proxy_init.resources.requests.cpu | string | `"10m"` | | +| global.proxy_init.resources.requests.memory | string | `"10Mi"` | | +| global.remotePilotAddress | string | `""` | | +| global.sds.token.aud | string | `"istio-ca"` | | +| global.sts.servicePort | int | `0` | | +| global.tag | string | `"latest"` | | +| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | | +| global.tracer.lightstep.accessToken | string | `""` | | +| global.tracer.lightstep.address | string | `""` | | +| global.tracer.stackdriver.debug | bool | `false` | | +| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | | +| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | | +| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | | +| global.tracer.zipkin.address | string | `""` | | +| global.trustDomain | string | `""` | | +| global.useMCP | bool | `false` | | +| istiodRemote.injectionURL | string | `""` | | +| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | 
string | `""` | | +| meshConfig.rootNamespace | string | `"istio-system"` | | +| ownerName | string | `""` | | +| pilot.autoscaleEnabled | bool | `true` | | +| pilot.autoscaleMax | int | `5` | | +| pilot.autoscaleMin | int | `1` | | +| pilot.configMap | bool | `true` | | +| pilot.configSource.subscribedResources | list | `[]` | | +| pilot.cpu.targetAverageUtilization | int | `80` | | +| pilot.deploymentLabels | object | `{}` | | +| pilot.enableProtocolSniffingForInbound | bool | `true` | | +| pilot.enableProtocolSniffingForOutbound | bool | `true` | | +| pilot.env | object | `{}` | | +| pilot.hub | string | `""` | | +| pilot.image | string | `"pilot"` | | +| pilot.jwksResolverExtraRootCA | string | `""` | | +| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | | +| pilot.nodeSelector | object | `{}` | | +| pilot.plugins | list | `[]` | | +| pilot.podAnnotations | object | `{}` | | +| pilot.replicaCount | int | `1` | | +| pilot.resources.requests.cpu | string | `"500m"` | | +| pilot.resources.requests.memory | string | `"2048Mi"` | | +| pilot.rollingMaxSurge | string | `"100%"` | | +| pilot.rollingMaxUnavailable | string | `"25%"` | | +| pilot.tag | string | `""` | | +| pilot.traceSampling | float | `1` | | +| revision | string | `""` | | +| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | | +| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | | +| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | | +| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | | +| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | | +| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | | +| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | | +| telemetry.enabled | bool | `true` | | +| telemetry.v2.accessLogPolicy.enabled | bool | `false` | | +| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | | +| telemetry.v2.enabled | bool | `true` | | +| 
telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | | +| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | | +| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | | +| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | | +| telemetry.v2.prometheus.enabled | bool | `true` | | +| telemetry.v2.prometheus.wasmEnabled | bool | `false` | | +| telemetry.v2.stackdriver.configOverride | object | `{}` | | +| telemetry.v2.stackdriver.disableOutbound | bool | `false` | | +| telemetry.v2.stackdriver.enabled | bool | `false` | | +| telemetry.v2.stackdriver.logging | bool | `false` | | +| telemetry.v2.stackdriver.monitoring | bool | `false` | | +| telemetry.v2.stackdriver.topology | bool | `false` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml new file mode 100644 index 0000000..da98e33 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml 
@@ -0,0 +1,1983 @@ +--- +# Source: istio-discovery/templates/poddisruptionbudget.yaml +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + istio: pilot +--- +# Source: istio-discovery/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + networks: {} + + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + proxyMetadata: + DNS_AGENT: "" + tracing: + zipkin: + address: zipkin.istio-system:9411 + enablePrometheusMerge: true + rootNamespace: istio-system + trustDomain: cluster.local +--- +# Source: istio-discovery/templates/istiod-injector-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + values: |- + { + "global": { + "arch": { + "amd64": 2, + "ppc64le": 2, + "s390x": 2 + }, + "caAddress": "", + "centralIstiod": false, + "configValidation": true, + "defaultConfigVisibilitySettings": [], + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "defaultTolerations": [], + "externalIstiod": false, + "hub": "gcr.io/istio-testing", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + 
"enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshExpansion": { + "enabled": false, + "useILB": false + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false, + "globalDomainSuffix": "global", + "includeEnvoyFilter": true + }, + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "latest", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "trustDomain": "", + "useMCP": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "enableNamespacesByDefault": false, + 
"injectedAnnotations": {}, + "neverInjectSelector": [], + "objectSelector": { + "autoInject": true, + "enabled": false + }, + "rewriteAppHTTPProbe": true + } + } + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + + template: | + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta 
`traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ 
if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ 
valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ 
.Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if 
.DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq 
(annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations 
`sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + 
name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + podRedirectAnnot: + {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) 
}}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +# Source: istio-discovery/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: istio +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + # Label used by the 'default' service. For versioned deployments we match with app and version. 
+ # This avoids default deployment picking the canary + istio: pilot +--- +# Source: istio-discovery/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + release: istio +spec: + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiod-service-account + securityContext: + fsGroup: 1337 + containers: + - name: discovery + image: "gcr.io/istio-testing/pilot:latest" + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15053 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "default" + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: 
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "true" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "true" + - name: INJECTION_WEBHOOK_CONFIG_NAME + value: istio-sidecar-injector + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "false" + - name: CLUSTER_ID + value: "Kubernetes" + - name: EXTERNAL_ISTIOD + value: "false" + - name: CENTRAL_ISTIOD + value: "false" + - name: PILOT_ENDPOINT_TELEMETRY_LABEL + value: "true" + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + - name: inject + mountPath: /var/lib/istio/inject + readOnly: true + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. 
+ - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional - image should have + - name: inject + configMap: + name: istio-sidecar-injector + - name: config-volume + configMap: + name: istio +--- +# Source: istio-discovery/templates/autoscale.yaml +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: ANY # inbound, outbound, and gateway + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: 
istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.6.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: 
'^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": 
"type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.7.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: 
tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.8 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + 
patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: 
type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: http stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": 
"type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.8 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + } + 
vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/mutatingwebhook.yaml +# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchLabels: + istio-injection: enabled diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml new file mode 100644 index 0000000..10dfbbe --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml 
@@ -0,0 +1,463 @@ +template: | + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - 
"-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- 
else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + 
valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + 
{{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index 
.ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + 
items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + podRedirectAnnot: + {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}' + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` 
.Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml b/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml new file mode 100644 index 0000000..7f9bbc3 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio.yaml 
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml
new file mode 100644
index 0000000..b8b14ad
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ maxReplicas: {{ .Values.pilot.autoscaleMax }}
+ minReplicas: {{ .Values.pilot.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml
new file mode 100644
index 0000000..7b719ac
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pilot.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+data:
+ extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
new file mode 100644
index 0000000..17174f1
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml
@@ -0,0 +1,92 @@ + +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- else if .Values.global.trustDomain }} + meshId: {{ .Values.global.trustDomain }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. 
+ maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} + {{ toYaml $.Values.meshConfig.defaultConfig.tracing }} + {{- end }} + + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
+ meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml new file mode 100644 index 0000000..ba586de --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml 
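Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` in the `mesh` template renders a credential into the `istio` ConfigMap in plaintext, so anyone with `get configmaps` in the release namespace can read it, and it is emitted unquoted, so a token containing a colon, `#` or leading special character yields invalid YAML. Quoting it, `accessToken: {{ .Values.global.tracer.lightstep.accessToken | quote }}`, fixes the rendering issue; the exposure should at least be documented next to the value in values.yaml, since a Secret-backed alternative is not a template-only change here. The `zipkin` and `datadog` `address:` lines have the same quoting gap without the secrecy concern. This hunk spans L490–L492.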
@@ -0,0 +1,245 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} +{{- range $key, $val := .Values.pilot.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.pilot.autoscaleEnabled }} +{{- if .Values.pilot.replicaCount }} + replicas: {{ .Values.pilot.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.pilot.rollingMaxSurge }} + maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision ""}} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + {{- if eq .Values.revision ""}} + istio: pilot + {{- else }} + istio: istiod + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + {{- end }} + sidecar.istio.io/inject: "false" + {{- if .Values.pilot.podAnnotations }} +{{ toYaml .Values.pilot.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: istiod-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + securityContext: + fsGroup: 1337 + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + containers: + - name: 
discovery +{{- if contains "/" .Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.pilot.plugins }} + - --plugins={{ .Values.pilot.plugins }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15053 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := .Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - 
name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" +{{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" +{{- if not (hasKey .Values.pilot.env "INJECTION_WEBHOOK_CONFIG_NAME") }} + - name: INJECTION_WEBHOOK_CONFIG_NAME + {{- if eq .Release.Namespace "istio-system" }} + value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- else }} + value: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + {{- end }} +{{- end }} + - name: ISTIOD_ADDR + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: EXTERNAL_ISTIOD + value: "{{ $.Values.global.externalIstiod | default "false" }}" + - name: CENTRAL_ISTIOD + value: "{{ $.Values.global.centralIstiod | default "false" }}" +{{- if .Values.telemetry.v2.enabled }} + - name: PILOT_ENDPOINT_TELEMETRY_LABEL + value: "true" +{{- end }} + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + {{- end }} + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: 
/etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + - name: inject + mountPath: /var/lib/istio/inject + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional - image should have + - name: inject + configMap: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} +--- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000..8e660e9 --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml 
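Review bot: The container `securityContext` runs as 1337 with `runAsNonRoot: true` and drops all capabilities but does not set `allowPrivilegeEscalation: false`, which matters more for this chart because the added `nodeSelector`/`tolerations` pin istiod onto master nodes; add `allowPrivilegeEscalation: false` next to `runAsNonRoot: true` (`readOnlyRootFilesystem: true` is worth trying too, but confirm istiod writes nothing outside its mounted volumes first). Separately, `value: "{{ $val }}"` inside the `.Values.pilot.env` range (and the `PILOT_TRACE_SAMPLING` line below it) interpolates into hand-written quotes, so a value containing `"` breaks the manifest; `value: {{ $val | quote }}` renders the same for plain strings and escapes the rest. This is one 245-line hunk spanning L493–L496.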
@@ -0,0 +1,35 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": "{{ $val }}"
+ {{- end }}
+
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 4 }}
+
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000..ca11b4f
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml
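Review bot: `"{{ $key }}": "{{ $val }}"` in the `injectedAnnotations` range interpolates values inside hand-written double quotes, so an annotation value containing `"` or a backslash renders an invalid `config` block that istiod then cannot parse; `{{ $key | quote }}: {{ $val | quote }}` produces the same output for plain strings and escapes everything else. A one-line comment above `policy:` would also help, since this ConfigMap is mounted into istiod at `/var/lib/istio/inject` by deployment.yaml and `global.proxy.autoInject` is the default applied to every namespace the webhook selects: `# default injection policy for namespaces matched by the MutatingWebhookConfiguration`.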
@@ -0,0 +1,85 @@ +# Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{ else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} + matchExpressions: + - key: name + operator: NotIn + values: + - {{ .Release.Namespace }} + - key: istio-injection + operator: NotIn + values: + - disabled + - key: istio-env + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- else if .Values.revision }} + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: In + values: + - {{ .Values.revision }} +{{- else }} + matchLabels: + istio-injection: enabled +{{- end }} +{{- if 
.Values.sidecarInjectorWebhook.objectSelector.enabled }}
+ objectSelector:
+{{- if .Values.sidecarInjectorWebhook.objectSelector.autoInject }}
+ matchExpressions:
+ - key: "sidecar.istio.io/inject"
+ operator: NotIn
+ values:
+ - "false"
+{{- else if .Values.revision }}
+ matchExpressions:
+ - key: "sidecar.istio.io/inject"
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: In
+ values:
+ - {{ .Values.revision }}
+{{- else }}
+ matchLabels:
+ "sidecar.istio.io/inject": "true"
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..fef641a
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision ""}}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml
new file mode 100644
index 0000000..1fe1b5a
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml
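Review bot: When `sidecarInjectorWebhook.enableNamespacesByDefault` is set, the only thing keeping the injector out of the control-plane namespace is the `- key: name` / `operator: NotIn` / `- {{ .Release.Namespace }}` expression, which depends on a `name` label that Kubernetes does not set by itself (the automatic label, on 1.21 and later, is `kubernetes.io/metadata.name`). On a namespace without that label the webhook is called for every pod there with `failurePolicy: Fail`, and since `caBundle: ""` is only filled in once istiod is running, pod creation in that namespace can wedge until it is; either document the labelling requirement in values.yaml or add a parallel expression on `kubernetes.io/metadata.name`. Minor: `{{ else }}` on the non-istio-system `name:` branch lacks the `-` trim used everywhere else and emits a stray blank line. This hunk spans L498–L499.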
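Review bot: `minAvailable: 1` with no replica check means that whenever istiod runs a single replica (the `pilot.replicaCount` path in deployment.yaml when autoscaling is off) the PodDisruptionBudget blocks every drain of the node hosting it, which bites harder here because the deployment pins istiod to master nodes. Either wrap the resource in a condition on the configured replica count or note in values.yaml that `global.defaultPodDisruptionBudget.enabled` should only be turned on with at least two replicas, e.g. `# requires pilot.replicaCount >= 2 (or autoscaleMin >= 2), otherwise node drains are blocked`.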
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ {{- if ne .Values.revision ""}}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
+ {{- end }}
+---
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml
new file mode 100644
index 0000000..f878321
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.8.yaml
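Review bot: Port 15010 is exposed on the Service and is labelled in-line as `grpc-xds # plaintext`, while the deployment in this same commit points proxies at the mTLS endpoint via `ISTIOD_ADDR` ending in `.svc:15012`; if nothing in this cluster is expected to fetch xDS unauthenticated, the plaintext port is surface that can be dropped or made conditional on a value, and otherwise it should be covered by a NetworkPolicy. At minimum the comment should say who is meant to use it, e.g. `name: grpc-xds # plaintext; only for proxies that cannot use mTLS on 15012`, so the next reader does not have to guess whether it is load-bearing.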
@@ -0,0 +1,792 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + 
configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + 
operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": 
"upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "downstream_peer.cluster_id", + "destination_cluster": "node.metadata['CLUSTER_ID']" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + 
subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "disable_host_header_fallback": true{{- if .Values.global.multiCluster.clusterName }}, + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Note: tcp stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "downstream_peer.cluster_id", + "destination_cluster": "node.metadata['CLUSTER_ID']" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + {{- if .Values.global.multiCluster.clusterName }} + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + {{- end }} + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + runtime: 
envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- + +{{- end }} + +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: 
istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { 
inline_string: envoy.wasm.null.stackdriver } +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: 
| + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.8.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.8{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.8.*' + 
listener:
+ filterChain:
+ filter:
+ name: "envoy.http_connection_manager"
+ subFilter:
+ name: "istio.stackdriver"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.access_log
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {
+ "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
+ }
+ vm_config:
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: "envoy.wasm.access_log_policy" }
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml
new file mode 100644
index 0000000..ac59dbd
--- /dev/null
+++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml
@@ -0,0 +1,485 @@ +#.Values.pilot for discovery and mesh wide config + +## Discovery Settings +pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + env: {} + + cpu: + targetAverageUtilization: 80 + + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + + nodeSelector: {} + podAnnotations: {} + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + + plugins: [] + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + +sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. 
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector. + # It is disabled by default since this function will only work after k8s v1.15. + objectSelector: + enabled: false + autoInject: true + + rewriteAppHTTPProbe: true +istiodRemote: + # Sidecar injector mutating webhook configuration url + # For example: https://$remotePilotAddress:15017/inject + injectionURL: "" +telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + metadataExchange: + # Indicates whether to enable WebAssembly runtime for metadata exchange filter. 
+ wasmEnabled: false + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # Indicates whether to enable WebAssembly runtime for stats filter. + wasmEnabled: false + # overrides stats EnvoyFilter configuration. + configOverride: + gateway: {} + inboundSidecar: {} + outboundSidecar: {} + # stackdriver filter settings. + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false + disableOutbound: false + # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. + + configOverride: {} + # e.g. + # enable_mesh_edges_reporting: true + # disable_server_access_logging: false + # meshEdgesReportingDuration: 500s + # disable_host_header_fallback: true + # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. + accessLogPolicy: + enabled: false + # To reduce the number of successful logs, default log window duration is + # set to 12 hours. + logWindowDuration: "43200s" +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + + # Config for the default ProxyConfig. + # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. 
+ defaultConfig: + proxyMetadata: + # If empty, agent will not start :15013 DNS listener and will not attempt + # to connect to Istiod DNS-TLS. This will also disable the core dns sidecar in + # istiod and the dns-over-tls listener. + # DNS_AGENT: DNS-TLS + DNS_AGENT: "" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: "istio-system" + + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. + + # What we may configure in mesh config is the ".global" - and use of other suffixes. + # No hurry to do this in 1.6, we're trying to prove the code. + +global: + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Used to locate istiod. + istioNamespace: istio-system + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. 
+ # Dev builds from prow are on gcr.io + hub: gcr.io/istio-testing + # Default tag for Istio images. + tag: latest + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. 
Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. 
+ enableCoreDump: false + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. 
+ image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # External istiod controls all remote clusters: disabled by default + externalIstiod: false + # Central istiod controls all remote clusters: disabled by default + centralIstiod: false + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. 
This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + + # Use the Mesh Control Protocol (MCP) for configuring Istiod. 
Requires an MCP source. + useMCP: false + + # Deprecated, use meshConfig.trustDomain + trustDomain: "" diff --git a/charts/kubezero-istio/charts/istio-operator/Chart.yaml b/charts/kubezero-istio/charts/istio-operator/Chart.yaml deleted file mode 100644 index 807caae..0000000 --- a/charts/kubezero-istio/charts/istio-operator/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -name: istio-operator -version: 1.7.0 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio operator -keywords: - - istio - - operator -sources: - - https://github.com/istio/istio/tree/master/operator -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml b/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml deleted file mode 100644 index 05fb86a..0000000 --- a/charts/kubezero-istio/charts/istio-operator/crds/crd-operator.yaml +++ /dev/null 
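Review bot: The image defaults in this new values file point at a mutable tag on a test registry — `global.hub: gcr.io/istio-testing` with `global.tag: latest` (and `pilot.hub`/`pilot.tag` left empty), while `global.imagePullPolicy: ""` resolves a `latest` tag to Always per its own comment — so any install that does not override them pulls unpinned, unreviewed builds on every pod restart. This looks like a verbatim copy of the upstream istio-discovery values and is presumably overridden from the parent kubezero-istio chart, but nothing in the hunk records that expectation. I'd add above `hub: gcr.io/istio-testing`: `# NOTE: upstream placeholder; the parent chart must pin hub/tag to a released image (version or digest)` and make sure the parent values pin `tag` to the Istio release the bundled templates target (`proxyVersion: '^1\.8.*'`). With `imagePullSecrets: []` and the testing-registry default together, a retag or outage upstream would silently change what runs in the control plane.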
@@ -1,74 +0,0 @@ -# SYNC WITH manifests/charts/base/files -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - type: string - name: Status - - jsonPath: .metadata.creationTimestamp - description: - "CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - spec: - description: - "Specification of the desired state of the istio control plane resource. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: - "Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- - diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml deleted file mode 100644 index ef92c5e..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -rules: -# istio groups -- apiGroups: - - authentication.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - config.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - install.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' -- apiGroups: - - security.istio.io - resources: - - '*' - verbs: - - '*' -# k8s groups -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - '*' -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions.apiextensions.k8s.io - - customresourcedefinitions - verbs: - - '*' -- apiGroups: - - apps - - extensions - resources: - - daemonsets - - deployments - - deployments/finalizers - - ingresses - - replicasets - - statefulsets - verbs: - - '*' -- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - '*' -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - update -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - '*' -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - - roles - - rolebindings - verbs: - - '*' -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - pods - - pods/proxy - - persistentvolumeclaims - - secrets - - services - - serviceaccounts - verbs: - - '*' ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml b/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml deleted file mode 100644 index 9b9df7d..0000000 
--- a/charts/kubezero-istio/charts/istio-operator/templates/clusterrole_binding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -subjects: -- kind: ServiceAccount - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{.Values.operatorNamespace}} -roleRef: - kind: ClusterRole - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - apiGroup: rbac.authorization.k8s.io ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml b/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml deleted file mode 100644 index a370365..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/crds.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.enableCRDTemplates -}} -{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} ---- -{{ $.Files.Get $path }} -{{- end -}} -{{- end -}} diff --git a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml deleted file mode 100644 index 73b5d66..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/deployment.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: {{.Values.operatorNamespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - replicas: 1 - selector: - matchLabels: - name: istio-operator - template: - metadata: - labels: - name: istio-operator - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - nodeSelector: - kubernetes.io/os: linux - node-role.kubernetes.io/master: "" - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} - command: - - operator - - server - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - imagePullPolicy: IfNotPresent - resources: -{{ toYaml .Values.operator.resources | trim | indent 12 }} - env: - - name: WATCH_NAMESPACE - value: {{.Values.watchedNamespaces | quote}} - - name: LEADER_ELECTION_NAMESPACE - value: {{.Values.operatorNamespace | quote}} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: {{.Values.operatorNamespace | quote}} - - name: WAIT_FOR_RESOURCES_TIMEOUT - value: {{.Values.waitForResourcesTimeout | quote}} - - name: REVISION - value: {{.Values.revision | quote}} ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service.yaml deleted file mode 100644 index e7967a7..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/service.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: {{.Values.operatorNamespace}} - labels: - name: istio-operator - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -spec: - ports: - - name: http-metrics - port: 8383 - targetPort: 8383 - selector: - name: istio-operator ---- diff --git a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml b/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml deleted file mode 100644 index cb708ee..0000000 --- a/charts/kubezero-istio/charts/istio-operator/templates/service_account.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: {{.Values.operatorNamespace}} - name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} ---- diff --git a/charts/kubezero-istio/charts/istio-operator/values.yaml b/charts/kubezero-istio/charts/istio-operator/values.yaml deleted file mode 100644 index 45c5c96..0000000 --- a/charts/kubezero-istio/charts/istio-operator/values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -hub: gcr.io/istio-testing -tag: latest - -operatorNamespace: istio-operator - -# Used to replace istioNamespace to support operator watch multiple namespaces. -watchedNamespaces: istio-system -waitForResourcesTimeout: 300s - -# Used for helm2 to add the CRDs to templates. -enableCRDTemplates: false - -# revision for the operator resources -revision: "" - -# Operator resource defaults -operator: - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 128Mi - diff --git a/charts/kubezero-istio/crds/crd-all.gen.yaml b/charts/kubezero-istio/crds/crd-all.gen.yaml deleted file mode 100644 index be68f83..0000000 --- a/charts/kubezero-istio/crds/crd-all.gen.yaml +++ /dev/null 
@@ -1,6612 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpec - listKind: HTTPAPISpecList - plural: httpapispecs - singular: httpapispec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_keys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. - format: string - type: string - type: object - type: array - apiKeys: - items: - oneOf: - - not: - anyOf: - - required: - - query - - required: - - header - - required: - - cookie - - required: - - query - - required: - - header - - required: - - cookie - properties: - cookie: - format: string - type: string - header: - description: API key is sent in a request header. - format: string - type: string - query: - description: API Key is sent as a query parameter. 
- format: string - type: string - type: object - type: array - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. - type: object - type: object - patterns: - description: List of HTTP patterns to match. 
- items: - oneOf: - - not: - anyOf: - - required: - - uriTemplate - - required: - - regex - - required: - - uriTemplate - - required: - - regex - properties: - attributes: - properties: - attributes: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - - required: - - stringValue - - required: - - int64Value - - required: - - doubleValue - - required: - - boolValue - - required: - - bytesValue - - required: - - timestampValue - - required: - - durationValue - - required: - - stringMapValue - properties: - boolValue: - type: boolean - bytesValue: - format: binary - type: string - doubleValue: - format: double - type: number - durationValue: - type: string - int64Value: - format: int64 - type: integer - stringMapValue: - properties: - entries: - additionalProperties: - format: string - type: string - description: Holds a set of name/value pairs. - type: object - type: object - stringValue: - format: string - type: string - timestampValue: - format: dateTime - type: string - type: object - description: A map of attribute name to its value. 
- type: object - type: object - httpMethod: - format: string - type: string - regex: - format: string - type: string - uriTemplate: - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: httpapispecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: HTTPAPISpecBinding - listKind: HTTPAPISpecBindingList - plural: httpapispecbindings - singular: httpapispecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - api_specs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - apiSpecs: - items: - properties: - name: - description: The short name of the HTTPAPISpec. - format: string - type: string - namespace: - description: Optional namespace of the HTTPAPISpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed HTTPAPISpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". 
- format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecs.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpec - listKind: QuotaSpecList - plural: quotaspecs - singular: quotaspec - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Determines the quotas used for individual requests. - properties: - rules: - description: A list of Quota rules. - items: - properties: - match: - description: If empty, match all request. - items: - properties: - clause: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Map of attribute names to StringMatch type. - type: object - type: object - type: array - quotas: - description: The list of quotas to charge. 
- items: - properties: - charge: - format: int32 - type: integer - quota: - format: string - type: string - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-mixer - chart: istio - heritage: Tiller - release: istio - name: quotaspecbindings.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - apim-istio-io - kind: QuotaSpecBinding - listKind: QuotaSpecBindingList - plural: quotaspecbindings - singular: quotaspecbinding - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - quotaSpecs: - items: - properties: - name: - description: The short name of the QuotaSpec. - format: string - type: string - namespace: - description: Optional namespace of the QuotaSpec. - format: string - type: string - type: object - type: array - services: - description: One or more services to map the listed QuotaSpec onto. - items: - properties: - domain: - description: Domain suffix used to construct the service FQDN - in implementations that support such specification. - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: Optional one or more labels that uniquely identify - the service version. - type: object - name: - description: The short name of the service such as "foo". - format: string - type: string - namespace: - description: Optional namespace of the service. - format: string - type: string - service: - description: The service FQDN. 
- format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. 
- format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. 
- type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. 
- format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. 
- type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. 
- format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. 
- type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. 
- format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. 
- enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. 
- type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. 
- format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. 
- format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to SIDECAR_INBOUND context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. 
- format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. 
See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' 
- items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - 
jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. 
- items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. 
- format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. 
- See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. 
- format: string - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. 
- properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. 
- type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. 
- format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. 
- format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). 
- properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per retry attempt for a given request. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. 
- format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. 
- format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. 
- format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: attributemanifests.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: attributemanifest - listKind: attributemanifestList - plural: attributemanifests - singular: attributemanifest - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - attributes: - additionalProperties: - properties: - description: - description: A human-readable description of the attribute's - purpose. - format: string - type: string - valueType: - description: The type of data carried by this attribute. - enum: - - VALUE_TYPE_UNSPECIFIED - - STRING - - INT64 - - DOUBLE - - BOOL - - TIMESTAMP - - IP_ADDRESS - - EMAIL_ADDRESS - - URI - - DNS_NAME - - DURATION - - STRING_MAP - type: string - type: object - description: The set of attributes this Istio component will be responsible - for producing at runtime. - type: object - name: - description: Name of the component producing these attributes. - format: string - type: string - revision: - description: The revision of this document. 
- format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-handler - package: handler - release: istio - name: handlers.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: handler - listKind: handlerList - plural: handlers - singular: handler - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: Handler allows the operator to configure a specific adapter - implementation. - properties: - adapter: - description: The name of a specific adapter implementation. - format: string - type: string - compiledAdapter: - description: The name of the compiled in adapter this handler instantiates. - format: string - type: string - connection: - description: Information on how to connect to the out-of-process adapter. - properties: - address: - description: The address of the backend. - format: string - type: string - authentication: - description: Auth config for the connection to the backend. 
- oneOf: - - not: - anyOf: - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - - properties: - tls: - allOf: - - oneOf: - - not: - anyOf: - - required: - - tokenPath - - required: - - oauth - - required: - - tokenPath - - required: - - oauth - - oneOf: - - not: - anyOf: - - required: - - authHeader - - required: - - customHeader - - required: - - authHeader - - required: - - customHeader - required: - - tls - - required: - - mutual - properties: - mutual: - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: The path to the file holding client certificate - for mutual TLS. - format: string - type: string - privateKey: - description: The path to the file holding the private - key for mutual TLS. - format: string - type: string - serverName: - description: Used to configure mixer mutual TLS client - to supply server name for SNI. - format: string - type: string - type: object - tls: - properties: - authHeader: - description: Access token is passed as authorization header. - enum: - - PLAIN - - BEARER - type: string - caCertificates: - format: string - type: string - customHeader: - description: Customized header key to hold access token, - e.g. - format: string - type: string - oauth: - description: Oauth config to fetch access token from auth - provider. - properties: - clientId: - description: OAuth client id for mixer. - format: string - type: string - clientSecret: - description: The path to the file holding the client - secret for oauth. 
- format: string - type: string - endpointParams: - additionalProperties: - format: string - type: string - description: Additional parameters for requests to - the token endpoint. - type: object - scopes: - description: List of requested permissions. - items: - format: string - type: string - type: array - tokenUrl: - description: The Resource server's token endpoint - URL. - format: string - type: string - type: object - serverName: - format: string - type: string - tokenPath: - format: string - type: string - type: object - type: object - timeout: - description: Timeout for remote calls to the backend. - type: string - type: object - name: - description: Must be unique in the entire Mixer configuration. - format: string - type: string - params: - description: Depends on adapter implementation. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: mixer-instance - package: instance - release: istio - name: instances.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: instance - listKind: instanceList - plural: instances - singular: instance - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: An Instance tells Mixer how to create instances for particular - template. - properties: - attributeBindings: - additionalProperties: - format: string - type: string - type: object - compiledTemplate: - description: The name of the compiled in template this instance creates - instances for. 
- format: string - type: string - name: - format: string - type: string - params: - description: Depends on referenced template. - type: object - x-kubernetes-preserve-unknown-fields: true - template: - description: The name of the template this instance creates instances - for. - format: string - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: core - package: istio.io.mixer - release: istio - name: rules.config.istio.io -spec: - group: config.istio.io - names: - categories: - - istio-io - - policy-istio-io - kind: rule - listKind: ruleList - plural: rules - singular: rule - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes the rules used to configure Mixer''s policy and - telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' - properties: - actions: - description: The actions that will be executed when match evaluates - to `true`. - items: - properties: - handler: - description: Fully qualified name of the handler to invoke. - format: string - type: string - instances: - items: - format: string - type: string - type: array - name: - description: A handle to refer to the results of the action. - format: string - type: string - type: object - type: array - match: - description: Match is an attribute based predicate. - format: string - type: string - requestHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. 
- enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - responseHeaderOperations: - items: - properties: - name: - description: Header name literal value. - format: string - type: string - operation: - description: Header operation type. - enum: - - REPLACE - - REMOVE - - APPEND - type: string - values: - description: Header value expressions. - items: - format: string - type: string - type: array - type: object - type: array - sampling: - properties: - random: - description: Provides filtering of actions based on random selection - per request. - properties: - attributeExpression: - description: Specifies an attribute expression to use to override - the numerator in the `percent_sampled` field. - format: string - type: string - percentSampled: - description: The default sampling rate, expressed as a percentage. - properties: - denominator: - description: Specifies the denominator. - enum: - - HUNDRED - - TEN_THOUSAND - type: string - numerator: - description: Specifies the numerator. - type: integer - type: object - useIndependentRandomness: - description: By default sampling will be based on the value - of the request header `x-request-id`. - type: boolean - type: object - rateLimit: - properties: - maxUnsampledEntries: - description: Number of entries to allow during the `sampling_duration` - before sampling is enforced. - format: int64 - type: integer - samplingDuration: - description: Window in which to enforce the sampling rate. - type: string - samplingRate: - description: The rate at which to sample entries once the - unsampled limit has been reached. 
- format: int64 - type: integer - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - type: string - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. 
- format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- diff --git a/charts/kubezero-istio/crds/crd-mixer.yaml b/charts/kubezero-istio/crds/crd-mixer.yaml deleted file mode 100644 index eba26fa..0000000 --- a/charts/kubezero-istio/crds/crd-mixer.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: adapters.config.istio.io - labels: - app: mixer - package: adapter - istio: mixer-adapter - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: adapter - plural: adapters - singular: adapter - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} - ---- -kind: CustomResourceDefinition -apiVersion: apiextensions.k8s.io/v1 -metadata: - name: templates.config.istio.io - labels: - app: mixer - package: template - istio: mixer-template - chart: istio - heritage: Tiller - release: istio - annotations: - "helm.sh/resource-policy": keep -spec: - group: config.istio.io - names: - kind: template - plural: templates - singular: template - categories: - - istio-io - - policy-istio-io - scope: Namespaced - versions: - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - x-kubernetes-preserve-unknown-fields: true - type: object - status: - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- - diff --git a/charts/kubezero-istio/crds/crd-operator.yaml b/charts/kubezero-istio/crds/crd-operator.yaml deleted file mode 100644 index 6ed970d..0000000 --- a/charts/kubezero-istio/crds/crd-operator.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -# SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - group: install.istio.io - names: - kind: IstioOperator - plural: istiooperators - singular: istiooperator - shortNames: - - iop - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - type: string - name: Status - - jsonPath: .metadata.creationTimestamp - description: - "CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: - "APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources" - type: string - kind: - description: - "Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds" - type: string - spec: - description: - "Specification of the desired state of the istio control plane resource. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: - "Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- - diff --git a/charts/kubezero-istio/istio-discovery.patch b/charts/kubezero-istio/istio-discovery.patch new file mode 100644 index 0000000..9a1940c --- /dev/null +++ b/charts/kubezero-istio/istio-discovery.patch @@ -0,0 +1,16 @@ +diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +index e4a983a..ba586de 100644 +--- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml ++++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +@@ -59,6 +59,11 @@ spec: + {{- end }} + securityContext: + fsGroup: 1337 ++ nodeSelector: ++ node-role.kubernetes.io/master: "" ++ tolerations: ++ - effect: NoSchedule ++ key: node-role.kubernetes.io/master + containers: + - name: discovery + {{- if contains "/" .Values.pilot.image }} diff --git a/charts/kubezero-istio/istio-operator.patch b/charts/kubezero-istio/istio-operator.patch deleted file mode 100644 index bf36436..0000000 --- a/charts/kubezero-istio/istio-operator.patch +++ /dev/null 
@@ -1,15 +0,0 @@ ---- charts/istio-operator/templates/deployment.yaml 2020-09-11 14:57:25.007439918 +0100 -+++ charts/istio-operator/templates/deployment.yaml 2020-09-11 14:59:57.998019251 +0100 -@@ -14,6 +14,12 @@ - name: istio-operator - spec: - serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -+ nodeSelector: -+ kubernetes.io/os: linux -+ node-role.kubernetes.io/master: "" -+ tolerations: -+ - key: node-role.kubernetes.io/master -+ effect: NoSchedule - containers: - - name: istio-operator - image: {{.Values.hub}}/operator:{{.Values.tag}} diff --git a/charts/kubezero-istio/templates/istio-private-ingress.yaml b/charts/kubezero-istio/templates/istio-private-ingress.yaml deleted file mode 100644 index 634b58e..0000000 --- a/charts/kubezero-istio/templates/istio-private-ingress.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -{{- if .Values.ingress.private.enabled }} -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: kubezero-istio-private-ingress - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - profile: empty - components: - ingressGateways: - - name: istio-private-ingressgateway - enabled: true - namespace: istio-system - k8s: - replicaCount: {{ .Values.ingress.replicaCount }} - {{- if .Values.ingress.autoscaleEnabled }} - hpaSpec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-private-ingressgateway - {{- end }} - env: - {{- if .Values.ingress.private.http10 }} - - name: ISTIO_META_HTTP10 - value: '"1"' - {{- end }} - # https://github.com/istio/istio/issues/26524, not in 1.7 either - #- name: TERMINATION_DRAIN_DURATION_SECONDS - # value: "60" - #- name: ISTIO_META_IDLE_TIMEOUT - # value: "3600s" - {{- if eq .Values.ingress.type "NodePort" }} - nodeSelector: - node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}" - {{- end }} - resources: - limits: - # cpu: 2000m - memory: 256Mi - requests: - cpu: 100m - memory: 64Mi - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-private-ingressgateway - patches: - - path: spec.template.spec.containers.[name:istio-proxy].lifecycle - value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}} - - path: spec.template.spec.terminationGracePeriodSeconds - value: 90 - - meshConfig: - accessLogFile: /dev/stdout - accessLogEncoding: 'JSON' - h2UpgradePolicy: 'DO_NOT_UPGRADE' - tcpKeepalive: - interval: 30s - time: 60s - - values: - gateways: - istio-ingressgateway: - autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }} - externalTrafficPolicy: 
Local - labels: - app: istio-private-ingressgateway - istio: private-ingressgateway - meshExpansionPorts: [] - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-private-ingressgateway - type: {{ default "NodePort" .Values.ingress.type }} - ports: - - name: http-status - port: 15021 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31021 - {{- end }} - - name: http2 - port: 80 - targetPort: 8080 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31080 - {{- end }} - - name: https - port: 443 - targetPort: 8443 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31443 - {{- end }} - - name: fluentd-forward - port: 24224 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31224 - {{- end }} - - name: amqps - port: 5671 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31671 - {{- end }} - - name: amqp - port: 5672 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31672 - {{- end }} - - name: redis - port: 6379 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31379 - {{- end }} - - name: redis-1 - port: 6380 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 31380 - {{- end }} - - global: - jwtPolicy: first-party-jwt - logAsJson: true - defaultPodDisruptionBudget: - enabled: false - -{{- end }} diff --git a/charts/kubezero-istio/templates/istio.yaml b/charts/kubezero-istio/templates/istio.yaml deleted file mode 100644 index 195eed9..0000000 --- a/charts/kubezero-istio/templates/istio.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - name: kubezero-istio - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - profile: empty - components: - base: - enabled: true - {{- if .Values.ingress.public.enabled }} - ingressGateways: - - enabled: true - k8s: - replicaCount: {{ .Values.ingress.replicaCount }} - {{- if .Values.ingress.autoscaleEnabled }} - hpaSpec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - targetAverageUtilization: 80 - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - {{- end }} - env: - {{- if .Values.ingress.http10 }} - - name: ISTIO_META_HTTP10 - value: '"1"' - {{- end }} - # https://github.com/istio/istio/issues/26524, not in 1.7 ! - #- name: TERMINATION_DRAIN_DURATION_SECONDS - # value: "60" - #- name: ISTIO_META_IDLE_TIMEOUT - # value: "3600s" - {{- if eq .Values.ingress.type "NodePort" }} - nodeSelector: - node.kubernetes.io/ingress.public: "30080_30443" - {{- end }} - resources: - limits: - #cpu: 2000m - memory: 256Mi - requests: - cpu: 100m - memory: 64Mi - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - overlays: - - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway - patches: - - path: spec.template.spec.containers.[name:istio-proxy].lifecycle - value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}} - - path: spec.template.spec.terminationGracePeriodSeconds - value: 90 - - name: istio-ingressgateway - {{- end }} - pilot: - enabled: true - k8s: - replicaCount: {{ .Values.istiod.replicaCount }} - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - resources: - requests: - cpu: 100m - memory: 128Mi - env: - - name: PILOT_ENABLE_MYSQL_FILTER - value: "true" - - name: 
PILOT_ENABLE_REDIS_FILTER - value: "true" - - name: PILOT_HTTP10 - value: "true" - policy: - enabled: true - k8s: - replicaCount: {{ .Values.istiod.replicaCount }} - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - - telemetry: - enabled: false - meshConfig: - accessLogFile: /dev/stdout - accessLogEncoding: 'JSON' - h2UpgradePolicy: 'DO_NOT_UPGRADE' - tcpKeepalive: - interval: 30s - time: 60s - values: - {{- if .Values.ingress.public.enabled }} - gateways: - istio-ingressgateway: - autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }} - externalTrafficPolicy: Local - labels: - app: istio-ingressgateway - istio: ingressgateway - meshExpansionPorts: [] - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-ingressgateway - type: {{ default "NodePort" .Values.ingress.type }} - ports: - - name: http-status - port: 15021 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30021 - {{- end }} - - name: http2 - port: 80 - targetPort: 8080 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30080 - {{- end }} - - name: https - port: 443 - targetPort: 8443 - {{- if eq .Values.ingress.type "NodePort" }} - nodePort: 30443 - {{- end }} - {{- end }} - global: - jwtPolicy: first-party-jwt - logAsJson: true - defaultPodDisruptionBudget: - enabled: false - pilot: - autoscaleEnabled: false - mixer: - policy: - autoscaleEnabled: false diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 0a5a153..dee4b6a 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,7 +1,7 @@ #!/bin/bash set -ex -export ISTIO_VERSION=1.7.4 +export ISTIO_VERSION=1.8.0 if [ ! -d istio-$ISTIO_VERSION ]; then NAME="istio-$ISTIO_VERSION" 
@@ -10,17 +10,24 @@ if [ ! -d istio-$ISTIO_VERSION ]; then curl -sL "$URL" | tar xz fi +# Extract control plane charts +rm -rf charts/base charts/istio-* +cp -r istio-${ISTIO_VERSION}/manifests/charts/base charts/ +cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-control/istio-discovery charts/ + +# Patch for istiod to control plane +patch -p3 -i istio-discovery.patch + +# Minor tweaks +rm -f charts/istio-discovery/templates/telemetryv2_1.[67].yaml + +# Ingress charts +rm -rf ../kubezero-istio-ingress/charts/istio-* +cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/ +cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress + +# Rename private chart +sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml + # Get matching istioctl -[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } - -# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs -# Now lets extract istio-operator chart -rm -rf charts/istio-operator -cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts - -# Apply our patch -patch -i istio-operator.patch -p0 - -# Extract crds -rm -rf crds -cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds . +# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 9f1658d..2b58c92 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml 
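Review bot: `rm -rf charts/base charts/istio-*` and `rm -rf ../kubezero-istio-ingress/charts/istio-*` are resolved against whatever directory the caller happens to be in, and the visible top of update.sh (`set -ex`, `export ISTIO_VERSION=...`) shows no `cd` into the script's own directory, so running it from elsewhere deletes or repopulates the wrong tree; if no such `cd` exists above this hunk, `cd "$(dirname "$0")"` near the top pins every relative path in it (the start of the script is outside this hunk). The copied charts come straight out of the `curl -sL "$URL" | tar xz` download kept as context above with no checksum or signature verification, which is worth stating next to the extraction, e.g. `# NOTE: upstream archive is trusted as downloaded; no integrity check beyond the pinned ISTIO_VERSION`. The commented-out `# [ -x istioctl ] ...` line at the end is dead code now that istioctl is no longer used by this script and could simply be dropped.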
@@ -1,20 +1,43 @@ -istiod: - autoscaleEnabled: false - replicaCount: 1 - -ingress: - autoscaleEnabled: false - replicaCount: 2 - type: NodePort - public: - enabled: true - private: - enabled: true - nodeSelector: "31080_31443_31671_31672_31224" - dnsNames: - - "*" - -istio-operator: - operatorNamespace: istio-system +global: hub: docker.io/istio - tag: 1.7.4 + tag: 1.8.0 + + logAsJson: true + jwtPolicy: first-party-jwt + + defaultPodDisruptionBudget: + enabled: false + + priorityClassName: "system-cluster-critical" + +istio-discovery: + pilot: + autoscaleEnabled: false + replicaCount: 1 + + # Not implemented, monkey patched in the chart itself + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + + resources: + requests: + cpu: 100m + memory: 128Mi +# env: +# PILOT_ENABLE_MYSQL_FILTER: true +# PILOT_ENABLE_REDIS_FILTER: true +# PILOT_HTTP10: true + + telemetry: + enabled: false + + meshConfig: + accessLogFile: /dev/stdout + accessLogEncoding: 'JSON' + h2UpgradePolicy: 'DO_NOT_UPGRADE' + tcpKeepalive: + interval: 30s + time: 60s diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index ae34a20..8788a32 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack 
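Review bot: `jwtPolicy: first-party-jwt` under `global` makes istiod and the sidecars authenticate with the legacy, non-expiring service-account token mounted into every pod, whereas `third-party-jwt`, Istio's default on clusters that support ServiceAccount token volume projection, uses projected, audience-bound tokens with an expiry and is the safer choice wherever the API server offers it. If the target clusters genuinely lack projection this is the right fallback, but the reason belongs next to the value, e.g. `# first-party-jwt: clusters without service-account token projection; prefer third-party-jwt where supported`. The `# Not implemented, monkey patched in the chart itself` comment above `nodeSelector`/`tolerations` also leaves unclear whether editing these values has any effect; saying that they are informational only and that `istio-discovery.patch` is where the placement is actually set would save the next reader a search.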
@@ -18,6 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| +| https://helm.elastic.co | eck-operator | 1.3.0 | | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 | | https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | @@ -56,6 +57,10 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| eck-operator.enabled | bool | `false` | | +| eck-operator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | +| eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | elastic_password | string | `""` | | | es.nodeSets | list | `[]` | | | es.prometheus | bool | `false` | | @@ -93,7 +98,6 @@ Kubernetes: `>= 1.16.0` | fluentd.metrics.enabled | bool | `false` | | | fluentd.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | fluentd.metrics.serviceMonitor.enabled | bool | `true` | | -| fluentd.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | fluentd.output.host | string | `"logging-es-http"` | | | fluentd.plugins.enabled | bool | `false` | | | fluentd.plugins.pluginsList | string | `nil` | | @@ -109,7 +113,7 @@ Kubernetes: `>= 1.16.0` | kibana.istio.enabled | bool | `false` | | | kibana.istio.gateway | string | `"istio-system/ingressgateway"` | | | kibana.istio.url | string | `""` | | -| version | string | `"7.8.1"` | | +| version | string | `"7.10.0"` | | ## Resources: diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md index 0f975d2..2fd3f16 100644 --- a/charts/kubezero-redis/README.md +++ b/charts/kubezero-redis/README.md 
@@ -30,11 +30,12 @@ Kubernetes: `>= 1.16.0` | redis.master.persistence.enabled | bool | `false` | | | redis.metrics.enabled | bool | `false` | | | redis.metrics.serviceMonitor.enabled | bool | `false` | | -| redis.metrics.serviceMonitor.namespace | string | `"monitoring"` | | | redis.metrics.serviceMonitor.selector.release | string | `"metrics"` | | +| redis.redisPort | int | `6379` | | | redis.usePassword | bool | `false` | | # Dashboards +https://grafana.com/grafana/dashboards/11835 ## Redis diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index ab65a73..4e6d150 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -24,6 +24,8 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| argo-cd.enabled | bool | `false` | | +| argo-cd.namespace | string | `"argocd"` | | | aws-ebs-csi-driver.enabled | bool | `false` | | | aws-efs-csi-driver.enabled | bool | `false` | | | calico.enabled | bool | `false` | | @@ -34,7 +36,10 @@ Kubernetes: `>= 1.16.0` | global.defaultSource.pathPrefix | string | `""` | | | global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | | | global.defaultSource.targetRevision | string | `"HEAD"` | | +| istio-ingress.enabled | bool | `false` | | +| istio-ingress.namespace | string | `"istio-ingress"` | | | istio.enabled | bool | `false` | | +| istio.namespace | string | `"istio-system"` | | | kiam.enabled | bool | `false` | | | local-volume-provisioner.enabled | bool | `false` | | | logging.enabled | bool | `false` | | diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml new file mode 100644 index 0000000..c385e10 --- /dev/null +++ b/charts/kubezero/templates/istio-ingress.yaml @@ -0,0 +1,8 @@ +{{- if index .Values "istio-ingress" "enabled" }} +{{ include "kubezero-app.app" . }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: istio-ingress +{{- end }} 
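Review bot: The Namespace object in the new charts/kubezero/templates/istio-ingress.yaml is hard-coded as `name: istio-ingress` while the same commit introduces a configurable `istio-ingress.namespace` value (see the kubezero README and values.yaml hunks), so changing that value would leave the Namespace and the Application out of step, assuming the `kubezero-app.app` include, which is not visible here, uses the value for its destination; `name: {{ index .Values "istio-ingress" "namespace" }}` keeps the two consistent. The istio.yaml hunk that follows has the same hard-coded `name: istio-system` against the new `istio.namespace` value, where `name: {{ .Values.istio.namespace }}` would do.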
diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index f2cc09a..d1cdf8c 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml @@ -12,4 +12,9 @@ jsonPointers: - /webhooks/0/clientConfig/caBundle - /webhooks/0/failurePolicy +--- +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system {{- end }} diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index be2b3ec..297b28a 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -23,10 +23,10 @@ cert-manager: enabled: false namespace: cert-manager -local-volume-provisioner: +kiam: enabled: false -kiam: +local-volume-provisioner: enabled: false aws-ebs-csi-driver: @@ -37,6 +37,11 @@ aws-efs-csi-driver: istio: enabled: false + namespace: istio-system + +istio-ingress: + enabled: false + namespace: istio-ingress metrics: enabled: false @@ -45,3 +50,7 @@ metrics: logging: enabled: false namespace: logging + +argo-cd: + enabled: false + namespace: argocd diff --git a/deploy/argocd.sh b/deploy/argocd.sh new file mode 100755 index 0000000..0441710 --- /dev/null +++ b/deploy/argocd.sh 
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -ex
+
+LOCATION=${1:-""}
+
+DEPLOY_DIR=$( dirname $( realpath $0 ))
+
+function chart_location() {
+ if [ -z "$LOCATION" ]; then
+ echo "$1 --repo https://zero-down-time.github.io/kubezero"
+ else
+ echo "$LOCATION/$1"
+ fi
+}
+
+# Update only if we use upstream
+if [ -z "$LOCATION" ]; then
+ helm repo add kubezero https://zero-down-time.github.io/kubezero
+ helm repo update
+fi
+
+TMPDIR=$(mktemp -d kubezero.XXX)
+
+# This will be stored as secret during the initial kubezero chart install
+helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml
+
+helm template $(chart_location kubezero) --namespace argocd --name-template kubezero --skip-crds -f $TMPDIR/kubezero.yaml > $TMPDIR/helm.yaml
+kubectl apply --namespace argocd -f $TMPDIR/helm.yaml
+
+[ "$DEBUG" == "" ] && rm -rf $TMPDIR
diff --git a/deploy/argocd/app.yaml b/deploy/argocd/app.yaml
new file mode 100644
index 0000000..b2ccd8c
--- /dev/null
+++ b/deploy/argocd/app.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubezero
+ namespace: argocd
+ labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+ project: kubezero
+ source:
+ repoURL: {{ .Values.global.defaultSource.repoURL }}
+ targetRevision: {{ .Values.global.defaultSource.targetRevision }}
+ path: {{ .Values.global.defaultSource.pathPrefix}}charts/kubezero
+
+ helm:
+ values: |
+ {{- toYaml .Values | nindent 8 }}
+
+ destination:
+ server: {{ .Values.global.defaultDestination.server }}
+ namespace: argocd
+
+ {{- if .Values.global.syncPolicy }}
+ syncPolicy:
+ {{- toYaml .Values.global.syncPolicy | nindent 4 }}
+ {{- end }}
diff --git a/charts/kubezero-argo-cd/templates/project.yaml b/deploy/argocd/project.yaml
similarity index 96%
rename from charts/kubezero-argo-cd/templates/project.yaml
rename to deploy/argocd/project.yaml
index c033525..9d992f2 100644
--- a/charts/kubezero-argo-cd/templates/project.yaml
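Review bot: The rendered values in `$TMPDIR/kubezero.yaml`, which the comment says end up stored as a Secret, are left behind in the current directory whenever any earlier command fails, because cleanup is only the trailing `[ "$DEBUG" == "" ] && rm -rf $TMPDIR` and `set -e` aborts before reaching it. A trap registered right after `mktemp` covers every exit path: `trap '[ -n "$DEBUG" ] || rm -rf -- "$TMPDIR"' EXIT`, after which the last line can go (as written it also makes the script exit non-zero whenever DEBUG is set). Naming the variable `TMPDIR` shadows the environment variable that mktemp, helm and kubectl consult for their own scratch files, so a name such as `WORK_DIR` avoids surprising those tools, and `kubezero.XXX` gives only three random characters where `kubezero.XXXXXX` is the usual template.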
+++ b/deploy/argocd/project.yaml @@ -19,10 +19,10 @@ spec: server: https://kubernetes.default.svc - namespace: cert-manager server: https://kubernetes.default.svc - - namespace: istio-operator - server: https://kubernetes.default.svc - namespace: istio-system server: https://kubernetes.default.svc + - namespace: istio-ingress + server: https://kubernetes.default.svc - namespace: monitoring server: https://kubernetes.default.svc - namespace: elastic-system diff --git a/deploy/bootstrap.sh b/deploy/bootstrap.sh index d55324d..f80d653 100755 --- a/deploy/bootstrap.sh +++ b/deploy/bootstrap.sh @@ -15,7 +15,7 @@ TMPDIR=$(mktemp -d kubezero.XXX) helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml if [ ${ARTIFACTS[0]} == "all" ]; then - ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "kubezero.*.enabled" | awk -F "." '{print $2}')) + ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "*.enabled" | awk -F "." '{print $1}')) fi # Update only if we use upstream @@ -82,9 +82,9 @@ function delete() { function is_enabled() { local chart=$1 - enabled=$(yq r $TMPDIR/kubezero.yaml kubezero.${chart}.enabled) + enabled=$(yq r $TMPDIR/kubezero.yaml ${chart}.enabled) if [ "$enabled" == "true" ]; then - yq r $TMPDIR/kubezero.yaml kubezero.${chart}.values > $TMPDIR/values.yaml + yq r $TMPDIR/kubezero.yaml ${chart}.values > $TMPDIR/values.yaml return 0 fi return 1 @@ -216,9 +216,6 @@ function istio() { deploy $chart $release $namespace -f $TMPDIR/values.yaml elif [ $task == "delete" ]; then - for i in $(kubectl get istiooperators -A -o name); do - kubectl delete $i -n istio-system - done delete $chart $release $namespace -f $TMPDIR/values.yaml kubectl delete ns istio-system 
@@ -230,6 +227,25 @@ function istio() { fi } +################# +# Istio Ingress # +################# +function istio-ingress() { + local chart="kubezero-istio-ingress" + local release="istio" + local namespace="istio-ingress" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns istio-ingress + fi +} + ########### # Metrics # @@ -286,6 +302,35 @@ function logging() { } +########## +# ArgoCD # +########## +function argo-cd() { + local chart="kubezero-argo-cd" + local release="argocd" + local namespace="argocd" + + local task=$1 + + if [ $task == "deploy" ]; then + deploy $chart $release $namespace -f $TMPDIR/values.yaml + + # Install the kubezero app of apps + deploy kubezero kubezero argocd -f $TMPDIR/kubezero.yaml + + elif [ $task == "delete" ]; then + delete $chart $release $namespace -f $TMPDIR/values.yaml + kubectl delete ns argocd + + elif [ $task == "crds" ]; then + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml + fi +} + + ## MAIN ## if [ $1 == "deploy" ]; then for t in ${ARTIFACTS[@]}; do diff --git a/deploy/deploy.sh b/deploy/deploy.sh deleted file mode 100755 index 4bc914e..0000000 --- a/deploy/deploy.sh +++ /dev/null 
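Review bot: `kubectl delete ns istio-ingress` in the `delete` branch hard-codes the name that `local namespace="istio-ingress"` already holds a few lines up, so `kubectl delete ns $namespace` keeps the two from drifting; the `argo-cd` function in the next hunk repeats the pattern with `kubectl delete ns argocd`. `[ $task == "deploy" ]` also fails with a bash syntax error rather than a readable message when the function is called without an argument, which `[ "$task" == "deploy" ]` avoids.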
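Review bot: The `crds` branch of `argo-cd` recovers the CRDs by turning `diff -e` output into an ed script and stripping exactly one command line with `head -n-1 | tail -n+2`, which only holds while the `--include-crds` render differs from the `--skip-crds` render by a single contiguous insertion; as soon as the chart emits CRDs at two positions the extra ed command lines land in crds.yaml and `kubectl apply` rejects it. Because the script runs under `set -ex` without `pipefail`, a failure inside that pipeline is also hidden behind the exit status of `tail`. If the helm in use supports it, `helm show crds $(chart_location $chart) > $TMPDIR/crds.yaml` yields the CRD documents directly; otherwise selecting `kind: CustomResourceDefinition` documents from the `--include-crds` render with yq is more robust than line arithmetic on a diff.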
@@ -1,17 +0,0 @@ -#!/bin/bash -set -e - -DEPLOY_DIR=$( dirname $( realpath $0 )) - -helm repo add kubezero https://zero-down-time.github.io/kubezero -helm repo update - -# Determine if we bootstrap or update -helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$? -if [ $rc -eq 0 ]; then - helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml - helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml -else - echo "To bootstrap clusters please use bootstrap.sh !" - exit 1 -fi diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index fb5e85b..4c1e90e 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml 
@@ -1,232 +1,259 @@ -kubezero: - {{- if .Values.global }} - global: - {{- toYaml .Values.global | nindent 4 }} - {{- end }} - calico: - enabled: {{ .Values.calico.enabled }} - values: - network: {{ default "vxlan" .Values.calico.network }} - mtu: {{ default "8941" .Values.calico.mtu }} - prometheus: {{ and .Values.metrics.enabled .Values.metrics.ready }} - cert-manager: - enabled: {{ index .Values "cert-manager" "enabled" }} - values: - # Disable all until webhook is in place - localCA: - enabled: {{ index .Values "cert-manager" "ready" }} - {{- if eq .Values.platform "aws" }} - cert-manager: - podAnnotations: - iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" - {{- end }} +{{- if .Values.global }} +global: + {{- toYaml .Values.global | nindent 2 }} +{{- end }} +calico: + enabled: {{ .Values.calico.enabled }} + values: + network: {{ default "vxlan" .Values.calico.network }} + mtu: {{ default "8941" .Values.calico.mtu }} + prometheus: {{ .Values.metrics.enabled }} +cert-manager: + enabled: {{ index .Values "cert-manager" "enabled" }} + values: + localCA: + enabled: true + {{- if eq .Values.platform "aws" }} + cert-manager: + podAnnotations: + iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" + {{- end }} - {{- if and .Values.kiam.enabled .Values.kiam.ready }} - clusterIssuer: - name: letsencrypt-dns-prod - server: https://acme-v02.api.letsencrypt.org/directory - email: {{ index .Values "cert-manager" "email" }} - solvers: - - selector: - dnsZones: - {{- with index .Values "cert-manager" "dnsZones" }} - {{- . | toYaml | nindent 14 }} - {{- end }} - dns01: - {{- if eq .Values.platform "aws" }} - route53: - region: {{ .Values.region }} - {{- else }} - {{- with index .Values "cert-manager" "solvers" }} - {{- . 
| toYaml | nindent 14 }} - {{- end }} - {{- end }} - {{- end }} + {{- if .Values.kiam.enabled }} + clusterIssuer: + name: letsencrypt-dns-prod + server: https://acme-v02.api.letsencrypt.org/directory + email: {{ index .Values "cert-manager" "email" }} + solvers: + - selector: + dnsZones: + {{- with index .Values "cert-manager" "dnsZones" }} + {{- . | toYaml | nindent 12 }} + {{- end }} + dns01: + {{- if eq .Values.platform "aws" }} + route53: + region: {{ .Values.region }} + {{- else }} + {{- with index .Values "cert-manager" "solvers" }} + {{- . | toYaml | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} - {{- if eq .Values.platform "aws" }} - kiam: - enabled: {{ .Values.kiam.enabled }} - values: - kiam: - enabled: {{ not .Values.kiam.certsOnly }} - server: - assumeRoleArn: "{{ .Values.kiam.IamArn }}" - deployment: - replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} - prometheus: - servicemonitor: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - agent: - prometheus: - servicemonitor: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} +{{- if eq .Values.platform "aws" }} +kiam: + enabled: {{ .Values.kiam.enabled }} + values: + kiam: + enabled: {{ not .Values.kiam.certsOnly }} + server: + assumeRoleArn: "{{ .Values.kiam.IamArn }}" + deployment: + replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} + prometheus: + servicemonitor: + enabled: {{ .Values.metrics.enabled }} + agent: + prometheus: + servicemonitor: + enabled: {{ .Values.metrics.enabled }} - {{- if and .Values.kiam.enabled .Values.kiam.ready }} - # AWS only components - aws-ebs-csi-driver: - enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} - values: - aws-ebs-csi-driver: - replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - podAnnotations: - iam.amazonaws.com/role: "{{ index .Values "aws-ebs-csi-driver" "IamArn" }}" - extraVolumeTags: - Name: {{ .Values.ClusterName }} - {{- end }} +{{- if .Values.kiam.enabled }} +# AWS 
only components +aws-ebs-csi-driver: + enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} + values: + aws-ebs-csi-driver: + replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} + podAnnotations: + iam.amazonaws.com/role: "{{ index .Values "aws-ebs-csi-driver" "IamArn" }}" + extraVolumeTags: + Name: {{ .Values.ClusterName }} +{{- end }} - aws-efs-csi-driver: - enabled: {{ index .Values "aws-efs-csi-driver" "enabled" }} - values: - {{- with index .Values "aws-efs-csi-driver" "nodeSelector" }} - aws-efs-csi-driver: - nodeSelector: - {{- toYaml . | nindent 10 }} - {{- end }} - {{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }} - PersistentVolumes: +aws-efs-csi-driver: + enabled: {{ index .Values "aws-efs-csi-driver" "enabled" }} + values: + {{- with index .Values "aws-efs-csi-driver" "nodeSelector" }} + aws-efs-csi-driver: + nodeSelector: {{- toYaml . | nindent 8 }} - {{- end }} - {{- if index .Values "aws-efs-csi-driver" "EfsId" }} - PersistentVolume: - create: true - EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }} - Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }} - {{- end }} - {{- end }} + {{- end }} + {{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }} + PersistentVolumes: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- if index .Values "aws-efs-csi-driver" "EfsId" }} + PersistentVolume: + create: true + EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }} + Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }} + {{- end }} +{{- end }} - istio: - enabled: {{ .Values.istio.enabled }} - values: - istiod: +istio: + enabled: {{ .Values.istio.enabled }} + values: + istio-discovery: + pilot: replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - {{- if index .Values "cert-manager" "ready" }} - {{- if .Values.istio.ingress }} - ingress: - {{- toYaml .Values.istio.ingress | nindent 8 }} - {{- end }} - {{- end }} - metrics: - enabled: {{ .Values.metrics.enabled }} - values: - {{- if and .Values.metrics.istio.grafana.enabled .Values.istio.ready }} - grafana: - istio: - {{- with .Values.metrics.istio.grafana }} +istio-ingress: + enabled: {{ index .Values "istio-ingress" "enabled" }} + values: + {{- if index .Values "istio-ingress" "public" "enabled" }} + istio-ingress: + enabled: true + {{- with index .Values "istio-ingress" "public" "gateway" }} + gateways: + istio-ingressgateway: {{- toYaml . | nindent 10 }} - {{- end }} {{- end }} - {{- if and .Values.metrics.istio.prometheus.enabled .Values.istio.ready }} - prometheus: - istio: - {{- with .Values.metrics.istio.prometheus }} + {{- with index .Values "istio-ingress" "public" "dnsNames" }} + dnsNames: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + + {{- if index .Values "istio-ingress" "private" "enabled" }} + istio-private-ingress: + enabled: true + {{- with index .Values "istio-ingress" "private" "gateway" }} + gateways: + istio-ingressgateway: {{- toYaml . | nindent 10 }} - {{- end }} {{- end }} - {{- if index .Values "metrics" "kube-prometheus-stack" }} - kube-prometheus-stack: - {{- with index .Values "metrics" "kube-prometheus-stack" }} + {{- with index .Values "istio-ingress" "private" "dnsNames" }} + dnsNames: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- end }} + +metrics: + enabled: {{ .Values.metrics.enabled }} + values: + {{- if .Values.metrics.istio.grafana.enabled }} + grafana: + istio: + {{- with .Values.metrics.istio.grafana }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.metrics.istio.prometheus.enabled }} + prometheus: + istio: + {{- with .Values.metrics.istio.prometheus }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if index .Values "metrics" "kube-prometheus-stack" }} + kube-prometheus-stack: + {{- with index .Values "metrics" "kube-prometheus-stack" }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + +logging: + enabled: {{ .Values.logging.enabled }} + values: + {{- with index .Values "logging" "eck-operator" }} + eck-operator: + {{- toYaml . | nindent 6 }} + {{- end }} + + {{- if .Values.logging.elastic_password }} + elastic_password: {{ .Values.logging.elastic_password }} + {{- end }} + + {{- if .Values.logging.version }} + version: {{ .Values.logging.version }} + {{- end }} + + {{- if .Values.logging.fullnameOverride }} + fullnameOverride: {{ .Values.logging.fullnameOverride }} + {{- end }} + + {{- if .Values.logging.es }} + es: + {{- if .Values.logging.es.nodeSets }} + nodeSets: + {{- with .Values.logging.es.nodeSets }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + prometheus: {{ .Values.metrics.enabled }} + + {{- if .Values.logging.es.s3Snapshot }} + s3Snapshot: + {{- with .Values.logging.es.s3Snapshot }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.logging.kibana }} + kibana: + {{- with .Values.logging.kibana }} + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- end }} + + fluentd: + enabled: {{ .Values.logging.fluentd.enabled }} + metrics: + enabled: {{ .Values.metrics.enabled }} + url: {{ .Values.logging.fluentd.url }} + {{- if .Values.logging.fluentd.output }} + output: + host: {{ .Values.logging.fluentd.output.host }} + {{- end }} + {{- if .Values.logging.fluentd.extraEnvVars }} + extraEnvVars: + {{- toYaml .Values.logging.fluentd.extraEnvVars | nindent 8 }} + {{- end }} + {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }} + istio: + {{- with .Values.logging.fluentd.istio }} {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - logging: - enabled: {{ .Values.logging.enabled }} - values: - {{- with index .Values "logging" "eck-operator" }} - eck-operator: - {{- toYaml . | nindent 8 }} - {{- end }} - - {{- if .Values.logging.elastic_password }} - elastic_password: {{ .Values.logging.elastic_password }} - {{- end }} - - {{- if .Values.logging.version }} - version: {{ .Values.logging.version }} - {{- end }} - - {{- if .Values.logging.fullnameOverride }} - fullnameOverride: {{ .Values.logging.fullnameOverride }} - {{- end }} - - {{- if .Values.logging.es }} - es: - {{- if .Values.logging.es.nodeSets }} - nodeSets: - {{- with .Values.logging.es.nodeSets }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - prometheus: {{ and .Values.metrics.enabled .Values.metrics.ready }} - - {{- if .Values.logging.es.s3Snapshot }} - s3Snapshot: - {{- with .Values.logging.es.s3Snapshot }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.logging.kibana }} - kibana: - {{- with .Values.logging.kibana }} + fluent-bit: + enabled: {{ index .Values.logging "fluent-bit" "enabled" }} + metrics: + enabled: {{ .Values.metrics.enabled }} + {{- if index .Values.logging "fluent-bit" "config" }} + config: + {{- with index .Values.logging "fluent-bit" "config" }} {{- toYaml . 
| nindent 8 }} {{- end }} {{- end }} - - fluentd: - enabled: {{ .Values.logging.fluentd.enabled }} - metrics: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - url: {{ .Values.logging.fluentd.url }} - {{- if .Values.logging.fluentd.output }} - output: - host: {{ .Values.logging.fluentd.output.host }} - {{- end }} - {{- if .Values.logging.fluentd.extraEnvVars }} - extraEnvVars: - {{- toYaml .Values.logging.fluentd.extraEnvVars | nindent 10 }} - {{- end }} - {{- if and .Values.logging.fluentd.istio .Values.istio.enabled .Values.istio.ready }} - istio: - {{- with .Values.logging.fluentd.istio }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- end }} - - fluent-bit: - enabled: {{ index .Values.logging "fluent-bit" "enabled" }} - metrics: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - {{- if index .Values.logging "fluent-bit" "config" }} - config: - {{- with index .Values.logging "fluent-bit" "config" }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- end }} - + argo-cd: - controller: - metrics: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - repoServer: - metrics: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - server: - metrics: - enabled: {{ and .Values.metrics.enabled .Values.metrics.ready }} - {{- with index .Values "argo-cd" "server" }} - {{- toYaml . | nindent 4 }} + enabled: {{ index .Values "argo-cd" "enabled" }} + values: + argo-cd: + controller: + metrics: + enabled: {{ .Values.metrics.enabled }} + repoServer: + metrics: + enabled: {{ .Values.metrics.enabled }} + server: + metrics: + enabled: {{ .Values.metrics.enabled }} + {{- with index .Values "argo-cd" "server" }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with index .Values "argo-cd" "configs" }} + configs: + {{- toYaml . | nindent 8}} + {{- end }} + {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }} + istio: + {{- with index .Values "argo-cd" "istio" }} + {{- toYaml . 
| nindent 6 }} + {{- end }} {{- end }} - {{- with index .Values "argo-cd" "configs" }} - configs: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled .Values.istio.ready }} - istio: - {{- with index .Values "argo-cd" "istio" }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} diff --git a/deploy/values.yaml b/deploy/values.yaml index 720ecff..09ab224 100644 --- a/deploy/values.yaml +++ b/deploy/values.yaml @@ -9,7 +9,6 @@ calico: cert-manager: enabled: true - ready: true IamArn: "" aws-ebs-csi-driver: @@ -21,16 +20,20 @@ aws-efs-csi-driver: kiam: enabled: true - ready: true IamArn: "" istio: - ready: true enabled: false +istio-ingress: + enabled: false + public: + enabled: false + private: + enabled: false + metrics: enabled: false - ready: true istio: grafana: enabled: false @@ -50,5 +53,5 @@ argo-cd: enabled: false server: {} istio: - enabled: true - gateway: istio-system/private-ingressgateway + enabled: false + gateway: istio-ingress/private-ingressgateway -- 2.40.1 From 0a1cb7a07a87f571ca1a2bbf4e55c93992c85a60 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 24 Nov 2020 06:51:48 -0800 Subject: [PATCH 04/48] Revert Kube version check to make argo work --- charts/kubezero-argo-cd/Chart.yaml | 2 +- charts/kubezero-istio-ingress/Chart.yaml | 2 +- charts/kubezero-istio/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argo-cd/Chart.yaml index 0f6a372..5182dc4 100644 --- a/charts/kubezero-argo-cd/Chart.yaml +++ b/charts/kubezero-argo-cd/Chart.yaml @@ -17,4 +17,4 @@ dependencies: - name: argo-cd version: 2.9.5 repository: https://argoproj.github.io/argo-helm -kubeVersion: ">= 1.17.0" +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index 9380362..943b2c8 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml 
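Review bot: `elastic_password: {{ .Values.logging.elastic_password }}` on the new side is rendered without `| quote`, unlike the `iam.amazonaws.com/role` values in the same file, so a password that YAML reinterprets (digits only, `yes`/`no`/`on`/`off`, a leading `*` or `&`, or an embedded `: `) is silently altered or breaks the render of kubezero.yaml. `elastic_password: {{ .Values.logging.elastic_password | quote }}` keeps the value byte-exact. The same bare style applies to `version:` and `fullnameOverride:` in the logging block, where a constructed value like `7.10` would be parsed as the float 7.1.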
+++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -21,4 +21,4 @@ dependencies: - name: istio-private-ingress version: 1.1.0 condition: istio-private-ingress.enabled -kubeVersion: ">= 1.17.0" +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 183d4cb..2321650 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -19,4 +19,4 @@ dependencies: version: 1.1.0 - name: istio-discovery version: 1.2.0 -kubeVersion: ">= 1.17.0" +kubeVersion: ">= 1.16.0" -- 2.40.1 From 486ea0fa56eec59f9fc53a3966beb7536a347236 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 24 Nov 2020 07:18:14 -0800 Subject: [PATCH 05/48] Bug fixes and argo tweaks --- charts/kubezero-logging/values.yaml | 1 - charts/kubezero/templates/istio.yaml | 6 ++++++ deploy/bootstrap.sh | 4 ++-- deploy/templates/values.yaml | 2 +- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 5b76faa..d3fa2e3 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -295,7 +295,6 @@ fluent-bit: serviceMonitor: enabled: true - namespace: monitoring selector: release: metrics diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index d1cdf8c..00233d0 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml @@ -12,6 +12,12 @@ jsonPointers: - /webhooks/0/clientConfig/caBundle - /webhooks/0/failurePolicy + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jsonPointers: + - /webhooks/0/clientConfig/caBundle + - /webhooks/0/failurePolicy + --- apiVersion: v1 kind: Namespace diff --git a/deploy/bootstrap.sh b/deploy/bootstrap.sh index f80d653..370a16c 100755 --- a/deploy/bootstrap.sh +++ b/deploy/bootstrap.sh 
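Review bot: The added ignoreDifferences entry tells ArgoCD to disregard drift in `/webhooks/0/failurePolicy` of the MutatingWebhookConfiguration, mirroring the existing ValidatingWebhookConfiguration entry above; `caBundle` is clearly runtime-injected, but `failurePolicy` decides whether admission is enforced or bypassed when the webhook is unavailable, so a manual change from Fail to Ignore would no longer show as OutOfSync. If the exemption is needed because istiod rewrites the policy itself once it is ready, a comment stating that reason next to the pointer would stop a future reader from copying it to other apps; the same entries are added to metrics.yaml in the following patch (`Another argo tweak`). Where the controller does not actually rewrite `failurePolicy`, restricting the pointer list to `caBundle` keeps the security-relevant field under drift detection.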
@@ -232,7 +232,7 @@ function istio() { ################# function istio-ingress() { local chart="kubezero-istio-ingress" - local release="istio" + local release="istio-ingress" local namespace="istio-ingress" local task=$1 @@ -284,7 +284,7 @@ function logging() { local task=$1 if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml + deploy $chart $release $namespace -a "monitoring.coreos.com/v1" -f $TMPDIR/values.yaml kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index 4c1e90e..718ecf4 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -222,7 +222,7 @@ logging: fluent-bit: enabled: {{ index .Values.logging "fluent-bit" "enabled" }} - metrics: + serviceMonitor: enabled: {{ .Values.metrics.enabled }} {{- if index .Values.logging "fluent-bit" "config" }} config: -- 2.40.1 From 8b4a2bd92009500ff2b91f93aea455278c4b1175 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 24 Nov 2020 07:29:38 -0800 Subject: [PATCH 06/48] Another argo tweak --- charts/kubezero/templates/metrics.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/charts/kubezero/templates/metrics.yaml b/charts/kubezero/templates/metrics.yaml index 2bef83f..428f8d4 100644 --- a/charts/kubezero/templates/metrics.yaml +++ b/charts/kubezero/templates/metrics.yaml @@ -1,5 +1,18 @@ {{- if index .Values "metrics" "enabled" }} {{ include "kubezero-app.app" . }} + + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jsonPointers: + - /webhooks/0/clientConfig/caBundle + - /webhooks/0/failurePolicy + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jsonPointers: + - /webhooks/0/clientConfig/caBundle + - /webhooks/0/failurePolicy + --- apiVersion: v1 kind: Namespace -- 2.40.1 
From 74e07acf13e77a6f6bf40e97d5e56544c0faf824 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Thu, 26 Nov 2020 05:21:10 -0800 Subject: [PATCH 07/48] More fixes now adding ArgoCD --- charts/kubezero-argo-cd/README.md | 12 +- .../kubezero-argo-cd/templates/kubezero.yaml | 30 ++ charts/kubezero-argo-cd/values.yaml | 57 ++-- charts/kubezero-istio-ingress/README.md | 2 +- .../templates/namespace.yaml | 7 - charts/kubezero-istio/README.md | 2 +- .../kubezero-istio/templates/namespace.yaml | 7 - charts/kubezero-logging/README.md | 1 - charts/kubezero/.gitignore | 3 + charts/kubezero/.helmignore | 1 + charts/kubezero/Chart.yaml | 4 +- charts/kubezero/README.md | 3 +- {deploy => charts/kubezero}/bootstrap.sh | 7 +- .../kubezero/scripts}/argocd_password.py | 0 charts/kubezero/templates/_app.tpl | 22 +- charts/kubezero/templates/argo.yaml | 31 +++ charts/kubezero/templates/argoless.yaml | 19 ++ .../templates/aws-ebs-csi-driver.yaml | 15 +- .../templates/aws-efs-csi-driver.yaml | 25 +- charts/kubezero/templates/calico.yaml | 12 +- charts/kubezero/templates/cert-manager.yaml | 30 +- charts/kubezero/templates/istio-ingress.yaml | 42 ++- charts/kubezero/templates/istio.yaml | 18 +- charts/kubezero/templates/kiam.yaml | 21 +- .../templates/local-volume-provisioner.yaml | 8 +- charts/kubezero/templates/logging.yaml | 94 ++++++- charts/kubezero/templates/metrics.yaml | 39 ++- charts/kubezero/values-all.yaml | 41 --- charts/kubezero/values-calico.yaml | 17 -- charts/kubezero/values.yaml | 14 +- deploy/.gitignore | 1 - deploy/.helmignore | 23 -- deploy/Chart.yaml | 6 - deploy/argocd.sh | 30 -- deploy/argocd/app.yaml | 26 -- deploy/templates/values.yaml | 259 ------------------ deploy/values.yaml | 57 ---- 37 files changed, 398 insertions(+), 588 deletions(-) rename deploy/argocd/project.yaml => charts/kubezero-argo-cd/templates/kubezero.yaml (58%) delete mode 100644 charts/kubezero-istio-ingress/templates/namespace.yaml delete mode 100644 charts/kubezero-istio/templates/namespace.yaml create mode 100644 charts/kubezero/.gitignore rename {deploy => 
charts/kubezero}/bootstrap.sh (98%) rename {deploy => charts/kubezero/scripts}/argocd_password.py (100%) create mode 100644 charts/kubezero/templates/argo.yaml create mode 100644 charts/kubezero/templates/argoless.yaml delete mode 100644 charts/kubezero/values-all.yaml delete mode 100644 charts/kubezero/values-calico.yaml delete mode 100644 deploy/.gitignore delete mode 100644 deploy/.helmignore delete mode 100644 deploy/Chart.yaml delete mode 100755 deploy/argocd.sh delete mode 100644 deploy/argocd/app.yaml delete mode 100644 deploy/templates/values.yaml delete mode 100644 deploy/values.yaml diff --git a/charts/kubezero-argo-cd/README.md b/charts/kubezero-argo-cd/README.md index 43b4c4b..41222fa 100644 --- a/charts/kubezero-argo-cd/README.md +++ b/charts/kubezero-argo-cd/README.md @@ -14,7 +14,7 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl ## Requirements -Kubernetes: `>= 1.17.0` +Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| 
@@ -52,10 +52,12 @@ Kubernetes: `>= 1.17.0` | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | | istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | | istio.ipBlocks | list | `[]` | | -| kubezero.global.defaultDestination | object | `{"server":"https://kubernetes.default.svc"}` | Destination cluster | -| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees | -| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications | -| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL | +| kubezero.enabled | bool | `false` | | +| kubezero.path | string | `"charts/kubezero"` | path within repoURL | +| kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | repository for kubezero argo applications | +| kubezero.server | string | `"https://kubernetes.default.svc"` | destination cluster | +| kubezero.targetRevision | string | `"HEAD"` | git branch to track | +| kubezero.valuesFiles[0] | string | `"values.yaml"` | | ## Resources - https://argoproj.github.io/argo-cd/operator-manual/metrics/ diff --git a/deploy/argocd/project.yaml b/charts/kubezero-argo-cd/templates/kubezero.yaml similarity index 58% rename from deploy/argocd/project.yaml rename to charts/kubezero-argo-cd/templates/kubezero.yaml index 9d992f2..36808fd 100644 --- a/deploy/argocd/project.yaml +++ b/charts/kubezero-argo-cd/templates/kubezero.yaml @@ -1,3 +1,4 @@ +{{- if .Values.kubezero.enabled }} apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: 
@@ -33,3 +34,32 @@ spec: clusterResourceWhitelist: - group: '*' kind: '*' + +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubezero + namespace: argocd + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + project: kubezero + source: + repoURL: {{ .Values.kubezero.repoURL }} + targetRevision: {{ .Values.kubezero.targetRevision }} + path: {{ .Values.kubezero.path }} + + helm: + valueFiles: + {{- toYaml .Values.kubezero.valuesFiles | nindent 6 }} + + destination: + server: {{ .Values.kubezero.server }} + namespace: argocd + + {{- with .Values.kubezero.syncPolicy }} + syncPolicy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argo-cd/values.yaml index e128ece..481fd85 100644 --- a/charts/kubezero-argo-cd/values.yaml +++ b/charts/kubezero-argo-cd/values.yaml 
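Review bot: `repoURL`, `targetRevision` and `path` in the new Application spec are templated bare, so a `targetRevision` such as a constructed tag `0.5` renders as a YAML float and a revision like `true` is reinterpreted, whereas other templates in this series use `| quote` for exactly this reason. `targetRevision: {{ .Values.kubezero.targetRevision | quote }}` (and the same for `repoURL` and `path`) avoids it. The Application also hard-codes `namespace: argocd` for both `metadata` and `destination` while the chart's release namespace is what actually decides where ArgoCD runs; `{{ .Release.Namespace }}` would keep them aligned.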
@@ -1,24 +1,35 @@ +# Configure app of apps kubezero: - global: - # kubezero.global.defaultDestination -- Destination cluster - defaultDestination: - server: https://kubernetes.default.svc + enabled: false - # This repoURL is used a base for all the repoURLs applications - # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be - # integrated into any repository as a git subtree if for example public internet access is unavailable - defaultSource: - # kubezero.global.defaultSource.repoURL -- default repository for argocd applications - repoURL: https://github.com/zero-down-time/kubezero - # kubezero.global.defaultSource.targetRevision -- default tracking of repoURL - targetRevision: HEAD - # kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees - pathPrefix: '' + # kubezero.server -- destination cluster + server: https://kubernetes.default.svc - # syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync - #syncPolicy: - # automated: - # prune: true + # This repoURL is used a base for all the repoURLs applications + # Setting this to a eg. private git repo incl. 
the use of pathPrefix allows kubezero to be + # integrated into any repository as a git subtree if for example public internet access is unavailable + # kubezero.repoURL -- repository for kubezero argo applications + repoURL: https://github.com/zero-down-time/kubezero + # kubezero.targetRevision -- git branch to track + targetRevision: HEAD + # kubezero.path -- path within repoURL + path: 'charts/kubezero' + + # syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync + #syncPolicy: + # automated: + # prune: true + + valuesFiles: + - values.yaml + +# Support for Istio Ingress for ArgoCD +istio: + # istio.enabled -- Deploy Istio VirtualService to expose ArgoCD + enabled: false + # istio.gateway -- Name of the Istio gateway to add the VirtualService to + gateway: istio-ingress/ingressgateway + ipBlocks: [] argo-cd: installCRDs: false @@ -70,6 +81,9 @@ argo-cd: # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio url: argocd.example.com + #repositories: | + # - url: https://zero-down-time.github.io/kubezero.git + resource.customizations: | cert-manager.io/Certificate: # Lua script for customizing the health status assessment @@ -115,10 +129,3 @@ argo-cd: dex: enabled: false - -istio: - # istio.enabled -- Deploy Istio VirtualService to expose ArgoCD - enabled: false - # istio.gateway -- Name of the Istio gateway to add the VirtualService to - gateway: istio-ingress/ingressgateway - ipBlocks: [] diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md index 0f29ec0..f865751 100644 --- a/charts/kubezero-istio-ingress/README.md +++ b/charts/kubezero-istio-ingress/README.md @@ -16,7 +16,7 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! ## Requirements -Kubernetes: `>= 1.17.0` +Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| 
diff --git a/charts/kubezero-istio-ingress/templates/namespace.yaml b/charts/kubezero-istio-ingress/templates/namespace.yaml deleted file mode 100644 index 00d40d7..0000000 --- a/charts/kubezero-istio-ingress/templates/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: istio-ingress - labels: - istio-injection: disabled -{{ include "kubezero-lib.labels" . | indent 4 }} diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 5bcbce4..ed991a0 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -16,7 +16,7 @@ Installs the Istio control plane ## Requirements -Kubernetes: `>= 1.17.0` +Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| diff --git a/charts/kubezero-istio/templates/namespace.yaml b/charts/kubezero-istio/templates/namespace.yaml deleted file mode 100644 index 92cf7fe..0000000 --- a/charts/kubezero-istio/templates/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system - labels: - istio-injection: disabled -{{ include "kubezero-lib.labels" . | indent 4 }} diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 8788a32..e83b7fc 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -74,7 +74,6 @@ Kubernetes: `>= 1.16.0` | fluent-bit.config.service | string | `"[SERVICE]\n Flush 1\n Daemon Off\n Log_Level warn\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port 2020\n"` | | | fluent-bit.enabled | bool | `false` | | | fluent-bit.serviceMonitor.enabled | bool | `true` | | -| fluent-bit.serviceMonitor.namespace | string | `"monitoring"` | | | fluent-bit.serviceMonitor.selector.release | string | `"metrics"` | | | fluent-bit.test.enabled | bool | `false` | | | fluent-bit.tolerations[0].effect | string | `"NoSchedule"` | | 
diff --git a/charts/kubezero/.gitignore b/charts/kubezero/.gitignore new file mode 100644 index 0000000..9466e0c --- /dev/null +++ b/charts/kubezero/.gitignore @@ -0,0 +1,3 @@ +kubezero.??? +charts/*.tgz +Chart.lock diff --git a/charts/kubezero/.helmignore b/charts/kubezero/.helmignore index 0e8a0eb..4a84d83 100644 --- a/charts/kubezero/.helmignore +++ b/charts/kubezero/.helmignore @@ -21,3 +21,4 @@ .idea/ *.tmproj .vscode/ +Chart.lock diff --git a/charts/kubezero/Chart.yaml b/charts/kubezero/Chart.yaml index a39534d..5266f58 100644 --- a/charts/kubezero/Chart.yaml +++ b/charts/kubezero/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: kubezero -description: KubeZero ArgoCD Application - Root App of Apps chart of KubeZero +description: KubeZero - Bootstrap and ArgoCD Root App of Apps chart type: application -version: 0.4.5 +version: 0.5.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index 4e6d150..0a6deb8 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -1,6 +1,6 @@ # kubezero -![Version: 0.4.5](https://img.shields.io/badge/Version-0.4.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero ArgoCD Application - Root App of Apps chart of KubeZero @@ -46,7 +46,6 @@ Kubernetes: `>= 1.16.0` | logging.namespace | string | `"logging"` | | | metrics.enabled | bool | `false` | | | metrics.namespace | string | `"monitoring"` | | -| platform | string | `"aws"` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) 
diff --git a/deploy/bootstrap.sh b/charts/kubezero/bootstrap.sh similarity index 98% rename from deploy/bootstrap.sh rename to charts/kubezero/bootstrap.sh index 370a16c..7a5bdbd 100755 --- a/deploy/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -3,7 +3,8 @@ set -ex ACTION=$1 ARTIFACTS=("$2") -LOCATION=${3:-""} +VALUES=$3 +LOCATION=${4:-""} DEPLOY_DIR=$( dirname $( realpath $0 )) which yq || { echo "yq not found!"; exit 1; } @@ -12,7 +13,7 @@ TMPDIR=$(mktemp -d kubezero.XXX) # First lets generate kubezero.yaml # This will be stored as secret during the initial kubezero chart install -helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml +helm template $DEPLOY_DIR -f $VALUES -f cloudbender.yaml --set argo=false > $TMPDIR/kubezero.yaml if [ ${ARTIFACTS[0]} == "all" ]; then ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "*.enabled" | awk -F "." '{print $1}')) @@ -316,7 +317,7 @@ function argo-cd() { deploy $chart $release $namespace -f $TMPDIR/values.yaml # Install the kubezero app of apps - deploy kubezero kubezero argocd -f $TMPDIR/kubezero.yaml + # deploy kubezero kubezero $namespace -f $TMPDIR/kubezero.yaml elif [ $task == "delete" ]; then delete $chart $release $namespace -f $TMPDIR/values.yaml diff --git a/deploy/argocd_password.py b/charts/kubezero/scripts/argocd_password.py similarity index 100% rename from deploy/argocd_password.py rename to charts/kubezero/scripts/argocd_password.py diff --git a/charts/kubezero/templates/_app.tpl b/charts/kubezero/templates/_app.tpl index 166550d..3404a9e 100644 --- a/charts/kubezero/templates/_app.tpl +++ b/charts/kubezero/templates/_app.tpl @@ -1,7 +1,7 @@ {{- define "kubezero-app.app" }} {{- $name := regexReplaceAll "kubezero/templates/([a-z-]*)..*" .Template.Name "${1}" }} -{{- $my_values := index .Values $name "values" }} +{{- if and .Values.argo ( index .Values $name "enabled" ) }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: 
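Review bot: `VALUES=$3` is accepted without any check, and the following hunk passes it as `-f $VALUES` unquoted; with `set -e` but no `-u`, a missing third argument makes that expand to `helm template $DEPLOY_DIR -f -f cloudbender.yaml ...`, which yields a confusing helm error rather than a usage message, and moving LOCATION to `$4` silently breaks any caller still passing it as `$3`. `VALUES=${3:?usage: bootstrap.sh <action> <artifacts> <values.yaml> [location]}` fails fast, and `-f "$VALUES"` keeps paths with spaces intact. Since the positional interface changed, a one-line usage comment at the top of the script listing the new argument order would also help.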
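Review bot: `{{- if and .Values.argo ( index .Values $name "enabled" ) }}` evaluates the nested `index` unconditionally, and when `.Values` has no key for `$name` that index fails with a template error (index of nil) instead of rendering nothing; the new argoless.yaml guards the same access with `{{- if index $.Values . }}` first. Go templates did not short-circuit `and` before Go 1.18, so depending on the Helm build a nested `if` is the safe form: `{{- if .Values.argo }}{{- if index .Values $name }}{{- if index .Values $name "enabled" }}`, with the matching extra `end`s at the bottom of the define. If every template name is guaranteed a key in values.yaml, a comment next to the `$name` derivation recording that assumption would be enough. The define continues outside the hunk.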
@@ -17,21 +17,23 @@ spec: project: kubezero source: - repoURL: {{ .Values.global.defaultSource.repoURL }} - targetRevision: {{ .Values.global.defaultSource.targetRevision }} - path: {{ .Values.global.defaultSource.pathPrefix}}charts/kubezero-{{ $name }} - {{- if $my_values }} + repoURL: {{ .Values.global.kubezero.repoURL }} + targetRevision: {{ .Values.global.kubezero.targetRevision }} + path: {{ .Values.global.kubezero.pathPrefix}}charts/kubezero-{{ $name }} helm: values: | -{{- toYaml $my_values | nindent 8 }} - {{- end }} +{{- include (print $name "-values") $ | nindent 8 }} destination: - server: {{ .Values.global.defaultDestination.server }} + server: {{ .Values.global.kubezero.server }} namespace: {{ default "kube-system" ( index .Values $name "namespace" ) }} - {{- if .Values.global.syncPolicy }} + {{- with .Values.global.kubezero.syncPolicy }} syncPolicy: - {{- toYaml .Values.global.syncPolicy | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} + +{{- include (print $name "-argo") $ }} +{{- end }} + {{- end }} diff --git a/charts/kubezero/templates/argo.yaml b/charts/kubezero/templates/argo.yaml new file mode 100644 index 0000000..ab4940b --- /dev/null +++ b/charts/kubezero/templates/argo.yaml @@ -0,0 +1,31 @@ +{{- define "argo-cd-values" }} +argo-cd: + controller: + metrics: + enabled: {{ .Values.metrics.enabled }} + repoServer: + metrics: + enabled: {{ .Values.metrics.enabled }} + server: + metrics: + enabled: {{ .Values.metrics.enabled }} + {{- with index .Values "argo-cd" "server" }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with index .Values "argo-cd" "configs" }} + configs: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }} +istio: + {{- with index .Values "argo-cd" "istio" }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} + +{{- with index .Values "argo-cd" "kubezero" }} +kubezero: + {{- toYaml . | nindent 2 }} +{{- end }} + +{{- end }} 
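Review bot: The guard `{{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }}` in `argo-cd-values` aborts rendering with an index-of-nil error whenever `argo-cd.istio` is absent from the merged values, because `index` yields nil for the missing `istio` key and then tries to index that nil for `enabled`; the only place visible here that defines `argo-cd.istio.enabled` is the deleted deploy/values.yaml, so whether the remaining chart defaults always provide it cannot be confirmed from this patch. Guarding on the map first avoids the failure: `{{- with index .Values "argo-cd" "istio" }}{{- if and .enabled $.Values.istio.enabled }}`, closed by a second `{{- end }}`. The same expression existed in the deleted deploy/templates/values.yaml, so this is carried over rather than introduced, but it is now on the path of every Argo-mode render.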
diff --git a/charts/kubezero/templates/argoless.yaml b/charts/kubezero/templates/argoless.yaml new file mode 100644 index 0000000..00cfb8b --- /dev/null +++ b/charts/kubezero/templates/argoless.yaml @@ -0,0 +1,19 @@ +{{- if not .Values.argo }} + +{{- $artifacts := list "calico" "cert-manager" "kiam" "aws-ebs-csi-driver" "aws-efs-csi-driver" "local-volume-provisioner" "istio" "istio-ingress" "metrics" "logging" "argo-cd" }} + +{{- if .Values.global }} +global: + {{- toYaml .Values.global | nindent 2 }} +{{- end }} + +{{- range $artifacts }} +{{- if index $.Values . }} +{{ . }}: + enabled: {{ index $.Values . "enabled" }} + values: + {{- include (print . "-values") $ | nindent 4 }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/kubezero/templates/aws-ebs-csi-driver.yaml b/charts/kubezero/templates/aws-ebs-csi-driver.yaml index 66d7215..3f404db 100644 --- a/charts/kubezero/templates/aws-ebs-csi-driver.yaml +++ b/charts/kubezero/templates/aws-ebs-csi-driver.yaml @@ -1,3 +1,14 @@ -{{- if index .Values "aws-ebs-csi-driver" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "aws-ebs-csi-driver-values" }} +aws-ebs-csi-driver: + replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} + podAnnotations: + iam.amazonaws.com/role: {{ index .Values "aws-ebs-csi-driver" "IamArn" | quote }} + extraVolumeTags: + Name: {{ .Values.ClusterName }} {{- end }} + + +{{- define "aws-ebs-csi-driver-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/aws-efs-csi-driver.yaml b/charts/kubezero/templates/aws-efs-csi-driver.yaml index f3675d3..a3de0f9 100644 --- a/charts/kubezero/templates/aws-efs-csi-driver.yaml +++ b/charts/kubezero/templates/aws-efs-csi-driver.yaml 
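Review bot: The `$artifacts` list in argoless.yaml is a hand-maintained copy of the component template names, so a component added under templates/ without an entry here is silently skipped in argoless mode while Argo mode picks it up automatically through `kubezero-app.app`. A comment above the list such as `{{- /* keep in sync with templates/*.yaml: bootstrap.sh only deploys artifacts listed here */ -}}` would at least make that coupling visible to the next person adding a chart. The rendered output also inlines the full `values:` block of every enabled component, which in this series includes `logging.elastic_password`, into kubezero.yaml; the bootstrap script writes that file into a `mktemp -d kubezero.XXX` directory under the current working directory, so it should be documented as sensitive.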
@@ -1,3 +1,24 @@ -{{- if index .Values "aws-efs-csi-driver" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "aws-efs-csi-driver-values" }} +{{- with index .Values "aws-efs-csi-driver" "nodeSelector" }} +aws-efs-csi-driver: + nodeSelector: + {{- toYaml . | nindent 4 }} {{- end }} +{{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }} +PersistentVolumes: +{{- toYaml . | nindent 2 }} +{{- end }} +{{- if index .Values "aws-efs-csi-driver" "EfsId" }} +PersistentVolume: + create: true + EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }} + Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }} +{{- end }} + +{{- end }} + + +{{- define "aws-efs-csi-driver-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/calico.yaml b/charts/kubezero/templates/calico.yaml index fa61d2a..432da71 100644 --- a/charts/kubezero/templates/calico.yaml +++ b/charts/kubezero/templates/calico.yaml @@ -1,5 +1,11 @@ -{{- if .Values.calico.enabled }} -{{ include "kubezero-app.app" . }} +{{- define "calico-values" }} +network: {{ default "vxlan" .Values.calico.network }} +mtu: {{ default "8941" .Values.calico.mtu }} +prometheus: {{ .Values.metrics.enabled }} +{{- end }} + + +{{- define "calico-argo" }} ignoreDifferences: - group: apiextensions.k8s.io @@ -7,3 +13,5 @@ jsonPointers: - /status {{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/cert-manager.yaml b/charts/kubezero/templates/cert-manager.yaml index d7bd21b..d561363 100644 --- a/charts/kubezero/templates/cert-manager.yaml +++ b/charts/kubezero/templates/cert-manager.yaml 
@@ -1,13 +1,23 @@ -{{- if index .Values "cert-manager" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "cert-manager-values" }} +localCA: + enabled: true +{{ with index .Values "cert-manager" "IamArn" }} +cert-manager: + podAnnotations: + iam.amazonaws.com/role: "{{ . }}" +{{- end }} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -{{- if index .Values "kiam" "enabled" }} - annotations: - iam.amazonaws.com/permitted: ".*CertManagerRole.*" +{{- with index .Values "cert-manager" "clusterIssuer" }} +clusterIssuer: + {{- . | toYaml | nindent 2 }} {{- end }} + {{- end }} + + +{{- define "cert-manager-argo" }} +{{- end }} + +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml index c385e10..39fa737 100644 --- a/charts/kubezero/templates/istio-ingress.yaml +++ b/charts/kubezero/templates/istio-ingress.yaml 
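Review bot: The removed Namespace object carried `iam.amazonaws.com/permitted: ".*CertManagerRole.*"`, the kiam namespace allow-list that authorises the pod-level `iam.amazonaws.com/role` annotation this hunk keeps emitting; nothing in `cert-manager-values` replaces it, so unless the kubezero-cert-manager chart now creates the namespace with that annotation (not visible in this patch) cert-manager's DNS01 solver will be refused the role at runtime. Either add the permitted annotation through the component chart's values or state where it is expected from, e.g. `{{- /* the namespace iam.amazonaws.com/permitted annotation must come from the kubezero-cert-manager chart */ -}}`. Separately, the trailing `+{{- end }}` after the empty `cert-manager-argo` define has no matching opener and will make `helm template` fail on this file.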
@@ -1,8 +1,36 @@ -{{- if index .Values "istio-ingress" "enabled" }} -{{ include "kubezero-app.app" . }} ---- -apiVersion: v1 -kind: Namespace -metadata: - name: istio-ingress +{{- define "istio-ingress-values" }} +{{- if index .Values "istio-ingress" "public" }} +istio-ingress: + enabled: {{ index .Values "istio-ingress" "public" "enabled" }} + {{- with index .Values "istio-ingress" "public" "gateway" }} + gateways: + istio-ingressgateway: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with index .Values "istio-ingress" "public" "dnsNames" }} + dnsNames: + {{- toYaml . | nindent 2 }} + {{- end }} {{- end }} + +{{- if index .Values "istio-ingress" "private" }} +istio-private-ingress: + enabled: {{ index .Values "istio-ingress" "private" "enabled" }} + {{- with index .Values "istio-ingress" "private" "gateway" }} + gateways: + istio-ingressgateway: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with index .Values "istio-ingress" "private" "dnsNames" }} + dnsNames: + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} + +{{- end }} + + +{{- define "istio-ingress-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index 00233d0..eae91c7 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml @@ -1,5 +1,11 @@ -{{- if .Values.istio.enabled }} -{{ include "kubezero-app.app" . }} +{{- define "istio-values" }} +istio-discovery: + pilot: + replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} +{{- end }} + + +{{- define "istio-argo" }} ignoreDifferences: - group: apiextensions.k8s.io @@ -17,10 +23,6 @@ jsonPointers: - /webhooks/0/clientConfig/caBundle - /webhooks/0/failurePolicy - ---- -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system {{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/kiam.yaml b/charts/kubezero/templates/kiam.yaml index a23ed62..3e4cb12 100644 
--- a/charts/kubezero/templates/kiam.yaml +++ b/charts/kubezero/templates/kiam.yaml @@ -1,3 +1,20 @@ -{{- if index .Values "kiam" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "kiam-values" }} +kiam: + server: + assumeRoleArn: "{{ .Values.kiam.IamArn }}" + deployment: + replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} + prometheus: + servicemonitor: + enabled: {{ .Values.metrics.enabled }} + agent: + prometheus: + servicemonitor: + enabled: {{ .Values.metrics.enabled }} {{- end }} + + +{{- define "kiam-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/local-volume-provisioner.yaml b/charts/kubezero/templates/local-volume-provisioner.yaml index 5961f72..0cc9bf8 100644 --- a/charts/kubezero/templates/local-volume-provisioner.yaml +++ b/charts/kubezero/templates/local-volume-provisioner.yaml @@ -1,3 +1,7 @@ -{{- if index .Values "local-volume-provisioner" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "local-volume-provisioner-values" }} {{- end }} + +{{- define "local-volume-provisioner-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/logging.yaml b/charts/kubezero/templates/logging.yaml index ef8f5e4..3bee94e 100644 --- a/charts/kubezero/templates/logging.yaml +++ b/charts/kubezero/templates/logging.yaml 
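Review bot: `kiam-values` drops the `enabled: {{ not .Values.kiam.certsOnly }}` line that the deleted deploy/templates/values.yaml emitted under `kiam:`, so `kiam.certsOnly: true` in an existing cluster config is now ignored silently and kiam is deployed anyway. If certs-only mode is still supported, restore `enabled: {{ not .Values.kiam.certsOnly }}` as the first key under `kiam:`; if it was dropped on purpose, the Upgrade notes added later in this series should say so. The former `platform == "aws"` gate around the block is gone as well, which appears intended since `platform` is removed from values.yaml in the same patch.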
@@ -1,5 +1,86 @@ -{{- if index .Values "logging" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "logging-values" }} + +{{- with index .Values "logging" "eck-operator" }} +eck-operator: + {{- toYaml . | nindent 2 }} +{{- end }} + +{{- if .Values.logging.elastic_password }} +elastic_password: {{ .Values.logging.elastic_password }} +{{- end }} + +{{- if .Values.logging.version }} +version: {{ .Values.logging.version }} +{{- end }} + +{{- if .Values.logging.fullnameOverride }} +fullnameOverride: {{ .Values.logging.fullnameOverride }} +{{- end }} + +{{- if .Values.logging.es }} +es: + {{- if .Values.logging.es.nodeSets }} + nodeSets: + {{- with .Values.logging.es.nodeSets }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} + prometheus: {{ .Values.metrics.enabled }} + + {{- if .Values.logging.es.s3Snapshot }} + s3Snapshot: + {{- with .Values.logging.es.s3Snapshot }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} + +{{- if .Values.logging.kibana }} +kibana: + {{- with .Values.logging.kibana }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} + +{{- if .Values.logging.fluentd }} +fluentd: + enabled: {{ .Values.logging.fluentd.enabled }} + metrics: + enabled: {{ .Values.metrics.enabled }} + url: {{ .Values.logging.fluentd.url }} + {{- if .Values.logging.fluentd.output }} + output: + host: {{ .Values.logging.fluentd.output.host }} + {{- end }} + {{- if .Values.logging.fluentd.extraEnvVars }} + extraEnvVars: + {{- toYaml .Values.logging.fluentd.extraEnvVars | nindent 8 }} + {{- end }} + {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }} + istio: + {{- with .Values.logging.fluentd.istio }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- end }} +{{- end }} + +{{- if index .Values "logging" "fluent-bit" }} +fluent-bit: + enabled: {{ index .Values.logging "fluent-bit" "enabled" }} + serviceMonitor: + enabled: {{ .Values.metrics.enabled }} + {{- if index .Values.logging "fluent-bit" "config" }} + config: + {{- with index .Values.logging "fluent-bit" "config" }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} + +{{- end }} + + +{{- define "logging-argo" }} ignoreDifferences: - group: admissionregistration.k8s.io @@ -16,11 +97,6 @@ kind: CustomResourceDefinition jsonPointers: - /status ---- -apiVersion: v1 -kind: Namespace -metadata: - name: logging - annotations: - iam.amazonaws.com/permitted: ".*ElasticSearchSnapshots.*" {{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/metrics.yaml b/charts/kubezero/templates/metrics.yaml index 428f8d4..3d7309a 100644 --- a/charts/kubezero/templates/metrics.yaml +++ b/charts/kubezero/templates/metrics.yaml 
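Review bot: `elastic_password: {{ .Values.logging.elastic_password }}` renders the credential unquoted, so a password containing `:`, `#` or a leading special character breaks the YAML, and the plain-text value is then embedded in the Argo Application's `helm.values` via `kubezero-app.app` (or in kubezero.yaml in argoless mode). At minimum use `elastic_password: {{ .Values.logging.elastic_password | quote }}`; longer term the password belongs in a Secret referenced by the logging chart rather than in values that travel through Application objects and temp files. Guarding the `fluentd:` block with `{{- if .Values.logging.fluentd }}` is an improvement over the unconditional block in the deleted template.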
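Review bot: The removed logging Namespace carried `iam.amazonaws.com/permitted: ".*ElasticSearchSnapshots.*"`, and neither `logging-values` nor `logging-argo` provides a replacement, so if the `es.s3Snapshot` repository still relies on a kiam-assumed role, snapshot uploads will be denied unless the kubezero-logging chart now creates the namespace with that annotation (not visible here). A one-line comment naming where the namespace annotation is expected from, e.g. `{{- /* logging namespace iam.amazonaws.com/permitted annotation is provided by the kubezero-logging chart */ -}}`, would close the gap for reviewers of cluster configs.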
@@ -1,21 +1,42 @@ -{{- if index .Values "metrics" "enabled" }} -{{ include "kubezero-app.app" . }} +{{- define "metrics-values" }} + +{{- if .Values.metrics.istio.grafana.enabled }} +grafana: + istio: + {{- with .Values.metrics.istio.grafana }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- if .Values.metrics.istio.prometheus.enabled }} +prometheus: + istio: + {{- with .Values.metrics.istio.prometheus }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- if index .Values "metrics" "kube-prometheus-stack" }} +kube-prometheus-stack: + {{- with index .Values "metrics" "kube-prometheus-stack" }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} + +{{- end }} + + +{{- define "metrics-argo" }} ignoreDifferences: - group: admissionregistration.k8s.io kind: ValidatingWebhookConfiguration jsonPointers: - - /webhooks/0/clientConfig/caBundle - /webhooks/0/failurePolicy - group: admissionregistration.k8s.io kind: MutatingWebhookConfiguration jsonPointers: - - /webhooks/0/clientConfig/caBundle - /webhooks/0/failurePolicy ---- -apiVersion: v1 -kind: Namespace -metadata: - name: monitoring {{- end }} + + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/values-all.yaml b/charts/kubezero/values-all.yaml deleted file mode 100644 index e99e14c..0000000 --- a/charts/kubezero/values-all.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -global: - defaultDestination: - server: https://kubernetes.default.svc - - # This repoURL is used a base for all the repoURLs applications - # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be - # integrated into any repository as a git subtree if for example public internet access is unavailable - defaultSource: - # defaultSource.repoURL -- default repository for argocd applications - repoURL: https://github.com/zero-down-time/kubezero - # defaultSource.targetRevision -- default tracking of repoURL - targetRevision: HEAD - # defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees - pathPrefix: '' - -calico: - enabled: true - -local-volume-provisioner: - enabled: true - -cert-manager: - enabled: true - -kiam: - enabled: true - -aws-ebs-csi-driver: - enabled: true - -aws-efs-csi-driver: - enabled: true - -istio: - enabled: true - -metrics: - enabled: true - -logging: - enabled: true diff --git a/charts/kubezero/values-calico.yaml b/charts/kubezero/values-calico.yaml deleted file mode 100644 index 618c328..0000000 --- a/charts/kubezero/values-calico.yaml +++ /dev/null @@ -1,17 +0,0 @@ -global: - defaultDestination: - server: https://kubernetes.default.svc - - # This repoURL is used a base for all the repoURLs applications - # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be - # integrated into any repository as a git subtree if for example public internet access is unavailable - defaultSource: - # defaultSource.repoURL -- default repository for argocd applications - repoURL: https://github.com/zero-down-time/kubezero - # defaultSource.targetRevision -- default tracking of repoURL - targetRevision: HEAD - # defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees - pathPrefix: '' - -calico: - enabled: true 
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 297b28a..3ac9c51 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -1,20 +1,12 @@ +argo: {} + global: - defaultDestination: + argo: server: https://kubernetes.default.svc - - # This repoURL is used a base for all the repoURLs applications - # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be - # integrated into any repository as a git subtree if for example public internet access is unavailable - defaultSource: - # defaultSource.repoURL -- default repository for argocd applications repoURL: https://github.com/zero-down-time/kubezero - # defaultSource.targetRevision -- default tracking of repoURL targetRevision: HEAD - # defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees pathPrefix: '' -platform: aws - calico: enabled: false retain: true diff --git a/deploy/.gitignore b/deploy/.gitignore deleted file mode 100644 index 58d6106..0000000 --- a/deploy/.gitignore +++ /dev/null @@ -1 +0,0 @@ -generated-values.yaml diff --git a/deploy/.helmignore b/deploy/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/deploy/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/deploy/Chart.yaml b/deploy/Chart.yaml deleted file mode 100644 index 6769f33..0000000 --- a/deploy/Chart.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: v2 -name: deploy -description: "This chart is only used to generate the values.yaml for KubeZero !! Once something like https://github.com/helm/helm/pull/6876 gets merged this will be removed !" -type: application -version: 0.0.1 -appVersion: 1.16.0 diff --git a/deploy/argocd.sh b/deploy/argocd.sh deleted file mode 100755 index 0441710..0000000 --- a/deploy/argocd.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -set -ex - -LOCATION=${1:-""} - -DEPLOY_DIR=$( dirname $( realpath $0 )) - -function chart_location() { - if [ -z "$LOCATION" ]; then - echo "$1 --repo https://zero-down-time.github.io/kubezero" - else - echo "$LOCATION/$1" - fi -} - -# Update only if we use upstream -if [ -z "$LOCATION" ]; then - helm repo add kubezero https://zero-down-time.github.io/kubezero - helm repo update -fi - -TMPDIR=$(mktemp -d kubezero.XXX) - -# This will be stored as secret during the initial kubezero chart install -helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml - -helm template $(chart_location kubezero) --namespace argocd --name-template kubezero --skip-crds -f $TMPDIR/kubezero.yaml > $TMPDIR/helm.yaml -kubectl apply --namespace argocd -f $TMPDIR/helm.yaml - -[ "$DEBUG" == "" ] && rm -rf $TMPDIR diff --git a/deploy/argocd/app.yaml b/deploy/argocd/app.yaml deleted file mode 100644 index b2ccd8c..0000000 --- a/deploy/argocd/app.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kubezero - namespace: argocd - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - project: kubezero - source: - repoURL: {{ .Values.global.defaultSource.repoURL }} - targetRevision: {{ .Values.global.defaultSource.targetRevision }} - path: {{ .Values.global.defaultSource.pathPrefix}}charts/kubezero - - helm: - values: | - {{- toYaml .Values | nindent 8 }} - - destination: - server: {{ .Values.global.defaultDestination.server }} - namespace: argocd - - {{- if .Values.global.syncPolicy }} - syncPolicy: - {{- toYaml .Values.global.syncPolicy | nindent 4 }} - {{- end }} diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml deleted file mode 100644 index 718ecf4..0000000 --- a/deploy/templates/values.yaml +++ /dev/null 
@@ -1,259 +0,0 @@ -{{- if .Values.global }} -global: - {{- toYaml .Values.global | nindent 2 }} -{{- end }} -calico: - enabled: {{ .Values.calico.enabled }} - values: - network: {{ default "vxlan" .Values.calico.network }} - mtu: {{ default "8941" .Values.calico.mtu }} - prometheus: {{ .Values.metrics.enabled }} -cert-manager: - enabled: {{ index .Values "cert-manager" "enabled" }} - values: - localCA: - enabled: true - {{- if eq .Values.platform "aws" }} - cert-manager: - podAnnotations: - iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}" - {{- end }} - - {{- if .Values.kiam.enabled }} - clusterIssuer: - name: letsencrypt-dns-prod - server: https://acme-v02.api.letsencrypt.org/directory - email: {{ index .Values "cert-manager" "email" }} - solvers: - - selector: - dnsZones: - {{- with index .Values "cert-manager" "dnsZones" }} - {{- . | toYaml | nindent 12 }} - {{- end }} - dns01: - {{- if eq .Values.platform "aws" }} - route53: - region: {{ .Values.region }} - {{- else }} - {{- with index .Values "cert-manager" "solvers" }} - {{- . 
| toYaml | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - - -{{- if eq .Values.platform "aws" }} -kiam: - enabled: {{ .Values.kiam.enabled }} - values: - kiam: - enabled: {{ not .Values.kiam.certsOnly }} - server: - assumeRoleArn: "{{ .Values.kiam.IamArn }}" - deployment: - replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }} - prometheus: - servicemonitor: - enabled: {{ .Values.metrics.enabled }} - agent: - prometheus: - servicemonitor: - enabled: {{ .Values.metrics.enabled }} - -{{- if .Values.kiam.enabled }} -# AWS only components -aws-ebs-csi-driver: - enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }} - values: - aws-ebs-csi-driver: - replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - podAnnotations: - iam.amazonaws.com/role: "{{ index .Values "aws-ebs-csi-driver" "IamArn" }}" - extraVolumeTags: - Name: {{ .Values.ClusterName }} -{{- end }} - -aws-efs-csi-driver: - enabled: {{ index .Values "aws-efs-csi-driver" "enabled" }} - values: - {{- with index .Values "aws-efs-csi-driver" "nodeSelector" }} - aws-efs-csi-driver: - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "aws-efs-csi-driver" "PersistentVolumes" }} - PersistentVolumes: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- if index .Values "aws-efs-csi-driver" "EfsId" }} - PersistentVolume: - create: true - EfsId: {{ index .Values "aws-efs-csi-driver" "EfsId" }} - Name: {{ default "kubezero-efs-pv" ( index .Values "aws-efs-csi-driver" "PVName" ) }} - {{- end }} -{{- end }} - -istio: - enabled: {{ .Values.istio.enabled }} - values: - istio-discovery: - pilot: - replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} - -istio-ingress: - enabled: {{ index .Values "istio-ingress" "enabled" }} - values: - {{- if index .Values "istio-ingress" "public" "enabled" }} - istio-ingress: - enabled: true - {{- with index .Values "istio-ingress" "public" "gateway" }} - gateways: - istio-ingressgateway: - {{- toYaml . 
| nindent 10 }} - {{- end }} - {{- with index .Values "istio-ingress" "public" "dnsNames" }} - dnsNames: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - - {{- if index .Values "istio-ingress" "private" "enabled" }} - istio-private-ingress: - enabled: true - {{- with index .Values "istio-ingress" "private" "gateway" }} - gateways: - istio-ingressgateway: - {{- toYaml . | nindent 10 }} - {{- end }} - {{- with index .Values "istio-ingress" "private" "dnsNames" }} - dnsNames: - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - -metrics: - enabled: {{ .Values.metrics.enabled }} - values: - {{- if .Values.metrics.istio.grafana.enabled }} - grafana: - istio: - {{- with .Values.metrics.istio.grafana }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.metrics.istio.prometheus.enabled }} - prometheus: - istio: - {{- with .Values.metrics.istio.prometheus }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - {{- if index .Values "metrics" "kube-prometheus-stack" }} - kube-prometheus-stack: - {{- with index .Values "metrics" "kube-prometheus-stack" }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - -logging: - enabled: {{ .Values.logging.enabled }} - values: - {{- with index .Values "logging" "eck-operator" }} - eck-operator: - {{- toYaml . | nindent 6 }} - {{- end }} - - {{- if .Values.logging.elastic_password }} - elastic_password: {{ .Values.logging.elastic_password }} - {{- end }} - - {{- if .Values.logging.version }} - version: {{ .Values.logging.version }} - {{- end }} - - {{- if .Values.logging.fullnameOverride }} - fullnameOverride: {{ .Values.logging.fullnameOverride }} - {{- end }} - - {{- if .Values.logging.es }} - es: - {{- if .Values.logging.es.nodeSets }} - nodeSets: - {{- with .Values.logging.es.nodeSets }} - {{- toYaml . 
| nindent 6 }} - {{- end }} - {{- end }} - prometheus: {{ .Values.metrics.enabled }} - - {{- if .Values.logging.es.s3Snapshot }} - s3Snapshot: - {{- with .Values.logging.es.s3Snapshot }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - {{- end }} - - {{- if .Values.logging.kibana }} - kibana: - {{- with .Values.logging.kibana }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} - - fluentd: - enabled: {{ .Values.logging.fluentd.enabled }} - metrics: - enabled: {{ .Values.metrics.enabled }} - url: {{ .Values.logging.fluentd.url }} - {{- if .Values.logging.fluentd.output }} - output: - host: {{ .Values.logging.fluentd.output.host }} - {{- end }} - {{- if .Values.logging.fluentd.extraEnvVars }} - extraEnvVars: - {{- toYaml .Values.logging.fluentd.extraEnvVars | nindent 8 }} - {{- end }} - {{- if and .Values.logging.fluentd.istio .Values.istio.enabled }} - istio: - {{- with .Values.logging.fluentd.istio }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - - fluent-bit: - enabled: {{ index .Values.logging "fluent-bit" "enabled" }} - serviceMonitor: - enabled: {{ .Values.metrics.enabled }} - {{- if index .Values.logging "fluent-bit" "config" }} - config: - {{- with index .Values.logging "fluent-bit" "config" }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - -argo-cd: - enabled: {{ index .Values "argo-cd" "enabled" }} - values: - argo-cd: - controller: - metrics: - enabled: {{ .Values.metrics.enabled }} - repoServer: - metrics: - enabled: {{ .Values.metrics.enabled }} - server: - metrics: - enabled: {{ .Values.metrics.enabled }} - {{- with index .Values "argo-cd" "server" }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with index .Values "argo-cd" "configs" }} - configs: - {{- toYaml . | nindent 8}} - {{- end }} - {{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }} - istio: - {{- with index .Values "argo-cd" "istio" }} - {{- toYaml . | nindent 6 }} - {{- end }} - {{- end }} 
diff --git a/deploy/values.yaml b/deploy/values.yaml deleted file mode 100644 index 09ab224..0000000 --- a/deploy/values.yaml +++ /dev/null @@ -1,57 +0,0 @@ -ClusterName: Test-cluster -Domain: example.com - -platform: aws -HighAvailableControlplane: false - -calico: - enabled: true - -cert-manager: - enabled: true - IamArn: "" - -aws-ebs-csi-driver: - enabled: true - IamArn: "" - -aws-efs-csi-driver: - enabled: false - -kiam: - enabled: true - IamArn: "" - -istio: - enabled: false - -istio-ingress: - enabled: false - public: - enabled: false - private: - enabled: false - -metrics: - enabled: false - istio: - grafana: - enabled: false - prometheus: - enabled: false - -logging: - enabled: false - eck-operator: - enabled: false - fluentd: - enabled: false - fluent-bit: - enabled: false - -argo-cd: - enabled: false - server: {} - istio: - enabled: false - gateway: istio-ingress/private-ingressgateway -- 2.40.1 From ca2d2763d349827f9c6c667860b29b6992837c4c Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 26 Nov 2020 09:37:10 -0800 Subject: [PATCH 08/48] Latest fixes, fluent-bit version bump --- charts/fluent-bit | 1 + charts/kubezero-logging/Chart.yaml | 2 +- charts/kubezero/bootstrap.sh | 9 ++-- charts/kubezero/clusters/README.md | 0 charts/kubezero/templates/cert-manager.yaml | 4 +- charts/kubezero/values.yaml | 2 +- docs/Upgrade.md | 47 +++++++++++++++++++++ 7 files changed, 57 insertions(+), 8 deletions(-) create mode 120000 charts/fluent-bit create mode 100644 charts/kubezero/clusters/README.md create mode 100644 docs/Upgrade.md diff --git a/charts/fluent-bit b/charts/fluent-bit new file mode 120000 index 0000000..8f38531 --- /dev/null +++ b/charts/fluent-bit @@ -0,0 +1 @@ +../../fluent-bit-helm/charts/fluent-bit \ No newline at end of file diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index d099831..c6fc86c 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml 
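Review bot: `charts/fluent-bit` is committed as a symlink to `../../fluent-bit-helm/charts/fluent-bit`, a path outside this repository, so in a fresh clone or CI checkout it dangles and anything that walks charts/ will hit a broken link; the kubezero-logging Chart.yaml resolves fluent-bit 0.7.10 from the project's own chart index instead, so the link looks like a local development convenience rather than something the build needs. Either drop it from the tree or add `charts/fluent-bit` to .gitignore and mention the expected sibling checkout in the README.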
@@ -27,7 +27,7 @@ dependencies: repository: https://kubernetes-charts.storage.googleapis.com/ condition: fluentd.enabled - name: fluent-bit - version: 0.7.2 + version: 0.7.10 repository: https://zero-down-time.github.io/kubezero/ # repository: https://fluent.github.io/helm-charts condition: fluent-bit.enabled diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index 7a5bdbd..87af724 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -3,7 +3,7 @@ set -ex ACTION=$1 ARTIFACTS=("$2") -VALUES=$3 +CLUSTER=$3 LOCATION=${4:-""} DEPLOY_DIR=$( dirname $( realpath $0 )) @@ -11,9 +11,12 @@ which yq || { echo "yq not found!"; exit 1; } TMPDIR=$(mktemp -d kubezero.XXX) +function join { local IFS="$1"; shift; echo "$*"; } + # First lets generate kubezero.yaml -# This will be stored as secret during the initial kubezero chart install -helm template $DEPLOY_DIR -f $VALUES -f cloudbender.yaml --set argo=false > $TMPDIR/kubezero.yaml +# Add all yaml files in $CLUSTER +VALUES="$(find $CLUSTER -name '*.yaml' | tr '\n' ',')" +helm template $DEPLOY_DIR -f ${VALUES%%,} --set argo=false > $TMPDIR/kubezero.yaml if [ ${ARTIFACTS[0]} == "all" ]; then ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "*.enabled" | awk -F "." '{print $1}')) diff --git a/charts/kubezero/clusters/README.md b/charts/kubezero/clusters/README.md new file mode 100644 index 0000000..e69de29 diff --git a/charts/kubezero/templates/cert-manager.yaml b/charts/kubezero/templates/cert-manager.yaml index d561363..40f06be 100644 --- a/charts/kubezero/templates/cert-manager.yaml +++ b/charts/kubezero/templates/cert-manager.yaml @@ -1,4 +1,5 @@ {{- define "cert-manager-values" }} + localCA: enabled: true {{ with index .Values "cert-manager" "IamArn" }} @@ -14,10 +15,7 @@ clusterIssuer: {{- end }} - {{- define "cert-manager-argo" }} {{- end }} -{{- end }} - {{ include "kubezero-app.app" . }} 
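Review bot: The values-file list built by `VALUES="$(find $CLUSTER -name '*.yaml' | tr '\n' ',')"` has no defined order, and helm gives later `-f` files precedence, so which cluster file wins on overlapping keys can differ between hosts or after a fresh checkout. Pipe through `sort` and quote the directory so the merge is deterministic: `VALUES="$(find "$CLUSTER" -name '*.yaml' | LC_ALL=C sort | tr '\n' ',')"`. A file name containing a comma would also split the `-f` argument; a `find -print0` into an array avoids that if such names are possible. The `join` helper added at the top of the hunk is not used within it; if nothing further down the script calls it, it is dead code.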
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 3ac9c51..633a056 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -1,7 +1,7 @@ argo: {} global: - argo: + kubezero: server: https://kubernetes.default.svc repoURL: https://github.com/zero-down-time/kubezero targetRevision: HEAD diff --git a/docs/Upgrade.md b/docs/Upgrade.md new file mode 100644 index 0000000..19903a4 --- /dev/null +++ b/docs/Upgrade.md @@ -0,0 +1,47 @@ +# Upgrade to KubeZero V2(Argoless) + +- disable all auto-sync in argo !! + +- migrate values.yaml to new structure,adapt as needed + +- update new central kubezero location in git and merge cluster configs + +## High level / Admin changes +- ArgoCD is now optional +- ArgoCD is NOT required nor used during initial cluster bootstrap +- the initial bootstrap script now uses the same config as ArgoCD later on +- the initial bootstrap is WAY faster and re-try safe + +## Individual changes + +### Cert-manager +- local issuer is now a cluster issuer +- all resources moved to cert-manager namespace + +### Kiam +- check certs and function due to cert-manager changes +- set priorty class + +### Logging +- ES/Kibana version bump, new ECK operator + +### ArgoCD +- version bump, new app of app architecure + +### Metrics +- version bumps +- all servicemonitor resources are now in the same namespaces as the apps +- check all metrics still work + +### Calico +- version bump + +### EBS +- version bump + +### Istio +- operator removed, deployment migrated to helm, cleanups +- version bump to 1.8 +- no more policy by default +- all ingress in dedicated new namespace istio-ingress as well as dedicated helm chart +- set priorty class -- 2.40.1 From 7df88c888319cd80a7720de6cb8a898d750fd665 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Thu, 26 Nov 2020 15:31:40 -0800 Subject: [PATCH 09/48] Add missing .helmignore --- .../kubezero-aws-ebs-csi-driver/.helmignore | 2 ++ .../kubezero-aws-efs-csi-driver/.helmignore | 24 +++++++++++++++++++ charts/kubezero-istio/.helmignore | 2 ++ 3 files changed, 28 insertions(+) create mode 100644 charts/kubezero-aws-efs-csi-driver/.helmignore create mode 100644 charts/kubezero-istio/.helmignore diff --git a/charts/kubezero-aws-ebs-csi-driver/.helmignore b/charts/kubezero-aws-ebs-csi-driver/.helmignore index 50af031..58b068b 100644 --- a/charts/kubezero-aws-ebs-csi-driver/.helmignore +++ b/charts/kubezero-aws-ebs-csi-driver/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj .vscode/ + +git diff --git a/charts/kubezero-aws-efs-csi-driver/.helmignore b/charts/kubezero-aws-efs-csi-driver/.helmignore new file mode 100644 index 0000000..58b068b --- /dev/null +++ b/charts/kubezero-aws-efs-csi-driver/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +git diff --git a/charts/kubezero-istio/.helmignore b/charts/kubezero-istio/.helmignore new file mode 100644 index 0000000..b4a6b6b --- /dev/null +++ b/charts/kubezero-istio/.helmignore @@ -0,0 +1,2 @@ +istioctl +istio-?.?.? -- 2.40.1 From 7e1d26aa5cefa2c09be05ed206c3e005705e4a00 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 27 Nov 2020 08:19:44 -0800 Subject: [PATCH 10/48] More fixes --- charts/kubezero/templates/{argo.yaml => argo-cd.yaml} | 0 charts/kubezero/values.yaml | 2 ++ 2 files changed, 2 insertions(+) rename charts/kubezero/templates/{argo.yaml => argo-cd.yaml} (100%) 
diff --git a/charts/kubezero/templates/argo.yaml b/charts/kubezero/templates/argo-cd.yaml similarity index 100% rename from charts/kubezero/templates/argo.yaml rename to charts/kubezero/templates/argo-cd.yaml diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 633a056..5cc73c9 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -46,3 +46,5 @@ logging: argo-cd: enabled: false namespace: argocd + istio: + enabled: false -- 2.40.1 From bc7f4b08edcb0b16e4fb329ab90f97d348546492 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Sat, 28 Nov 2020 15:01:20 -0800 Subject: [PATCH 11/48] More bugfixes, ingress certs --- .../templates/ingress-certificate.yaml | 23 +++++++++++++++++-- .../templates/ingress-gateway.yaml | 6 ++--- charts/kubezero-istio-ingress/values.yaml | 2 ++ charts/kubezero-istio/update.sh | 2 +- charts/kubezero-metrics/values.yaml | 4 ++++ 5 files changed, 31 insertions(+), 6 deletions(-) diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml index 5ea0ad0..fbb2fee 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml 
@@ -2,15 +2,34 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: public-ingress-cert + name: ingress-cert namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: - secretName: public-ingress-cert + secretName: ingress-cert issuerRef: name: letsencrypt-dns-prod kind: ClusterIssuer dnsNames: {{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }} {{- end }} + +{{- if index .Values "istio-private-ingress" "dnsNames" }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: private-ingress-cert + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + secretName: private-ingress-cert + issuerRef: + name: letsencrypt-dns-prod + kind: ClusterIssuer + dnsNames: +{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }} +{{- end }} + diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml index 319ead6..4995ee0 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml @@ -28,7 +28,7 @@ spec: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: ingress-cert {{- end }} {{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }} @@ -62,7 +62,7 @@ spec: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: private-ingress-cert - port: number: 5672 name: amqp 
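Review bot: The public Certificate is renamed from `public-ingress-cert` to the generic `ingress-cert` while the new private one is `private-ingress-cert`, which leaves the public/private pairing implicit; keeping `public-ingress-cert`, or adding a comment such as `# ingress-cert is the secret consumed by the public ingress gateway`, would make the mapping to the `credentialName` values in ingress-gateway.yaml self-explanatory. Both Certificates use the same `letsencrypt-dns-prod` ClusterIssuer, so the hostnames listed under `istio-private-ingress.dnsNames` will presumably be recorded in public CT logs like any publicly issued certificate; that is fine if intended, but worth a note for operators who expect private hostnames to stay unpublished. The `{{- if ... }}` guard that the first `{{- end }}` closes starts before the hunk.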
@@ -85,7 +85,7 @@ spec: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: public-ingress-cert + credentialName: private-ingress-cert - port: number: 6379 name: redis diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml index 0129098..5d57615 100644 --- a/charts/kubezero-istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/values.yaml @@ -11,6 +11,8 @@ global: defaultPodDisruptionBudget: enabled: false + arch: + amd64: 2 istio-ingress: enabled: false diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index dee4b6a..648dc6d 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -30,4 +30,4 @@ cp -r istio-${ISTIO_VERSION}/manifests/charts/gateways/istio-ingress ../kubezero sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml # Get matching istioctl -# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } +[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index 2f20d6a..40868fc 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -132,6 +132,10 @@ kube-prometheus-stack: enabled: false testFramework: enabled: false + # Missing default in prometheus-stack + sidecar: + notifiers: + enabled: false # Assign state metrics to control plane kube-state-metrics: -- 2.40.1 
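Review bot: The line uncommented in `update.sh` fetches and unpacks `istioctl` with `curl -sL ... | tar xz` and no integrity check, so an HTTP error body or a mis-served archive is extracted and then marked executable, and `-s` without `-S`/`-f` hides the failure. Download to a file with `curl -sSfL -o istioctl.tgz "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz"`, verify it against the checksum published for that release (`echo "<EXPECTED_SHA256_FROM_RELEASE>  istioctl.tgz" | sha256sum -c -`), and only then `tar xzf istioctl.tgz && chmod +x istioctl`. The version test on the left, `[ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ]`, should quote `$ISTIO_VERSION`; whether that command prints exactly the bare version string I cannot confirm from here.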
From 91c59e35609f81596baa3ef5ff406b0f726ecc3d Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Sat, 28 Nov 2020 23:54:40 +0000 Subject: [PATCH 12/48] Metrics update --- charts/kubezero-metrics/Chart.yaml | 2 +- charts/kubezero-metrics/values.yaml | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index a6e19e6..d120307 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kube-prometheus-stack - version: 11.1.1 + version: 12.2.4 repository: https://prometheus-community.github.io/helm-charts - name: prometheus-adapter version: 2.7.1 diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index 40868fc..a7e1a37 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -3,13 +3,13 @@ grafana: enabled: false ipBlocks: [] url: "" - gateway: istio-system/ingressgateway + gateway: istio-ingress/ingressgateway prometheus: istio: enabled: false url: "" - gateway: istio-system/ingressgateway + gateway: istio-ingress/ingressgateway kube-prometheus-stack: defaultRules: @@ -132,10 +132,6 @@ kube-prometheus-stack: enabled: false testFramework: enabled: false - # Missing default in prometheus-stack - sidecar: - notifiers: - enabled: false # Assign state metrics to control plane kube-state-metrics: -- 2.40.1 From 4bca9bd8699d541cb2e34338133407acaa2bcc11 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Mon, 30 Nov 2020 01:49:38 -0800 Subject: [PATCH 13/48] Add local-path-provisioner, re-org bootstrap --- .../Chart.yaml | 18 + .../kubezero-local-path-provisioner/README.md | 42 +++ .../README.md.gotmpl | 27 ++ .../charts/local-path-provisioner/Chart.yaml | 12 + .../charts/local-path-provisioner/README.md | 116 +++++++ .../templates/NOTES.txt | 13 + .../templates/_helpers.tpl | 71 ++++ .../templates/clusterrole.yaml | 21 ++ .../templates/clusterrolebinding.yaml | 16 + .../templates/configmap.yaml | 18 + .../templates/deployment.yaml | 73 ++++ .../templates/registry-secret.yaml | 9 + .../templates/serviceaccount.yaml | 15 + .../templates/storageclass.yaml | 15 + .../charts/local-path-provisioner/values.yaml | 144 ++++++++ .../kubezero-local-path-provisioner/update.sh | 8 + .../values.yaml | 16 + charts/kubezero/bootstrap.sh | 327 +++++------------- charts/kubezero/templates/argoless.yaml | 4 +- .../templates/local-path-provisioner.yaml | 7 + charts/kubezero/values.yaml | 11 +- 21 files changed, 744 insertions(+), 239 deletions(-) create mode 100644 charts/kubezero-local-path-provisioner/Chart.yaml create mode 100644 charts/kubezero-local-path-provisioner/README.md create mode 100644 charts/kubezero-local-path-provisioner/README.md.gotmpl create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml create mode 100644 
charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml create mode 100644 charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml create mode 100755 charts/kubezero-local-path-provisioner/update.sh create mode 100644 charts/kubezero-local-path-provisioner/values.yaml create mode 100644 charts/kubezero/templates/local-path-provisioner.yaml diff --git a/charts/kubezero-local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/Chart.yaml new file mode 100644 index 0000000..4a32718 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +name: kubezero-local-path-provisioner +description: KubeZero Umbrella Chart for local-path-provisioner +type: application +version: 0.1.0 +appVersion: 0.0.18 +home: https://kubezero.com +icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png +keywords: + - kubezero + - local-path-provisioner +maintainers: + - name: Quarky9 +dependencies: + - name: kubezero-lib + version: ">= 0.1.3" + repository: https://zero-down-time.github.io/kubezero/ +kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/README.md new file mode 100644 index 0000000..a09236e --- /dev/null +++ b/charts/kubezero-local-path-provisioner/README.md 
@@ -0,0 +1,42 @@ +# kubezero-local-volume-provisioner + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.4](https://img.shields.io/badge/AppVersion-2.3.4-informational?style=flat-square) + +KubeZero Umbrella Chart for local-static-provisioner + +Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Quarky9 | | | + +## Requirements + +Kubernetes: `>= 1.16.0` + +| Repository | Name | Version | +|------------|------|---------| +| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| local-static-provisioner.classes[0].hostDir | string | `"/mnt/disks"` | | +| local-static-provisioner.classes[0].name | string | `"local-sc-xfs"` | | +| local-static-provisioner.common.namespace | string | `"kube-system"` | | +| local-static-provisioner.daemonset.nodeSelector."node.kubernetes.io/localVolume" | string | `"present"` | | +| local-static-provisioner.prometheus.operator.enabled | bool | `false` | | + +## KubeZero default configuration + +- add nodeSelector to only install on nodes actually having ephemeral local storage +- provide matching storage class to expose mounted disks under `/mnt/disks` + +## Resources + +- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/README.md.gotmpl b/charts/kubezero-local-path-provisioner/README.md.gotmpl new file mode 100644 index 0000000..7eecd10 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/README.md.gotmpl 
@@ -0,0 +1,27 @@ +{{ template "chart.header" . }} +{{ template "chart.deprecationWarning" . }} + +{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.description" . }} + +Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. + +{{ template "chart.homepageLine" . }} + +{{ template "chart.maintainersSection" . }} + +{{ template "chart.sourcesSection" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +## KubeZero default configuration + +- add nodeSelector to only install on nodes actually having ephemeral local storage +- provide matching storage class to expose mounted disks under `/mnt/disks` + +## Resources + +- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml new file mode 100644 index 0000000..59f96aa --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +description: Use HostPath for persistent local storage with Kubernetes +name: local-path-provisioner +version: 0.0.18 +appVersion: "v0.0.18" +keywords: + - storage + - hostpath +kubeVersion: ">=1.12.0-r0" +home: https://github.com/rancher/local-path-provisioner +sources: + - https://github.com/rancher/local-path-provisioner.git diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md new file mode 100644 index 0000000..03235f0 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md 
@@ -0,0 +1,116 @@ +# Local Path Provisioner + +[Local Path Provisioner](https://github.com/rancher/local-path-provisioner) provides a way for the Kubernetes users to +utilize the local storage in each node. Based on the user configuration, the Local Path Provisioner will create +`hostPath` based persistent volume on the node automatically. It utilizes the features introduced by Kubernetes [Local +Persistent Volume feature](https://kubernetes.io/blog/2018/04/13/local-persistent-volumes-beta/), but make it a simpler +solution than the built-in `local` volume feature in Kubernetes. + +## TL;DR; + +```console +$ git clone https://github.com/rancher/local-path-provisioner.git +$ cd local-path-provisioner +$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ +``` + +## Introduction + +This chart bootstraps a [Local Path Provisioner](https://github.com/rancher/local-path-provisioner) deployment on a +[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.12+ with Beta APIs enabled + +## Installing the Chart + +To install the chart with the release name `local-path-storage`: + +```console +$ git clone https://github.com/rancher/local-path-provisioner.git +$ cd local-path-provisioner +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage +``` + +The command deploys Local Path Provisioner on the Kubernetes cluster in the default configuration. The +[configuration](#configuration) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `local-path-storage` deployment: + +```console +$ helm delete --purge local-path-storage +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Configuration + +The following table lists the configurable parameters of the Local Path Provisioner for Kubernetes chart and their +default values. + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `image.repository` | Local Path Provisioner image name | `rancher/local-path-provisioner` | +| `image.tag` | Local Path Provisioner image tag | `v0.0.18` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `storageClass.create` | If true, create a `StorageClass` | `true` | +| `storageClass.provisionerName` | The provisioner name for the storage class | `nil` | +| `storageClass.defaultClass` | If true, set the created `StorageClass` as the cluster's default `StorageClass` | `false` | +| `storageClass.name` | The name to assign the created StorageClass | local-path | +| `storageClass.reclaimPolicy` | ReclaimPolicy field of the class | Delete | +| `nodePathMap` | Configuration of where to store the data on each node | `[{node: DEFAULT_PATH_FOR_NON_LISTED_NODES, paths: [/opt/local-path-provisioner]}]` | +| `resources` | Local Path Provisioner resource requests & limits | `{}` | +| `rbac.create` | If true, create & use RBAC resources | `true` | +| `serviceAccount.create` | If true, create the Local Path Provisioner service account | `true` | +| `serviceAccount.name` | Name of the Local Path Provisioner service account to use or create | `nil` | +| `nodeSelector` | Node labels for Local Path Provisioner pod assignment | `{}` | +| `tolerations` | Node taints to tolerate | `[]` | +| `affinity` | Pod affinity | `{}` | +| `configmap.setup` | Configuration of script to execute setup operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
mkdir -m 0777 -p ${absolutePath} | +| `configmap.teardown` | Configuration of script to execute teardown operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
rm -rf ${absolutePath} | +| `configmap.name` | configmap name | `local-path-config` | +| `configmap.helperPod` | helper pod yaml file | apiVersion: v1
kind: Pod
metadata:
 name: helper-pod
spec:
 containers:
 - name: helper-pod
  image: busybox | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set storageClass.provisionerName=rancher.io/local-path +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the +chart. For example, + +```console +$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## RBAC + +By default the chart will install the recommended RBAC roles and rolebindings. + +You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable +[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/). + +To determine if your cluster supports RBAC, run the following command: + +```console +$ kubectl api-versions | grep rbac +``` + +If the output contains "beta", you may install the chart with RBAC enabled (see below). + +### Enable RBAC role/rolebinding creation + +To enable the creation of RBAC resources (On clusters with RBAC). Do the following: + +```console +$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set rbac.create=true +``` diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt new file mode 100644 index 0000000..25370ac --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt 
@@ -0,0 +1,13 @@ +You can create a hostpath-backed persistent volume with a persistent volume claim like this: + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: local-path-pvc +spec: + accessModes: + - ReadWriteOnce + storageClassName: {{ .Values.storageClass.name }} + resources: + requests: + storage: 2Gi diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl new file mode 100644 index 0000000..cd58f3d --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl 
@@ -0,0 +1,71 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "local-path-provisioner.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "local-path-provisioner.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "local-path-provisioner.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "local-path-provisioner.labels" -}} +app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} +helm.sh/chart: {{ include "local-path-provisioner.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use. +*/}} +{{- define "local-path-provisioner.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "local-path-provisioner.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the provisioner to use. 
+*/}} +{{- define "local-path-provisioner.provisionerName" -}} +{{- if .Values.storageClass.provisionerName -}} +{{- printf .Values.storageClass.provisionerName -}} +{{- else -}} +cluster.local/{{ template "local-path-provisioner.fullname" . -}} +{{- end -}} +{{- end -}} + +{{- define "local-path-provisioner.secret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml new file mode 100644 index 0000000..a9fd1c6 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +rules: +- apiGroups: [""] + resources: ["nodes", "persistentvolumeclaims", "configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "persistentvolumes", "pods"] + verbs: ["*"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..9a46a7b --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "local-path-provisioner.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "local-path-provisioner.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml new file mode 100644 index 0000000..b025053 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.configmap.name }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +data: + config.json: |- + { + "nodePathMap": {{ .Values.nodePathMap | toPrettyJson | nindent 8 }} + } + setup: |- + {{ .Values.configmap.setup | nindent 4 }} + teardown: |- + {{ .Values.configmap.teardown | nindent 4 }} + helperPod.yaml: |- + {{ .Values.configmap.helperPod | nindent 4 }} + diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml new file mode 100644 index 0000000..ad42ae0 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "local-path-provisioner.fullname" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "local-path-provisioner.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.privateRegistry.registryUrl }} + image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- else }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - local-path-provisioner + - --debug + - start + - --config + - /etc/config/config.json + - --service-account-name + - {{ template "local-path-provisioner.serviceAccountName" . }} + - --provisioner-name + - {{ template "local-path-provisioner.provisionerName" . 
}} + - --helper-image + {{- if .Values.privateRegistry.registryUrl }} + - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" + {{- else }} + - "{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" + {{- end }} + - --configmap-name + - {{ .Values.configmap.name }} + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + value: {{ .Release.Namespace }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: config-volume + configMap: + name: {{ .Values.configmap.name }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml new file mode 100644 index 0000000..eb33897 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml @@ -0,0 +1,9 @@ +{{- if .Values.defaultSettings.registrySecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.defaultSettings.registrySecret }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "local-path-provisioner.secret" . }} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml new file mode 100644 index 0000000..aed111e --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "local-path-provisioner.serviceAccountName" . }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +{{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if .Values.defaultSettings.registrySecret }} + - name: {{ .Values.defaultSettings.registrySecret }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml new file mode 100644 index 0000000..c451b82 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml @@ -0,0 +1,15 @@ +{{ if .Values.storageClass.create -}} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ .Values.storageClass.name }} + labels: +{{ include "local-path-provisioner.labels" . | indent 4 }} +{{- if .Values.storageClass.defaultClass }} + annotations: + storageclass.kubernetes.io/is-default-class: "true" +{{- end }} +provisioner: {{ template "local-path-provisioner.provisionerName" . }} +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: {{ .Values.storageClass.reclaimPolicy }} +{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml new file mode 100644 index 0000000..a19bcd2 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml 
@@ -0,0 +1,144 @@ +# Default values for local-path-provisioner. + +replicaCount: 1 + +image: + repository: rancher/local-path-provisioner + tag: v0.0.18 + pullPolicy: IfNotPresent + +helperImage: + repository: busybox + tag: latest + +defaultSettings: + registrySecret: ~ + +privateRegistry: + registryUrl: ~ + registryUser: ~ + registryPasswd: ~ + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +## For creating the StorageClass automatically: +storageClass: + create: true + + ## Set a provisioner name. If unset, a name will be generated. + # provisionerName: rancher.io/local-path + + ## Set StorageClass as the default StorageClass + ## Ignored if storageClass.create is false + defaultClass: false + + ## Set a StorageClass name + ## Ignored if storageClass.create is false + name: local-path + + ## ReclaimPolicy field of the class, which can be either Delete or Retain + reclaimPolicy: Delete + +# nodePathMap is the place user can customize where to store the data on each node. +# 1. If one node is not listed on the nodePathMap, and Kubernetes wants to create volume on it, the paths specified in +# DEFAULT_PATH_FOR_NON_LISTED_NODES will be used for provisioning. +# 2. If one node is listed on the nodePathMap, the specified paths will be used for provisioning. +# 1. If one node is listed but with paths set to [], the provisioner will refuse to provision on this node. +# 2. If more than one path was specified, the path would be chosen randomly when provisioning. +# +# The configuration must obey following rules: +# 1. A path must start with /, a.k.a an absolute path. +# 2. Root directory (/) is prohibited. +# 3. No duplicate paths allowed for one node. +# 4. No duplicate node allowed. +nodePathMap: + - node: DEFAULT_PATH_FOR_NON_LISTED_NODES + paths: + - /opt/local-path-provisioner + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +rbac: + # Specifies whether RBAC resources should be created + create: true + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +configmap: + # specify the config map name + name: local-path-config + # specify the custom script for setup and teardown + setup: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + mkdir -m 0777 -p ${absolutePath} + teardown: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + + rm -rf ${absolutePath} + # specify the custom helper pod yaml + helperPod: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: busybox + + + + + diff --git a/charts/kubezero-local-path-provisioner/update.sh b/charts/kubezero-local-path-provisioner/update.sh new file mode 100755 index 0000000..78e944f --- /dev/null +++ b/charts/kubezero-local-path-provisioner/update.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +# get subchart until they have upstream repo +rm -rf charts/local-path-provisioner && mkdir -p charts/local-path-provisioner + +git clone --depth=1 https://github.com/rancher/local-path-provisioner.git +cp -r local-path-provisioner/deploy/chart/* charts/local-path-provisioner +rm -rf local-path-provisioner 
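Review bot: The existing chart copy is wiped by `rm -rf charts/local-path-provisioner` before the clone has succeeded, and the clone itself is not pinned to any revision, so a failed or tampered fetch leaves the vendored chart empty or replaced by whatever the upstream default branch holds at that moment. Add `set -euo pipefail` after the shebang so a failing `git clone` or `cp` stops the script, and clone a fixed tag or commit with `git clone --depth=1 --branch <UPSTREAM_TAG> https://github.com/rancher/local-path-provisioner.git` (placeholder; the tag should match the `image.tag` shipped in the vendored values). Moving the `rm -rf`/`mkdir -p` line after the clone keeps the previous vendored copy intact when the fetch fails.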
diff --git a/charts/kubezero-local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/values.yaml new file mode 100644 index 0000000..2add882 --- /dev/null +++ b/charts/kubezero-local-path-provisioner/values.yaml @@ -0,0 +1,16 @@ +local-path-provisioner: + storageClass: + create: true + defaultClass: false + + nodePathMap: + - node: DEFAULT_PATH_FOR_NON_LISTED_NODES + paths: + - /opt/local-path-provisioner + + nodeSelector: + node-role.kubernetes.io/master: "" + + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index 87af724..0e30f35 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -6,18 +6,19 @@ ARTIFACTS=("$2") CLUSTER=$3 LOCATION=${4:-""} +API_VERSIONS="-a monitoring.coreos.com/v1" + DEPLOY_DIR=$( dirname $( realpath $0 )) which yq || { echo "yq not found!"; exit 1; } TMPDIR=$(mktemp -d kubezero.XXX) -function join { local IFS="$1"; shift; echo "$*"; } - # First lets generate kubezero.yaml # Add all yaml files in $CLUSTER VALUES="$(find $CLUSTER -name '*.yaml' | tr '\n' ',')" helm template $DEPLOY_DIR -f ${VALUES%%,} --set argo=false > $TMPDIR/kubezero.yaml +# Resolve all the all enabled artifacts in order of their appearance if [ ${ARTIFACTS[0]} == "all" ]; then ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "*.enabled" | awk -F "." '{print $1}')) fi 
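Review bot: `API_VERSIONS="-a monitoring.coreos.com/v1"` only works because `apply()` (next hunk) expands it unquoted and relies on word-splitting to turn the string back into two arguments, the pattern ShellCheck flags as SC2086, and it breaks as soon as a value contains whitespace. Declare it as an array, `API_VERSIONS=(-a monitoring.coreos.com/v1)`, and expand it as `"${API_VERSIONS[@]}"` in `apply()`. A short comment would also help, e.g. `# Extra --api-versions passed to every helm template call, presumably so charts that gate resources on .Capabilities.APIVersions render them`. The added comment `# Resolve all the all enabled artifacts` has a duplicated "all".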
@@ -49,44 +50,76 @@ function chart_location() { } -function _helm() { - local action=$1 - local chart=$2 - local release=$3 - local namespace=$4 - shift 4 +# make sure namespace exists prior to calling helm as the create-namespace options doesn't work +function create_ns() { + local namespace=$1 + kubectl get ns $namespace || kubectl create ns $namespace +} - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds $@ > $TMPDIR/helm.yaml - if [ $action == "apply" ]; then - # make sure namespace exists prior to calling helm as the create-namespace options doesn't work - kubectl get ns $namespace || kubectl create ns $namespace - fi +# delete non kube-system ns +function delete_ns() { + local namespace=$1 + [ "$namespace" != "kube-system" ] && kubectl delete ns $namespace +} + + +# Extract crds via helm calls and apply delta=crds only +function _crds() { + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml +} + + +# helm template | kubectl apply -f - +# confine to one namespace if possible +function apply(){ + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds -f $TMPDIR/values.yaml $API_VERSIONS $@ > $TMPDIR/helm.yaml # If resources are out of the single $namespace, apply without restrictions nr_ns=$(grep -e '^ namespace:' $TMPDIR/helm.yaml | sed "s/\"//g" | sort | uniq | wc -l) if [ $nr_ns -gt 1 ]; then - kubectl $action -f $TMPDIR/helm.yaml + kubectl $action -f $TMPDIR/helm.yaml && rc=$? || rc=$? else - kubectl $action --namespace $namespace -f $TMPDIR/helm.yaml + kubectl $action --namespace $namespace -f $TMPDIR/helm.yaml && rc=$? 
|| rc=$? fi } -function deploy() { - _helm apply $@ -} +function _helm() { + local action=$1 + local chart="kubezero-$2" + local release=$2 + local namespace=$(get_namespace $2) -function delete() { - _helm delete $@ + if [ $action == "crds" ]; then + _crds + else + + # namespace must exist prior to apply + [ $action == "apply" ] && create_ns $namespace + + # Optional pre hook + declare -F ${release}-pre && ${release}-pre + + apply + + # Optional post hook + declare -F ${release}-post && ${release}-post + + # Delete dedicated namespace if not kube-system + [ $action == "delete" ] && delete_ns $namespace + fi } function is_enabled() { local chart=$1 + local enabled=$(yq r $TMPDIR/kubezero.yaml ${chart}.enabled) - enabled=$(yq r $TMPDIR/kubezero.yaml ${chart}.enabled) if [ "$enabled" == "true" ]; then yq r $TMPDIR/kubezero.yaml ${chart}.values > $TMPDIR/values.yaml return 0 
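Review bot: `apply()` and `_crds()` read `$chart`, `$release` and `$namespace` without declaring or receiving them, relying on bash's dynamic scoping to see the `local`s of the calling `_helm()`, and `apply()` leaves the kubectl status in the global `rc` for `cert-manager-post` in the next hunk to inspect; nothing in the code states this, and calling `apply` from outside `_helm()` silently templates with empty arguments. Add a header comment on both functions such as `# Expects $chart, $release and $namespace from the calling _helm(); apply() also stores the kubectl exit status in the global $rc for *-post hooks`. Separately, `local namespace=$(get_namespace $2)` in `_helm()` masks a failing `yq` because `local` itself returns 0; split it into `local namespace` and `namespace=$(get_namespace "$2") || return`. `delete_ns()` removes the entire namespace, not just the release, which matches the "dedicated namespace" comment but is worth stating next to the `kubectl delete ns` call.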
@@ -95,262 +128,84 @@ function is_enabled() { } -########## -# Calico # -########## -function calico() { - local chart="kubezero-calico" - local release="calico" - local namespace="kube-system" +function has_crds() { + local chart=$1 + local enabled=$(yq r $TMPDIR/kubezero.yaml ${chart}.crds) - local task=$1 + [ "$enabled" == "true" ] && return 0 + return 1 +} - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? - kubectl apply -f $TMPDIR/helm.yaml - # Don't delete the only CNI - #elif [ $task == "delete" ]; then - # delete $chart $release $namespace -f $TMPDIR/values.yaml - elif [ $task == "crds" ]; then - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml - fi + +function get_namespace() { + local namespace=$(yq r $TMPDIR/kubezero.yaml ${1}.namespace) + [ -z "$namespace" ] && echo "kube-system" || echo $namespace } ################ # cert-manager # ################ -function cert-manager() { - local chart="kubezero-cert-manager" - local release="cert-manager" - local namespace="cert-manager" +function cert-manager-post() { + # If any error occurs, wait for initial webhook deployment and try again + # see: https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$? 
- - # If any error occurs, wait for initial webhook deployment and try again - # see: https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation - if [ $rc -ne 0 ]; then - wait_for "kubectl get deployment -n $namespace cert-manager-webhook" - kubectl rollout status deployment -n $namespace cert-manager-webhook - wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"' - deploy $chart $release $namespace -f $TMPDIR/values.yaml - fi - - wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer" - kubectl wait --timeout=180s --for=condition=Ready -n $namespace ClusterIssuer/kubezero-local-ca-issuer - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns $namespace - - elif [ $task == "crds" ]; then - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set cert-manager.installCRDs=false > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set cert-manager.installCRDs=true > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml + if [ $rc -ne 0 ]; then + wait_for "kubectl get deployment -n $namespace cert-manager-webhook" + kubectl rollout status deployment -n $namespace cert-manager-webhook + wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"' + apply fi + + wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer" + kubectl wait --timeout=180s --for=condition=Ready -n $namespace ClusterIssuer/kubezero-local-ca-issuer } ######## # Kiam # ######## -function kiam() { - local chart="kubezero-kiam" - local release="kiam" - local namespace="kube-system" - - local task=$1 - - if [ $task == "deploy" ]; then - # Certs only first - 
deploy $chart $release $namespace --set kiam.enabled=false - kubectl wait --timeout=120s --for=condition=Ready -n kube-system Certificate/kiam-server - - # Make sure kube-system and cert-manager are allowed to kiam - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' - kubectl annotate --overwrite namespace cert-manager 'iam.amazonaws.com/permitted=.*CertManagerRole.*' - - # Get kiam rolled out and make sure it is working - deploy $chart $release $namespace -f $TMPDIR/values.yaml - wait_for 'kubectl get daemonset -n kube-system kiam-agent' - kubectl rollout status daemonset -n kube-system kiam-agent - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - fi +function kiam-pre() { + # Certs only first + apply --set kiam.enabled=false + kubectl wait --timeout=120s --for=condition=Ready -n kube-system Certificate/kiam-server } +function kiam-post() { + wait_for 'kubectl get daemonset -n kube-system kiam-agent' + kubectl rollout status daemonset -n kube-system kiam-agent -####### -# EBS # -####### -function aws-ebs-csi-driver() { - local chart="kubezero-aws-ebs-csi-driver" - local release="aws-ebs-csi-driver" - local namespace="kube-system" - - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - fi -} - - -######### -# Istio # -######### -function istio() { - local chart="kubezero-istio" - local release="istio" - local namespace="istio-system" - - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns istio-system - - elif [ $task == "crds" ]; then - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - 
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml - fi -} - -################# -# Istio Ingress # -################# -function istio-ingress() { - local chart="kubezero-istio-ingress" - local release="istio-ingress" - local namespace="istio-ingress" - - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns istio-ingress - fi -} - - -########### -# Metrics # -########### -function metrics() { - local chart="kubezero-metrics" - local release="metrics" - local namespace="monitoring" - - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns monitoring - - elif [ $task == "crds" ]; then - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml - fi + # Make sure kube-system and cert-manager are allowed to kiam + kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*' + kubectl annotate --overwrite namespace cert-manager 'iam.amazonaws.com/permitted=.*CertManagerRole.*' } ########### # Logging # ########### -function logging() { - local chart="kubezero-logging" - local release="logging" - local namespace="logging" - - local task=$1 - - if [ $task == "deploy" ]; 
then - deploy $chart $release $namespace -a "monitoring.coreos.com/v1" -f $TMPDIR/values.yaml - - kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns logging - - # Doesnt work right now due to V2 Helm implementation of the eck-operator-crd chart - #elif [ $task == "crds" ]; then - # helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - # helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml - # diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - # kubectl apply -f $TMPDIR/crds.yaml - fi -} - - -########## -# ArgoCD # -########## -function argo-cd() { - local chart="kubezero-argo-cd" - local release="argocd" - local namespace="argocd" - - local task=$1 - - if [ $task == "deploy" ]; then - deploy $chart $release $namespace -f $TMPDIR/values.yaml - - # Install the kubezero app of apps - # deploy kubezero kubezero $namespace -f $TMPDIR/kubezero.yaml - - elif [ $task == "delete" ]; then - delete $chart $release $namespace -f $TMPDIR/values.yaml - kubectl delete ns argocd - - elif [ $task == "crds" ]; then - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml - fi +function logging-post() { + kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' } ## MAIN ## if [ $1 == "deploy" ]; then for t in ${ARTIFACTS[@]}; do - 
is_enabled $t && $t deploy + is_enabled $t && _helm apply $t done +# If artifact enabled and has crds install elif [ $1 == "crds" ]; then for t in ${ARTIFACTS[@]}; do - is_enabled $t && $t crds + is_enabled $t && has_crds $t && _helm crds $t done # Delete in reverse order, continue even if errors elif [ $1 == "delete" ]; then set +e for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do - is_enabled ${ARTIFACTS[idx]} && ${ARTIFACTS[idx]} delete + is_enabled ${ARTIFACTS[idx]} && _helm delete ${ARTIFACTS[idx]} done fi diff --git a/charts/kubezero/templates/argoless.yaml b/charts/kubezero/templates/argoless.yaml index 00cfb8b..fd1986f 100644 --- a/charts/kubezero/templates/argoless.yaml +++ b/charts/kubezero/templates/argoless.yaml @@ -1,6 +1,6 @@ {{- if not .Values.argo }} -{{- $artifacts := list "calico" "cert-manager" "kiam" "aws-ebs-csi-driver" "aws-efs-csi-driver" "local-volume-provisioner" "istio" "istio-ingress" "metrics" "logging" "argo-cd" }} +{{- $artifacts := list "calico" "cert-manager" "kiam" "aws-ebs-csi-driver" "aws-efs-csi-driver" "local-volume-provisioner" "local-path-provisioner" "istio" "istio-ingress" "metrics" "logging" "argo-cd" }} {{- if .Values.global }} global: @@ -11,6 +11,8 @@ global: {{- if index $.Values . }} {{ . }}: enabled: {{ index $.Values . "enabled" }} + namespace: {{ default "kube-system" ( index $.Values . "namespace" ) }} + crds: {{ default false ( index $.Values . "crds" ) }} values: {{- include (print . "-values") $ | nindent 4 }} {{- end }} diff --git a/charts/kubezero/templates/local-path-provisioner.yaml b/charts/kubezero/templates/local-path-provisioner.yaml new file mode 100644 index 0000000..6760243 --- /dev/null +++ b/charts/kubezero/templates/local-path-provisioner.yaml @@ -0,0 +1,7 @@ +{{- define "local-path-provisioner-values" }} +{{- end }} + +{{- define "local-path-provisioner-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} 
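Review bot: The generic delete loop now runs `_helm delete calico` as well, whereas the removed `calico()` function deliberately had no delete branch (`# Don't delete the only CNI`); with `all` requested, calico is the last artifact the reverse-order loop reaches, so the cluster's CNI is torn down after everything else. Keep the exclusion explicit in the loop: `[ "${ARTIFACTS[idx]}" == "calico" ] && continue` before the `_helm delete` line, with the old comment carried over. The removed calico deploy path also re-applied `$TMPDIR/helm.yaml` unconditionally after `deploy`; no `calico-post` hook replaces it, so if that second pass was needed for CRD-backed resources it is gone now (I cannot tell from here whether it was). `cert-manager-post` depends on `$rc` and `$namespace` set by `apply()`/`_helm()`, so a one-line comment, `# $rc and $namespace come from the calling _helm()/apply()`, would keep that contract visible.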
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 5cc73c9..a5c8dcb 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -9,10 +9,12 @@ global: calico: enabled: false + crds: true retain: true cert-manager: enabled: false + crds: true namespace: cert-manager kiam: @@ -21,6 +23,9 @@ kiam: local-volume-provisioner: enabled: false +local-path-provisioner: + enabled: false + aws-ebs-csi-driver: enabled: false @@ -29,6 +34,7 @@ aws-efs-csi-driver: istio: enabled: false + crds: true namespace: istio-system istio-ingress: @@ -37,14 +43,15 @@ istio-ingress: metrics: enabled: false + crds: true namespace: monitoring logging: enabled: false + crds: true namespace: logging argo-cd: enabled: false + crds: true namespace: argocd - istio: - enabled: false -- 2.40.1 From 85e89f768cfadbfb42260599a69ffaef58d33d6e Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 30 Nov 2020 11:34:44 +0000 Subject: [PATCH 14/48] cert-manager version bump, local-path-provisioner fixes --- charts/kubezero-cert-manager/Chart.yaml | 2 +- charts/kubezero/bootstrap.sh | 10 +++++++--- charts/kubezero/templates/local-path-provisioner.yaml | 9 +++++++++ 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index 518d68e..72e6898 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml @@ -15,7 +15,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: cert-manager - version: 1.0.4 + version: 1.1.0 repository: https://charts.jetstack.io condition: cert-manager.enabled kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index 0e30f35..3b50a62 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh 
@@ -53,7 +53,9 @@ function chart_location() { # make sure namespace exists prior to calling helm as the create-namespace options doesn't work function create_ns() { local namespace=$1 - kubectl get ns $namespace || kubectl create ns $namespace + if [ "$namespace" != "kube-system" ]; then + kubectl get ns $namespace || kubectl create ns $namespace + fi } @@ -66,8 +68,8 @@ function delete_ns() { # Extract crds via helm calls and apply delta=crds only function _crds() { - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml kubectl apply -f $TMPDIR/crds.yaml } @@ -113,6 +115,8 @@ function _helm() { # Delete dedicated namespace if not kube-system [ $action == "delete" ] && delete_ns $namespace fi + + return 0 } diff --git a/charts/kubezero/templates/local-path-provisioner.yaml b/charts/kubezero/templates/local-path-provisioner.yaml index 6760243..500d52b 100644 --- a/charts/kubezero/templates/local-path-provisioner.yaml +++ b/charts/kubezero/templates/local-path-provisioner.yaml 
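Review bot: `--set ${release}.installCRDs=false/true` in `_crds()` assumes every wrapper chart exposes its upstream subchart under a key equal to the release name; that holds for cert-manager (the removed per-chart code used `cert-manager.installCRDs`), but for charts without such a value the flag is silently ignored and the extraction depends solely on what `--include-crds` adds. A comment on the two `helm template` lines would make that explicit, e.g. `# installCRDs only matters for subcharts that render CRDs from a value (cert-manager); other charts differ only via --include-crds`. The `diff -e | head -n-1 | tail -n+2` step also assumes the CRDs appear as one contiguous insertion; if they do not, ed-script address lines land in `crds.yaml` and `kubectl apply` fails with an unrelated parse error, so a guard such as `grep -q '^kind: CustomResourceDefinition' $TMPDIR/crds.yaml || return 1` before the apply would name the real problem.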
@@ -1,4 +1,13 @@ {{- define "local-path-provisioner-values" }} +local-path-provisioner: +{{- with index .Values "local-path-provisioner" "storageClass" }} + storageClass: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with index .Values "local-path-provisioner" "nodePathMap" }} + nodePathMap: + {{- toYaml . | nindent 4 }} +{{- end }} {{- end }} {{- define "local-path-provisioner-argo" }} -- 2.40.1 From a23282bdf5168e5a904ba526e83878f7ec811497 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 30 Nov 2020 04:13:52 -0800 Subject: [PATCH 15/48] More fixes --- .../kubezero-istio/remove-control-plane.yaml | 1794 +++++++++++++++++ charts/kubezero/values.yaml | 7 + scripts/update_helm.sh | 21 + 3 files changed, 1822 insertions(+) create mode 100644 charts/kubezero-istio/remove-control-plane.yaml create mode 100755 scripts/update_helm.sh diff --git a/charts/kubezero-istio/remove-control-plane.yaml b/charts/kubezero-istio/remove-control-plane.yaml new file mode 100644 index 0000000..2001a2e --- /dev/null +++ b/charts/kubezero-istio/remove-control-plane.yaml 
@@ -0,0 +1,1794 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod-service-account + namespace: istio-system + labels: + app: istiod + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: 
["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-pilot-istio-system + labels: + app: pilot + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: 
ValidatingWebhookConfiguration +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio + istio: istiod +webhooks: + - name: validation.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/validate" + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + - security.istio.io + - authentication.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: ANY # inbound, outbound, and gateway + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + 
typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" 
+ patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - 
applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.http_connection_manager" + subFilter: + name: "envoy.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + 
value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.6 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.6.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.7 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + 
filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.7.*' + listener: + filterChain: + filter: + name: "envoy.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + istio.io/rev: default + release: istio +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
+ meshNetworks: |- + networks: {} + + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + proxyMetadata: + DNS_AGENT: "" + tracing: + zipkin: + address: zipkin.istio-system:9411 + disableMixerHttpReports: true + enablePrometheusMerge: true + rootNamespace: istio-system + trustDomain: cluster.local +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio.io/rev: default + release: istio +data: + + values: |- + { + "global": { + "arch": { + "amd64": 2, + "ppc64le": 2, + "s390x": 2 + }, + "caAddress": "", + "centralIstiod": false, + "configValidation": true, + "controlPlaneSecurityEnabled": true, + "createRemoteSvcEndpoints": false, + "defaultNodeSelector": {}, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "enableHelmTest": false, + "enabled": true, + "hub": "docker.io/istio", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshExpansion": { + "enabled": false, + "useILB": false + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "namespace": "istio-system", + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "policyNamespace": "istio-system", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "logLevel": "warning", + "privileged": false, + 
"readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + "remotePilotAddress": "", + "remotePolicyAddress": "", + "remoteTelemetryAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "1.7.5", + "telemetryNamespace": "istio-system", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "trustDomain": "cluster.local", + "useMCP": false + }, + "istio_cni": { + "enabled": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "enableNamespacesByDefault": false, + "injectLabel": "istio-injection", + "injectedAnnotations": {}, + "neverInjectSelector": [], + "objectSelector": { + "autoInject": true, + "enabled": false + }, + "rewriteAppHTTPProbe": true + } + } + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. 
+ config: |- + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + + template: | + rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - 15001 + - "-z" + - "15006" + - "-u" + - 1337 + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- if .Values.global.proxy_init.resources }} + resources: + {{ toYaml .Values.global.proxy_init.resources | indent 4 }} + {{- else }} + resources: {} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq .Values.global.proxy.enableCoreDump true }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" + {{- 
else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.trustDomain }} + - --trust-domain={{ .Values.global.trustDomain }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} + - --concurrency + - "{{ .ProxyConfig.Concurrency.GetValue }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml 
.Values.global.proxy.lifecycle | indent 4 }} + {{- else if .Values.global.proxy.holdApplicationUntilProxyStarts}} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) 
.ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{ .DeploymentMeta.Name }} + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if .Values.global.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.trustDomain }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta 
`readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` 
}}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 4 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{- end }} + {{- if .ProxyConfig.ProxyMetadata.ISTIO_META_DNS_CAPTURE }} + dnsConfig: + options: + - name: "ndots" + value: "4" + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 2 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.podDNSSearchNamespaces }} + dnsConfig: + searches: + {{- range .Values.global.podDNSSearchNamespaces }} + - {{ render . }} + {{- end }} + {{- end }} + podRedirectAnnot: + {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} + {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} + k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" + {{- else }} + k8s.v1.cni.cncf.io/networks: "istio-cni" + {{- end }} + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 
.Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{- end }} + traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + + labels: + istio.io/rev: default + app: sidecar-injector + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchLabels: + istio-injection: enabled +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istiod + istio: pilot + istio.io/rev: default + release: istio + name: istiod + namespace: istio-system +spec: + selector: + matchLabels: + istio: pilot + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istiod + istio: pilot + istio.io/rev: default + spec: + containers: + - args: + - discovery + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --trust-domain=cluster.local + - --keepaliveMaxServerConnectionAge + - 30m + env: + - name: REVISION + value: default + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "true" + - name: 
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "true" + - name: INJECTION_WEBHOOK_CONFIG_NAME + value: istio-sidecar-injector + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "false" + - name: CLUSTER_ID + value: Kubernetes + - name: CENTRAL_ISTIOD + value: "false" + image: docker.io/istio/pilot:1.7.5 + name: discovery + ports: + - containerPort: 8080 + - containerPort: 15010 + - containerPort: 15017 + - containerPort: 15053 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + volumeMounts: + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/run/secrets/istio-dns + name: local-certs + - mountPath: /etc/cacerts + name: cacerts + readOnly: true + - mountPath: /var/run/secrets/remote + name: istio-kubeconfig + readOnly: true + - mountPath: /var/lib/istio/inject + name: inject + readOnly: true + securityContext: + fsGroup: 1337 + serviceAccountName: istiod-service-account + volumes: + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: cacerts + secret: + optional: true + secretName: cacerts + - name: istio-kubeconfig + secret: + optional: true + secretName: istio-kubeconfig + - configMap: + name: istio-sidecar-injector + name: inject + - configMap: + name: istio + name: config-volume +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + 
istio: pilot +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +rules: +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: pilot + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio + istio.io/rev: default +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: istio-system + labels: + istio.io/rev: default + app: istiod + istio: pilot + release: istio +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + - port: 15014 + name: http-monitoring # prometheus stats + - name: dns-tls + port: 853 + targetPort: 15053 + protocol: TCP + selector: + app: istiod + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot +--- diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index a5c8dcb..ed6fe94 100644 
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -7,6 +7,8 @@ global: targetRevision: HEAD pathPrefix: '' +HighAvailableControlplane: false + calico: enabled: false crds: true
@@ -45,6 +47,9 @@ metrics: enabled: false crds: true namespace: monitoring + istio: + grafana: {} + prometheus: {} logging: enabled: false
@@ -55,3 +60,5 @@ argo-cd: enabled: false crds: true namespace: argocd + istio: + enabled: false
diff --git a/scripts/update_helm.sh b/scripts/update_helm.sh
new file mode 100755
index 0000000..50abd1c 100644
--- /dev/null
+++ b/scripts/update_helm.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eux
+
+CHARTS=${1:-'.*'}
+
+SRCROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+for dir in $(find -L $SRCROOT/charts -mindepth 1 -maxdepth 1 -type d);
+do
+ name=$(basename $dir)
+ [[ $name =~ $CHARTS ]] || continue
+ if [ $(helm dep list $dir 2>/dev/null| wc -l) -gt 1 ]
+ then
+ echo "Processing chart dependencies"
+ rm -rf $dir/tmpcharts
+ helm dependency update --skip-refresh $dir
+ fi
+
+ echo "Processing $dir"
+ helm lint $dir && helm --debug package $dir
+done
-- 2.40.1
From 3497392c394fa9dd512310e9ead76b231c6bbc6f Mon Sep 17 00:00:00 2001
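Review bot: `helm lint $dir && helm --debug package $dir` silently skips packaging when lint fails, because `set -e` ignores the non-last command of an `&&` list, so a broken chart is left unpackaged while the script still exits 0; put the two commands on separate lines (`helm lint "$dir"` then `helm --debug package "$dir"`) so a lint error aborts the run. The loop header `for dir in $(find -L $SRCROOT/charts ...)` also word-splits on the unquoted `$SRCROOT` and on every path find prints, and every later `$dir` use, including `rm -rf $dir/tmpcharts`, is unquoted as well. Iterate NUL-delimited instead — `while IFS= read -r -d '' dir; do` … `done < <(find -L "$SRCROOT/charts" -mindepth 1 -maxdepth 1 -type d -print0)` — and quote `"$dir"` in the `basename`, `helm` and `rm` calls. `$CHARTS` is matched as an unanchored regex taken from the first argument, so `istio` also selects `kubezero-istio-ingress`; a comment above `CHARTS=${1:-'.*'}` stating that the filter is a regular expression matched anywhere in the chart name would make that intentional.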
From: Stefan Reimer Date: Mon, 30 Nov 2020 09:30:06 -0800 Subject: [PATCH 16/48] ArgoCd naming fixes --- .../Chart.yaml | 2 +- .../README.md | 2 +- .../README.md.gotmpl | 0 .../templates/istio-authorization-policy.yaml | 0 .../templates/istio-service.yaml | 0 .../templates/kubezero.yaml | 0 .../values.yaml | 0 charts/kubezero-cert-manager/README.md | 2 +- charts/kubezero-istio-ingress/README.md | 1 + .../kubezero-istio/remove-control-plane.yaml | 1794 ----------------- charts/kubezero-istio/upgrade_istio_18.sh | 14 + .../kubezero-local-path-provisioner/README.md | 18 +- charts/kubezero-logging/README.md | 2 +- charts/kubezero-metrics/README.md | 6 +- charts/kubezero/README.md | 25 +- .../templates/{argo-cd.yaml => argocd.yaml} | 12 +- charts/kubezero/templates/argoless.yaml | 2 +- charts/kubezero/values.yaml | 4 +- docs/Upgrade.md | 18 +- 19 files changed, 72 insertions(+), 1830 deletions(-) rename charts/{kubezero-argo-cd => kubezero-argocd}/Chart.yaml (95%) rename charts/{kubezero-argo-cd => kubezero-argocd}/README.md (99%) rename charts/{kubezero-argo-cd => kubezero-argocd}/README.md.gotmpl (100%) rename charts/{kubezero-argo-cd => kubezero-argocd}/templates/istio-authorization-policy.yaml (100%) rename charts/{kubezero-argo-cd => kubezero-argocd}/templates/istio-service.yaml (100%) rename charts/{kubezero-argo-cd => kubezero-argocd}/templates/kubezero.yaml (100%) rename charts/{kubezero-argo-cd => kubezero-argocd}/values.yaml (100%) delete mode 100644 charts/kubezero-istio/remove-control-plane.yaml create mode 100755 charts/kubezero-istio/upgrade_istio_18.sh rename charts/kubezero/templates/{argo-cd.yaml => argocd.yaml} (59%) diff --git a/charts/kubezero-argo-cd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml similarity index 95% rename from charts/kubezero-argo-cd/Chart.yaml rename to charts/kubezero-argocd/Chart.yaml index 5182dc4..52e6369 100644 --- a/charts/kubezero-argo-cd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
-name: kubezero-argo-cd
+name: kubezero-argocd version: 0.6.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
diff --git a/charts/kubezero-argo-cd/README.md b/charts/kubezero-argocd/README.md
similarity index 99%
rename from charts/kubezero-argo-cd/README.md
rename to charts/kubezero-argocd/README.md
index 41222fa..81b8cfe 100644
--- a/charts/kubezero-argo-cd/README.md
+++ b/charts/kubezero-argocd/README.md
@@ -1,4 +1,4 @@
-# kubezero-argo-cd
+# kubezero-argocd ![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square)
diff --git a/charts/kubezero-argo-cd/README.md.gotmpl b/charts/kubezero-argocd/README.md.gotmpl
similarity index 100%
rename from charts/kubezero-argo-cd/README.md.gotmpl
rename to charts/kubezero-argocd/README.md.gotmpl
diff --git a/charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml
similarity index 100%
rename from charts/kubezero-argo-cd/templates/istio-authorization-policy.yaml
rename to charts/kubezero-argocd/templates/istio-authorization-policy.yaml
diff --git a/charts/kubezero-argo-cd/templates/istio-service.yaml b/charts/kubezero-argocd/templates/istio-service.yaml
similarity index 100%
rename from charts/kubezero-argo-cd/templates/istio-service.yaml
rename to charts/kubezero-argocd/templates/istio-service.yaml
diff --git a/charts/kubezero-argo-cd/templates/kubezero.yaml b/charts/kubezero-argocd/templates/kubezero.yaml
similarity index 100%
rename from charts/kubezero-argo-cd/templates/kubezero.yaml
rename to charts/kubezero-argocd/templates/kubezero.yaml
diff --git a/charts/kubezero-argo-cd/values.yaml b/charts/kubezero-argocd/values.yaml
similarity index 100%
rename from charts/kubezero-argo-cd/values.yaml
rename to charts/kubezero-argocd/values.yaml
diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md
index c48dfa7..9a15eae 100644
--- a/charts/kubezero-cert-manager/README.md
+++ b/charts/kubezero-cert-manager/README.md
@@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------|
-| https://charts.jetstack.io | cert-manager | 1.0.4 |
+| https://charts.jetstack.io | cert-manager | 1.1.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## AWS - IAM Role
diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md
index f865751..a206288 100644
--- a/charts/kubezero-istio-ingress/README.md
+++ b/charts/kubezero-istio-ingress/README.md
@@ -28,6 +28,7 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------|
+| global.arch.amd64 | int | `2` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.hub | string | `"docker.io/istio"` | | | global.jwtPolicy | string | `"first-party-jwt"` | |
diff --git a/charts/kubezero-istio/remove-control-plane.yaml b/charts/kubezero-istio/remove-control-plane.yaml
deleted file mode 100644
index 2001a2e..0000000
--- a/charts/kubezero-istio/remove-control-plane.yaml
+++ /dev/null
@@ -1,1794 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod-service-account - namespace: istio-system - labels: - app: istiod - release: istio ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: 
["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-pilot-istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: 
ValidatingWebhookConfiguration -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio - istio: istiod -webhooks: - - name: validation.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - config.istio.io - - security.istio.io - - authentication.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: ANY # inbound, outbound, and gateway - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - 
typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" 
- patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - 
applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.http_connection_manager" - subFilter: - name: "envoy.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - 
value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.6 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.6.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.7 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - 
filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.7.*' - listener: - filterChain: - filter: - name: "envoy.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - istio.io/rev: default - release: istio -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
- meshNetworks: |- - networks: {} - - mesh: |- - defaultConfig: - discoveryAddress: istiod.istio-system.svc:15012 - proxyMetadata: - DNS_AGENT: "" - tracing: - zipkin: - address: zipkin.istio-system:9411 - disableMixerHttpReports: true - enablePrometheusMerge: true - rootNamespace: istio-system - trustDomain: cluster.local ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - istio.io/rev: default - release: istio -data: - - values: |- - { - "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, - "caAddress": "", - "centralIstiod": false, - "configValidation": true, - "controlPlaneSecurityEnabled": true, - "createRemoteSvcEndpoints": false, - "defaultNodeSelector": {}, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "enableHelmTest": false, - "enabled": true, - "hub": "docker.io/istio", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshExpansion": { - "enabled": false, - "useILB": false - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "namespace": "istio-system", - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "policyNamespace": "istio-system", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, - "image": "proxyv2", - "includeIPRanges": "*", - "logLevel": "warning", - "privileged": false, - 
"readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } - }, - "remotePilotAddress": "", - "remotePolicyAddress": "", - "remoteTelemetryAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "1.7.5", - "telemetryNamespace": "istio-system", - "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } - }, - "trustDomain": "cluster.local", - "useMCP": false - }, - "istio_cni": { - "enabled": false - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "enableNamespacesByDefault": false, - "injectLabel": "istio-injection", - "injectedAnnotations": {}, - "neverInjectSelector": [], - "objectSelector": { - "autoInject": true, - "enabled": false - }, - "rewriteAppHTTPProbe": true - } - } - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. 
- config: |- - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - injectedAnnotations: - - template: | - rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - istio-iptables - - "-p" - - 15001 - - "-z" - - "15006" - - "-u" - - 1337 - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta 
`traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- if .Values.global.proxy_init.resources }} - resources: - {{ toYaml .Values.global.proxy_init.resources | indent 4 }} - {{- else }} - resources: {} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq .Values.global.proxy.enableCoreDump true }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" .Values.global.proxy_init.image }} - image: "{{ .Values.global.proxy_init.image }}" - {{- 
else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - {{ if ne "" (index .ObjectMeta.Labels "app") -}} - - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" - {{ else -}} - - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" - {{ end -}} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.trustDomain }} - - --trust-domain={{ .Values.global.trustDomain }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .ProxyConfig.Concurrency.GetValue 0 }} - - --concurrency - - "{{ .ProxyConfig.Concurrency.GetValue }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml 
.Values.global.proxy.lifecycle | indent 4 }} - {{- else if .Values.global.proxy.holdApplicationUntilProxyStarts}} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: CANONICAL_SERVICE - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-name'] - - name: CANONICAL_REVISION - valueFrom: - fieldRef: - fieldPath: metadata.labels['service.istio.io/canonical-revision'] - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{- range $index, $container := .Spec.Containers }}{{- if ne $index 0}},{{- end}}{{ $container.Name }}{{- end}}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) 
.ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{ if .ObjectMeta.Annotations }} - - name: ISTIO_METAJSON_ANNOTATIONS - value: | - {{ toJSON .ObjectMeta.Annotations }} - {{ end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{ .DeploymentMeta.Name }} - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if .Values.global.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.trustDomain }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta 
`readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} - runAsGroup: 1337 - fsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` 
}}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 4 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{- end }} - {{- if .ProxyConfig.ProxyMetadata.ISTIO_META_DNS_CAPTURE }} - dnsConfig: - options: - - name: "ndots" - value: "4" - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 2 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.podDNSSearchNamespaces }} - dnsConfig: - searches: - {{- range .Values.global.podDNSSearchNamespaces }} - - {{ render . }} - {{- end }} - {{- end }} - podRedirectAnnot: - {{- if and (.Values.istio_cni.enabled) (not .Values.istio_cni.chained) }} - {{ if isset .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks` }} - k8s.v1.cni.cncf.io/networks: "{{ index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`}}, istio-cni" - {{- else }} - k8s.v1.cni.cncf.io/networks: "istio-cni" - {{- end }} - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 
.Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{- end }} - traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . 
}} - {{- end }} - {{- end }} ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector - - labels: - istio.io/rev: default - app: sidecar-injector - release: istio -webhooks: - - name: sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchLabels: - istio-injection: enabled ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: istiod - istio: pilot - istio.io/rev: default - release: istio - name: istiod - namespace: istio-system -spec: - selector: - matchLabels: - istio: pilot - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - labels: - app: istiod - istio: pilot - istio.io/rev: default - spec: - containers: - - args: - - discovery - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --trust-domain=cluster.local - - --keepaliveMaxServerConnectionAge - - 30m - env: - - name: REVISION - value: default - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: PILOT_TRACE_SAMPLING - value: "1" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "true" - - name: 
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "true" - - name: INJECTION_WEBHOOK_CONFIG_NAME - value: istio-sidecar-injector - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "false" - - name: CLUSTER_ID - value: Kubernetes - - name: CENTRAL_ISTIOD - value: "false" - image: docker.io/istio/pilot:1.7.5 - name: discovery - ports: - - containerPort: 8080 - - containerPort: 15010 - - containerPort: 15017 - - containerPort: 15053 - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - resources: - requests: - cpu: 500m - memory: 2048Mi - securityContext: - capabilities: - drop: - - ALL - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/run/secrets/istio-dns - name: local-certs - - mountPath: /etc/cacerts - name: cacerts - readOnly: true - - mountPath: /var/run/secrets/remote - name: istio-kubeconfig - readOnly: true - - mountPath: /var/lib/istio/inject - name: inject - readOnly: true - securityContext: - fsGroup: 1337 - serviceAccountName: istiod-service-account - volumes: - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - name: cacerts - secret: - optional: true - secretName: cacerts - - name: istio-kubeconfig - secret: - optional: true - secretName: istio-kubeconfig - - configMap: - name: istio-sidecar-injector - name: inject - - configMap: - name: istio - name: config-volume ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - 
istio: pilot ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: pilot - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio - istio.io/rev: default -spec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 ---- -apiVersion: v1 -kind: Service -metadata: - name: istiod - namespace: istio-system - labels: - istio.io/rev: default - app: istiod - istio: pilot - release: istio -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - - port: 15014 - name: http-monitoring # prometheus stats - - name: dns-tls - port: 853 - targetPort: 15053 - protocol: TCP - selector: - app: istiod - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot ---- 
diff --git a/charts/kubezero-istio/upgrade_istio_18.sh b/charts/kubezero-istio/upgrade_istio_18.sh new file mode 100755 index 0000000..038b40e --- /dev/null +++ b/charts/kubezero-istio/upgrade_istio_18.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Remove operator first +kubectl delete deployment istio-operator -n istio-operator +kubectl delete ns istio-operator + +# Remove policy +kubectl delete deployment istio-policy -n istio-system + +# Install new istio and istio-ingress chart + +# Remobe old ingress +kubectl delete deployment istio-ingressgateway -n istio-system +kubectl delete deployment istio-private-ingressgateway -n istio-system diff --git a/charts/kubezero-local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/README.md index a09236e..c69fb7f 100644 --- a/charts/kubezero-local-path-provisioner/README.md +++ b/charts/kubezero-local-path-provisioner/README.md @@ -1,8 +1,8 @@ -# kubezero-local-volume-provisioner +# kubezero-local-path-provisioner -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.4](https://img.shields.io/badge/AppVersion-2.3.4-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.18](https://img.shields.io/badge/AppVersion-0.0.18-informational?style=flat-square) -KubeZero Umbrella Chart for local-static-provisioner +KubeZero Umbrella Chart for local-path-provisioner Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. 
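Review bot: The comment `# Install new istio and istio-ingress chart` has no command under it, so running this script top to bottom deletes `istio-ingressgateway` and `istio-private-ingressgateway` in `istio-system` with nothing installed to take over ingress, and no check is made of which kube context the destructive `kubectl delete ns istio-operator` runs against. Either make that comment a real step or split the gateway deletions into a separately invoked script that the runbook calls only after the new charts are up. A cheap guard at the top of an operator-run script of this kind is `echo "Deleting Istio 1.7 resources in context $(kubectl config current-context) in 10s, Ctrl-C to abort"; sleep 10`.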
@@ -26,11 +26,13 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| local-static-provisioner.classes[0].hostDir | string | `"/mnt/disks"` | | -| local-static-provisioner.classes[0].name | string | `"local-sc-xfs"` | | -| local-static-provisioner.common.namespace | string | `"kube-system"` | | -| local-static-provisioner.daemonset.nodeSelector."node.kubernetes.io/localVolume" | string | `"present"` | | -| local-static-provisioner.prometheus.operator.enabled | bool | `false` | | +| local-path-provisioner.nodePathMap[0].node | string | `"DEFAULT_PATH_FOR_NON_LISTED_NODES"` | | +| local-path-provisioner.nodePathMap[0].paths[0] | string | `"/opt/local-path-provisioner"` | | +| local-path-provisioner.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| local-path-provisioner.storageClass.create | bool | `true` | | +| local-path-provisioner.storageClass.defaultClass | bool | `false` | | +| local-path-provisioner.tolerations[0].effect | string | `"NoSchedule"` | | +| local-path-provisioner.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | ## KubeZero default configuration diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index e83b7fc..c65a66e 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -20,7 +20,7 @@ Kubernetes: `>= 1.16.0` |------------|------|---------| | https://helm.elastic.co | eck-operator | 1.3.0 | | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 | -| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.2 | +| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.10 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index 89d5f9e..2dc4e71 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md 
@@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 11.1.1 | +| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 12.2.4 | | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | @@ -27,7 +27,7 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| | grafana.istio.enabled | bool | `false` | | -| grafana.istio.gateway | string | `"istio-system/ingressgateway"` | | +| grafana.istio.gateway | string | `"istio-ingress/ingressgateway"` | | | grafana.istio.ipBlocks | list | `[]` | | | grafana.istio.url | string | `""` | | | kube-prometheus-stack.alertmanager.enabled | bool | `false` | | @@ -109,7 +109,7 @@ Kubernetes: `>= 1.16.0` | prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | | | prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | prometheus.istio.enabled | bool | `false` | | -| prometheus.istio.gateway | string | `"istio-system/ingressgateway"` | | +| prometheus.istio.gateway | string | `"istio-ingress/ingressgateway"` | | | prometheus.istio.url | string | `""` | | # Dashboards diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index 0a6deb8..b1cf63e 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -2,7 +2,7 @@ ![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) -KubeZero ArgoCD Application - Root App of Apps chart of KubeZero +KubeZero - Bootstrap and ArgoCD Root App of Apps chart **Homepage:** 
@@ -24,27 +24,38 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| argo-cd.enabled | bool | `false` | | -| argo-cd.namespace | string | `"argocd"` | | +| HighAvailableControlplane | bool | `false` | | +| argo | object | `{}` | | +| argocd.crds | bool | `true` | | +| argocd.enabled | bool | `false` | | +| argocd.istio.enabled | bool | `false` | | +| argocd.namespace | string | `"argocd"` | | | aws-ebs-csi-driver.enabled | bool | `false` | | | aws-efs-csi-driver.enabled | bool | `false` | | +| calico.crds | bool | `true` | | | calico.enabled | bool | `false` | | | calico.retain | bool | `true` | | +| cert-manager.crds | bool | `true` | | | cert-manager.enabled | bool | `false` | | | cert-manager.namespace | string | `"cert-manager"` | | -| global.defaultDestination.server | string | `"https://kubernetes.default.svc"` | | -| global.defaultSource.pathPrefix | string | `""` | | -| global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | | -| global.defaultSource.targetRevision | string | `"HEAD"` | | +| global.kubezero.pathPrefix | string | `""` | | +| global.kubezero.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | | +| global.kubezero.server | string | `"https://kubernetes.default.svc"` | | +| global.kubezero.targetRevision | string | `"HEAD"` | | | istio-ingress.enabled | bool | `false` | | | istio-ingress.namespace | string | `"istio-ingress"` | | +| istio.crds | bool | `true` | | | istio.enabled | bool | `false` | | | istio.namespace | string | `"istio-system"` | | | kiam.enabled | bool | `false` | | +| local-path-provisioner.enabled | bool | `false` | | | local-volume-provisioner.enabled | bool | `false` | | | logging.enabled | bool | `false` | | | logging.namespace | string | `"logging"` | | +| metrics.crds | bool | `true` | | | metrics.enabled | bool | `false` | | +| metrics.istio.grafana | object | `{}` | | +| metrics.istio.prometheus | object | `{}` | | 
| metrics.namespace | string | `"monitoring"` | | ---------------------------------------------- diff --git a/charts/kubezero/templates/argo-cd.yaml b/charts/kubezero/templates/argocd.yaml similarity index 59% rename from charts/kubezero/templates/argo-cd.yaml rename to charts/kubezero/templates/argocd.yaml index ab4940b..fc82caf 100644 --- a/charts/kubezero/templates/argo-cd.yaml +++ b/charts/kubezero/templates/argocd.yaml @@ -1,4 +1,4 @@ -{{- define "argo-cd-values" }} +{{- define "argocd-values" }} argo-cd: controller: metrics: @@ -9,21 +9,21 @@ argo-cd: server: metrics: enabled: {{ .Values.metrics.enabled }} - {{- with index .Values "argo-cd" "server" }} + {{- with index .Values "argocd" "server" }} {{- toYaml . | nindent 4 }} {{- end }} - {{- with index .Values "argo-cd" "configs" }} + {{- with index .Values "argocd" "configs" }} configs: {{- toYaml . | nindent 4 }} {{- end }} -{{- if and ( index .Values "argo-cd" "istio" "enabled" ) .Values.istio.enabled }} +{{- if and ( index .Values "argocd" "istio" "enabled" ) .Values.istio.enabled }} istio: - {{- with index .Values "argo-cd" "istio" }} + {{- with index .Values "argocd" "istio" }} {{- toYaml . | nindent 2 }} {{- end }} {{- end }} -{{- with index .Values "argo-cd" "kubezero" }} +{{- with index .Values "argocd" "kubezero" }} kubezero: {{- toYaml . | nindent 2 }} {{- end }} diff --git a/charts/kubezero/templates/argoless.yaml b/charts/kubezero/templates/argoless.yaml index fd1986f..09a4ced 100644 --- a/charts/kubezero/templates/argoless.yaml +++ b/charts/kubezero/templates/argoless.yaml 
@@ -1,6 +1,6 @@ {{- if not .Values.argo }} -{{- $artifacts := list "calico" "cert-manager" "kiam" "aws-ebs-csi-driver" "aws-efs-csi-driver" "local-volume-provisioner" "local-path-provisioner" "istio" "istio-ingress" "metrics" "logging" "argo-cd" }} +{{- $artifacts := list "calico" "cert-manager" "kiam" "aws-ebs-csi-driver" "aws-efs-csi-driver" "local-volume-provisioner" "local-path-provisioner" "istio" "istio-ingress" "metrics" "logging" "argocd" }} {{- if .Values.global }} global: diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index ed6fe94..f681028 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -53,10 +53,10 @@ metrics: logging: enabled: false - crds: true + # crds: true namespace: logging -argo-cd: +argocd: enabled: false crds: true namespace: argocd diff --git a/docs/Upgrade.md b/docs/Upgrade.md index 19903a4..4b84a00 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md @@ -1,18 +1,26 @@ # Upgrade to KubeZero V2(Argoless) -- disable all auto-sync in argo !! +- disable all auto-sync in argo !! ( remove auto-sync from old values.yaml and run deploy one last time ) or disable manual via Argo UI starting with Kubezero app itself -- migrate values.yaml to new structure,adapt as needed +- uninstall argo helm chart + `helm uninstall kubezero -n argocd` +- migrate values.yaml to new structure, adapt as needed - update new central kubezero location in git and merge cluster configs +- Upgrade control plane nodes / worker nodes + +- upgrade all crds +- upgrade calico,cert-manager,kiam,csi drivers +- Istio: + ## High level / Admin changes - ArgoCD is now optional - ArgoCD is NOT required nor used during initial cluster bootstrap - the initial bootstrap script now uses the same config as ArgoCD later on - the initial bootstrap is WAY faster and re-try safe -## Individual changes +## Individual changes ### Cert-manager - local issuer is now a cluster issuer 
@@ -36,8 +44,8 @@ ### Calico - version bump -### EBS -- version bump +### EBS +- version bump ### Istio - operator removed, deployment migrated to helm, cleanups -- 2.40.1 From 8b048dd39070e1cdb18b9645a9696960c5530fdb Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 1 Dec 2020 07:46:04 -0800 Subject: [PATCH 17/48] More fixes and upgrade docs --- charts/kubezero-istio/upgrade_istio_18.sh | 14 --------- charts/kubezero/bootstrap.sh | 12 +++++--- charts/kubezero/scripts/delete_istio_17.sh | 19 ++++++++++++ charts/kubezero/scripts/patch_vs.sh | 19 ++++++++++++ charts/kubezero/scripts/remove_argo_ns.sh | 7 +++++ docs/Upgrade.md | 36 +++++++++++++++++++--- 6 files changed, 83 insertions(+), 24 deletions(-) delete mode 100755 charts/kubezero-istio/upgrade_istio_18.sh create mode 100755 charts/kubezero/scripts/delete_istio_17.sh create mode 100755 charts/kubezero/scripts/patch_vs.sh create mode 100755 charts/kubezero/scripts/remove_argo_ns.sh diff --git a/charts/kubezero-istio/upgrade_istio_18.sh b/charts/kubezero-istio/upgrade_istio_18.sh deleted file mode 100755 index 038b40e..0000000 --- a/charts/kubezero-istio/upgrade_istio_18.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -# Remove operator first -kubectl delete deployment istio-operator -n istio-operator -kubectl delete ns istio-operator - -# Remove policy -kubectl delete deployment istio-policy -n istio-system - -# Install new istio and istio-ingress chart - -# Remobe old ingress -kubectl delete deployment istio-ingressgateway -n istio-system -kubectl delete deployment istio-private-ingressgateway -n istio-system diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index 3b50a62..ab748e0 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -2,7 +2,7 @@ set -ex ACTION=$1 -ARTIFACTS=("$2") +ARTIFACTS=($(echo $2 | tr "," "\n")) CLUSTER=$3 LOCATION=${4:-""} 
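Review bot: `ARTIFACTS=($(echo $2 | tr "," "\n"))` leaves both `$2` and the command substitution unquoted, so the list goes through pathname expansion and IFS word-splitting — an artifact argument containing `*` or whitespace expands against the current directory or splits into extra entries. `IFS=',' read -r -a ARTIFACTS <<< "$2"` splits on commas only, needs no subshell, `echo` or `tr`, and still yields an empty array when `$2` is empty. The comma-separated form is shown only in docs/Upgrade.md further down this series; I see no usage text in the hunk, so a one-line comment on the assignment, `# comma-separated list of artifacts, or "all"`, would document the accepted input where it is parsed.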
@@ -99,10 +99,9 @@ function _helm() { if [ $action == "crds" ]; then _crds - else - + elif [ $action == "apply" ]; then # namespace must exist prior to apply - [ $action == "apply" ] && create_ns $namespace + create_ns $namespace # Optional pre hook declare -F ${release}-pre && ${release}-pre @@ -112,8 +111,11 @@ function _helm() { # Optional post hook declare -F ${release}-post && ${release}-post + elif [ $action == "delete" ]; then + apply + # Delete dedicated namespace if not kube-system - [ $action == "delete" ] && delete_ns $namespace + delete_ns $namespace fi return 0 diff --git a/charts/kubezero/scripts/delete_istio_17.sh b/charts/kubezero/scripts/delete_istio_17.sh new file mode 100755 index 0000000..6ea378a --- /dev/null +++ b/charts/kubezero/scripts/delete_istio_17.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# Istio operator resources first +kubectl delete Istiooperators kubezero-istio -n istio-system +kubectl delete Istiooperators kubezero-istio-private-ingress -n istio-system + +# Istio operator itself +kubectl delete deployment istio-operator -n istio-operator +kubectl delete ns istio-operator + +# Remove policy pod +kubectl delete deployment istio-policy -n istio-system + +# Remove old gateways +kubectl delete gateways ingressgateway -n istio-system +kubectl delete gateways private-ingressgateway -n istio-system + +# Remove old shared public cert +kubectl delete certificate public-ingress-cert -n istio-system diff --git a/charts/kubezero/scripts/patch_vs.sh b/charts/kubezero/scripts/patch_vs.sh new file mode 100755 index 0000000..97b67f4 --- /dev/null +++ b/charts/kubezero/scripts/patch_vs.sh 
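Review bot: The IstioOperator CRs are deleted and then, with no wait in between, the operator deployment and namespace that reconcile those deletions; if the CRs carry the operator's finalizer (as I recall Istio 1.7 sets one so the operator can tear down managed resources on delete), removing the operator first leaves the CRs stuck in deletion and the old control plane partially in place. Insert `kubectl wait --for=delete istiooperators/kubezero-istio -n istio-system --timeout=300s` (and the same for `kubezero-istio-private-ingress`) before the `istio-operator` deletions. Separately, `kubectl delete certificate public-ingress-cert -n istio-system` removes the Certificate but, as far as this hunk shows, not the TLS Secret it issued — say in a comment whether leaving the secret behind is intended, or delete it too.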
@@ -0,0 +1,19 @@
+#!/bin/bash -x
+
+# Get all public vs
+for vs in $(kubectl get vs -A | grep "istio-system/ingressgateway" | awk '{print $1 ":" $2}'); do
+ ns=${vs%%:*}
+ name=${vs##*:}
+
+ kubectl patch virtualservice $name -n $ns --type=json \
+ -p='[{"op": "replace", "path": "/spec/gateways/0", "value":"istio-ingress/ingressgateway"}]'
+done
+
+# Get all private vs
+for vs in $(kubectl get vs -A | grep "istio-system/private-ingressgateway" | awk '{print $1 ":" $2}'); do
+ ns=${vs%%:*}
+ name=${vs##*:}
+
+ kubectl patch virtualservice $name -n $ns --type=json \
+ -p='[{"op": "replace", "path": "/spec/gateways/0", "value":"istio-ingress/private-ingressgateway"}]'
+done
diff --git a/charts/kubezero/scripts/remove_argo_ns.sh b/charts/kubezero/scripts/remove_argo_ns.sh
new file mode 100755
index 0000000..4b97297
--- /dev/null
+++ b/charts/kubezero/scripts/remove_argo_ns.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+ns=$(kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}')
+
+for n in $ns; do
+ kubectl label --overwrite namespace $n 'argocd.argoproj.io/instance-'
+done
diff --git a/docs/Upgrade.md b/docs/Upgrade.md
index 4b84a00..3fd65a1 100644
--- a/docs/Upgrade.md
+++ b/docs/Upgrade.md
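Review bot: The patch replaces `/spec/gateways/0` unconditionally, but the `grep` only proves the old gateway appears somewhere in the VirtualService's gateway list, so a VirtualService with `gateways: [mesh, istio-system/ingressgateway]` gets `mesh` overwritten and keeps pointing at the gateway that delete_istio_17.sh removes. Matching on the table output of `kubectl get vs -A` is also fragile (column order, header row, truncation) and `$name`/`$ns` are unquoted. Selecting with `-o json` and patching the index at which the old reference actually sits fixes both, at the cost of a `jq` dependency that I do not see the repository's scripts using yet. Note too that `-x` in the shebang is lost when the script is run as `bash patch_vs.sh`; `set -x` on the first line is the reliable form.

```shell
#!/bin/bash
set -x

# Move every VirtualService gateway reference from istio-system to istio-ingress,
# patching the list element that actually holds the old reference.
for gw in ingressgateway private-ingressgateway; do
  kubectl get vs -A -o json \
    | jq -r --arg old "istio-system/$gw" \
        '.items[] | (.spec.gateways // []) as $g | ($g | index($old)) as $i
         | select($i != null) | "\(.metadata.namespace) \(.metadata.name) \($i)"' \
    | while read -r ns name idx; do
        kubectl patch virtualservice "$name" -n "$ns" --type=json \
          -p="[{\"op\": \"replace\", \"path\": \"/spec/gateways/$idx\", \"value\": \"istio-ingress/$gw\"}]"
      done
done
```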
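Review bot: `kubectl get ns -l argocd.argoproj.io/instance | grep -v NAME | awk '{print $1}'` parses table output to recover names kubectl can emit directly; `ns=$(kubectl get ns -l argocd.argoproj.io/instance -o jsonpath='{.items[*].metadata.name}')` gives the same space-separated list without the header filter, and `"$n"` should be quoted in the `kubectl label` call. Since stripping this label is what keeps the namespaces from being pruned once ArgoCD is reinstalled (per the docs/Upgrade.md change in this patch), a header comment such as `# Strip the ArgoCD instance label so a later ArgoCD prune does not delete these namespaces` would spare the next reader a trip to the docs.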
@@ -1,18 +1,44 @@ # Upgrade to KubeZero V2(Argoless) -- disable all auto-sync in argo !! ( remove auto-sync from old values.yaml and run deploy one last time ) or disable manual via Argo UI starting with Kubezero app itself +## ArgoCD prep +- disable all auto-sync and "prune" feature to prevent that namespaces defined in previous apps get removed + - either remove auto-sync from old values.yaml and run deploy one last time, trigger kubezero sync ! + - or disable manual via Argo UI starting with Kubezero app itself - uninstall argo helm chart `helm uninstall kubezero -n argocd` +- remove all "argocd.argoproj.io/instance" labels from namespaces to prevent namespace removal later on + `scripts/remove_argo_ns.sh` - migrate values.yaml to new structure, adapt as needed -- update new central kubezero location in git and merge cluster configs + & update new central kubezero location in git and merge cluster configs - Upgrade control plane nodes / worker nodes - upgrade all crds -- upgrade calico,cert-manager,kiam,csi drivers -- Istio: + `./bootstrap.sh crds all clusters/$CLUSTER ../../../kubezero/charts` + +- upgrade base artifacts + `./bootstrap.sh deploy calico,cert-manager,kiam,aws-ebs-csi-driver,aws-efs-csi-driver clusters/$CLUSTER ../../../kubezero/charts` + +- Istio, due to changes of the ingress namespace we need brief downtime +DOWNTIME STARTS ! + - delete istio operators, to remove all pieces, remove operator itself + `./scripts/delete_istio_17.sh` + - deploy istio and istio-ingress via bootstrap.sh + `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` + - patch all VirtualServices via script to new namespace + `./scripts/patch_vs.sh` +DOWNTIME ENDS ! + +- upgrade all artifacts + `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` + +- push kubezero cluster config +- verify argocd incl. kubezero app +- verify all argo apps +- verify all the things + ## High level / Admin changes - ArgoCD is now optional 
@@ -50,6 +76,6 @@ ### Istio - operator removed, deployment migrated to helm, cleanups - version bump to 1.8 -- no more policy by default +- no more policy pod by default - all ingress in dedicated new namespace istio-ingress as well as dedicated helm chart - set priorty class -- 2.40.1 From 3450f45bf7c3daea9e56e1d4a5f7410d8d956c1e Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 1 Dec 2020 07:56:22 -0800 Subject: [PATCH 18/48] docs updates --- docs/Upgrade.md | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/docs/Upgrade.md b/docs/Upgrade.md index 3fd65a1..7e5ab5c 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md 
@@ -1,45 +1,62 @@ # Upgrade to KubeZero V2(Argoless) -## ArgoCD prep -- disable all auto-sync and "prune" feature to prevent that namespaces defined in previous apps get removed +## (optional) Upgrade control plane nodes / worker nodes +- Set kube version in the controller config to eg. `1.18` +- Update kube-controller and worker stacks with latest CFN code + +- terminate controller node(s) +- once all controller nodes successfully upgraded replace worker nodes in a rolling fashion via. drain / terminate / rinse-repeat + +## ArgoCD +- disable all auto-sync and "prune" features to prevent that eg. namespaces from previous apps get removed - either remove auto-sync from old values.yaml and run deploy one last time, trigger kubezero sync ! - or disable manual via Argo UI starting with Kubezero app itself -- uninstall argo helm chart - `helm uninstall kubezero -n argocd` -- remove all "argocd.argoproj.io/instance" labels from namespaces to prevent namespace removal later on - `scripts/remove_argo_ns.sh` +- uninstall argo helm chart: +`helm uninstall kubezero -n argocd` +- remove all "argocd.argoproj.io/instance" labels from namespaces to prevent namespace removal later on: + `./scripts/remove_argo_ns.sh` + +## KubeZero - Part 1 - migrate values.yaml to new structure, adapt as needed & update new central kubezero location in git and merge cluster configs -- Upgrade control plane nodes / worker nodes - -- upgrade all crds +- upgrade all CRDs: `./bootstrap.sh crds all clusters/$CLUSTER ../../../kubezero/charts` -- upgrade base artifacts +- upgrade first components: `./bootstrap.sh deploy calico,cert-manager,kiam,aws-ebs-csi-driver,aws-efs-csi-driver clusters/$CLUSTER ../../../kubezero/charts` +## Istio - Brief DOWNTIME STARTS ! - Istio, due to changes of the ingress namespace we need brief downtime -DOWNTIME STARTS ! 
+ - delete istio operators, to remove all pieces, remove operator itself `./scripts/delete_istio_17.sh` - deploy istio and istio-ingress via bootstrap.sh `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` - patch all VirtualServices via script to new namespace `./scripts/patch_vs.sh` -DOWNTIME ENDS ! -- upgrade all artifacts +!! DOWNTIME ENDS !! + +## KubeZero - Part 2 + +- push kubezero & cluster config to git + +- upgrade all remaining components and install new ArgoCD: `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` -- push kubezero cluster config +## Verification / Tests - verify argocd incl. kubezero app -- verify all argo apps +- verify all argo apps status + - verify all the things + +# Changelog + ## High level / Admin changes - ArgoCD is now optional - ArgoCD is NOT required nor used during initial cluster bootstrap -- 2.40.1 From 71c1bb1ec75b29d40cbd250d07144f14e1c61df3 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 1 Dec 2020 08:08:32 -0800 Subject: [PATCH 19/48] docs updates --- docs/Upgrade.md | 45 +++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/docs/Upgrade.md b/docs/Upgrade.md index 7e5ab5c..74cb5d6 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md @@ -34,7 +34,7 @@ - delete istio operators, to remove all pieces, remove operator itself `./scripts/delete_istio_17.sh` - deploy istio and istio-ingress via bootstrap.sh - `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` + `./bootstrap.sh deploy istio,istio-ingress clusters/$CLUSTER ../../../kubezero/charts` - patch all VirtualServices via script to new namespace `./scripts/patch_vs.sh` 
@@ -58,20 +58,33 @@ # Changelog ## High level / Admin changes -- ArgoCD is now optional -- ArgoCD is NOT required nor used during initial cluster bootstrap -- the initial bootstrap script now uses the same config as ArgoCD later on -- the initial bootstrap is WAY faster and re-try safe +- ArgoCD is now optional and NOT required nor used during initial cluster bootstrap +- the bootstrap process now uses the same config and templates as the optional ArgoCD applications later on +- the bootstrap is can now be restarted at any time and considerably faster +- the top level KubeZero config for the ArgoCD app-of-apps is now also maintained via the gitops workflow. Changes can be applied by a simple git push rather than manual scripts ## Individual changes +### Calico +- version bump + ### Cert-manager -- local issuer is now a cluster issuer -- all resources moved to cert-manager namespace +- local issuers are now cluster issuer to allow them being used across namespaces +- all cert-manager resources moved into the cert-manager namespace +- version bump to 1.10 ### Kiam -- check certs and function due to cert-manager changes -- set priorty class +- set priorty class to cluster essential +- certificates are now issued by the cluster issuer + +### EBS / EFS +- version bump + +### Istio +- istio operator removed, deployment migrated to helm, various cleanups +- version bump to 1.8 +- all ingress resources are now in the dedicated new namespace istio-ingress ( deployed via separate kubezero chart istio-ingress) +- set priorty class of ingress components to cluster essential ### Logging - ES/Kibana version bump, new ECK operator 
@@ -80,19 +93,7 @@ - version bump, new app of app architecure ### Metrics -- version bumps -- all servicemonitor resources are now in the same namespaces as the apps -- check all metrics still work - -### Calico - version bump +- all servicemonitor resources are now in the same namespaces as the respective apps to avoid namespace spanning deployments -### EBS -- version bump -### Istio -- operator removed, deployment migrated to helm, cleanups -- version bump to 1.8 -- no more policy pod by default -- all ingress in dedicated new namespace istio-ingress as well as dedicated helm chart -- set priorty class -- 2.40.1 From d6307150b6f3e8b723b1229f8745c5713470b05e Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Tue, 1 Dec 2020 08:27:06 -0800 Subject: [PATCH 20/48] docs updates --- docs/Upgrade.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/Upgrade.md b/docs/Upgrade.md index 74cb5d6..dd07b14 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md @@ -28,8 +28,8 @@ - upgrade first components: `./bootstrap.sh deploy calico,cert-manager,kiam,aws-ebs-csi-driver,aws-efs-csi-driver clusters/$CLUSTER ../../../kubezero/charts` -## Istio - Brief DOWNTIME STARTS ! -- Istio, due to changes of the ingress namespace we need brief downtime +## Istio +Due to changes of the ingress namespace resource the upgrade will cause a brief (~3-5 min) ingress service interruption ! - delete istio operators, to remove all pieces, remove operator itself `./scripts/delete_istio_17.sh` @@ -38,7 +38,7 @@ - patch all VirtualServices via script to new namespace `./scripts/patch_vs.sh` -!! DOWNTIME ENDS !! +Ingress service interruption ends. ## KubeZero - Part 2 -- 2.40.1 From 1ac2eddcea0fd6bd314b925f087caa3f5d511cf7 Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Wed, 2 Dec 2020 03:53:19 -0800 Subject: [PATCH 21/48] Add alertmanager istio config for metrics, metrics values reorg --- charts/kubezero-metrics/Chart.yaml | 4 +- .../templates/istio-authorization-policy.yaml | 41 ++++--------------- .../templates/istio-service.yaml | 36 +++++----------- charts/kubezero-metrics/values.yaml | 34 +++++++++------ charts/kubezero/templates/metrics.yaml | 16 ++------ docs/Upgrade.md | 3 ++ 6 files changed, 47 insertions(+), 87 deletions(-) diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index d120307..89174c5 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-metrics description: KubeZero Umbrella Chart for prometheus-operator type: application -version: 0.3.0 +version: 0.3.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: kube-prometheus-stack - version: 12.2.4 + version: 12.3.0 repository: https://prometheus-community.github.io/helm-charts - name: prometheus-adapter version: 2.7.1 diff --git a/charts/kubezero-metrics/templates/istio-authorization-policy.yaml b/charts/kubezero-metrics/templates/istio-authorization-policy.yaml index e049957..3c904c2 100644 --- a/charts/kubezero-metrics/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-metrics/templates/istio-authorization-policy.yaml 
@@ -1,12 +1,13 @@ -{{- if .Values.grafana.istio.enabled }} -{{- if .Values.grafana.istio.ipBlocks }} +{{- range $name, $service := .Values.istio }} + +{{- if and $service.enabled $service.ipBlocks }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: grafana-deny-not-in-ipblocks + name: {{ $name }}-deny-not-in-ipblocks namespace: istio-system labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: selector: matchLabels: @@ -16,38 +17,10 @@ spec: - from: - source: notIpBlocks: - {{- with .Values.grafana.istio.ipBlocks }} - {{- . | toYaml | nindent 8 }} - {{- end }} + {{- toYaml $service.ipBlocks | nindent 8 }} to: - operation: - hosts: ["{{ .Values.grafana.istio.url }}"] -{{- end }} -{{- end }} -{{- if .Values.prometheus.istio.enabled }} -{{- if .Values.prometheus.istio.ipBlocks }} + hosts: ["{{ $service.url }}"] --- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: prometheus-deny-not-in-ipblocks - namespace: istio-system - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - selector: - matchLabels: - app: istio-ingressgateway - action: DENY - rules: - - from: - - source: - notIpBlocks: - {{- with .Values.prometheus.istio.ipBlocks }} - {{- . | toYaml | nindent 8 }} - {{- end }} - to: - - operation: - hosts: ["{{ .Values.prometheus.istio.url }}"] {{- end }} {{- end }} diff --git a/charts/kubezero-metrics/templates/istio-service.yaml b/charts/kubezero-metrics/templates/istio-service.yaml index 09c75fa..1aa937d 100644 --- a/charts/kubezero-metrics/templates/istio-service.yaml +++ b/charts/kubezero-metrics/templates/istio-service.yaml 
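Review bot: `notIpBlocks` is evaluated on the IP of the connection's immediate peer, so where the `istio-ingressgateway` sits behind a cloud load balancer that terminates or forwards connections (the AWS setup this repository appears to target), the peer is the load balancer and the DENY never matches real client addresses — the `ipBlocks` list would then be ineffective while the policy looks enforced. Istio 1.8, which this series upgrades to, adds (as I recall) `remoteIpBlocks`/`notRemoteIpBlocks`, evaluated on the client address recovered from PROXY protocol or `X-Forwarded-For` under the gateway's trusted-proxy setting; changing the line to `notRemoteIpBlocks:` and configuring `numTrustedProxies` on the gateway is what makes the allowlist bite. Also worth a values comment: with `ipBlocks: []` no policy is rendered, so an enabled service is reachable from any source — state that this is intentional, e.g. `# empty ipBlocks = no source-IP restriction`.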
@@ -1,37 +1,23 @@ -{{- if .Values.grafana.istio.enabled }} +{{- range $name, $service := .Values.istio }} + +{{- if $service.enabled }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: grafana - namespace: {{ .Release.Namespace }} + name: {{ $name }} + namespace: {{ $.Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: hosts: - - {{ .Values.grafana.istio.url }} + - {{ index $service.url }} gateways: - - {{ .Values.grafana.istio.gateway }} + - {{ index $service.gateway }} http: - route: - destination: - host: metrics-grafana -{{- end }} -{{- if .Values.prometheus.istio.enabled }} + host: metrics-{{- $name }} --- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: prometheus - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - hosts: - - {{ .Values.prometheus.istio.url }} - gateways: - - {{ .Values.prometheus.istio.gateway }} - http: - - route: - - destination: - host: metrics-kube-prometheus-st-prometheus +{{- end }} + {{- end }} diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index a7e1a37..320462d 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -1,16 +1,3 @@ -grafana: - istio: - enabled: false - ipBlocks: [] - url: "" - gateway: istio-ingress/ingressgateway - -prometheus: - istio: - enabled: false - url: "" - gateway: istio-ingress/ingressgateway - kube-prometheus-stack: defaultRules: create: true @@ -144,6 +131,8 @@ kube-prometheus-stack: # Todo alertmanager: enabled: false + alertmanagerSpec: + logFormat: json # Metrics adapter prometheus-adapter: 
@@ -185,3 +174,22 @@ prometheus-adapter: resource: pod containerLabel: container window: 3m + +istio: + grafana: + enabled: false + ipBlocks: [] + url: "" + gateway: istio-ingress/ingressgateway + + prometheus: + enabled: false + ipBlocks: [] + url: "" + gateway: istio-ingress/ingressgateway + + alertmanager: + enabled: false + ipBlocks: [] + url: "" + gateway: istio-ingress/ingressgateway diff --git a/charts/kubezero/templates/metrics.yaml b/charts/kubezero/templates/metrics.yaml index 3d7309a..6c09bf7 100644 --- a/charts/kubezero/templates/metrics.yaml +++ b/charts/kubezero/templates/metrics.yaml @@ -1,18 +1,8 @@ {{- define "metrics-values" }} -{{- if .Values.metrics.istio.grafana.enabled }} -grafana: - istio: - {{- with .Values.metrics.istio.grafana }} - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} -{{- if .Values.metrics.istio.prometheus.enabled }} -prometheus: - istio: - {{- with .Values.metrics.istio.prometheus }} - {{- toYaml . | nindent 4 }} - {{- end }} +{{- with .Values.metrics.istio }} +istio: + {{- toYaml . | nindent 2 }} {{- end }} {{- if index .Values "metrics" "kube-prometheus-stack" }} kube-prometheus-stack: diff --git a/docs/Upgrade.md b/docs/Upgrade.md index dd07b14..7f0f645 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md @@ -57,6 +57,9 @@ Ingress service interruption ends. # Changelog +## Kubernetes 1.18 +https://sysdig.com/blog/whats-new-kubernetes-1-18/ + ## High level / Admin changes - ArgoCD is now optional and NOT required nor used during initial cluster bootstrap - the bootstrap process now uses the same config and templates as the optional ArgoCD applications later on -- 2.40.1 From 1715ba00d459f8137cb61eef34d86fa8826a01c8 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Wed, 2 Dec 2020 04:30:17 -0800 Subject: [PATCH 22/48] Fix service names in metrics --- charts/kubezero-metrics/templates/istio-service.yaml | 6 +++--- charts/kubezero-metrics/values.yaml | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) 
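Review bot: The new `istio.grafana`/`istio.prometheus`/`istio.alertmanager` defaults give no indication that `ipBlocks: []` means "no restriction": the AuthorizationPolicy template in this commit only renders a DENY rule when the list is non-empty, and Prometheus and Alertmanager carry no authentication of their own, so flipping `enabled: true` with the default list publishes them to everything that can reach the gateway. A comment on the block would make that explicit before someone relies on it: `# ipBlocks: source CIDRs allowed to reach this service through the gateway.` / `# An empty list renders NO AuthorizationPolicy, i.e. unrestricted access -` / `# note that Prometheus and Alertmanager have no built-in authentication.` The `kubezero/templates/metrics.yaml` change in the same commit forwards this block unchanged, so the comment belongs here at the source of the defaults.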
diff --git a/charts/kubezero-metrics/templates/istio-service.yaml b/charts/kubezero-metrics/templates/istio-service.yaml index 1aa937d..a6cea88 100644 --- a/charts/kubezero-metrics/templates/istio-service.yaml +++ b/charts/kubezero-metrics/templates/istio-service.yaml @@ -10,13 +10,13 @@ metadata: {{ include "kubezero-lib.labels" $ | indent 4 }} spec: hosts: - - {{ index $service.url }} + - {{ $service.url }} gateways: - - {{ index $service.gateway }} + - {{ $service.gateway }} http: - route: - destination: - host: metrics-{{- $name }} + host: {{ $service.destination }} --- {{- end }} diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index 320462d..0d61809 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -181,15 +181,18 @@ istio: ipBlocks: [] url: "" gateway: istio-ingress/ingressgateway + destination: metrics-grafana prometheus: enabled: false ipBlocks: [] url: "" gateway: istio-ingress/ingressgateway + destination: metrics-kube-prometheus-st-prometheus alertmanager: enabled: false ipBlocks: [] url: "" gateway: istio-ingress/ingressgateway + destination: metrics-kube-prometheus-st-alertmanager -- 2.40.1 From f973a4e23c82e274c7f26167af21cd78e9a9b39c Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Wed, 2 Dec 2020 06:24:07 -0800 Subject: [PATCH 23/48] Switch all metrics logs to json --- charts/kubezero-metrics/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index 0d61809..8e759ff 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -46,6 +46,7 @@ kube-prometheus-stack: prometheusOperator: enabled: true + logFormat: json # Run on controller nodes tolerations: @@ -85,6 +86,7 @@ kube-prometheus-stack: prometheusSpec: retention: 8d portName: http-prometheus + logFormat: json resources: requests: -- 2.40.1 
From 0d2206e9952e8931fed395464eaf401e1d042bfc Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Wed, 2 Dec 2020 07:23:17 -0800 Subject: [PATCH 24/48] Minor version bump for redis, added redis-cluster support --- charts/kubezero-redis/Chart.yaml | 10 ++++++++-- charts/kubezero-redis/values.yaml | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/charts/kubezero-redis/Chart.yaml b/charts/kubezero-redis/Chart.yaml index d538fcb..d6d0496 100644 --- a/charts/kubezero-redis/Chart.yaml +++ b/charts/kubezero-redis/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-redis description: KubeZero Umbrella Chart for Redis HA type: application -version: 0.1.0 +version: 0.2.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,12 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: redis - version: 12.0.0 + version: 12.1.1 repository: https://charts.bitnami.com/bitnami + condition: redis.enabled + - name: redis-cluster + version: 4.1.0 + repository: https://charts.bitnami.com/bitnami + condition: redis-cluster.enabled + kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-redis/values.yaml b/charts/kubezero-redis/values.yaml index 1c1319e..a68d9a8 100644 --- a/charts/kubezero-redis/values.yaml +++ b/charts/kubezero-redis/values.yaml @@ -1,4 +1,6 @@ redis: + enabled: false + redisPort: 6379 cluster: @@ -23,5 +25,25 @@ redis: # extraArgs: # redis.addr: "redis://localhost:6379" + +redis-cluster: + enabled: false + + usePassword: false + + cluster: + nodes: 2 + replicas: 1 + + metrics: + enabled: false + serviceMonitor: + enabled: false + selector: + release: metrics + + persistence: + enabled: false + istio: enabled: false -- 2.40.1 From b4519fe0555343e3a010b65f47a6e0db5b88953e Mon Sep 17 00:00:00 2001 
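Review bot: `usePassword: false` in the new `redis-cluster` block ships the cluster with no authentication, and since `istio.enabled` in the same file also defaults to `false` there is no mesh-level AuthorizationPolicy to compensate, so any workload that can reach the service on 6379 gets unrestricted read/write access plus administrative commands. Even if consumers are expected to turn auth on themselves, the default should not be the insecure one; the Bitnami chart takes the password from a secret, so `usePassword: true` with `existingSecret: <secret-name>` (or, if auth is intentionally off, a comment saying so and naming the network control that replaces it) would make the decision explicit rather than implicit. One hedged side note: Redis Cluster requires at least three master nodes, so `nodes: 2` / `replicas: 1` presumably does not form a working cluster and looks like a placeholder worth confirming.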
From: Stefan Reimer Date: Thu, 3 Dec 2020 02:04:08 -0800 Subject: [PATCH 25/48] Add helm version check to bootstrap.sh --- charts/kubezero/bootstrap.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index ab748e0..c96c708 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -10,6 +10,9 @@ API_VERSIONS="-a monitoring.coreos.com/v1" DEPLOY_DIR=$( dirname $( realpath $0 )) which yq || { echo "yq not found!"; exit 1; } +which helm || { echo "helm not found!"; exit 1; } +helm_version=$(helm version --short) +echo $helm_version | grep -qe "^v3.[3-9]" || { echo "Helm version >= 3.3 required!"; exit 1; } TMPDIR=$(mktemp -d kubezero.XXX) -- 2.40.1 From ed72dd796b4ae5a08b65a002ea0a13e388dff49b Mon Sep 17 00:00:00 2001 
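Review bot: The version gate `grep -qe "^v3.[3-9]"` on the new side rejects Helm 3.10 and later, because `[3-9]` consumes a single digit and `v3.1` from `v3.10.x` fails the class, so the script will stop working on the first minor release past 3.9; the unescaped `.` also matches any character rather than a literal dot. Comparing the minor version numerically avoids both: `[[ "$helm_version" =~ ^v3\.([0-9]+) ]] && (( BASH_REMATCH[1] >= 3 )) || { echo "Helm version >= 3.3 required!"; exit 1; }`, which also removes the unquoted `echo $helm_version` pipe. The preceding `which helm` check would be more portable as `command -v helm >/dev/null`, matching the existing `yq` check if that one is changed too. Whether the script runs under `set -e` is outside the hunk; the `||` list works either way.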
From: Stefan Reimer Date: Fri, 4 Dec 2020 06:05:35 -0800 Subject: [PATCH 26/48] ECK fixes for Kube 1.18, Redis cluster support incl. Enyoy proxy --- .../charts/istio-ingress/README.md | 112 --------------- .../charts/istio-private-ingress/README.md | 112 --------------- charts/kubezero-istio/charts/base/README.md | 23 --- .../charts/istio-discovery/README.md | 133 ------------------ charts/kubezero-logging/README.md | 2 +- .../templates/eck/elasticsearch.yaml | 3 + charts/kubezero-logging/values.yaml | 2 +- charts/kubezero-metrics/README.md | 29 ++-- charts/kubezero-redis/README.md | 15 +- .../envoyfilter-custom-redis-cluster.yaml | 36 +++++ .../templates/envoyfilter-redis-proxy.yaml | 35 +++++ .../templates/istio-authorization-policy.yaml | 2 +- charts/kubezero-redis/values.yaml | 1 + charts/kubezero/README.md | 1 + charts/kubezero/bootstrap.sh | 11 +- charts/kubezero/scripts/remove_old_eck.sh | 25 ++++ charts/kubezero/values.yaml | 2 +- 17 files changed, 148 insertions(+), 396 deletions(-) delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/README.md delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md delete mode 100644 charts/kubezero-istio/charts/base/README.md delete mode 100644 charts/kubezero-istio/charts/istio-discovery/README.md create mode 100644 charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml create mode 100644 charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml create mode 100755 charts/kubezero/scripts/remove_old_eck.sh diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-ingress/README.md deleted file mode 100644 index 708ce7b..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# istio-ingress - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio gateways - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| gateways.istio-ingressgateway.additionalContainers | list | `[]` | | -| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | | -| gateways.istio-ingressgateway.autoscaleMax | int | `5` | | -| gateways.istio-ingressgateway.autoscaleMin | int | `1` | | -| gateways.istio-ingressgateway.configVolumes | list | `[]` | | -| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | | -| gateways.istio-ingressgateway.customService | bool | `false` | | -| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | | -| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | | -| gateways.istio-ingressgateway.ingressPorts | list | `[]` | | -| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | | -| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | | -| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | | -| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.nodeSelector | object | `{}` | | -| gateways.istio-ingressgateway.podAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.ports[0].name | string | 
`"status-port"` | | -| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | -| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | -| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | -| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | -| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | -| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | -| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | -| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | -| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | -| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | -| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | -| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.tolerations | list | `[]` | | -| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | -| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | -| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | -| global.arch.amd64 | int | `2` | | -| global.arch.ppc64le | int | `2` | | -| global.arch.s390x | int | `2` | | -| global.caAddress | string | `""` | | -| global.defaultConfigVisibilitySettings | list | `[]` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.defaultTolerations | list | `[]` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshExpansion.enabled | bool | `false` | | -| global.meshExpansion.useILB | bool | `false` | | -| global.meshID | string | `""` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.multiCluster.globalDomainSuffix | string | `"global"` | | -| global.multiCluster.includeEnvoyFilter | bool | `true` | | -| global.network | string | `""` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| 
global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| meshConfig.defaultConfig.proxyMetadata | object | `{}` | | -| meshConfig.defaultConfig.tracing | string | `nil` | | -| meshConfig.enablePrometheusMerge | bool | `true` | | -| ownerName | string | `""` | | -| revision | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md deleted file mode 100644 index 708ce7b..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# istio-ingress - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio gateways - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| gateways.istio-ingressgateway.additionalContainers | list | `[]` | | -| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | | -| gateways.istio-ingressgateway.autoscaleMax | int | `5` | | -| gateways.istio-ingressgateway.autoscaleMin | int | `1` | | -| gateways.istio-ingressgateway.configVolumes | list | `[]` | | -| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | | -| gateways.istio-ingressgateway.customService | bool | `false` | | -| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | | -| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | | -| gateways.istio-ingressgateway.ingressPorts | list | `[]` | | -| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | | -| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | | -| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | | -| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.nodeSelector | object | `{}` | | -| gateways.istio-ingressgateway.podAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.ports[0].name | string | 
`"status-port"` | | -| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | -| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | -| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | -| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | -| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | -| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | -| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | -| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | -| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | -| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | -| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | -| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.tolerations | list | `[]` | | -| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | -| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | -| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | -| global.arch.amd64 | int | `2` | | -| global.arch.ppc64le | int | `2` | | -| global.arch.s390x | int | `2` | | -| global.caAddress | string | `""` | | -| global.defaultConfigVisibilitySettings | list | `[]` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.defaultTolerations | list | `[]` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshExpansion.enabled | bool | `false` | | -| global.meshExpansion.useILB | bool | `false` | | -| global.meshID | string | `""` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.multiCluster.globalDomainSuffix | string | `"global"` | | -| global.multiCluster.includeEnvoyFilter | bool | `true` | | -| global.network | string | `""` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| 
global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| meshConfig.defaultConfig.proxyMetadata | object | `{}` | | -| meshConfig.defaultConfig.tracing | string | `nil` | | -| meshConfig.enablePrometheusMerge | bool | `true` | | -| ownerName | string | `""` | | -| revision | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio/charts/base/README.md b/charts/kubezero-istio/charts/base/README.md deleted file mode 100644 index 5fd1ccf..0000000 --- a/charts/kubezero-istio/charts/base/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# base - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio cluster resources and CRDs - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| base.enableCRDTemplates | bool | `false` | | -| base.validationURL | string | `""` | | -| global.configValidation | bool | `true` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.istiod.enableAnalysis | bool | `false` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio/charts/istio-discovery/README.md b/charts/kubezero-istio/charts/istio-discovery/README.md deleted file mode 100644 index 5d91ddb..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# istio-discovery - -![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) - -Helm chart for istio control plane - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| global.caAddress | string | `""` | | -| global.centralIstiod | bool | `false` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.externalIstiod | bool | `false` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.istiod.enableAnalysis | bool | `false` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshID | string | `""` | | -| global.meshNetworks | object | `{}` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.network | string | `""` | | -| global.omitSidecarInjectorConfigMap | bool | `false` | | -| global.oneNamespace | bool | `false` | | -| global.operatorManageWebhooks | bool | `false` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.autoInject | string | `"enabled"` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.excludeIPRanges | string | `""` | | -| global.proxy.excludeInboundPorts | string | `""` | | -| global.proxy.excludeOutboundPorts | string | `""` | | -| 
global.proxy.holdApplicationUntilProxyStarts | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.includeIPRanges | string | `"*"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.proxy.privileged | bool | `false` | | -| global.proxy.readinessFailureThreshold | int | `30` | | -| global.proxy.readinessInitialDelaySeconds | int | `1` | | -| global.proxy.readinessPeriodSeconds | int | `2` | | -| global.proxy.resources.limits.cpu | string | `"2000m"` | | -| global.proxy.resources.limits.memory | string | `"1024Mi"` | | -| global.proxy.resources.requests.cpu | string | `"100m"` | | -| global.proxy.resources.requests.memory | string | `"128Mi"` | | -| global.proxy.statusPort | int | `15020` | | -| global.proxy.tracer | string | `"zipkin"` | | -| global.proxy_init.image | string | `"proxyv2"` | | -| global.proxy_init.resources.limits.cpu | string | `"2000m"` | | -| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | | -| global.proxy_init.resources.requests.cpu | string | `"10m"` | | -| global.proxy_init.resources.requests.memory | string | `"10Mi"` | | -| global.remotePilotAddress | string | `""` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | | -| global.tracer.lightstep.accessToken | string | `""` | | -| global.tracer.lightstep.address | string | `""` | | -| global.tracer.stackdriver.debug | bool | `false` | | -| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | | -| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | | -| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | | -| global.tracer.zipkin.address | string | `""` | | -| global.trustDomain | string | `""` | | -| global.useMCP | bool | `false` | | -| istiodRemote.injectionURL | string | `""` | | -| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | 
string | `""` | | -| meshConfig.rootNamespace | string | `"istio-system"` | | -| ownerName | string | `""` | | -| pilot.autoscaleEnabled | bool | `true` | | -| pilot.autoscaleMax | int | `5` | | -| pilot.autoscaleMin | int | `1` | | -| pilot.configMap | bool | `true` | | -| pilot.configSource.subscribedResources | list | `[]` | | -| pilot.cpu.targetAverageUtilization | int | `80` | | -| pilot.deploymentLabels | object | `{}` | | -| pilot.enableProtocolSniffingForInbound | bool | `true` | | -| pilot.enableProtocolSniffingForOutbound | bool | `true` | | -| pilot.env | object | `{}` | | -| pilot.hub | string | `""` | | -| pilot.image | string | `"pilot"` | | -| pilot.jwksResolverExtraRootCA | string | `""` | | -| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | | -| pilot.nodeSelector | object | `{}` | | -| pilot.plugins | list | `[]` | | -| pilot.podAnnotations | object | `{}` | | -| pilot.replicaCount | int | `1` | | -| pilot.resources.requests.cpu | string | `"500m"` | | -| pilot.resources.requests.memory | string | `"2048Mi"` | | -| pilot.rollingMaxSurge | string | `"100%"` | | -| pilot.rollingMaxUnavailable | string | `"25%"` | | -| pilot.tag | string | `""` | | -| pilot.traceSampling | float | `1` | | -| revision | string | `""` | | -| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | | -| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | | -| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | | -| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | | -| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | | -| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | | -| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | | -| telemetry.enabled | bool | `true` | | -| telemetry.v2.accessLogPolicy.enabled | bool | `false` | | -| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | | -| telemetry.v2.enabled | bool | `true` | | -| 
telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | | -| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | | -| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | | -| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | | -| telemetry.v2.prometheus.enabled | bool | `true` | | -| telemetry.v2.prometheus.wasmEnabled | bool | `false` | | -| telemetry.v2.stackdriver.configOverride | object | `{}` | | -| telemetry.v2.stackdriver.disableOutbound | bool | `false` | | -| telemetry.v2.stackdriver.enabled | bool | `false` | | -| telemetry.v2.stackdriver.logging | bool | `false` | | -| telemetry.v2.stackdriver.monitoring | bool | `false` | | -| telemetry.v2.stackdriver.topology | bool | `false` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index c65a66e..10ab547 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -57,7 +57,7 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| eck-operator.enabled | bool | `false` | | +| eck-operator.enabled | bool | `true` | | | eck-operator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | | eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | diff --git a/charts/kubezero-logging/templates/eck/elasticsearch.yaml b/charts/kubezero-logging/templates/eck/elasticsearch.yaml index ae95c1e..57a0a13 100644 --- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml +++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml 
@@ -48,6 +48,9 @@ spec: {{- end }} containers: - name: elasticsearch + securityContext: + capabilities: + add: ["SYS_CHROOT"] resources: requests: cpu: {{ default "200m" .cpu_request }} diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index d3fa2e3..7b9ac0a 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -2,7 +2,7 @@ # fullnameOverride: "" eck-operator: - enabled: false + enabled: true tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index 2dc4e71..bdec431 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md @@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for prometheus-operator @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 12.2.4 | +| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 12.3.0 | | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | 
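Review bot: The `SYS_CHROOT` capability added to the `elasticsearch` container comes with no reason recorded and no matching `drop`, so the next maintainer cannot tell whether it is still required or safe to remove once Elasticsearch or the node runtime is upgraded. I would state the trigger inline, `# SYS_CHROOT: needed by the Elasticsearch bootstrap on this runtime/kernel (see commit); revisit on ES or runtime upgrade` (the commit message only says "ECK fixes for Kube 1.18"; presumably the ES syscall-filter bootstrap, to be confirmed), and pair the grant with `drop: ["ALL"]` so the container ends up with exactly the one capability it needs. If a PodSecurityPolicy or admission controller constrains `allowedCapabilities` in the target cluster, this capability has to be permitted there as well or the pod will be rejected. The container spec this `securityContext` belongs to continues outside the hunk.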
@@ -26,10 +26,22 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| grafana.istio.enabled | bool | `false` | | -| grafana.istio.gateway | string | `"istio-ingress/ingressgateway"` | | -| grafana.istio.ipBlocks | list | `[]` | | -| grafana.istio.url | string | `""` | | +| istio.alertmanager.destination | string | `"metrics-kube-prometheus-st-alertmanager"` | | +| istio.alertmanager.enabled | bool | `false` | | +| istio.alertmanager.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.alertmanager.ipBlocks | list | `[]` | | +| istio.alertmanager.url | string | `""` | | +| istio.grafana.destination | string | `"metrics-grafana"` | | +| istio.grafana.enabled | bool | `false` | | +| istio.grafana.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.grafana.ipBlocks | list | `[]` | | +| istio.grafana.url | string | `""` | | +| istio.prometheus.destination | string | `"metrics-kube-prometheus-st-prometheus"` | | +| istio.prometheus.enabled | bool | `false` | | +| istio.prometheus.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.prometheus.ipBlocks | list | `[]` | | +| istio.prometheus.url | string | `""` | | +| kube-prometheus-stack.alertmanager.alertmanagerSpec.logFormat | string | `"json"` | | | kube-prometheus-stack.alertmanager.enabled | bool | `false` | | | kube-prometheus-stack.coreDns.enabled | bool | `true` | | | kube-prometheus-stack.defaultRules.create | bool | `true` | | 
@@ -71,6 +83,7 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | | +| kube-prometheus-stack.prometheus.prometheusSpec.logFormat | string | `"json"` | | | kube-prometheus-stack.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | | @@ -83,6 +96,7 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | | +| kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[1] | string | `"logging"` | | | kube-prometheus-stack.prometheusOperator.namespaces.releaseNamespace | bool | `true` | | @@ -108,9 +122,6 @@ Kubernetes: `>= 1.16.0` | prometheus-adapter.rules.resource.window | string | `"3m"` | | | prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | | | prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | -| prometheus.istio.enabled | bool | `false` | | -| prometheus.istio.gateway | string | `"istio-ingress/ingressgateway"` | | -| prometheus.istio.url | string | `""` | | # Dashboards 
diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md index 2fd3f16..e275f33 100644 --- a/charts/kubezero-redis/README.md +++ b/charts/kubezero-redis/README.md @@ -1,6 +1,6 @@ # kubezero-redis -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Redis HA @@ -18,7 +18,8 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 12.0.0 | +| https://charts.bitnami.com/bitnami | redis | 12.1.1 | +| https://charts.bitnami.com/bitnami | redis-cluster | 4.1.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -26,7 +27,17 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| | istio.enabled | bool | `false` | | +| redis-cluster.cluster.nodes | int | `2` | | +| redis-cluster.cluster.replicas | int | `1` | | +| redis-cluster.enabled | bool | `false` | | +| redis-cluster.metrics.enabled | bool | `false` | | +| redis-cluster.metrics.serviceMonitor.enabled | bool | `false` | | +| redis-cluster.metrics.serviceMonitor.selector.release | string | `"metrics"` | | +| redis-cluster.persistence.enabled | bool | `false` | | +| redis-cluster.redisPort | int | `6379` | | +| redis-cluster.usePassword | bool | `false` | | | redis.cluster.slaveCount | int | `0` | | +| redis.enabled | bool | `false` | | | redis.master.persistence.enabled | bool | `false` | | | redis.metrics.enabled | bool | `false` | | | redis.metrics.serviceMonitor.enabled | bool | `false` | | 
diff --git a/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml b/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml new file mode 100644 index 0000000..e044802 --- /dev/null +++ b/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml @@ -0,0 +1,36 @@ +{{- if index .Values "redis-cluster" "enabled" }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + namespace: istio-ingress +spec: + configPatches: + - applyTo: CLUSTER + patch: + operation: INSERT_FIRST + value: + name: "{{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster" + connect_timeout: 0.5s + lb_policy: CLUSTER_PROVIDED + load_assignment: + cluster_name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + endpoints: + - lb_endpoints: + {{- $count := index .Values "redis-cluster" "cluster" "nodes" | int }}{{ range $i, $v := until $count }} + - endpoint: + address: + socket_address: + address: {{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc.cluster.local + port_value: {{ index $.Values "redis-cluster" "redisPort" }} + {{- end }} + cluster_type: + name: envoy.clusters.redis + typed_config: + "@type": type.googleapis.com/google.protobuf.Struct + value: + cluster_refresh_rate: 5s + cluster_refresh_timeout: 3s + redirect_refresh_interval: 5s + redirect_refresh_threshold: 5 +{{- end }} diff --git a/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml b/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml new file mode 100644 index 0000000..2c6e9ea --- /dev/null +++ b/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml 
@@ -0,0 +1,35 @@ +{{- if index .Values "redis-cluster" "enabled" }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-proxy + namespace: istio-ingress +spec: + workloadSelector: + labels: + istio: private-ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + name: 0.0.0.0_{{ index .Values "redis-cluster" "redisPort" }} + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: REPLACE + value: + name: envoy.redis_proxy + typed_config: + "@type": type.googleapis.com/envoy.config.filter.network.redis_proxy.v2.RedisProxy + stat_prefix: redis_stats + prefix_routes: + catch_all_route: + cluster: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + settings: + op_timeout: 5s + enable_redirection: true + enable_command_stats: true + read_policy: PREFER_REPLICA +{{- end }} diff --git a/charts/kubezero-redis/templates/istio-authorization-policy.yaml b/charts/kubezero-redis/templates/istio-authorization-policy.yaml index 97a2a7f..c3666de 100644 --- a/charts/kubezero-redis/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-redis/templates/istio-authorization-policy.yaml @@ -4,7 +4,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: {{ .Release.Namespace }}-redis-deny-not-in-ipblocks - namespace: istio-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: diff --git a/charts/kubezero-redis/values.yaml b/charts/kubezero-redis/values.yaml index a68d9a8..5f3d1c9 100644 --- a/charts/kubezero-redis/values.yaml +++ b/charts/kubezero-redis/values.yaml @@ -29,6 +29,7 @@ redis: redis-cluster: enabled: false + redisPort: 6379 usePassword: false cluster: diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index b1cf63e..2ae02fd 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md 
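Review bot: The `redis_proxy` filter this EnvoyFilter installs on the `private-ingressgateway` carries no `downstream_auth_password`, and the chart's `redis-cluster.usePassword` default is `false` (README table in this same patch), so any client that can reach the gateway on `redisPort` gets unauthenticated access to the cluster behind `catch_all_route`. The only access control visible in this patch is the ipBlocks AuthorizationPolicy, which the next hunk moves from `istio-system` into the release namespace — if that is the intended control, say so in a comment at the top of this template; otherwise set `downstream_auth_password` so clients must AUTH (note the value is rendered into the EnvoyFilter object in `istio-ingress`, so read access to that namespace becomes sensitive). `envoy.config.filter.network.redis_proxy.v2.RedisProxy` is the deprecated v2 type name; presumably it works on the Envoy bundled with the Istio version this was tested on, but pin that version in a comment or move to the `v3` type so the filter does not silently stop applying after an Istio upgrade.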
@@ -50,6 +50,7 @@ Kubernetes: `>= 1.16.0` | kiam.enabled | bool | `false` | | | local-path-provisioner.enabled | bool | `false` | | | local-volume-provisioner.enabled | bool | `false` | | +| logging.crds | bool | `true` | | | logging.enabled | bool | `false` | | | logging.namespace | string | `"logging"` | | | metrics.crds | bool | `true` | | diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index c96c708..97f32e5 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -101,7 +101,9 @@ function _helm() { local namespace=$(get_namespace $2) if [ $action == "crds" ]; then - _crds + declare -F ${release}-crds && ${release}-crds + declare -F ${release}-crds || _crds + elif [ $action == "apply" ]; then # namespace must exist prior to apply create_ns $namespace @@ -193,6 +195,13 @@ function kiam-post() { ########### # Logging # ########### +# eck operator still doesnt support helm v3 so we have to toggle settings in the eck subchart +function logging-crds() { + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set eck-operator.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set eck-operator.installCRDs=true > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml +} function logging-post() { kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' } diff --git a/charts/kubezero/scripts/remove_old_eck.sh b/charts/kubezero/scripts/remove_old_eck.sh new file mode 100755 index 0000000..1aa606f --- /dev/null +++ b/charts/kubezero/scripts/remove_old_eck.sh 
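Review bot: The two-line dispatch in `_helm` (`declare -F ${release}-crds && ${release}-crds` / `declare -F ${release}-crds || _crds`) looks the function up twice and lets `declare -F` print the function name to stdout on every run, which ends up interleaved with the script's real output; the expansion is also unquoted. A single branch reads more clearly and keeps stdout clean: `if declare -F "${release}-crds" >/dev/null; then "${release}-crds"; else _crds; fi`. `_helm` starts and ends outside this hunk.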
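Review bot: `logging-crds` duplicates the four lines of `_crds` except for the values key passed to `--set` (`eck-operator.installCRDs` instead of `${release}.installCRDs`), so the next fix to the CRD-extraction pipeline has to be made twice; parametrise `_crds` on the key (`local key=${1:-$release}` and `--set "${key}.installCRDs=..."`) and make this function `_crds eck-operator`. While touching it, quote `$TMPDIR`, `$namespace` and `$release` in every expansion as the rest of the script's temp-file handling depends on those paths being taken whole. The function relies on `$chart`, `$release` and `$namespace` being set by its caller, which is not visible in this hunk; a one-line comment naming that contract would help.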
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License; +# you may not use this file except in compliance with the Elastic License. + +# Script to migrate an existing ECK 1.2.1 installation to Helm. + +set -euo pipefail + +RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"} + +echo "Uninstalling ECK" +kubectl delete -n "${RELEASE_NAMESPACE}" \ + serviceaccount/elastic-operator \ + secret/elastic-webhook-server-cert \ + clusterrole.rbac.authorization.k8s.io/elastic-operator \ + clusterrole.rbac.authorization.k8s.io/elastic-operator-view \ + clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \ + clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \ + rolebinding.rbac.authorization.k8s.io/elastic-operator \ + service/elastic-webhook-server \ + statefulset.apps/elastic-operator \ + validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co + diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index f681028..f034c88 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -53,7 +53,7 @@ metrics: logging: enabled: false - # crds: true + crds: true namespace: logging argocd: -- 2.40.1 From a4b5043228afebb5fb9a43b77df8dbb411208a1d Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 4 Dec 2020 06:10:15 -0800 Subject: [PATCH 27/48] Add note about ECK --- docs/Upgrade.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/Upgrade.md b/docs/Upgrade.md index 7f0f645..4e10fcf 100644 --- a/docs/Upgrade.md +++ b/docs/Upgrade.md 
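Review bot: With `set -euo pipefail` and all ten resources passed to a single `kubectl delete`, the first resource that does not exist (a re-run after a partial failure, or a cluster whose ECK install differs from the 1.2.1 layout the header comment names) makes kubectl exit non-zero, and because deletion proceeds in argument order the remaining objects are left in place. Add `--ignore-not-found` to the `kubectl delete` line so the script is idempotent and can be re-run to completion. A one-line comment that the clusterrole, clusterrolebinding and validatingwebhookconfiguration entries are cluster-scoped (the `-n` is ignored for them) would also save the next reader a question.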
@@ -44,6 +44,9 @@ Ingress service interruption ends. - push kubezero & cluster config to git +- if logging incl. ElasticSearch is installed remove the old ECK operator first: + `./scripts/remove_old_eck.sh` + - upgrade all remaining components and install new ArgoCD: `./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` -- 2.40.1 From 22fb93a7f2fcd54375fef84f6b59faa8fb553077 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Sat, 5 Dec 2020 14:08:40 -0800 Subject: [PATCH 28/48] Adjust argo ingnores for latest eck webhooks --- charts/kubezero/templates/logging.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/kubezero/templates/logging.yaml b/charts/kubezero/templates/logging.yaml index 3bee94e..ce16135 100644 --- a/charts/kubezero/templates/logging.yaml +++ b/charts/kubezero/templates/logging.yaml @@ -93,6 +93,7 @@ fluent-bit: - /webhooks/4/clientConfig/caBundle - /webhooks/5/clientConfig/caBundle - /webhooks/6/clientConfig/caBundle + - /webhooks/7/clientConfig/caBundle - group: apiextensions.k8s.io kind: CustomResourceDefinition jsonPointers: -- 2.40.1 From a6950196b4dd3267c8dc52c837d47b2b17039a5a Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Sat, 5 Dec 2020 14:16:33 -0800 Subject: [PATCH 29/48] Disable CRDs from eck-operator defaults --- charts/kubezero-logging/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 7b9ac0a..dac0504 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -3,6 +3,7 @@ eck-operator: enabled: true + installCRDs: false tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule -- 2.40.1 From 99ceceda564e9d66ed9c158f25fac36922e6e996 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 7 Dec 2020 04:33:33 -0800 Subject: [PATCH 30/48] Re-enable geoip lookups --- charts/kubezero-logging/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index dac0504..4e5f935 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -76,7 +76,6 @@ fluentd: enabled: true additionalLabels: release: metrics - # namespace: monitoring output: # Default should be "logging-kubezero-logging-es-http" if fullnameOverride is NOT used @@ -144,7 +143,7 @@ fluentd: remove_keys id # KubeZero pipeline incl. GeoIP etc. - # pipeline fluentd + pipeline fluentd host "#{ENV['OUTPUT_HOST']}" port "#{ENV['OUTPUT_PORT']}" -- 2.40.1 From 7998d93d17d211cf1a16e4c5f0c35c7b419c3a62 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 7 Dec 2020 13:06:00 -0800 Subject: [PATCH 31/48] Fix empty CRDs, only deploy eck-operator if needed --- charts/kubezero-logging/values.yaml | 2 +- charts/kubezero/bootstrap.sh | 10 +++++----- charts/kubezero/templates/logging.yaml | 6 ++++-- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 4e5f935..e2fa0e0 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -2,7 +2,7 @@ # fullnameOverride: "" eck-operator: - enabled: true + enabled: false installCRDs: false tolerations: - key: node-role.kubernetes.io/master diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index 97f32e5..54a2cfb 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh 
@@ -71,10 +71,10 @@ function delete_ns() { # Extract crds via helm calls and apply delta=crds only function _crds() { - helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml - helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml - diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set ${release}.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set ${release}.installCRDs=true > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + [ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml } @@ -200,7 +200,7 @@ function logging-crds() { helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set eck-operator.installCRDs=false > $TMPDIR/helm-no-crds.yaml helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set eck-operator.installCRDs=true > $TMPDIR/helm-crds.yaml diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml - kubectl apply -f $TMPDIR/crds.yaml + [ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml } function logging-post() { kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' diff --git a/charts/kubezero/templates/logging.yaml b/charts/kubezero/templates/logging.yaml index ce16135..8b1f93f 100644 --- a/charts/kubezero/templates/logging.yaml 
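Review bot: `[ -s $TMPDIR/crds.yaml ] && kubectl apply -f $TMPDIR/crds.yaml` as the final statement of `_crds` makes the function return 1 in exactly the case the change means to tolerate — an empty CRD file — and the same pattern is repeated in `logging-crds` in the second hunk; if the script runs under `set -e` (its `set` line is outside this hunk), a caller such as the `&&` dispatch in `_helm` then aborts the bootstrap instead of skipping the apply. Use an explicit conditional so the empty case returns success, quoting the path while at it: `if [ -s "$TMPDIR/crds.yaml" ]; then kubectl apply -f "$TMPDIR/crds.yaml"; fi`.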
+++ b/charts/kubezero/templates/logging.yaml @@ -1,8 +1,10 @@ {{- define "logging-values" }} - -{{- with index .Values "logging" "eck-operator" }} +{{- if or .Values.logging.es .Values.logging.kibana }} eck-operator: + enabled: true + {{- with index .Values "logging" "eck-operator" }} {{- toYaml . | nindent 2 }} + {{- end }} {{- end }} {{- if .Values.logging.elastic_password }} -- 2.40.1 From 59949b485bf32917db2ae348fe605d3e95925eec Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Mon, 7 Dec 2020 15:01:40 -0800 Subject: [PATCH 32/48] Use upstream released chart for aws-ebs-csi --- charts/kubezero-aws-ebs-csi-driver/.gitignore | 1 - .../kubezero-aws-ebs-csi-driver/.helmignore | 24 --- charts/kubezero-aws-ebs-csi-driver/Chart.yaml | 3 + charts/kubezero-aws-ebs-csi-driver/README.md | 1 + .../charts/aws-ebs-csi-driver/Chart.yaml | 16 -- .../aws-ebs-csi-driver/templates/NOTES.txt | 3 - .../aws-ebs-csi-driver/templates/_helpers.tpl | 69 -------- .../templates/clusterrole-attacher.yaml | 20 --- .../templates/clusterrole-provisioner.yaml | 35 ---- .../templates/clusterrole-resizer.yaml | 31 ---- .../clusterrole-snapshot-controller.yaml | 35 ---- .../templates/clusterrole-snapshotter.yaml | 25 --- .../clusterrolebinding-attacher.yaml | 15 -- .../clusterrolebinding-provisioner.yaml | 15 -- .../templates/clusterrolebinding-resizer.yaml | 18 -- ...lusterrolebinding-snapshot-controller.yaml | 18 -- .../clusterrolebinding-snapshotter.yaml | 18 -- .../templates/controller.yaml | 157 ------------------ .../templates/csidriver.yaml | 9 - .../aws-ebs-csi-driver/templates/node.yaml | 117 ------------- ...le-snapshot-controller-leaderelection.yaml | 15 -- ...ng-snapshot-controller-leaderelection.yaml | 19 --- .../serviceaccount-csi-controller.yaml | 15 -- .../serviceaccount-snapshot-controller.yaml | 13 -- .../templates/statefulset.yaml | 30 ---- .../charts/aws-ebs-csi-driver/values.yaml | 86 ---------- charts/kubezero-aws-ebs-csi-driver/update.sh | 14 -- 27 files changed, 4 insertions(+), 818 deletions(-) delete mode 100644 charts/kubezero-aws-ebs-csi-driver/.gitignore delete mode 100644 charts/kubezero-aws-ebs-csi-driver/.helmignore delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl delete mode 
100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml delete mode 100644 
charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml delete mode 100644 charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml delete mode 100755 charts/kubezero-aws-ebs-csi-driver/update.sh diff --git a/charts/kubezero-aws-ebs-csi-driver/.gitignore b/charts/kubezero-aws-ebs-csi-driver/.gitignore deleted file mode 100644 index 5664e30..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/.gitignore +++ /dev/null @@ -1 +0,0 @@ -git diff --git a/charts/kubezero-aws-ebs-csi-driver/.helmignore b/charts/kubezero-aws-ebs-csi-driver/.helmignore deleted file mode 100644 index 58b068b..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/.helmignore +++ /dev/null @@ -1,24 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ - -git diff --git a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml index 4d37b08..5530af2 100644 --- a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml @@ -17,6 +17,9 @@ keywords: maintainers: - name: Quarky9 dependencies: + - name: aws-ebs-csi-driver + version: 0.6.1 + repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ diff --git a/charts/kubezero-aws-ebs-csi-driver/README.md b/charts/kubezero-aws-ebs-csi-driver/README.md index 95110d4..d446f2f 100644 --- a/charts/kubezero-aws-ebs-csi-driver/README.md +++ b/charts/kubezero-aws-ebs-csi-driver/README.md 
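Review bot: The new `aws-ebs-csi-driver` dependency is pinned only by version string (`0.6.1`); this patch's diffstat lists no `Chart.lock`, so nothing records the chart digest and a re-published 0.6.1 from `kubernetes-sigs.github.io` would be pulled without notice. Run `helm dependency update` and commit the resulting `Chart.lock` alongside this `Chart.yaml` change. The vendored copy being deleted in the same patch was also version 0.6.1 (appVersion 0.7.1), so the lock would let a reviewer confirm the upstream package matches what was previously in-tree.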
@@ -23,6 +23,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| +| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.6.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## IAM Role diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml deleted file mode 100644 index 1199067..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -appVersion: "0.7.1" -name: aws-ebs-csi-driver -description: A Helm chart for AWS EBS CSI Driver -version: 0.6.1 -kubeVersion: ">=1.13.0-0" -home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver -sources: - - https://github.com/kubernetes-sigs/aws-ebs-csi-driver -keywords: - - aws - - ebs - - csi -maintainers: - - name: leakingtapan - email: chengpan@amazon.com diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt deleted file mode 100644 index 34db916..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt +++ /dev/null @@ -1,3 +0,0 @@ -To verify that aws-ebs-csi-driver has started, run: - - kubectl get pod -n kube-system -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl deleted file mode 100644 index fdc77c4..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl +++ /dev/null 
@@ -1,69 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "aws-ebs-csi-driver.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "aws-ebs-csi-driver.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "aws-ebs-csi-driver.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "aws-ebs-csi-driver.labels" -}} -{{ include "aws-ebs-csi-driver.selectorLabels" . }} -{{- if ne .Release.Name "kustomize" }} -helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} -{{- end -}} - -{{/* -Common selector labels -*/}} -{{- define "aws-ebs-csi-driver.selectorLabels" -}} -app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} -{{- if ne .Release.Name "kustomize" }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} -{{- end -}} - -{{/* -Convert the `--extra-volume-tags` command line arg from a map. 
-*/}} -{{- define "aws-ebs-csi-driver.extra-volume-tags" -}} -{{- $result := dict "pairs" (list) -}} -{{- range $key, $value := .Values.extraVolumeTags -}} -{{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}} -{{- end -}} -{{- if gt (len $result.pairs) 0 -}} -{{- printf "%s=%s" "- --extra-volume-tags" (join "," $result.pairs) -}} -{{- end -}} -{{- end -}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml deleted file mode 100644 index 0b96724..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-attacher-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml deleted file mode 100644 index 84f122a..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-provisioner-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml deleted file mode 100644 index 5f0c758..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- if .Values.enableVolumeResizing }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-resizer-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - # The following rule should be uncommented for plugins that require secrets - # for provisioning. - # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - -{{- end}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml deleted file mode 100644 index ffdb1b7..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml deleted file mode 100644 index 061b565..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-snapshotter-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml deleted file mode 100644 index 1888a9b..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-attacher-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-attacher-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml deleted file mode 100644 index 0fd5499..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-provisioner-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-provisioner-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml deleted file mode 100644 index b23063a..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeResizing }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-resizer-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-resizer-role - apiGroup: rbac.authorization.k8s.io - -{{- end}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml deleted file mode 100644 index df4937a..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshot-controller-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-snapshot-controller-role - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml deleted file mode 100644 index 6ebb1d9..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshotter-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-csi-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: ebs-external-snapshotter-role - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml deleted file mode 100644 index e2b0a97..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -# Controller Service -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ebs-csi-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.podAnnotations }} - annotations: {{ toYaml .Values.podAnnotations | nindent 8 }} - {{- end }} - spec: - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.nodeSelector }} -{{ toYaml . | indent 8 }} - {{- end }} - serviceAccountName: ebs-csi-controller-sa - priorityClassName: system-cluster-critical - {{- with .Values.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - tolerations: - - operator: Exists - {{- with .Values.tolerations }} -{{ toYaml . | indent 8 }} - {{- end }} - containers: - - name: ebs-plugin - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - {{- if ne .Release.Name "kustomize" }} - - controller - {{- else }} - # - {all,controller,node} # specify the driver mode - {{- end }} - - --endpoint=$(CSI_ENDPOINT) - {{- if .Values.extraVolumeTags }} - {{- include "aws-ebs-csi-driver.extra-volume-tags" . 
| nindent 12 }} - {{- end }} - - --logtostderr - - --v=5 - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-secret - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-secret - key: access_key - optional: true - {{- if .Values.region }} - - name: AWS_REGION - value: {{ .Values.region }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} - - name: csi-provisioner - image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --v=5 - {{- if .Values.enableVolumeScheduling }} - - --feature-gates=Topology=true - {{- end}} - - --enable-leader-election - - --leader-election-type=leases - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-attacher - image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --v=5 - - --leader-election=true - - --leader-election-type=leases - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- if .Values.enableVolumeSnapshot }} - - name: csi-snapshotter - image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --leader-election=true - env: - - name: 
ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- end }} - {{- if .Values.enableVolumeResizing }} - - name: csi-resizer - image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }} - imagePullPolicy: Always - args: - - --csi-address=$(ADDRESS) - - --v=5 - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- end }} - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /csi - volumes: - - name: socket-dir - emptyDir: {} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml deleted file mode 100644 index 1858e39..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: storage.k8s.io/v1beta1 -kind: CSIDriver -metadata: - name: ebs.csi.aws.com - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - attachRequired: true - podInfoOnMount: false diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml deleted file mode 100644 index d6eadbc..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -# Node Service -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ebs-csi-node - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.node.podAnnotations }} - annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} - {{- end }} - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - nodeSelector: - kubernetes.io/os: linux - hostNetwork: true - priorityClassName: system-node-critical - tolerations: - - operator: Exists - {{- with .Values.node.tolerations }} -{{ toYaml . | indent 8 }} - {{- end }} - containers: - - name: ebs-plugin - securityContext: - privileged: true - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - args: - - node - - --endpoint=$(CSI_ENDPOINT) - - --logtostderr - - --v=5 - env: - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock - volumeMounts: - - name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - - name: node-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v=5 - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "rm -rf 
/registration/ebs.csi.aws.com-reg.sock /csi/csi.sock"] - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: plugin-dir - mountPath: /csi - volumes: - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml deleted file mode 100644 index 947d241..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-snapshot-controller-leaderelection - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - -{{- end }} 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml deleted file mode 100644 index 11d8ed4..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-leaderelection - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: ebs-snapshot-controller - namespace: kube-system -roleRef: - kind: Role - name: snapshot-controller-leaderelection - apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml deleted file mode 100644 index 9e2cf7c..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-csi-controller-sa - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.controller.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - {{- if eq .Release.Name "kustomize" }} - #Enable if EKS IAM for SA is used - #annotations: - # eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role - {{- end }} 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml deleted file mode 100644 index baa39c8..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ebs-snapshot-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.snapshot.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml deleted file mode 100644 index b824609..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.enableVolumeSnapshot }} -#Snapshot controller -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: ebs-snapshot-controller - namespace: kube-system - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - serviceName: ebs-snapshot-controller - replicas: 1 - selector: - matchLabels: - app: ebs-snapshot-controller - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-snapshot-controller - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - spec: - serviceAccountName: ebs-snapshot-controller - containers: - - name: snapshot-controller - image: quay.io/k8scsi/snapshot-controller:v2.1.1 - args: - - --v=5 - - --leader-election=false -{{- end }} 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml
deleted file mode 100644
index 8967cc2..0000000
--- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-# Default values for aws-ebs-csi-driver.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 2
-
-image:
- repository: amazon/aws-ebs-csi-driver
- tag: "v0.7.1"
- pullPolicy: IfNotPresent
-
-sidecars:
- provisionerImage:
- repository: quay.io/k8scsi/csi-provisioner
- tag: "v1.5.0"
- attacherImage:
- repository: quay.io/k8scsi/csi-attacher
- tag: "v1.2.0"
- snapshotterImage:
- repository: quay.io/k8scsi/csi-snapshotter
- tag: "v2.1.1"
- livenessProbeImage:
- repository: quay.io/k8scsi/livenessprobe
- tag: "v1.1.0"
- resizerImage:
- repository: quay.io/k8scsi/csi-resizer
- tag: "v0.3.0"
- nodeDriverRegistrarImage:
- repository: quay.io/k8scsi/csi-node-driver-registrar
- tag: "v1.1.0"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-podAnnotations: {}
-
-# True if enable volume scheduling for dynamic volume provisioning
-enableVolumeScheduling: false
-
-# True if enable volume resizing
-enableVolumeResizing: false
-
-# True if enable volume snapshot
-enableVolumeSnapshot: false
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-# Extra volume tags to attach to each dynamically provisioned volume.
-# ---
-# extraVolumeTags:
-# key1: value1
-# key2: value2
-extraVolumeTags: {}
-
-# AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
-# service.
-# ---
-# region: us-east-1
-region: ""
-
-node:
- podAnnotations: {}
- tolerations: []
-
-serviceAccount:
- controller:
- annotations: {}
- snapshot:
- annotations: {}
diff --git a/charts/kubezero-aws-ebs-csi-driver/update.sh b/charts/kubezero-aws-ebs-csi-driver/update.sh
deleted file mode 100755
index 44c1520..0000000
--- a/charts/kubezero-aws-ebs-csi-driver/update.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-set -ex
-
-# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
-
-REPO="kubernetes-sigs/aws-ebs-csi-driver"
-[ -z "$RELEASE" ] && RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
-
-rm -rf git
-git clone https://github.com/$REPO.git git
-cd git && git checkout $RELEASE && cd -
-
-rm -rf charts/aws-ebs-csi-driver && mkdir -p charts/aws-ebs-csi-driver
-mv git/aws-ebs-csi-driver/* charts/aws-ebs-csi-driver
-- 
2.40.1

From 6c7bd71e81e40de7edc449d7c0a4362a84e77065 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Tue, 8 Dec 2020 07:05:25 -0800
Subject: [PATCH 33/48] Integrare fluent-bit into logging to allow better config

---
 charts/kubezero-logging/Chart.yaml | 8 +-
 charts/kubezero-logging/README.md | 20 +-
 .../charts/fluent-bit/.helmignore | 23 +++
 .../charts/fluent-bit/Chart.yaml | 20 ++
 .../charts/fluent-bit/README.md | 23 +++
 .../fluent-bit/conf/custom_parsers.conf | 6 +
 .../charts/fluent-bit/conf/fluent-bit.conf | 72 ++++++++
 .../charts/fluent-bit/conf/functions.lua | 28 +++
 .../charts/fluent-bit/templates/NOTES.txt | 5 +
 .../charts/fluent-bit/templates/_helpers.tpl | 63 +++++++
 .../charts/fluent-bit/templates/_pod.tpl | 103 +++++++++++
 .../fluent-bit/templates/clusterrole.yaml | 28 +++
 .../templates/clusterrolebinding.yaml | 16 ++
 .../fluent-bit/templates/configmap.yaml | 15 ++
 .../fluent-bit/templates/daemonset.yaml | 30 +++
 .../fluent-bit/templates/deployment.yaml | 31 ++++
 .../charts/fluent-bit/templates/psp.yaml | 38 ++++
 .../charts/fluent-bit/templates/service.yaml | 30 +++
 .../fluent-bit/templates/serviceaccount.yaml | 12 ++
 .../fluent-bit/templates/servicemonitor.yaml | 30 +++
 .../templates/tests/test-connection.yaml | 17 ++
 .../charts/fluent-bit/values.yaml | 171 ++++++++++++++++++
 charts/kubezero-logging/values.yaml | 108 ++---------
 23 files changed, 788 insertions(+), 109 deletions(-)
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/.helmignore
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/Chart.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/README.md
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/conf/custom_parsers.conf
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/conf/fluent-bit.conf
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/conf/functions.lua
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/NOTES.txt
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/_helpers.tpl
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/_pod.tpl
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/clusterrole.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/clusterrolebinding.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/configmap.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/daemonset.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/deployment.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/psp.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/service.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/serviceaccount.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/servicemonitor.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/templates/tests/test-connection.yaml
 create mode 100644 charts/kubezero-logging/charts/fluent-bit/values.yaml

diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml
index c6fc86c..1c0c77e 100644
--- a/charts/kubezero-logging/Chart.yaml
+++ b/charts/kubezero-logging/Chart.yaml
@@ -26,9 +26,9 @@ dependencies:
 version: 2.5.1
 repository: https://kubernetes-charts.storage.googleapis.com/
 condition: fluentd.enabled
- - name: fluent-bit
- version: 0.7.10
- repository: https://zero-down-time.github.io/kubezero/
+# - name: fluent-bit
+# version: 0.7.10
+# repository: https://zero-down-time.github.io/kubezero/
 # repository: https://fluent.github.io/helm-charts
- condition: fluent-bit.enabled
+# condition: fluent-bit.enabled
 kubeVersion: ">= 1.16.0"
diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md
index 10ab547..9178c0a 100644
--- a/charts/kubezero-logging/README.md
+++ b/charts/kubezero-logging/README.md
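Review bot: The fluent-bit dependency is left in Chart.yaml as a commented-out block instead of being removed, so the file no longer records where the subchart that this commit drops under charts/fluent-bit (per the diffstat) comes from or which upstream version it tracks. A vendored subchart is not fetched or verified by `helm dependency update`, so the only provenance record left is the vendored Chart.yaml itself; I would replace the four `#`-prefixed lines with one comment such as `# fluent-bit is vendored under charts/fluent-bit (upstream chart 0.7.10, https://fluent.github.io/helm-charts); bump the version there, not here`. The retained `+#    condition: fluent-bit.enabled` line no longer gates anything from this file, and whether the vendored copy still honours a `fluent-bit.enabled` value is not visible in this hunk, so the README or values.yaml should state how the component is now toggled.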
@@ -20,7 +20,6 @@ Kubernetes: `>= 1.16.0` |------------|------|---------| | https://helm.elastic.co | eck-operator | 1.3.0 | | https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 | -| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.7.10 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream @@ -57,7 +56,8 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| eck-operator.enabled | bool | `true` | | +| eck-operator.enabled | bool | `false` | | +| eck-operator.installCRDs | bool | `false` | | | eck-operator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | | eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | @@ -66,12 +66,14 @@ Kubernetes: `>= 1.16.0` | es.prometheus | bool | `false` | | | es.s3Snapshot.enabled | bool | `false` | | | es.s3Snapshot.iamrole | string | `""` | | -| fluent-bit.config.customParsers | string | `"[PARSER]\n Name cri-log\n Format regex\n Regex ^(?