Patch relase V2.19.1 #39

Merged
stefan merged 15 commits from master into stable 2021-04-07 10:17:58 +00:00
68 changed files with 1106 additions and 365 deletions


@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm name: kubeadm
description: KubeZero Kubeadm golden config description: KubeZero Kubeadm golden config
type: application type: application
version: 1.19.8 version: 1.19.9
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -23,12 +23,14 @@ controllerManager:
terminated-pod-gc-threshold: "300" terminated-pod-gc-threshold: "300"
leader-elect: {{ .Values.clusterHighAvailable | quote }} leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
scheduler: scheduler:
extraArgs: extraArgs:
profiling: "false" profiling: "false"
bind-address: {{ .Values.listenAddress }} bind-address: {{ .Values.listenAddress }}
leader-elect: {{ .Values.clusterHighAvailable | quote }} leader-elect: {{ .Values.clusterHighAvailable | quote }}
logging-format: json logging-format: json
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
apiServer: apiServer:
certSANs: certSANs:
- {{ regexSplit ":" .Values.apiEndpoint -1 | first }} - {{ regexSplit ":" .Values.apiEndpoint -1 | first }}
@ -44,13 +46,11 @@ apiServer:
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }} {{- if eq .Values.platform "aws" }}
authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml
feature-gates: "CSIMigrationAWS=true,CSIMigrationAWSComplete=true,DefaultPodTopologySpread=true"
{{- else }}
feature-gates: "DefaultPodTopologySpread=true"
{{- end }} {{- end }}
feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }}
enable-admission-plugins: NodeRestriction,EventRateLimit enable-admission-plugins: NodeRestriction,EventRateLimit
{{- if .Values.clusterHighAvailable }} {{- if .Values.clusterHighAvailable }}
# goaway-chance: ".001" goaway-chance: ".001"
{{- end }} {{- end }}
logging-format: json logging-format: json
{{- with .Values.apiExtraArgs }} {{- with .Values.apiExtraArgs }}
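Review bot: The centralised `feature-gates:` on line 43 (and on lines 24 and 31 for the controller manager and scheduler) is not merged with operator-supplied extra args, so a `feature-gates` entry in `.Values.apiExtraArgs`, rendered from line 49 onward, would put the key twice into `extraArgs` and most YAML decoders silently keep the last one. This is most likely pre-existing, but the old per-platform branches made the gate list visible in the file, so a comment such as `# feature-gates is owned by the kubeadm.featuregates helper; do not set it via apiExtraArgs` above line 43 would prevent a silent override. The `{{- with .Values.apiExtraArgs }}` body continues outside the hunk, so I cannot see whether it already guards against this.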


@ -17,21 +17,19 @@ eventRecordQPS: 0
# tlsCertFile: /var/lib/kubelet/pki/kubelet.crt # tlsCertFile: /var/lib/kubelet/pki/kubelet.crt
# tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key # tlsPrivateKeyFile: /var/lib/kubelet/pki/kubelet.key
tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256] tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256]
featureGates: featureGates: {{ include "kubeadm.featuregates" ( dict "return" "map" "platform" .Values.platform ) }}
CustomCPUCFSQuotaPeriod: true
{{- if eq .Values.platform "aws" }}
CSIMigrationAWS: true
CSIMigrationAWSComplete: true
{{- end }}
# Minimal unit is 50m per pod # Minimal unit is 50m per pod
podsPerCore: 20 podsPerCore: 20
# cpuCFSQuotaPeriod: 10ms
# Basic OS on Ubuntu 20.04 incl. crio # Basic OS on Ubuntu 20.04 incl. crio
systemReserved: #systemReserved:
memory: 256Mi # memory: 256Mi
# This should be dynamic based on number of maxpods and available cores # This should be dynamic based on number of maxpods and available cores
# https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#memory_cpu # https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#memory_cpu
# Below are default minimal for 2 cores and minimum kubelet # Below are default minimal for 2 cores and minimum kubelet
kubeReserved: kubeReserved:
cpu: 70m cpu: 70m
memory: 128Mi # memory: 128Mi
# cpuCFSQuotaPeriod: 10ms # Lets use below to reserve memory for system processes as kubeReserved/sytemReserved doesnt go well with systemd it seems
evictionHard:
memory.available: "484Mi"
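Review bot: The map form of the helper on line 57 is spliced in without `nindent`, so correct nesting under `featureGates:` depends entirely on whether the helper's `{{ $key }}: {{ $val }}` line carries leading spaces, which this rendered view does not show; if it does not, the gates land at column 0, `featureGates` decodes as null and the gates become unknown top-level kubelet keys. Letting the call site own the indentation, `featureGates: {{ include "kubeadm.featuregates" ( dict "return" "map" "platform" .Values.platform ) | nindent 2 }}`, removes that dependency, and the rendered KubeletConfiguration should be checked with `helm template` either way. Separately, with `systemReserved` and `kubeReserved.memory` now commented out (lines 67, 68, 74), the new `evictionHard` threshold on line 77 is the only memory protection left, so the comment on line 75 should say explicitly that `484Mi` is sized to cover both.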


@ -0,0 +1,18 @@
{{- /*
Feature gates for all control plane components
*/ -}}
{{- define "kubeadm.featuregates" -}}
{{- $gates := dict "DefaultPodTopologySpread" "true" "CustomCPUCFSQuotaPeriod" "true" "GenericEphemeralVolume" "true" }}
{{- if eq .platform "aws" }}
{{- $gates = merge $gates ( dict "CSIMigrationAWS" "true" "CSIMigrationAWSComplete" "true") }}
{{- end }}
{{- if eq .return "csv" }}
{{- range $key, $val := $gates }}
{{- $key }}={{- $val }},
{{- end }}
{{- else }}
{{- range $key, $val := $gates }}
{{ $key }}: {{ $val }}
{{- end }}
{{- end }}
{{- end -}}
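Review bot: The header comment on lines 82–84 says "control plane components", but the helper is also the source of the kubelet's `featureGates` (line 57 of the kubelet hunk), and it does not describe the input dict: `platform`, where only `"aws"` adds gates (line 87), and `return`, where `"csv"` yields `KEY=VAL,` pairs with a trailing comma that callers must strip (lines 24, 31, 43 use `trimSuffix ","`) and any other value yields one `KEY: VAL` line per gate (line 96). Suggested comment content: state that this is the single source of truth for feature gates of every kubeadm-managed component and the kubelet, list the two dict keys with their accepted values, and note that the csv form ends with a comma and that an unrecognised `return` silently falls through to the map form.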


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-aws-ebs-csi-driver name: kubezero-aws-ebs-csi-driver
description: KubeZero Umbrella Chart for aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver
type: application type: application
version: 0.4.4 version: 0.5.0
appVersion: 0.9.0 appVersion: 0.10.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
sources: sources:
@ -18,7 +18,7 @@ maintainers:
- name: Quarky9 - name: Quarky9
dependencies: dependencies:
- name: aws-ebs-csi-driver - name: aws-ebs-csi-driver
version: 0.9.14 version: 0.10.0
repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
- name: kubezero-lib - name: kubezero-lib
version: ">= 0.1.3" version: ">= 0.1.3"


@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
appVersion: 0.9.0 appVersion: 0.10.0
description: A Helm chart for AWS EBS CSI Driver description: A Helm chart for AWS EBS CSI Driver
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
keywords: keywords:
@ -15,4 +15,4 @@ maintainers:
name: aws-ebs-csi-driver name: aws-ebs-csi-driver
sources: sources:
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver - https://github.com/kubernetes-sigs/aws-ebs-csi-driver
version: 0.9.14 version: 0.10.0


@ -88,6 +88,12 @@ spec:
- name: AWS_REGION - name: AWS_REGION
value: {{ .Values.region }} value: {{ .Values.region }}
{{- end }} {{- end }}
{{- if .Values.controller.extraVars }}
{{- range $key, $val := .Values.controller.extraVars }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.proxy.http_proxy }} {{- if .Values.proxy.http_proxy }}
- name: HTTP_PROXY - name: HTTP_PROXY
value: {{ .Values.proxy.http_proxy | quote }} value: {{ .Values.proxy.http_proxy | quote }}
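Review bot: `value: "{{ $val }}"` on line 144 wraps the value in literal double quotes, so an `extraVars` entry containing a `"` or a backslash renders invalid YAML instead of an escaped string; the neighbouring proxy entries use `| quote` (line 149), which escapes correctly, so `value: {{ $val | quote }}` fixes this and keeps the file consistent. The `{{- if .Values.controller.extraVars }}` guard on line 141 is redundant with `range` over an empty map but harmless. The container spec continues outside the hunk.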


@ -39,6 +39,9 @@ spec:
containers: containers:
- name: snapshot-controller - name: snapshot-controller
image: {{ printf "%s:%s" .Values.snapshotController.repository .Values.snapshotController.tag }} image: {{ printf "%s:%s" .Values.snapshotController.repository .Values.snapshotController.tag }}
{{- with .Values.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
env: env:
{{- if .Values.proxy.http_proxy }} {{- if .Values.proxy.http_proxy }}
- name: HTTP_PROXY - name: HTTP_PROXY
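Review bot: The resources block added on lines 157–159 reads `.Values.resources`, which judging by the values hunk later in this change (line 172, `resources:` as a sibling of the controller's `priorityClassName`) appears to be the main controller's resource settings rather than a snapshot-controller specific key. If sharing is intended, a one-line comment saying so would help; otherwise a dedicated `.Values.snapshotController.resources` lets the two containers be sized independently. The container definition continues outside the hunk, so I cannot see whether another `resources:` key already exists for it.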


@ -6,7 +6,7 @@ replicaCount: 2
image: image:
repository: k8s.gcr.io/provider-aws/aws-ebs-csi-driver repository: k8s.gcr.io/provider-aws/aws-ebs-csi-driver
tag: "v0.9.0" tag: "v0.10.0"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
logLevel: 5 logLevel: 5
@ -72,7 +72,7 @@ resources:
priorityClassName: "" priorityClassName: ""
nodeSelector: {} nodeSelector: {}
tolerateAllTaints: true tolerateAllTaints: false
tolerations: [] tolerations: []
affinity: {} affinity: {}
@ -109,11 +109,15 @@ k8sTagClusterId: ""
# region: us-east-1 # region: us-east-1
region: "" region: ""
# Additonal environment variables for the controller
controller:
extraVars: {}
node: node:
priorityClassName: "" priorityClassName: ""
nodeSelector: {} nodeSelector: {}
podAnnotations: {} podAnnotations: {}
tolerateAllTaints: true tolerateAllTaints: false
tolerations: [] tolerations: []
resources: {} resources: {}
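Review bot: The comment on line 181 has a typo, `# Additonal environment variables for the controller`; it should read `# Additional environment variables for the controller (KEY: value map, rendered as strings)`, since the controller template quotes each value. The flip of `tolerateAllTaints` to `false` on lines 175 and 188 means the node DaemonSet no longer lands on nodes carrying custom taints unless `tolerations` is populated, which is a behavioural change worth a comment next to the key rather than only a release note.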


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=0.9.14 VERSION=0.10.0
rm -rf charts/aws-ebs-csi-driver rm -rf charts/aws-ebs-csi-driver
curl -L -s -o - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/helm-chart-aws-ebs-csi-driver-${VERSION}/aws-ebs-csi-driver-${VERSION}.tgz | tar xfz - -C charts curl -L -s -o - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/helm-chart-aws-ebs-csi-driver-${VERSION}/aws-ebs-csi-driver-${VERSION}.tgz | tar xfz - -C charts


@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
name: kubezero-aws-efs-csi-driver name: kubezero-aws-efs-csi-driver
description: KubeZero Umbrella Chart for aws-efs-csi-driver description: KubeZero Umbrella Chart for aws-efs-csi-driver
version: 0.3.2 version: 0.3.4
appVersion: 1.2.0 appVersion: 1.2.0
kubeVersion: ">=1.18.0-0" kubeVersion: ">=1.18.0-0"
home: https://kubezero.com home: https://kubezero.com
@ -21,5 +21,5 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: aws-efs-csi-driver - name: aws-efs-csi-driver
version: 1.2.1 version: 1.2.2
# repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/ # repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/


@ -1,6 +1,6 @@
diff -tubNr charts/aws-efs-csi-driver/templates/node-daemonset.yaml charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml diff -tubrN charts/aws-efs-csi-driver/templates/node-daemonset.yaml charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml
--- charts/aws-efs-csi-driver/templates/node-daemonset.yaml 2021-03-19 00:22:54.000000000 +0100 --- charts/aws-efs-csi-driver/templates/node-daemonset.yaml 2021-03-23 14:34:03.000000000 +0100
+++ charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml 2021-03-24 13:06:56.105762451 +0100 +++ charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml 2021-04-01 14:31:36.427375803 +0200
@@ -40,15 +40,10 @@ @@ -40,15 +40,10 @@
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
{{- . | toYaml | nindent 8 }} {{- . | toYaml | nindent 8 }}
@ -31,9 +31,20 @@ diff -tubNr charts/aws-efs-csi-driver/templates/node-daemonset.yaml charts/aws-e
- name: csi-driver-registrar - name: csi-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }}
args: args:
diff -tubNr charts/aws-efs-csi-driver/values.yaml charts/aws-efs-csi-driver.zdt/values.yaml diff -tubrN charts/aws-efs-csi-driver/values.yaml charts/aws-efs-csi-driver.zdt/values.yaml
--- charts/aws-efs-csi-driver/values.yaml 2021-03-19 00:22:54.000000000 +0100 --- charts/aws-efs-csi-driver/values.yaml 2021-03-23 14:34:03.000000000 +0100
+++ charts/aws-efs-csi-driver.zdt/values.yaml 2021-03-24 13:06:56.105762451 +0100 +++ charts/aws-efs-csi-driver.zdt/values.yaml 2021-04-01 14:37:21.290724721 +0200
@@ -11,8 +11,8 @@
sidecars:
livenessProbeImage:
- repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
- tag: v2.1.0-eks-1-18-1
+ repository: k8s.gcr.io/sig-storage/livenessprobe
+ tag: "v2.2.0"
nodeDriverRegistrarImage:
repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
tag: v2.0.1-eks-1-18-1
@@ -43,7 +43,15 @@ @@ -43,7 +43,15 @@
tolerations: [] tolerations: []


@ -15,4 +15,4 @@ maintainers:
name: aws-efs-csi-driver name: aws-efs-csi-driver
sources: sources:
- https://github.com/kubernetes-sigs/aws-efs-csi-driver - https://github.com/kubernetes-sigs/aws-efs-csi-driver
version: 1.2.1 version: 1.2.2


@ -48,7 +48,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
Create the name of the service account to use Create the name of the service account to use
*/}} */}}
{{- define "aws-efs-csi-driver.serviceAccountName" -}} {{- define "aws-efs-csi-driver.serviceAccountName" -}}
{{- if .Values.serviceAccount.controller.create -}} {{- if .Values.controller.create -}}
{{ default (include "aws-efs-csi-driver.fullname" .) .Values.serviceAccount.controller.name }} {{ default (include "aws-efs-csi-driver.fullname" .) .Values.serviceAccount.controller.name }}
{{- else -}} {{- else -}}
{{ default "default" .Values.serviceAccount.controller.name }} {{ default "default" .Values.serviceAccount.controller.name }}
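Review bot: Line 260 now tests `.Values.controller.create` while the ServiceAccount template in this same change still keys on `.Values.serviceAccount.controller.create` (line 281), so the two conditions can disagree: if `controller` is not a mapping in values.yaml the lookup most likely fails the render with Helm's nil-pointer error, and if it is a mapping without `create` the Deployment silently runs under the `default` service account while the account on line 261 is still created. Unless values.yaml defines `controller.create`, which is not visible here, the condition should stay `{{- if .Values.serviceAccount.controller.create -}}`. If this file is the vendored upstream chart rather than the patched copy, the correction belongs in the patch file instead.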


@ -34,9 +34,7 @@ spec:
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
{{- . | toYaml | nindent 8 }} {{- . | toYaml | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.serviceAccount.controller.create }}
serviceAccountName: {{ include "aws-efs-csi-driver.serviceAccountName" . }} serviceAccountName: {{ include "aws-efs-csi-driver.serviceAccountName" . }}
{{- end }}
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
tolerations: tolerations:
- operator: Exists - operator: Exists


@ -1,4 +1,4 @@
{{- if .Values.serviceAccount.controller.create -}} {{- if .Values.serviceAccount.controller.create }}
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
@ -9,6 +9,7 @@ metadata:
annotations: annotations:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- end }}
--- ---
kind: ClusterRole kind: ClusterRole
@ -56,4 +57,3 @@ roleRef:
kind: ClusterRole kind: ClusterRole
name: efs-csi-external-provisioner-role name: efs-csi-external-provisioner-role
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
{{- end }}
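Review bot: Moving the closing `{{- end }}` from line 296 up to line 289 makes the ClusterRole and ClusterRoleBinding unconditional, which is the right fix for `serviceAccount.controller.create: false` users who previously got no RBAC at all, but it also means the Deployment (line 272, which now always sets `serviceAccountName`) and the binding both reference an account Helm no longer creates in that case. A comment in values.yaml next to `serviceAccount.controller.create` stating that the named account must already exist in the release namespace when `create` is `false` would save a support round-trip, and the binding's subjects, which are outside the hunk, should be checked to use the same name the Deployment resolves.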


@ -11,8 +11,8 @@ image:
sidecars: sidecars:
livenessProbeImage: livenessProbeImage:
repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe repository: k8s.gcr.io/sig-storage/livenessprobe
tag: v2.1.0-eks-1-18-1 tag: "v2.2.0"
nodeDriverRegistrarImage: nodeDriverRegistrarImage:
repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
tag: v2.0.1-eks-1-18-1 tag: v2.0.1-eks-1-18-1
@ -98,7 +98,7 @@ storageClasses: []
# - tls # - tls
# parameters: # parameters:
# provisioningMode: efs-ap # provisioningMode: efs-ap
# fileSystemId: fs-92107410 # fileSystemId: fs-1122aabb
# directoryPerms: "700" # directoryPerms: "700"
# gidRangeStart: "1000" # gidRangeStart: "1000"
# gidRangeEnd: "2000" # gidRangeEnd: "2000"
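Review bot: The livenessprobe sidecar on lines 303–304 now comes from a different registry than its sibling `nodeDriverRegistrarImage` (`k8s.gcr.io/sig-storage` versus `public.ecr.aws/eks-distro`), and both are pinned by mutable tag only; a comment explaining why the two sidecars are sourced differently, and a digest pin if the image template allows it, would make the supply chain easier to audit. The quoted `tag: "v2.2.0"` is good practice for version-like scalars but is inconsistent with the unquoted `tag: v2.0.1-eks-1-18-1` on line 307; pick one style for the file.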


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=1.2.1 VERSION=1.2.2
rm -rf charts/aws-efs-csi-driver rm -rf charts/aws-efs-csi-driver
curl -L -s -o - https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/download/helm-chart-aws-efs-csi-driver-${VERSION}/aws-efs-csi-driver-${VERSION}.tgz | tar xfz - -C charts curl -L -s -o - https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/download/helm-chart-aws-efs-csi-driver-${VERSION}/aws-efs-csi-driver-${VERSION}.tgz | tar xfz - -C charts


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress description: KubeZero Umbrella Chart for Istio based Ingress
type: application type: application
version: 0.5.0 version: 0.5.1
appVersion: 1.9.1 appVersion: 1.9.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,9 +16,9 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress - name: istio-ingress
version: 1.9.1 version: 1.9.2
condition: istio-ingress.enabled condition: istio-ingress.enabled
- name: istio-private-ingress - name: istio-private-ingress
version: 1.9.1 version: 1.9.2
condition: istio-private-ingress.enabled condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-ingress name: istio-ingress
version: 1.9.1 version: 1.9.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -3,7 +3,7 @@
apiVersion: autoscaling/v2beta1 apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | indent 4 }} {{ $gateway.labels | toYaml | indent 4 }}
@ -17,7 +17,7 @@ spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
metrics: metrics:
- type: Resource - type: Resource
resource: resource:
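Review bot: Dropping `| default "istio-ingressgateway"` on lines 363 and 371 (and in the deployment, PDB, role, rolebinding, service, serviceaccount and private-ingress hunks below: lines 384–436, 599, 692–714, 723, 734, 771–779, 792–800) makes `gateways.istio-ingressgateway.name` a mandatory value: an empty or unset name now renders `name:` as null and the apply fails, where it used to fall back silently. That is a reasonable tightening, but the new deployment-injected template still carries the default on lines 458 and 513, and the values.yaml hunk (line 741 onward) does not document the requirement; either keep the default consistently or add `# name is required; no default is applied` above the key in values.yaml.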


@ -1,8 +1,10 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | indent 4 }} {{ $gateway.labels | toYaml | indent 4 }}
@ -32,7 +34,7 @@ spec:
release: istio release: istio
chart: gateways chart: gateways
{{- end }} {{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }} {{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }} service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}} {{- else}}
@ -41,14 +43,17 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }} istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways" operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
annotations: annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }} {{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020" prometheus.io/port: "15020"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus" prometheus.io/path: "/stats/prometheus"
{{- end }} {{- end }}
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }} {{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }} {{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }} {{ end }}
@ -60,7 +65,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
fsGroup: 1337 fsGroup: 1337
{{- end }} {{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }} {{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}" priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }} {{- end }}
@ -123,7 +128,7 @@ spec:
- --log_as_json - --log_as_json
{{- end }} {{- end }}
- --serviceCluster - --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }} - {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }} {{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }}
{{- end }} {{- end }}
@ -201,9 +206,9 @@ spec:
fieldRef: fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision'] fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME - name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }} value: {{ $gateway.name }}
- name: ISTIO_META_OWNER - name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }} {{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}" value: "{{ $.Values.global.meshID }}"
@ -349,3 +354,4 @@ spec:
tolerations: tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }} {{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }} {{- end }}
{{- end }}
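Review bot: Inside the `{{- if eq $gateway.injectionTemplate "" }}` guard added on line 380, the expression `"{{- ne $gateway.injectionTemplate "" }}"` on lines 400 and 407 can only ever render `"false"`, and the `inject.istio.io/templates` annotation on lines 408–410 can never be emitted, because the injected variant is handled by the new deployment-injected template; writing the literal `sidecar.istio.io/inject: "false"` as before and dropping lines 408–410 states what this file actually does. If the intent was to keep the two deployment templates textually similar, a comment to that effect would stop the next reader from hunting for the case where this evaluates to true. The `if` opened on line 380 closes on line 444, with unshown lines between the hunks.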


@ -0,0 +1,143 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}
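Review bot: `value: {{ $val }}` on line 550 emits gateway `env` values unquoted, so an entry such as `FOO: true` or a numeric value renders as a YAML boolean or number and fails API validation because container env values must be strings, and a value starting with `*`, `&` or `{` breaks the YAML outright; `value: {{ $val | quote }}` matches the `| quote` already used for `mountPath` and `secretName` in this file (lines 555, 572). The fallback `{{ $gateway.name | default "istio-ingressgateway" }}` on lines 458 and 513 is also out of step with the rest of this change, which removes the default everywhere else (line 384 and following), so the two templates will diverge if `name` is ever empty. The hardened pod settings on lines 528–536 and 545–547 are a good default; a short comment noting that `runAsRoot: true` disables all of them would help operators judge that trade-off.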


@ -3,7 +3,7 @@
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | trim | indent 4 }} {{ $gateway.labels | toYaml | trim | indent 4 }}


@ -1,78 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
release: {{ .Release.Name }} release: {{ .Release.Name }}


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
release: {{ .Release.Name }} release: {{ .Release.Name }}
@ -12,8 +12,8 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account name: {{ $gateway.name }}-service-account
--- ---


@ -3,7 +3,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
annotations: annotations:
{{- range $key, $val := $gateway.serviceAnnotations }} {{- range $key, $val := $gateway.serviceAnnotations }}


@ -8,7 +8,7 @@ imagePullSecrets:
{{- end }} {{- end }}
{{- end }} {{- end }}
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | trim | indent 4 }} {{ $gateway.labels | toYaml | trim | indent 4 }}


@ -120,6 +120,9 @@ gateways:
# whether to run the gateway in a privileged container # whether to run the gateway in a privileged container
runAsRoot: false runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes. # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: "" revision: ""
@ -171,7 +174,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.1 tag: 1.9.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-private-ingress name: istio-private-ingress
version: 1.9.1 version: 1.9.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -3,7 +3,7 @@
apiVersion: autoscaling/v2beta1 apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | indent 4 }} {{ $gateway.labels | toYaml | indent 4 }}
@ -17,7 +17,7 @@ spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
metrics: metrics:
- type: Resource - type: Resource
resource: resource:


@ -1,8 +1,10 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if eq $gateway.injectionTemplate "" }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | indent 4 }} {{ $gateway.labels | toYaml | indent 4 }}
@ -32,7 +34,7 @@ spec:
release: istio release: istio
chart: gateways chart: gateways
{{- end }} {{- end }}
service.istio.io/canonical-name: {{ $gateway.name | default "istio-ingressgateway" }} service.istio.io/canonical-name: {{ $gateway.name }}
{{- if not (eq .Values.revision "") }} {{- if not (eq .Values.revision "") }}
service.istio.io/canonical-revision: {{ .Values.revision }} service.istio.io/canonical-revision: {{ .Values.revision }}
{{- else}} {{- else}}
@ -41,14 +43,17 @@ spec:
istio.io/rev: {{ .Values.revision | default "default" }} istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways" operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
annotations: annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }} {{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020" prometheus.io/port: "15020"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus" prometheus.io/path: "/stats/prometheus"
{{- end }} {{- end }}
sidecar.istio.io/inject: "false" sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"
{{- if ne $gateway.injectionTemplate "" }}
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- end}}
{{- if $gateway.podAnnotations }} {{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }} {{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }} {{ end }}
@ -60,7 +65,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
fsGroup: 1337 fsGroup: 1337
{{- end }} {{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account serviceAccountName: {{ $gateway.name }}-service-account
{{- if .Values.global.priorityClassName }} {{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}" priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }} {{- end }}
@ -123,7 +128,7 @@ spec:
- --log_as_json - --log_as_json
{{- end }} {{- end }}
- --serviceCluster - --serviceCluster
- {{ $gateway.name | default "istio-ingressgateway" }} - {{ $gateway.name }}
{{- if .Values.global.sts.servicePort }} {{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }} - --stsPort={{ .Values.global.sts.servicePort }}
{{- end }} {{- end }}
@ -201,9 +206,9 @@ spec:
fieldRef: fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision'] fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: ISTIO_META_WORKLOAD_NAME - name: ISTIO_META_WORKLOAD_NAME
value: {{ $gateway.name | default "istio-ingressgateway" }} value: {{ $gateway.name }}
- name: ISTIO_META_OWNER - name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name | default "istio-ingressgateway" }} value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
{{- if $.Values.global.meshID }} {{- if $.Values.global.meshID }}
- name: ISTIO_META_MESH_ID - name: ISTIO_META_MESH_ID
value: "{{ $.Values.global.meshID }}" value: "{{ $.Values.global.meshID }}"
@ -349,3 +354,4 @@ spec:
tolerations: tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }} {{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }} {{- end }}
{{- end }}
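Review bot: Every line of this template sits under the `{{- if eq $gateway.injectionTemplate "" }}` guard opened on line 2 and closed by this `{{- end }}`, so the new `sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}"` on both the label and the annotation can only render `"false"`, and the `{{- if ne $gateway.injectionTemplate "" }}` block that adds `inject.istio.io/templates` is unreachable (unless `$gateway` is reassigned in the lines the hunks omit, which nothing visible suggests). Keeping the literal `sidecar.istio.io/inject: "false"` the old lines had and dropping the dead `inject.istio.io/templates` block states the intent directly: this is the non-injected Deployment, the injected one is rendered by the companion template. If the expression is kept on purpose, a one-line comment right after the guard, `{{/* injectionTemplate is always "" here; the injected gateway lives in the companion Deployment template */}}`, saves the next reader the trace.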


@ -0,0 +1,143 @@
{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
Any settings from values.gateways should be here - these are options specific to the gateway.
Global settings, like the image, various env vars and volumes, etc will be injected.
The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
{{- if not $gateway.autoscaleEnabled }}
{{- if $gateway.replicaCount }}
replicas: {{ $gateway.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{ $gateway.labels | toYaml | indent 6 }}
strategy:
rollingUpdate:
maxSurge: {{ $gateway.rollingMaxSurge }}
maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
template:
metadata:
labels:
{{ $gateway.labels | toYaml | indent 8 }}
{{- if eq .Release.Namespace "istio-system"}}
heritage: Tiller
release: istio
chart: gateways
{{- end }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
sidecar.istio.io/inject: "true"
{{- with .Values.revision }}
istio.io/rev: {{ . }}
{{- end }}
annotations:
{{- if .Values.meshConfig.enablePrometheusMerge }}
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
{{- end }}
sidecar.istio.io/inject: "true"
inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
{{- if $gateway.podAnnotations }}
{{ toYaml $gateway.podAnnotations | indent 8 }}
{{ end }}
spec:
{{- if not $gateway.runAsRoot }}
securityContext:
runAsUser: 1337
runAsGroup: 1337
runAsNonRoot: true
fsGroup: 1337
{{- end }}
serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: auto
ports:
{{- range $key, $val := $gateway.ports }}
- containerPort: {{ $val.targetPort | default $val.port }}
protocol: {{ $val.protocol | default "TCP" }}
{{- end }}
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
{{- if not $gateway.runAsRoot }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
resources:
{{- if $gateway.resources }}
{{ toYaml $gateway.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
{{- if not $gateway.runAsRoot }}
- name: ISTIO_META_UNPRIVILEGED_POD
value: "true"
{{- end }}
{{- range $key, $val := $gateway.env }}
- name: {{ $key }}
value: {{ $val }}
{{- end }}
volumeMounts:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- range $gateway.configVolumes }}
{{- if .mountPath }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- end }}
{{- if $gateway.additionalContainers }}
{{ toYaml $gateway.additionalContainers | indent 8 }}
{{- end }}
volumes:
{{- range $gateway.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $gateway.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
{{- include "podAntiAffinity" $gateway | indent 6 }}
{{- if $gateway.tolerations }}
tolerations:
{{ toYaml $gateway.tolerations | indent 6 }}
{{- else if .Values.global.defaultTolerations }}
tolerations:
{{ toYaml .Values.global.defaultTolerations | indent 6 }}
{{- end }}
{{- end }}
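Review bot: `value: {{ $val }}` in the `$gateway.env` loop is unquoted, and Kubernetes requires EnvVar.value to be a string: a value such as `true`, `8080` or `1.10` comes out of the YAML parser as a bool, int or float and the API server rejects the Deployment. `value: {{ $val | quote }}` renders a string in every case and matches the `| quote` this file already applies to `mountPath`, `secretName` and `configMapName`. Separately, this new template keeps `{{ $gateway.name | default "istio-ingressgateway" }}` for the Deployment name and `serviceAccountName`, while the Service, ServiceAccount, HPA, PodDisruptionBudget, Role and RoleBinding templates in the same PR drop the default; with an empty `name` the injected pod would reference `istio-ingressgateway-service-account` but the ServiceAccount rendered next to it would be `-service-account`, so the default should go here too (or come back everywhere).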


@ -3,7 +3,7 @@
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | trim | indent 4 }} {{ $gateway.labels | toYaml | trim | indent 4 }}


@ -1,78 +0,0 @@
{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if .Values.global.multiCluster.enabled }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
istio.io/rev: {{ .Values.revision | default "default" }}
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
operator.istio.io/component: "IngressGateways"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
port:
name: tls
number: 15443
protocol: TLS
tls:
mode: AUTO_PASSTHROUGH
---
{{- if .Values.global.multiCluster.includeEnvoyFilter }}
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
workloadSelector:
labels:
istio: ingressgateway
configPatches:
- applyTo: NETWORK_FILTER
match:
context: GATEWAY
listener:
portNumber: 15443
filterChain:
filter:
name: "envoy.filters.network.sni_cluster"
patch:
operation: INSERT_AFTER
value:
name: "envoy.filters.network.tcp_cluster_rewrite"
typed_config:
"@type": "type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite"
cluster_pattern: "\\.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}$"
cluster_replacement: ".svc.{{ .Values.global.proxy.clusterDomain }}"
---
{{- end }}
## To ensure all traffic to globalDomainSuffix is using mTLS
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: istio-multicluster-ingressgateway
namespace: {{ .Release.Namespace }}
labels:
{{ $gateway.labels | toYaml | indent 4 }}
release: {{ .Release.Name }}
spec:
host: "*.{{ .Values.global.multiCluster.globalDomainSuffix | trim }}"
{{- if .Values.global.defaultConfigVisibilitySettings }}
exportTo:
- '*'
{{- end }}
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
{{- end }}


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
release: {{ .Release.Name }} release: {{ .Release.Name }}


@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
release: {{ .Release.Name }} release: {{ .Release.Name }}
@ -12,8 +12,8 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ $gateway.name | default "istio-ingressgateway" }}-sds name: {{ $gateway.name }}-sds
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account name: {{ $gateway.name }}-service-account
--- ---


@ -3,7 +3,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }} name: {{ $gateway.name }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
annotations: annotations:
{{- range $key, $val := $gateway.serviceAnnotations }} {{- range $key, $val := $gateway.serviceAnnotations }}


@ -8,7 +8,7 @@ imagePullSecrets:
{{- end }} {{- end }}
{{- end }} {{- end }}
metadata: metadata:
name: {{ $gateway.name | default "istio-ingressgateway" }}-service-account name: {{ $gateway.name }}-service-account
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
{{ $gateway.labels | toYaml | trim | indent 4 }} {{ $gateway.labels | toYaml | trim | indent 4 }}


@ -120,6 +120,9 @@ gateways:
# whether to run the gateway in a privileged container # whether to run the gateway in a privileged container
runAsRoot: false runAsRoot: false
# The injection template to use for the gateway. If not set, no injection will be performed.
injectionTemplate: ""
# Revision is set as 'version' label and part of the resource names when installing multiple control planes. # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: "" revision: ""
@ -171,7 +174,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.1 tag: 1.9.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.5.0 version: 0.5.1
appVersion: 1.9.1 appVersion: 1.9.2
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: base - name: base
version: 1.9.1 version: 1.9.2
- name: istio-discovery - name: istio-discovery
version: 1.9.1 version: 1.9.2
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: base name: base
version: 1.9.1 version: 1.9.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs description: Helm chart for deploying Istio cluster resources and CRDs
keywords: keywords:


@ -2473,7 +2473,8 @@ spec:
format: int32 format: int32
type: integer type: integer
perTryTimeout: perTryTimeout:
description: Timeout per retry attempt for a given request. description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string type: string
retryOn: retryOn:
description: Specifies the conditions under which retry takes description: Specifies the conditions under which retry takes


@ -2475,7 +2475,8 @@ spec:
format: int32 format: int32
type: integer type: integer
perTryTimeout: perTryTimeout:
description: Timeout per retry attempt for a given request. description: Timeout per attempt for a given request, including
the initial call and any retries.
type: string type: string
retryOn: retryOn:
description: Specifies the conditions under which retry takes description: Specifies the conditions under which retry takes


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-discovery name: istio-discovery
version: 1.9.1 version: 1.9.2
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane description: Helm chart for istio control plane
keywords: keywords:


@ -0,0 +1,233 @@
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
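Review bot: On the `contains "/" .Values.global.proxy.image` branch the proxy image is read from the pod's `sidecar.istio.io/proxyImage` annotation with the values entry only as fallback, so for an injected gateway the image is decided by whatever lands in the gateway Deployment's annotations; the companion Deployment template passes `$gateway.podAnnotations` through verbatim, so whoever can edit the gateway values can also swap the proxy image without touching `global.hub` or `global.tag`. That mirrors the upstream sidecar injector, but it is easy to miss in a gateway template, and a comment on that line would make it explicit: `# pod annotation sidecar.istio.io/proxyImage overrides global.proxy.image when that value already carries a registry path`. The `value: "{{ $value }}"` lines under `ProxyConfig.ProxyMetadata` (and the `meshID`/`network`/`trustDomain` ones) interpolate inside double quotes, so a value containing `"` or `\` breaks the rendered YAML; `value: {{ $value | quote }}` escapes correctly.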


@ -695,6 +695,240 @@ data:
securityContext: securityContext:
fsGroup: 1337 fsGroup: 1337
{{- end }} {{- end }}
gateway: |
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
labels:
service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
istio.io/rev: {{ .Revision | default "default" | quote }}
annotations: {
{{- if eq (len $containers) 1 }}
kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
{{ end }}
}
spec:
containers:
- name: istio-proxy
{{- if contains "/" .Values.global.proxy.image }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
- --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
{{- if .Values.global.sts.servicePort }}
- --stsPort={{ .Values.global.sts.servicePort }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
{{- end }}
env:
- name: JWT_POLICY
value: {{ .Values.global.jwtPolicy }}
- name: PILOT_CERT_PROVIDER
value: {{ .Values.global.pilotCertProvider }}
- name: CA_ADDR
{{- if .Values.global.caAddress }}
value: {{ .Values.global.caAddress }}
{{- else }}
value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: CANONICAL_SERVICE
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-name']
- name: CANONICAL_REVISION
valueFrom:
fieldRef:
fieldPath: metadata.labels['service.istio.io/canonical-revision']
- name: PROXY_CONFIG
value: |
{{ protoToJSON .ProxyConfig }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_APP_CONTAINERS
value: "{{ $containers | join "," }}"
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ .ProxyConfig.InterceptionMode.String }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: "{{ .DeploymentMeta.Name }}"
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
{{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
- name: TRUST_DOMAIN
value: "{{ . }}"
{{- end }}
{{- range $key, $value := .ProxyConfig.ProxyMetadata }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
timeoutSeconds: 3
failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
volumeMounts:
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
# SDS channel between istioagent and Envoy
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
- name: istio-podinfo
mountPath: /etc/istio/pod
volumes:
# SDS channel between istioagent and Envoy
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-data
emptyDir: {}
- name: istio-podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- path: "cpu-limit"
resourceFieldRef:
containerName: istio-proxy
resource: limits.cpu
divisor: 1m
- path: "cpu-request"
resourceFieldRef:
containerName: istio-proxy
resource: requests.cpu
divisor: 1m
{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
- name: istio-token
projected:
sources:
- serviceAccountToken:
path: istio-token
expirationSeconds: 43200
audience: {{ .Values.global.sds.token.aud }}
{{- end }}
{{- if eq .Values.global.pilotCertProvider "istiod" }}
- name: istiod-ca-cert
configMap:
name: istio-ca-root-cert
{{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
securityContext:
fsGroup: 1337
{{- end }}
--- ---
# Source: istio-discovery/templates/service.yaml # Source: istio-discovery/templates/service.yaml
apiVersion: v1 apiVersion: v1


@ -1,4 +1,4 @@
{{- $containers := list }} {{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata: metadata:
labels: labels:


@ -48,6 +48,10 @@ data:
sidecar: | sidecar: |
{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} {{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
{{- end }} {{- end }}
{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
gateway: |
{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
{{- end }}
{{- with .Values.sidecarInjectorWebhook.templates }} {{- with .Values.sidecarInjectorWebhook.templates }}
{{ toYaml . | trim | indent 6 }} {{ toYaml . | trim | indent 6 }}
{{- end }} {{- end }}


@ -232,7 +232,7 @@ global:
# Dev builds from prow are on gcr.io # Dev builds from prow are on gcr.io
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.1 tag: 1.9.2
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
set -ex set -ex
export ISTIO_VERSION=1.9.1 export ISTIO_VERSION=1.9.2
if [ ! -d istio-$ISTIO_VERSION ]; then if [ ! -d istio-$ISTIO_VERSION ]; then
NAME="istio-$ISTIO_VERSION" NAME="istio-$ISTIO_VERSION"


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-logging name: kubezero-logging
description: KubeZero Umbrella Chart for complete EFK stack description: KubeZero Umbrella Chart for complete EFK stack
type: application type: application
version: 0.6.2 version: 0.6.4
appVersion: 1.4.1 appVersion: 1.4.1
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
@ -26,6 +26,6 @@ dependencies:
version: 0.2.2 version: 0.2.2
condition: fluentd.enabled condition: fluentd.enabled
- name: fluent-bit - name: fluent-bit
version: 0.12.3 version: 0.15.4
condition: fluent-bit.enabled condition: fluent-bit.enabled
kubeVersion: ">= 1.16.0" kubeVersion: ">= 1.18.0"


@ -1,8 +1,8 @@
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- add custom annotations on dashboards configmap - Upgrade fluent-bit image to v1.7.3
apiVersion: v2 apiVersion: v2
appVersion: 1.7.2 appVersion: 1.7.3
description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems. description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems.
home: https://fluentbit.io/ home: https://fluentbit.io/
icon: https://fluentbit.io/assets/img/logo1-default.png icon: https://fluentbit.io/assets/img/logo1-default.png
@ -20,4 +20,4 @@ maintainers:
name: fluent-bit name: fluent-bit
sources: sources:
- https://github.com/fluent/fluent-bit/ - https://github.com/fluent/fluent-bit/
version: 0.12.3 version: 0.15.4


@ -122,7 +122,7 @@
"pluginVersion": "7.2.1", "pluginVersion": "7.2.1",
"targets": [ "targets": [
{ {
"expr": "sum(kube_pod_info{pod=~\".*fluent-bit.*\"})", "expr": "sum(kube_pod_info{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\"})",
"format": "time_series", "format": "time_series",
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
@ -221,7 +221,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{ pod }}/{{name}}", "legendFormat": "{{"{{"}} pod {{"}}"}}/{{"{{"}}name{{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -325,7 +325,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{ pod }}/{{name}}", "legendFormat": "{{"{{"}} pod {{"}}"}}/{{"{{"}}name{{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -429,7 +429,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{ pod }}/{{name}}", "legendFormat": "{{"{{"}} pod {{"}}"}}/{{"{{"}}name{{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -535,7 +535,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{ pod }}/{{name}}", "legendFormat": "{{"{{"}} pod {{"}}"}}/{{"{{"}}name{{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -641,7 +641,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{pod}} Retries to {{name}}", "legendFormat": "{{"{{"}}pod{{"}}"}} Retries to {{"{{"}}name{{"}}"}}",
"refId": "A" "refId": "A"
}, },
{ {
@ -649,7 +649,7 @@
"format": "time_series", "format": "time_series",
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{pod}} Failed Retries to {{ name }}", "legendFormat": "{{"{{"}}pod{{"}}"}} Failed Retries to {{"{{"}} name {{"}}"}}",
"refId": "B" "refId": "B"
} }
], ],
@ -756,7 +756,7 @@
"hide": false, "hide": false,
"interval": "", "interval": "",
"intervalFactor": 1, "intervalFactor": 1,
"legendFormat": "{{ pod }}/{{ name }}", "legendFormat": "{{"{{"}} pod {{"}}"}}/{{"{{"}} name {{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -851,7 +851,7 @@
{ {
"expr": "sum(rate(fluentbit_filter_drop_records_total{pod=~\"$pod\"}[5m])) by (pod, instance, name)", "expr": "sum(rate(fluentbit_filter_drop_records_total{pod=~\"$pod\"}[5m])) by (pod, instance, name)",
"interval": "", "interval": "",
"legendFormat": "{{ pod }} / {{ name }}", "legendFormat": "{{"{{"}} pod {{"}}"}} / {{"{{"}} name {{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -946,7 +946,7 @@
{ {
"expr": "sum(rate(fluentbit_filter_add_records_total{pod=~\"$pod\"}[5m])) by (pod, instance, name)", "expr": "sum(rate(fluentbit_filter_add_records_total{pod=~\"$pod\"}[5m])) by (pod, instance, name)",
"interval": "", "interval": "",
"legendFormat": "{{ pod }} / {{ name }}", "legendFormat": "{{"{{"}} pod {{"}}"}} / {{"{{"}} name {{"}}"}}",
"refId": "A" "refId": "A"
} }
], ],
@ -1059,15 +1059,15 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "container_memory_working_set_bytes{pod=~\".*fluent-bit.*\",pod=~\"$pod\", image!=\"\", container!=\"POD\"}\n", "expr": "container_memory_working_set_bytes{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\",pod=~\"$pod\", image!=\"\", container!=\"POD\"}\n",
"interval": "", "interval": "",
"legendFormat": "{{ pod }}", "legendFormat": "{{"{{"}} pod {{"}}"}}",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "avg(kube_pod_container_resource_requests_memory_bytes{pod=~\".*fluent-bit.*\",pod=~\"$pod\"}) by (pod)", "expr": "avg(kube_pod_container_resource_requests_memory_bytes{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\",pod=~\"$pod\"}) by (pod)",
"interval": "", "interval": "",
"legendFormat": "{{ pod }} request", "legendFormat": "{{"{{"}} pod {{"}}"}} request",
"refId": "B" "refId": "B"
} }
], ],
@ -1075,7 +1075,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "Memroy Usage", "title": "Memory Usage",
"tooltip": { "tooltip": {
"shared": true, "shared": true,
"sort": 0, "sort": 0,
@ -1166,15 +1166,15 @@
"steppedLine": false, "steppedLine": false,
"targets": [ "targets": [
{ {
"expr": "rate(container_cpu_usage_seconds_total{pod=~\".*fluent-bit.*\",pod=~\"$pod\",image!=\"\",container!=\"POD\"}[5m])", "expr": "rate(container_cpu_usage_seconds_total{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\",pod=~\"$pod\",image!=\"\",container!=\"POD\"}[5m])",
"interval": "", "interval": "",
"legendFormat": "{{ pod }}", "legendFormat": "{{"{{"}} pod {{"}}"}}",
"refId": "A" "refId": "A"
}, },
{ {
"expr": "avg(kube_pod_container_resource_requests_cpu_cores{pod=~\"$pod\"}) by (pod)", "expr": "avg(kube_pod_container_resource_requests_cpu_cores{pod=~\"$pod\"}) by (pod)",
"interval": "", "interval": "",
"legendFormat": "{{ pod }} request", "legendFormat": "{{"{{"}} pod {{"}}"}} request",
"refId": "B" "refId": "B"
} }
], ],
@ -1249,14 +1249,14 @@
"allValue": null, "allValue": null,
"current": {}, "current": {},
"datasource": "$DS_PROMETHEUS", "datasource": "$DS_PROMETHEUS",
"definition": "label_values(kube_pod_info{pod=~\".*fluent-bit.*\"}, pod)", "definition": "label_values(kube_pod_info{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\"}, pod)",
"hide": 0, "hide": 0,
"includeAll": true, "includeAll": true,
"label": "pod", "label": "pod",
"multi": false, "multi": false,
"name": "pod", "name": "pod",
"options": [], "options": [],
"query": "label_values(kube_pod_info{pod=~\".*fluent-bit.*\"}, pod)", "query": "label_values(kube_pod_info{pod=~\".*{{ include "fluent-bit.fullname" . }}.*\"}, pod)",
"refresh": 2, "refresh": 2,
"regex": "", "regex": "",
"skipUrlSync": false, "skipUrlSync": false,
@ -1299,7 +1299,7 @@
] ]
}, },
"timezone": "", "timezone": "",
"title": "Fluent Bit", "title": "{{ include "fluent-bit.fullname" . }}",
"uid": "fluentbit", "uid": "{{ include "fluent-bit.fullname" . }}",
"version": 2 "version": 2
} }
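Review bot: The dashboard `uid` is now the release fullname, and Grafana limits dashboard uids to 40 characters; if the chart's fullname helper uses the usual 63-character truncation, a long release name will make Grafana reject the provisioned dashboard. Truncating keeps it valid and still unique per release: `"uid": "{{ include "fluent-bit.fullname" . | trunc 40 }}"`. Because the file is now rendered through tpl, every literal Grafana placeholder had to be rewritten as `{{"{{"}} pod {{"}}"}}`; that contract is not recorded anywhere in this file, so a short top-of-file note in the chart's README or dashboards template would spare the next person who adds a dashboard a render failure.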


@ -28,6 +28,14 @@ containers:
{{- if .Values.envFrom }} {{- if .Values.envFrom }}
envFrom: envFrom:
{{- toYaml .Values.envFrom | nindent 4 }} {{- toYaml .Values.envFrom | nindent 4 }}
{{- end }}
{{- if .Values.args }}
args:
{{- toYaml .Values.args | nindent 6 }}
{{- end}}
{{- if .Values.command }}
command:
{{- toYaml .Values.command | nindent 6 }}
{{- end }} {{- end }}
ports: ports:
- name: http - name: http
@ -43,35 +51,39 @@ containers:
{{- if .Values.livenessProbe }} {{- if .Values.livenessProbe }}
livenessProbe: livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 6 }} {{- toYaml .Values.livenessProbe | nindent 6 }}
{{- else }}
livenessProbe:
httpGet:
path: /
port: http
{{- end }} {{- end }}
{{- if .Values.readinessProbe }} {{- if .Values.readinessProbe }}
readinessProbe: readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 6 }} {{- toYaml .Values.readinessProbe | nindent 6 }}
{{- else }}
readinessProbe:
httpGet:
path: /
port: http
{{- end }} {{- end }}
resources: resources:
{{- toYaml .Values.resources | nindent 6 }} {{- toYaml .Values.resources | nindent 6 }}
volumeMounts: volumeMounts:
- name: config {{- toYaml .Values.volumeMounts | nindent 6 }}
mountPath: /fluent-bit/etc/fluent-bit.conf
subPath: fluent-bit.conf
- name: config
mountPath: /fluent-bit/etc/custom_parsers.conf
subPath: custom_parsers.conf
{{- range $key, $value := .Values.luaScripts }} {{- range $key, $value := .Values.luaScripts }}
- name: luascripts - name: luascripts
mountPath: /fluent-bit/scripts/{{ $key }} mountPath: /fluent-bit/scripts/{{ $key }}
subPath: {{ $key }} subPath: {{ $key }}
{{- end }} {{- end }}
{{- if eq .Values.kind "DaemonSet" }} {{- if eq .Values.kind "DaemonSet" }}
- name: varlog {{- toYaml .Values.daemonSetVolumeMounts | nindent 6 }}
mountPath: /var/log
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
{{- end }} {{- end }}
{{- if .Values.extraVolumeMounts }} {{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 6 }} {{- toYaml .Values.extraVolumeMounts | nindent 6 }}
{{- end }} {{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 2 }}
{{- end }}
volumes: volumes:
- name: config - name: config
configMap: configMap:
@ -82,13 +94,7 @@ volumes:
name: {{ include "fluent-bit.fullname" . }}-luascripts name: {{ include "fluent-bit.fullname" . }}-luascripts
{{- end }} {{- end }}
{{- if eq .Values.kind "DaemonSet" }} {{- if eq .Values.kind "DaemonSet" }}
- name: varlog {{- toYaml .Values.daemonSetVolumes | nindent 2 }}
hostPath:
path: /var/log
- name: etcmachineid
hostPath:
path: /etc/machine-id
type: File
{{- end }} {{- end }}
{{- if .Values.extraVolumes }} {{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 2 }} {{- toYaml .Values.extraVolumes | nindent 2 }}
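Review bot: With the new `{{- else }}` branches, an empty `livenessProbe`/`readinessProbe` value now renders the default httpGet probe, so a probe can no longer be disabled from values (previously an empty value rendered none); if disabling is still meant to be supported, gate the default on a separate flag, otherwise document that the probe can only be replaced. The unconditional `{{- toYaml .Values.volumeMounts | nindent 6 }}` under `volumeMounts:` renders `[]` when the value is an empty list, and the luascripts or daemonSet entries that may follow then produce invalid YAML; wrapping it in `{{- with .Values.volumeMounts }}` avoids that. Minor: `{{- end}}` after the `args` block is missing the space used by every other `{{- end }}`. The `containers:` item being edited starts before the first hunk.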


@ -11,8 +11,8 @@ rules:
resources: resources:
- pods - pods
- namespaces - namespaces
- nodes #- nodes
- nodes/proxy #- nodes/proxy
verbs: verbs:
- get - get
- list - list
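Review bot: The `nodes` and `nodes/proxy` resources are left as commented-out list entries rather than removed, which reads as an accident rather than a deliberate reduction; `nodes/proxy` grants read access to the kubelet API on every node, so dropping it is a real least-privilege improvement worth stating. Replace the two commented lines with one comment such as `# nodes and nodes/proxy are intentionally not granted; add them back only if the kubernetes filter is configured to read pod metadata from the kubelet`. The rule's `verbs` list may continue past the hunk.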


@ -14,7 +14,7 @@ metadata:
{{ $.Values.dashboards.labelKey }}: "1" {{ $.Values.dashboards.labelKey }}: "1"
data: data:
{{ base $path }}: | {{ base $path }}: |
{{- $.Files.Get $path | nindent 4 }} {{- tpl ($.Files.Get $path) $ | nindent 4 }}
--- ---
{{- end }} {{- end }}
{{- end -}} {{- end -}}
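Review bot: Rendering each dashboard file through `tpl` means any literal `{{` in the JSON — Grafana's own legend placeholders — is now parsed as a template action and aborts the render unless escaped, and nothing in this template records that contract. Since a YAML `#` comment containing `{{` would itself be evaluated, record it as a template comment above the `data:` line: `{{- /* dashboard files are rendered with tpl: write Grafana placeholders as {{"{{"}} pod {{"}}"}} in the JSON */ -}}`. The enclosing `range` over dashboard paths starts before the hunk.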


@ -3,6 +3,10 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ include "fluent-bit.fullname" . }} name: {{ include "fluent-bit.fullname" . }}
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{- toYaml .Values.podSecurityPolicy.annotations | nindent 4 }}
{{- end }}
spec: spec:
privileged: false privileged: false
# Required to prevent escalations to root. # Required to prevent escalations to root.


@ -32,6 +32,7 @@ rbac:
podSecurityPolicy: podSecurityPolicy:
create: false create: false
annotations: {}
podSecurityContext: podSecurityContext:
{} {}
@ -96,15 +97,15 @@ dashboards:
annotations: {} annotations: {}
livenessProbe: livenessProbe: {}
httpGet: # httpGet:
path: / # path: /
port: http # port: http
readinessProbe: readinessProbe:
httpGet: # httpGet:
path: / # path: /
port: http # port: http
resources: resources:
{} {}
@ -131,6 +132,11 @@ env: []
envFrom: [] envFrom: []
extraContainers: []
# - name: do-something
# image: busybox
# command: ['do', 'something']
extraPorts: [] extraPorts: []
# - port: 5170 # - port: 5170
# containerPort: 5170 # containerPort: 5170
@ -220,3 +226,38 @@ config:
Time_Keep Off Time_Keep Off
Time_Key time Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L Time_Format %Y-%m-%dT%H:%M:%S.%L
# The config volume is mounted by default, either to the existingConfigMap value, or the default of "fluent-bit.fullname"
volumeMounts:
- name: config
mountPath: /fluent-bit/etc/fluent-bit.conf
subPath: fluent-bit.conf
- name: config
mountPath: /fluent-bit/etc/custom_parsers.conf
subPath: custom_parsers.conf
daemonSetVolumes:
- name: varlog
hostPath:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: etcmachineid
hostPath:
path: /etc/machine-id
type: File
daemonSetVolumeMounts:
- name: varlog
mountPath: /var/log
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
args: []
command: []
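Review bot: `readinessProbe:` with its children commented out is a bare key, which YAML reads as `null`, while its sibling was changed to `livenessProbe: {}`; both are falsy in the template guards so it renders, but `readinessProbe: {}` is consistent and is what a values schema would expect. In `daemonSetVolumeMounts`, the `/var/log` hostPath is the only host mount without `readOnly: true`; if the write access exists only for the tail DB that the KubeZero values place at `/var/log/flb_kube.db`, say so above the entry (`# writable: the kubernetes filter DB lives under /var/log`) so a later reviewer does not "fix" it. The `podSecurityPolicy` map is cut by the first hunk, so I cannot see whether `annotations: {}` is consumed anywhere besides the new template block.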


@ -1,20 +1,18 @@
diff -tubNr charts/fluent-bit/Chart.yaml charts/fluent-bit.zdt/Chart.yaml diff -tubrN charts/fluent-bit/Chart.yaml charts/fluent-bit.zdt/Chart.yaml
--- charts/fluent-bit/Chart.yaml 2021-02-23 14:58:39.000000000 +0100 --- charts/fluent-bit/Chart.yaml 2021-04-06 13:55:48.000000000 +0200
+++ charts/fluent-bit.zdt/Chart.yaml 2021-03-07 12:32:34.360084252 +0100 +++ charts/fluent-bit.zdt/Chart.yaml 2021-04-07 11:49:25.955685229 +0200
@@ -1,8 +1,8 @@ @@ -1,7 +1,7 @@
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- add custom annotations on dashboards configmap - Upgrade fluent-bit image to v1.7.3
-apiVersion: v1 -apiVersion: v1
-appVersion: 1.7.1
+apiVersion: v2 +apiVersion: v2
+appVersion: 1.7.2 appVersion: 1.7.3
description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems. description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems.
home: https://fluentbit.io/ home: https://fluentbit.io/
icon: https://fluentbit.io/assets/img/logo1-default.png diff -tubrN charts/fluent-bit/templates/_pod.tpl charts/fluent-bit.zdt/templates/_pod.tpl
diff -tubNr charts/fluent-bit/templates/_pod.tpl charts/fluent-bit.zdt/templates/_pod.tpl --- charts/fluent-bit/templates/_pod.tpl 2021-04-06 13:55:48.000000000 +0200
--- charts/fluent-bit/templates/_pod.tpl 2021-02-23 14:58:39.000000000 +0100 +++ charts/fluent-bit.zdt/templates/_pod.tpl 2021-04-07 11:53:45.609030378 +0200
+++ charts/fluent-bit.zdt/templates/_pod.tpl 2021-03-07 12:45:11.766785251 +0100
@@ -13,6 +13,8 @@ @@ -13,6 +13,8 @@
dnsConfig: dnsConfig:
{{- toYaml . | nindent 2 }} {{- toYaml . | nindent 2 }}
@ -24,41 +22,21 @@ diff -tubNr charts/fluent-bit/templates/_pod.tpl charts/fluent-bit.zdt/templates
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
securityContext: securityContext:
@@ -63,9 +65,6 @@ diff -tubrN charts/fluent-bit/templates/clusterrole.yaml charts/fluent-bit.zdt/templates/clusterrole.yaml
{{- if eq .Values.kind "DaemonSet" }} --- charts/fluent-bit/templates/clusterrole.yaml 2021-04-06 13:55:48.000000000 +0200
- name: varlog +++ charts/fluent-bit.zdt/templates/clusterrole.yaml 2021-04-07 11:53:26.049029491 +0200
mountPath: /var/log
- - name: varlibdockercontainers
- mountPath: /var/lib/docker/containers
- readOnly: true
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
@@ -86,9 +85,6 @@
- name: varlog
hostPath:
path: /var/log
- - name: varlibdockercontainers
- hostPath:
- path: /var/lib/docker/containers
- name: etcmachineid
hostPath:
path: /etc/machine-id
diff -tubNr charts/fluent-bit/templates/clusterrole.yaml charts/fluent-bit.zdt/templates/clusterrole.yaml
--- charts/fluent-bit/templates/clusterrole.yaml 2021-02-23 14:58:39.000000000 +0100
+++ charts/fluent-bit.zdt/templates/clusterrole.yaml 2021-03-07 12:32:34.363417586 +0100
@@ -11,6 +11,8 @@ @@ -11,6 +11,8 @@
resources: resources:
- pods - pods
- namespaces - namespaces
+ - nodes + #- nodes
+ - nodes/proxy + #- nodes/proxy
verbs: verbs:
- get - get
- list - list
diff -tubNr charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent-bit.zdt/templates/tests/test-connection.yaml diff -tubrN charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent-bit.zdt/templates/tests/test-connection.yaml
--- charts/fluent-bit/templates/tests/test-connection.yaml 2021-02-23 14:58:39.000000000 +0100 --- charts/fluent-bit/templates/tests/test-connection.yaml 2021-04-06 13:55:48.000000000 +0200
+++ charts/fluent-bit.zdt/templates/tests/test-connection.yaml 2021-03-07 12:32:34.363417586 +0100 +++ charts/fluent-bit.zdt/templates/tests/test-connection.yaml 2021-04-07 11:52:34.199027132 +0200
@@ -1,3 +1,4 @@ @@ -1,3 +1,4 @@
+{{- if .Values.testFramework.enabled }} +{{- if .Values.testFramework.enabled }}
apiVersion: v1 apiVersion: v1
@ -69,9 +47,9 @@ diff -tubNr charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent
{{- end }} {{- end }}
restartPolicy: Never restartPolicy: Never
+{{- end }} +{{- end }}
diff -tubNr charts/fluent-bit/values.yaml charts/fluent-bit.zdt/values.yaml diff -tubrN charts/fluent-bit/values.yaml charts/fluent-bit.zdt/values.yaml
--- charts/fluent-bit/values.yaml 2021-02-23 14:58:39.000000000 +0100 --- charts/fluent-bit/values.yaml 2021-04-06 13:55:48.000000000 +0200
+++ charts/fluent-bit.zdt/values.yaml 2021-03-07 12:32:34.363417586 +0100 +++ charts/fluent-bit.zdt/values.yaml 2021-04-07 11:52:54.742361399 +0200
@@ -12,6 +12,7 @@ @@ -12,6 +12,7 @@
# tag: # tag:


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
FLUENT_BIT_VERSION=0.12.3 FLUENT_BIT_VERSION=0.15.4
FLUENTD_VERSION=0.2.2 FLUENTD_VERSION=0.2.2
# Fluent Bit # Fluent Bit


@ -227,7 +227,7 @@ fluent-bit:
tls: false tls: false
input: input:
memBufLimit: 16MB memBufLimit: 4MB
refreshInterval: 10 refreshInterval: 10
logLevel: warn logLevel: warn
@ -256,7 +256,7 @@ fluent-bit:
DB /var/log/flb_kube.db DB /var/log/flb_kube.db
DB.Sync Normal DB.Sync Normal
{{- with .Values.config.input }} {{- with .Values.config.input }}
Mem_Buf_Limit {{ default "16MB" .memBufLimit }} Mem_Buf_Limit {{ default "4MB" .memBufLimit }}
Refresh_Interval {{ default 10 .refreshInterval }} Refresh_Interval {{ default 10 .refreshInterval }}
{{- end }} {{- end }}
@ -350,3 +350,19 @@ fluent-bit:
end end
return 1, timestamp, new_record return 1, timestamp, new_record
end end
daemonSetVolumes:
- name: varlog
hostPath:
path: /var/log
- name: etcmachineid
hostPath:
path: /etc/machine-id
type: File
daemonSetVolumeMounts:
- name: varlog
mountPath: /var/log
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
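Review bot: The `daemonSetVolumes` and `daemonSetVolumeMounts` lists set here replace the subchart's defaults wholesale (Helm merges maps but substitutes lists), so the `/var/lib/docker/containers` host mount present in the subchart default is dropped for KubeZero; if that is intentional, a comment above the lists makes the override self-explaining: `# replaces the subchart's default lists; /var/lib/docker/containers is deliberately not mounted`. Lowering `memBufLimit` to `4MB` in both the values key and the `Mem_Buf_Limit` default keeps the two in step, which is good. The `fluent-bit:` map starts before the first hunk.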


@ -31,5 +31,5 @@ spec:
op_timeout: 5s op_timeout: 5s
enable_redirection: true enable_redirection: true
enable_command_stats: true enable_command_stats: true
read_policy: PREFER_REPLICA read_policy: PREFER_MASTER
{{- end }} {{- end }}


@ -31,21 +31,24 @@ This change was required to enable node restrictions via the upstream aws-iam-au
- Fluentd replicaCount default from 2 to 1 - Fluentd replicaCount default from 2 to 1
## Upgrade - Without ArgoCD ## Upgrade - Without ArgoCD
### CRDs: 1. Update CRDs of all enabled components:
( commands assume latest kubezero repository being checkout next to this git repository to deploy master / non-released version ) `./bootstrap.sh crds all clusters/$CLUSTER`
`./bootstrap.sh crds all clusters/$CLUSTER ../../../kubezero/charts`
### Components 2. Prepare upgrade
`./bootstrap.sh deploy all clusters/$CLUSTER ../../../kubezero/charts` - delete old fluentd deployement because labels are immutable and they changed due to the migration to new upstream helm chart
`kubectl delete deployment logging-fluentd -n logging`
3. Upgrade all components
`./bootstrap.sh deploy all clusters/$CLUSTER`
## Upgrade - ArgoCD ## Upgrade - ArgoCD
- push latest config to git repo - ArgoCD needs to be upgraded first to support latest Helm chart requirements: `./bootstrap.sh deploy argocd clusters/$CLUSTER`
- verify correct branch etc. ( argoless branch is retired ! ) - push latest cluster config to your git repo
- verify correct branch etc. ( eg. argoless branch has been retired ! )
- trigger sync in ArgoCD starting with the KubeZero root app - trigger sync in ArgoCD starting with the KubeZero root app
( only if auto-sync is not enabled ) ( only if auto-sync is not enabled )
## Verification / Tests ## Verification / Tests
- check if all pods are RUNNING - check if all pods are RUNNING
- check any Ingress services - check any Ingress services
- ... - ...

@ -0,0 +1 @@
Subproject commit 25b8ebe3cc2af88643a4674a63e651e9c31245cb


@ -0,0 +1,33 @@
#!/bin/bash
#
# Reject pushes that contain commits with messages that do not adhere
# to the defined regex.
# [1] https://www.conventionalcommits.org/en/v1.0.0/#specification
set -e
zero_commit='0000000000000000000000000000000000000000'
msg_regex='^((fixup! |squash! )?(fix|feat|build|chore|ci|docs|style|refactor|perf|test)(?:\(([^\)\s]+)\))?: (.+))(?:\n|$){0,2}?((?:^.+(\n|$))+(?:\n|$){0,2}?)*((?:^.+(\n|$))+)*'
while read -r oldrev newrev refname; do
# Branch or tag got deleted, ignore the push
[ "$newrev" = "$zero_commit" ] && continue
# Calculate range for new branch/updated branch
[ "$oldrev" = "$zero_commit" ] && range="$newrev" || range="$oldrev..$newrev"
for commit in $(git rev-list "$range" --not --all); do
if ! git log --max-count=1 --format=%B $commit | grep -iqE "$msg_regex"; then
echo "ERROR:"
echo "ERROR: Your push was rejected because the commit"
echo "ERROR: $commit in ${refname#refs/heads/}"
echo "ERROR: is not adhering to convential commit format."
echo "ERROR:"
echo "ERROR: Please fix the commit message and push again."
echo "ERROR: https://www.conventionalcommits.org/en/v1.0.0/#specification"
echo "ERROR"
exit 1
fi
done
done
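Review bot: `msg_regex` is written in PCRE syntax (`(?:...)`, `\s`, lazy `{0,2}?`, `\n`) but is evaluated with `grep -E`, which is POSIX ERE; GNU grep will either reject the pattern or match something other than intended, and because the result is negated with `!`, a grep error rejects every push instead of letting bad messages through. Piping the whole body (`%B`) also lets any matching body line satisfy a line-oriented grep even when the subject is wrong. Checking the subject only with an ERE the tool supports fixes both: `msg_regex='^(fixup! |squash! )?(fix|feat|build|chore|ci|docs|style|refactor|perf|test)(\([^) ]+\))?: .+'` and `if ! git log --max-count=1 --format=%s "$commit" | grep -iqE "$msg_regex"; then`. The user-facing message also misspells "conventional" as "convential".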


@ -11,7 +11,7 @@ GIT_PUSH=${GIT_PUSH:-true}
[[ "$(git branch --show-current)" == "stable" || -n "$FORCE" ]] || { echo "Helm packages should only be built from stable branch !"; exit 1; } [[ "$(git branch --show-current)" == "stable" || -n "$FORCE" ]] || { echo "Helm packages should only be built from stable branch !"; exit 1; }
TMPDIR=$(mktemp -d kubezero-repo.XXX) TMPDIR=$(mktemp -d kubezero-repo.XXX)
mkdir -p $TMPDIR/stage mkdir -p $TMPDIR/stage && trap 'rm -rf $TMPDIR' ERR EXIT
git clone -b gh-pages ssh://git@git.zero-downtime.net:22000/ZeroDownTime/KubeZero.git $TMPDIR/repo git clone -b gh-pages ssh://git@git.zero-downtime.net:22000/ZeroDownTime/KubeZero.git $TMPDIR/repo
# Reset all # Reset all
@ -52,7 +52,7 @@ git status
if [ "$GIT_PUSH" == "true" ] if [ "$GIT_PUSH" == "true" ]
then then
git add . && git commit -m "Publish charts" && git push ssh://git@git.zero-downtime.net:22000/ZeroDownTime/KubeZero.git gh-pages git add . && git commit -m "ci: Publish charts" && git push ssh://git@git.zero-downtime.net:22000/ZeroDownTime/KubeZero.git gh-pages
fi fi
cd - cd -
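Review bot: The added `trap 'rm -rf $TMPDIR' ERR EXIT` expands `$TMPDIR` unquoted at exit time, and because `mktemp -d kubezero-repo.XXX` creates a relative path, the cleanup only hits the right directory if the shell is still in the original working directory when it exits; the `cd -` at the end of the second hunk suggests the script changes directory in between, so an early failure could leave the temp tree behind or remove a same-named directory elsewhere. `TMPDIR` is also the variable mktemp and other tools read for their temp location, and if it is already exported in the caller's environment this assignment changes what every child process sees. Prefer an absolute path and a quoted expansion: `TMPDIR=$(mktemp -d "$PWD/kubezero-repo.XXX")` and `trap 'rm -rf "$TMPDIR"' EXIT` (EXIT already fires after ERR, so listing both only runs the removal twice). The script body between the two hunks is outside view.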