diff --git a/README.md b/README.md index 8f48dbf..7b1a644 100644 --- a/README.md +++ b/README.md @@ -13,12 +13,14 @@ KubeZero is a Kubernetes distribution providing an integrated container platform # Version / Support Matrix -| KubeZero \ Kubernetes Version | v1.18 | v1.19 | v1.20 | EOL | +| KubeZero \ Kubernetes Version | v1.19 | v1.20 | v1.21 | EOL | |----------------------------------------|-------|-------|-------|-------------| -| master branch | yes | yes | beta | | -| stable branch | yes | yes | no | | -| v2.19.0 | yes | yes | no | 30 Jun 2021 | -| v2.18.0 | yes | no | no | 30 Apr 2021 | +| master branch | no | yes | alpha | | +| stable branch | yes | no | no | | +| v2.20.0 | no | yes | no | 30 Aug 2021 | +| v2.19.0 | yes | no | no | 30 Aug 2021 | + +[Upstream release policy](https://kubernetes.io/releases/) # Architecure ![aws_architecture](docs/aws_architecture.png) diff --git a/charts/kubeadm/.helmignore b/charts/kubeadm/.helmignore index 0b1f83c..cc1438c 100644 --- a/charts/kubeadm/.helmignore +++ b/charts/kubeadm/.helmignore @@ -1,2 +1,2 @@ -*.sh *.md +*.md.gotmpl diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml index b46b7d0..1918978 100644 --- a/charts/kubeadm/Chart.yaml +++ b/charts/kubeadm/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubeadm description: KubeZero Kubeadm golden config type: application -version: 1.20.0 +version: 1.20.8 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubeadm/README.md.gotmpl b/charts/kubeadm/README.md.gotmpl index ab835c6..dc0e843 100644 --- a/charts/kubeadm/README.md.gotmpl +++ b/charts/kubeadm/README.md.gotmpl @@ -35,3 +35,7 @@ Installs the Istio control plane - https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration - https://github.com/awslabs/amazon-eks-ami + +### Etcd +- https://itnext.io/breaking-down-and-fixing-etcd-cluster-d81e35b9260d + 
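Review bot: Removing `*.sh` from .helmignore means charts/kubeadm/scripts/minor.sh and patch.sh, added in this same commit, are now included in the packaged chart archive. If that is the intent (presumably the scripts are meant to ship with the chart for the 1.19→1.20 upgrade path), say so in the file so the next person does not restore the pattern: `# scripts/*.sh are packaged on purpose (upgrade helpers)`. If it is not, keep `*.sh` and only add the `*.md.gotmpl` entry.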
diff --git a/charts/kubeadm/scripts/minor.sh b/charts/kubeadm/scripts/minor.sh
new file mode 100755
index 0000000..30111fb
--- /dev/null
+++ b/charts/kubeadm/scripts/minor.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Minor uppgrade from 1.19!"
diff --git a/charts/kubeadm/scripts/patch.sh b/charts/kubeadm/scripts/patch.sh
new file mode 100755
index 0000000..cd03a42
--- /dev/null
+++ b/charts/kubeadm/scripts/patch.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "Patch upgrade within 1.20"
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml
index e7da166..985b048 100644
--- a/charts/kubeadm/templates/ClusterConfiguration.yaml
+++ b/charts/kubeadm/templates/ClusterConfiguration.yaml
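Review bot: The message in minor.sh has a typo, `uppgrade`; `echo "Minor upgrade from 1.19!"`. Both minor.sh and patch.sh are stubs that will presumably grow into real upgrade steps, so it is worth starting them with `set -euo pipefail` right after the shebang now, before a command whose failure would otherwise be ignored is added.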
@@ -2,40 +2,54 @@ apiVersion: kubeadm.k8s.io/v1beta2 kind: ClusterConfiguration metadata: name: kubezero-clusterconfiguration -kubernetesVersion: {{ .Values.clusterVersion }} +kubernetesVersion: {{ .Chart.Version }} clusterName: {{ .Values.clusterName }} -controlPlaneEndpoint: {{ .Values.apiEndpoint }} +controlPlaneEndpoint: {{ .Values.api.endpoint }} networking: podSubnet: 10.244.0.0/16 etcd: local: extraArgs: + ### DNS discovery + #discovery-srv: {{ .Values.domain }} + #discovery-srv-name: {{ .Values.clusterName }} + #initial-cluster: + initial-cluster-token: etcd-{{ .Values.clusterName }} listen-metrics-urls: "http://{{ .Values.listenAddress }}:2381" logger: "zap" # log-level: "warn" - {{- with .Values.etcdExtraArgs }} + {{- with .Values.etcd.extraArgs }} {{- toYaml . | nindent 6 }} {{- end }} + # These will only be used to create the etcd certs but removed for Init/Join kudeadm calls allowing us to sneak in aliases for etcd nodes + serverCertSANs: + - "{{ .Values.etcd.nodeName }}" + - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}" + - "{{ .Values.domain }}" + peerCertSANs: + - "{{ .Values.etcd.nodeName }}" + - "{{ .Values.etcd.nodeName }}.{{ .Values.domain }}" + - "{{ .Values.domain }}" controllerManager: extraArgs: profiling: "false" bind-address: {{ .Values.listenAddress }} terminated-pod-gc-threshold: "300" - leader-elect: {{ .Values.clusterHighAvailable | quote }} + # leader-elect: {{ .Values.highAvailable | quote }} logging-format: json feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }} scheduler: extraArgs: profiling: "false" bind-address: {{ .Values.listenAddress }} - leader-elect: {{ .Values.clusterHighAvailable | quote }} + # leader-elect: {{ .Values.highAvailable | quote }} logging-format: json feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }} apiServer: certSANs: - - {{ regexSplit ":" 
.Values.apiEndpoint -1 | first }} + - {{ regexSplit ":" .Values.api.endpoint -1 | first }} extraArgs: - etcd-servers: {{ .Values.allEtcdEndpoints }} + etcd-servers: {{ .Values.api.allEtcdEndpoints }} profiling: "false" audit-log-path: "/var/log/kubernetes/audit.log" audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml @@ -46,15 +60,22 @@ apiServer: tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml {{- if eq .Values.platform "aws" }} + service-account-issuer: "{{ .Values.serviceAccountIssuer }}" + service-account-jwks-uri: "{{ .Values.serviceAccountIssuer }}/openid/v1/jwks" + api-audiences: "istio-ca,sts.amazonaws.com" authentication-token-webhook-config-file: /etc/kubernetes/apiserver/aws-iam-authenticator.yaml + {{- else }} + api-audiences: "istio-ca" {{- end }} feature-gates: {{ include "kubeadm.featuregates" ( dict "return" "csv" "platform" .Values.platform ) | trimSuffix "," | quote }} + # for 1.21 + # enable-admission-plugins: DenyServiceExternalIPs,NodeRestriction,EventRateLimit enable-admission-plugins: NodeRestriction,EventRateLimit - {{- if .Values.clusterHighAvailable }} - goaway-chance: ".001" - {{- end }} + # {{- if .Values.highAvailable }} + # goaway-chance: ".001" + # {{- end }} logging-format: json - {{- with .Values.apiExtraArgs }} + {{- with .Values.api.extraArgs }} {{- toYaml . | nindent 4 }} {{- end }} extraVolumes: diff --git a/charts/kubeadm/templates/InitConfiguration.yaml b/charts/kubeadm/templates/InitConfiguration.yaml index 1b9deb3..969e9bf 100644 --- a/charts/kubeadm/templates/InitConfiguration.yaml +++ b/charts/kubeadm/templates/InitConfiguration.yaml 
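Review bot: `serverCertSANs` and `peerCertSANs` interpolate `.Values.etcd.nodeName`, whose values.yaml default in this commit is the placeholder string `set_via_cmdline`; a render with the value unset succeeds and kubeadm then mints etcd server/peer certs carrying `set_via_cmdline` as a SAN. Fail the render instead: `- "{{ required "etcd.nodeName must be set" .Values.etcd.nodeName }}"` (and the same on the `.{{ .Values.domain }}` variant). The bare `"{{ .Values.domain }}"` SAN also makes every etcd member's server and peer cert valid for the domain name itself, which is presumably what the "sneak in aliases" comment means for the SRV discovery case; spelling that out in the comment (`# every member is also valid for the bare domain so DNS SRV discovery works`) would make the trust implication clear to the next reader.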
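Review bot: `service-account-issuer` and `service-account-jwks-uri` interpolate `.Values.serviceAccountIssuer`, which values.yaml as changed in this commit does not declare; with no value the apiserver is handed an empty issuer and a JWKS URI of `/openid/v1/jwks`, and as far as I recall recent kube-apiserver releases refuse to start with an empty issuer once bound tokens are on, so the render should fail loudly rather than emit an empty string: `service-account-issuer: "{{ required "serviceAccountIssuer must be set on aws" .Values.serviceAccountIssuer }}"`. The new `api-audiences: "istio-ca,sts.amazonaws.com"` means projected tokens from this cluster are acceptable to STS, which only works together with the anonymous discovery binding added in resources/20-oicd-public-rbac.yaml; a one-line comment above these entries naming that pairing would help whoever later touches either side.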
@@ -3,10 +3,14 @@ kind: InitConfiguration
 metadata:
 name: kubezero-initconfiguration
 localAPIEndpoint:
- bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
+ bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
 ignorePreflightErrors:
 - Swap
 - DirAvailable--var-lib-etcd
+ - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/JoinConfiguration.yaml b/charts/kubeadm/templates/JoinConfiguration.yaml
index 6d3d44a..72953b8 100644
--- a/charts/kubeadm/templates/JoinConfiguration.yaml
+++ b/charts/kubeadm/templates/JoinConfiguration.yaml
@@ -5,12 +5,16 @@ discovery:
 kubeConfigPath: /root/.kube/config
 controlPlane:
 localAPIEndpoint:
- advertiseAddress: IP_ADDRESS
- bindPort: {{ regexSplit ":" .Values.apiEndpoint -1 | last }}
+ advertiseAddress: {{ .Values.serviceIp }}
+ bindPort: {{ .Values.api.listenPort }}
 nodeRegistration:
 ignorePreflightErrors:
 - DirAvailable--var-lib-etcd
 - FileAvailable--etc-kubernetes-pki-ca.crt
 - Swap
+ - KubeletVersion
 kubeletExtraArgs:
 node-labels: {{ .Values.nodeLabels | quote }}
+ {{- with .Values.providerID }}
+ provider-id: {{ . }}
+ {{- end }}
diff --git a/charts/kubeadm/templates/admin-kubectl.yaml b/charts/kubeadm/templates/admin-kubectl.yaml
index bdbf724..62ad49f 100644
--- a/charts/kubeadm/templates/admin-kubectl.yaml
+++ b/charts/kubeadm/templates/admin-kubectl.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
- server: https://{{ .Values.apiEndpoint }}
+ server: https://{{ .Values.api.endpoint }}
 name: {{ .Values.clusterName }}
 contexts:
 - context:
diff --git a/charts/kubeadm/templates/patches/coredns0.yaml b/charts/kubeadm/templates/patches/coredns0.yaml
index ef42b4e..208e743 100644
--- a/charts/kubeadm/templates/patches/coredns0.yaml
+++ b/charts/kubeadm/templates/patches/coredns0.yaml
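Review bot: Adding `KubeletVersion` to `ignorePreflightErrors` switches off kubeadm's check that the node's kubelet is within the supported skew of the requested `kubernetesVersion`, so init and join now proceed with an incompatible kubelet installed; presumably this is needed for the upgrade path in this release, but the reason should sit next to the entry: `# KubeletVersion: skip the skew check so init/join can run before the kubelet package is upgraded`. The same entry is added in JoinConfiguration.yaml. `provider-id: {{ . }}` is also rendered unquoted while the `node-labels` line above it uses `| quote`; provider IDs contain `:` and `/`, so `provider-id: {{ . | quote }}` keeps both lines consistent and avoids a plain-scalar surprise.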
@@ -1,5 +1,5 @@
 spec:
- replicas: {{ ternary 3 1 .Values.clusterHighAvailable }}
+ replicas: {{ ternary 3 1 .Values.highAvailable }}
 template:
 spec:
 containers:
diff --git a/charts/kubeadm/templates/patches/etcd0.yaml b/charts/kubeadm/templates/patches/etcd0.yaml
index 1ef4e10..b33390b 100644
--- a/charts/kubeadm/templates/patches/etcd0.yaml
+++ b/charts/kubeadm/templates/patches/etcd0.yaml
@@ -5,3 +5,4 @@ spec:
 requests:
 cpu: 200m
 memory: 192Mi
+ ephemeral-storage: 1Gi
diff --git a/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml b/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
index 70ba334..7310ef0 100644
--- a/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
+++ b/charts/kubeadm/templates/resources/02-aws-iam-authenticator-mappings.yaml
@@ -5,7 +5,7 @@ kind: IAMIdentityMapping
 metadata:
 name: kubezero-worker-nodes
 spec:
- arn: {{ .Values.WorkerNodeRole }}
+ arn: {{ .Values.workerNodeRole }}
 username: system:node:{{ "{{" }}EC2PrivateDNSName{{ "}}" }}
 groups:
 # For now use masters, define properly with 1.20
diff --git a/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
new file mode 100644
index 0000000..927881b
--- /dev/null
+++ b/charts/kubeadm/templates/resources/20-oicd-public-rbac.yaml
@@ -0,0 +1,13 @@
+{{- if eq .Values.platform "aws" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-public
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:service-account-issuer-discovery
+subjects:
+ - kind: Group
+ name: system:unauthenticated
+{{- end }}
diff --git a/charts/kubeadm/values.yaml b/charts/kubeadm/values.yaml
index 6260a55..a861fdd 100644
--- a/charts/kubeadm/values.yaml
+++ b/charts/kubeadm/values.yaml
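Review bot: The new ClusterRoleBinding in 20-oicd-public-rbac.yaml grants `system:unauthenticated` the `system:service-account-issuer-discovery` ClusterRole, i.e. any anonymous client that can reach the API server may read the OIDC discovery document and the public JWKS. That is the documented way to let an external verifier (here presumably STS, given the `sts.amazonaws.com` audience set in ClusterConfiguration.yaml) fetch the token signing keys, and the role exposes only those public documents, but it depends on the apiserver's anonymous auth staying enabled and it widens what an unauthenticated caller can learn about the cluster, so the file should state that trade-off: `# Anonymous read of /.well-known/openid-configuration and /openid/v1/jwks so STS can verify projected SA tokens; public keys only`. Minor: the file name says `oicd` while the binding is named `oidc-public`.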
@@ -1,16 +1,26 @@ -clusterVersion: 1.19.0 -listenAddress: 0.0.0.0 clusterName: pleasechangeme -apiEndpoint: kube-api.changeme.org:6443 -etcdExtraArgs: {} -apiExtraArgs: {} -clusterHighAvailable: false -allEtcdEndpoints: "" +domain: changeme.org + +serviceIp: set_via_cmdline + +api: + endpoint: kube-api.changeme.org:6443 + listenPort: 6443 + allEtcdEndpoints: "" + extraArgs: {} + +etcd: + nodeName: set_via_cmdline + extraArgs: {} + +highAvailable: false +listenAddress: 0.0.0.0 + # supported values aws,bare-metal platform: "aws" # Set to false for openrc, eg. on Gentoo or Alpine systemd: true protectKernelDefaults: true -WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode" -KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode" +workerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode" +kubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode" diff --git a/charts/kubezero-argocd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml index 64c2eb8..f5bd506 100644 --- a/charts/kubezero-argocd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application name: kubezero-argocd -version: 0.7.1 +version: 0.8.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,6 +15,6 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: argo-cd - version: 2.17.4 + version: 3.6.10 repository: https://argoproj.github.io/argo-helm kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-argocd/README.md b/charts/kubezero-argocd/README.md index f972fd2..272c351 100644 --- a/charts/kubezero-argocd/README.md +++ b/charts/kubezero-argocd/README.md 
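Review bot: The renamed `kubeAdminRole` keeps the same default ARN as `workerNodeRole` (`arn:aws:iam::000000000000:role/KubernetesNode`), so a deployment that overrides only the node role ends up with an admin mapping that points at the worker-node role wherever `kubeAdminRole` is consumed; give it a distinct placeholder such as `role/KubernetesAdmin` or leave it empty and `required` it in the template. `serviceIp` and `etcd.nodeName` default to the literal string `set_via_cmdline`, which renders silently into JoinConfiguration's `advertiseAddress` and into the etcd cert SANs; `null` here plus `required` in the templates fails at render time instead. `.Values.serviceAccountIssuer` and `.Values.providerID`, both referenced by templates in this commit, are not declared in this file at all; even commented entries (`# serviceAccountIssuer: ""  # OIDC issuer URL, required on aws`) would document that they exist and who must set them.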
@@ -1,6 +1,6 @@ # kubezero-argocd -![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application @@ -18,7 +18,7 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 2.17.4 | +| https://argoproj.github.io/argo-helm | argo-cd | 3.6.10 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values 
@@ -30,23 +30,22 @@ Kubernetes: `>= 1.18.0` | argo-cd.controller.args.statusProcessors | string | `"8"` | | | argo-cd.controller.logFormat | string | `"json"` | | | argo-cd.controller.metrics.enabled | bool | `false` | | -| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.dex.enabled | bool | `false` | | -| argo-cd.global.image.tag | string | `"v1.8.7"` | | +| argo-cd.global.image.tag | string | `"v2.0.4"` | | | argo-cd.installCRDs | bool | `false` | | | argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | -| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | +| argo-cd.server.config."ui.bannercontent" | string | `"KubeZero Release 2.20 incl. 
ArgoCD 2.0 -> Release notes"` | | +| argo-cd.server.config."ui.bannerurl" | string | `"https://blog.argoproj.io/argo-cd-v2-0-rc1-is-here-f7d21ff1aa64"` | | | argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | | argo-cd.server.extraArgs[0] | string | `"--insecure"` | | | argo-cd.server.logFormat | string | `"json"` | | | argo-cd.server.metrics.enabled | bool | `false` | | -| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | diff --git a/charts/kubezero-argocd/dashboards.yaml b/charts/kubezero-argocd/dashboards.yaml new file mode 100644 index 0000000..1324955 --- /dev/null +++ b/charts/kubezero-argocd/dashboards.yaml @@ -0,0 +1,8 @@ +configmap: grafana-dashboards +gzip: true +condition: 'index .Values "argo-cd" "controller" "metrics" "enabled"' +dashboards: +- name: ArgoCD + url: https://grafana.com/api/dashboards/14584/revisions/1/download + tags: + - ArgoCD diff --git a/charts/kubezero-argocd/templates/grafana-dashboards.yaml b/charts/kubezero-argocd/templates/grafana-dashboards.yaml new file mode 100644 index 0000000..82058fa --- /dev/null +++ b/charts/kubezero-argocd/templates/grafana-dashboards.yaml @@ -0,0 +1,13 @@ +{{- if index .Values "argo-cd" "controller" "metrics" "enabled" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" +{{ include "kubezero-lib.labels" . | indent 4 }} +binaryData: + ArgoCD.json.gz: + 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 +{{- end }} 
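Review bot: dashboards.yaml fetches the ArgoCD dashboard from grafana.com when update.sh runs, with the revision pinned (`revisions/1`) but no content hash, so what ends up gzipped into templates/grafana-dashboards.yaml is whatever that URL served at the last sync and a later refresh silently replaces it. If sync_grafana_dashboards.py supports recording a checksum next to `url:`, do that; otherwise a comment such as `# grafana.com dashboard 14584 rev 1, fetched <DATE>; review the regenerated ConfigMap diff on refresh` at least makes the provenance reviewable. The `condition:` string is passed through as a template expression, which is fine, but a note that it must evaluate in the umbrella chart's `.Values` scope would save the next reader a lookup.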
diff --git a/charts/kubezero-argocd/update.sh b/charts/kubezero-argocd/update.sh new file mode 100755 index 0000000..ccb8397 --- /dev/null +++ b/charts/kubezero-argocd/update.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# Create ZDT dashboard configmap +../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-argocd/values.yaml b/charts/kubezero-argocd/values.yaml index ecba336..9f7ec78 100644 --- a/charts/kubezero-argocd/values.yaml +++ b/charts/kubezero-argocd/values.yaml @@ -42,7 +42,7 @@ argo-cd: global: image: - tag: v1.8.7 + tag: v2.0.4 controller: args: @@ -55,8 +55,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - additionalLabels: - release: metrics resources: # limits: @@ -72,12 +70,13 @@ argo-cd: enabled: false serviceMonitor: enabled: true - additionalLabels: - release: metrics server: logFormat: json config: + ui.bannercontent: "KubeZero Release 2.20 incl. ArgoCD 2.0 -> Release notes" + ui.bannerurl: "https://blog.argoproj.io/argo-cd-v2-0-rc1-is-here-f7d21ff1aa64" + # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio url: argocd.example.com @@ -117,8 +116,6 @@ argo-cd: enabled: false serviceMonitor: enabled: true - additionalLabels: - release: metrics extraArgs: - --insecure diff --git a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml index 14f5d11..c9737eb 100644 --- a/charts/kubezero-aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-aws-ebs-csi-driver description: KubeZero Umbrella Chart for aws-ebs-csi-driver type: application -version: 0.5.1 -appVersion: 0.10.0 +version: 0.6.3 +appVersion: 1.2.4 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png sources: 
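Review bot: update.sh invokes `../kubezero-metrics/sync_grafana_dashboards.py` by a path relative to the current directory and has no error handling, so run from anywhere other than charts/kubezero-argocd it fails without a clear message and the stale ConfigMap stays in place. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang makes it runnable from any directory and non-zero on failure.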
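Review bot: The umbrella Chart.yaml now sets `appVersion: 1.2.4`, which is the chart version of the vendored aws-ebs-csi-driver subchart, while that subchart's own Chart.yaml in this commit sets `appVersion: 1.1.1` (the driver release) and the umbrella README says Version 0.6.0 / AppVersion 1.2.3. Three different numbers for one component will mislead anyone checking what driver is deployed; either `appVersion: 1.1.1` to track the driver, or regenerate README.md so it matches `version: 0.6.3` and whichever appVersion you settle on.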
@@ -18,8 +18,8 @@ maintainers: - name: Quarky9 dependencies: - name: aws-ebs-csi-driver - version: 0.10.0 - repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver + version: 1.2.4 + # repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ diff --git a/charts/kubezero-aws-ebs-csi-driver/README.md b/charts/kubezero-aws-ebs-csi-driver/README.md index a76dc2c..5c389a2 100644 --- a/charts/kubezero-aws-ebs-csi-driver/README.md +++ b/charts/kubezero-aws-ebs-csi-driver/README.md @@ -1,6 +1,6 @@ # kubezero-aws-ebs-csi-driver -![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.0](https://img.shields.io/badge/AppVersion-0.9.0-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.3](https://img.shields.io/badge/AppVersion-1.2.3-informational?style=flat-square) KubeZero Umbrella Chart for aws-ebs-csi-driver @@ -23,7 +23,7 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 0.9.14 | +| | aws-ebs-csi-driver | 1.2.3 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## IAM Role 
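Review bot: Commenting out `repository:` for aws-ebs-csi-driver makes Helm resolve the dependency from the copy vendored under charts/aws-ebs-csi-driver/, so `helm dependency update` no longer fetches or checks it against the upstream index and the ~600 lines of snapshot CRDs added in this commit become a hand-maintained copy. Record that in place rather than leaving a bare commented URL: `# vendored copy of https://kubernetes-sigs.github.io/aws-ebs-csi-driver chart 1.2.4; refresh by hand` plus the reason for vendoring if there is a local patch (hedged: none is visible here).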
@@ -41,17 +41,16 @@ This class is by default also set as default storage class. | Key | Type | Default | Description | |-----|------|---------|-------------| -| aws-ebs-csi-driver.enableVolumeResizing | bool | `true` | | -| aws-ebs-csi-driver.enableVolumeScheduling | bool | `true` | | +| aws-ebs-csi-driver.controller.logLevel | int | `1` | | +| aws-ebs-csi-driver.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| aws-ebs-csi-driver.controller.replicaCount | int | `1` | | +| aws-ebs-csi-driver.controller.resources.limits.memory | string | `"40Mi"` | | +| aws-ebs-csi-driver.controller.resources.requests.cpu | string | `"10m"` | | +| aws-ebs-csi-driver.controller.resources.requests.memory | string | `"24Mi"` | | +| aws-ebs-csi-driver.controller.tolerations[0].effect | string | `"NoSchedule"` | | +| aws-ebs-csi-driver.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | aws-ebs-csi-driver.enableVolumeSnapshot | bool | `true` | | -| aws-ebs-csi-driver.extraVolumeTags | object | `{}` | Optional tags to be added to each EBS volume | -| aws-ebs-csi-driver.logLevel | int | `1` | | | aws-ebs-csi-driver.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| aws-ebs-csi-driver.podAnnotations | object | `{}` | iam.amazonaws.com/role: to assume | -| aws-ebs-csi-driver.replicaCount | int | `1` | | -| aws-ebs-csi-driver.resources.limits.memory | string | `"40Mi"` | | -| aws-ebs-csi-driver.resources.requests.cpu | string | `"10m"` | | -| aws-ebs-csi-driver.resources.requests.memory | string | `"24Mi"` | | | aws-ebs-csi-driver.storageClasses[0].allowVolumeExpansion | bool | `true` | | | aws-ebs-csi-driver.storageClasses[0].name | string | `"ebs-sc-gp2-xfs"` | | | aws-ebs-csi-driver.storageClasses[0].parameters."csi.storage.k8s.io/fstype" | string | `"xfs"` | | 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/CHANGELOG.md b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/CHANGELOG.md new file mode 100644 index 0000000..b82cf86 --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/CHANGELOG.md @@ -0,0 +1,6 @@ +# Helm chart + +# v1.2.4 +* Bump app/driver version to `v1.1.1` +* Install VolumeSnapshotClass, VolumeSnapshotContent, VolumeSnapshot CRDs if enableVolumeSnapshot is true +* Only run csi-snapshotter sidecar if enableVolumeSnapshot is true or if CRDs are already installed diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml index d246abe..80496ee 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 0.10.0 +appVersion: 1.1.1 description: A Helm chart for AWS EBS CSI Driver home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver keywords: @@ -15,4 +15,4 @@ maintainers: name: aws-ebs-csi-driver sources: - https://github.com/kubernetes-sigs/aws-ebs-csi-driver -version: 0.10.0 +version: 1.2.4 diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/crds/snapshot-controller-crds.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/crds/snapshot-controller-crds.yaml new file mode 100644 index 0000000..6ca2443 --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/crds/snapshot-controller-crds.yaml 
@@ -0,0 +1,628 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/419" + creationTimestamp: null + name: volumesnapshotclasses.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotClass + listKind: VolumeSnapshotClassList + plural: volumesnapshotclasses + singular: volumesnapshotclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. 
"Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .driver + name: Driver + type: string + - description: Determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .deletionPolicy + name: DeletionPolicy + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: VolumeSnapshotClass specifies parameters that a underlying storage system uses when creating a volume snapshot. A specific VolumeSnapshotClass is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses are non-namespaced + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeSnapshotContent created through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + driver: + description: driver is the name of the storage driver that handles this VolumeSnapshotClass. Required. + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific parameters for creating snapshots. These values are opaque to Kubernetes. 
+ type: object + required: + - deletionPolicy + - driver + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.4.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/419" + creationTimestamp: null + name: volumesnapshotcontents.snapshot.storage.k8s.io +spec: + group: snapshot.storage.k8s.io + names: + kind: VolumeSnapshotContent + listKind: VolumeSnapshotContentList + plural: volumesnapshotcontents + singular: volumesnapshotcontent + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Indicates if the snapshot is ready to be used to restore a volume. + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the complete size of the snapshot in bytes + jsonPath: .status.restoreSize + name: RestoreSize + type: integer + - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. + jsonPath: .spec.deletionPolicy + name: DeletionPolicy + type: string + - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system. + jsonPath: .spec.driver + name: Driver + type: string + - description: Name of the VolumeSnapshotClass to which this snapshot belongs. + jsonPath: .spec.volumeSnapshotClassName + name: VolumeSnapshotClass + type: string + - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. 
+ jsonPath: .spec.volumeSnapshotRef.name + name: VolumeSnapshot + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + spec: + description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required. 
+ enum:
+ - Delete
+ - Retain
+ type: string
+ driver:
+ description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required.
+ type: string
+ source:
+ description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required.
+ properties:
+ snapshotHandle:
+ description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable.
+ type: string
+ volumeHandle:
+ description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable.
+ type: string
+ type: object
+ oneOf:
+ - required: ["snapshotHandle"]
+ - required: ["volumeHandle"]
+ volumeSnapshotClassName:
+ description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation.
+ type: string
+ volumeSnapshotRef:
+ description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required.
+ properties:
+ apiVersion:
+ description: API version of the referent.
+ type: string
+ fieldPath:
+ description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.'
+ type: string
+ kind:
+ description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ name:
+ description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
+ type: string
+ namespace:
+ description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
+ type: string
+ resourceVersion:
+ description: "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
+ type: string
+ uid:
+ description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
+ type: string
+ type: object
+ required:
+ - deletionPolicy
+ - driver
+ - source
+ - volumeSnapshotRef
+ type: object
+ status:
+ description: status represents the current information of a snapshot.
+ properties:
+ creationTime:
+ description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system.
In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC.
+ format: int64
+ type: integer
+ error:
+ description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared.
+ properties:
+ message:
+ description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information."
+ type: string
+ time:
+ description: time is the timestamp when the error was encountered.
+ format: date-time
+ type: string
+ type: object
+ readyToUse:
+ description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown.
+ type: boolean
+ restoreSize:
+ description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call.
For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown.
+ format: int64
+ minimum: 0
+ type: integer
+ snapshotHandle:
+ description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: Indicates if the snapshot is ready to be used to restore a volume.
+ jsonPath: .status.readyToUse
+ name: ReadyToUse
+ type: boolean
+ - description: Represents the complete size of the snapshot in bytes
+ jsonPath: .status.restoreSize
+ name: RestoreSize
+ type: integer
+ - description: Determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted.
+ jsonPath: .spec.deletionPolicy
+ name: DeletionPolicy
+ type: string
+ - description: Name of the CSI driver used to create the physical snapshot on the underlying storage system.
+ jsonPath: .spec.driver
+ name: Driver
+ type: string
+ - description: Name of the VolumeSnapshotClass to which this snapshot belongs.
+ jsonPath: .spec.volumeSnapshotClassName
+ name: VolumeSnapshotClass
+ type: string
+ - description: Name of the VolumeSnapshot object to which this VolumeSnapshotContent object is bound.
+ jsonPath: .spec.volumeSnapshotRef.name
+ name: VolumeSnapshot
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: VolumeSnapshotContent represents the actual "on-disk" snapshot object in the underlying storage system
+ properties:
+ apiVersion:
+ description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+ type: string
+ kind:
+ description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ spec:
+ description: spec defines properties of a VolumeSnapshotContent created by the underlying storage system. Required.
+ properties:
+ deletionPolicy:
+ description: deletionPolicy determines whether this VolumeSnapshotContent and its physical snapshot on the underlying storage system should be deleted when its bound VolumeSnapshot is deleted. Supported values are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are kept. "Delete" means that the VolumeSnapshotContent and its physical snapshot on underlying storage system are deleted. For dynamically provisioned snapshots, this field will automatically be filled in by the CSI snapshotter sidecar with the "DeletionPolicy" field defined in the corresponding VolumeSnapshotClass. For pre-existing snapshots, users MUST specify this field when creating the VolumeSnapshotContent object. Required.
+ enum:
+ - Delete
+ - Retain
+ type: string
+ driver:
+ description: driver is the name of the CSI driver used to create the physical snapshot on the underlying storage system. This MUST be the same as the name returned by the CSI GetPluginName() call for that driver. Required.
+ type: string
+ source:
+ description: source specifies whether the snapshot is (or should be) dynamically provisioned or already exists, and just requires a Kubernetes object representation. This field is immutable after creation. Required.
+ properties:
+ snapshotHandle:
+ description: snapshotHandle specifies the CSI "snapshot_id" of a pre-existing snapshot on the underlying storage system for which a Kubernetes object representation was (or should be) created. This field is immutable.
+ type: string
+ volumeHandle:
+ description: volumeHandle specifies the CSI "volume_id" of the volume from which a snapshot should be dynamically taken from. This field is immutable.
+ type: string
+ type: object
+ volumeSnapshotClassName:
+ description: name of the VolumeSnapshotClass from which this snapshot was (or will be) created. Note that after provisioning, the VolumeSnapshotClass may be deleted or recreated with different set of values, and as such, should not be referenced post-snapshot creation.
+ type: string
+ volumeSnapshotRef:
+ description: volumeSnapshotRef specifies the VolumeSnapshot object to which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName field must reference to this VolumeSnapshotContent's name for the bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent object, name and namespace of the VolumeSnapshot object MUST be provided for binding to happen. This field is immutable after creation. Required.
+ properties:
+ apiVersion:
+ description: API version of the referent.
+ type: string
+ fieldPath:
+ description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.'
+ type: string
+ kind:
+ description: "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ name:
+ description: "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"
+ type: string
+ namespace:
+ description: "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/"
+ type: string
+ resourceVersion:
+ description: "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
+ type: string
+ uid:
+ description: "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids"
+ type: string
+ type: object
+ required:
+ - deletionPolicy
+ - driver
+ - source
+ - volumeSnapshotRef
+ type: object
+ status:
+ description: status represents the current information of a snapshot.
+ properties:
+ creationTime:
+ description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system.
In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it indicates the creation time is unknown. The format of this field is a Unix nanoseconds time encoded as an int64. On Unix, the command `date +%s%N` returns the current time in nanoseconds since 1970-01-01 00:00:00 UTC.
+ format: int64
+ type: integer
+ error:
+ description: error is the last observed error during snapshot creation, if any. Upon success after retry, this error field will be cleared.
+ properties:
+ message:
+ description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information."
+ type: string
+ time:
+ description: time is the timestamp when the error was encountered.
+ format: date-time
+ type: string
+ type: object
+ readyToUse:
+ description: readyToUse indicates if a snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown.
+ type: boolean
+ restoreSize:
+ description: restoreSize represents the complete size of the snapshot in bytes. In dynamic snapshot creation case, this field will be filled in by the CSI snapshotter sidecar with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call.
For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown.
+ format: int64
+ minimum: 0
+ type: integer
+ snapshotHandle:
+ description: snapshotHandle is the CSI "snapshot_id" of a snapshot on the underlying storage system. If not specified, it indicates that dynamic snapshot creation has either failed or it is still in progress.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.4.0
+ api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/419"
+ creationTimestamp: null
+ name: volumesnapshots.snapshot.storage.k8s.io
+spec:
+ group: snapshot.storage.k8s.io
+ names:
+ kind: VolumeSnapshot
+ listKind: VolumeSnapshotList
+ plural: volumesnapshots
+ singular: volumesnapshot
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Indicates if the snapshot is ready to be used to restore a volume.
+ jsonPath: .status.readyToUse
+ name: ReadyToUse
+ type: boolean
+ - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created.
+ jsonPath: .spec.source.persistentVolumeClaimName
+ name: SourcePVC
+ type: string
+ - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot.
+ jsonPath: .spec.source.volumeSnapshotContentName
+ name: SourceSnapshotContent
+ type: string
+ - description: Represents the minimum size of volume required to rehydrate from this snapshot.
+ jsonPath: .status.restoreSize
+ name: RestoreSize
+ type: string
+ - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot.
+ jsonPath: .spec.volumeSnapshotClassName
+ name: SnapshotClass
+ type: string
+ - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object.
+ jsonPath: .status.boundVolumeSnapshotContentName
+ name: SnapshotContent
+ type: string
+ - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system.
+ jsonPath: .status.creationTime
+ name: CreationTime
+ type: date
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot.
+ properties:
+ apiVersion:
+ description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+ type: string
+ kind:
+ description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ spec:
+ description: "spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required."
+ properties:
+ source:
+ description: source specifies where a snapshot will be created from. This field is immutable after creation. Required.
+ properties:
+ persistentVolumeClaimName:
+ description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable.
+ type: string
+ volumeSnapshotContentName:
+ description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot. This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable.
+ type: string
+ type: object
+ oneOf:
+ - required: ["persistentVolumeClaimName"]
+ - required: ["volumeSnapshotContentName"]
+ volumeSnapshotClassName:
+ description: "VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used.
If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field."
+ type: string
+ required:
+ - source
+ type: object
+ status:
+ description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.
+ properties:
+ boundVolumeSnapshotContentName:
+ description: "boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object."
+ type: string
+ creationTime:
+ description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown.
+ format: date-time
+ type: string
+ error:
+ description: error is the last observed error during snapshot creation, if any.
This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurrs during the snapshot creation. Upon success, this error field will be cleared.
+ properties:
+ message:
+ description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information."
+ type: string
+ time:
+ description: time is the timestamp when the error was encountered.
+ format: date-time
+ type: string
+ type: object
+ readyToUse:
+ description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown.
+ type: boolean
+ restoreSize:
+ type: string
+ description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: Indicates if the snapshot is ready to be used to restore a volume.
+ jsonPath: .status.readyToUse
+ name: ReadyToUse
+ type: boolean
+ - description: If a new snapshot needs to be created, this contains the name of the source PVC from which this snapshot was (or will be) created.
+ jsonPath: .spec.source.persistentVolumeClaimName
+ name: SourcePVC
+ type: string
+ - description: If a snapshot already exists, this contains the name of the existing VolumeSnapshotContent object representing the existing snapshot.
+ jsonPath: .spec.source.volumeSnapshotContentName
+ name: SourceSnapshotContent
+ type: string
+ - description: Represents the minimum size of volume required to rehydrate from this snapshot.
+ jsonPath: .status.restoreSize
+ name: RestoreSize
+ type: string
+ - description: The name of the VolumeSnapshotClass requested by the VolumeSnapshot.
+ jsonPath: .spec.volumeSnapshotClassName
+ name: SnapshotClass
+ type: string
+ - description: Name of the VolumeSnapshotContent object to which the VolumeSnapshot object intends to bind to. Please note that verification of binding actually requires checking both VolumeSnapshot and VolumeSnapshotContent to ensure both are pointing at each other. Binding MUST be verified prior to usage of this object.
+ jsonPath: .status.boundVolumeSnapshotContentName
+ name: SnapshotContent
+ type: string
+ - description: Timestamp when the point-in-time snapshot was taken by the underlying storage system.
+ jsonPath: .status.creationTime
+ name: CreationTime
+ type: date
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: VolumeSnapshot is a user's request for either creating a point-in-time snapshot of a persistent volume, or binding to a pre-existing snapshot.
+ properties:
+ apiVersion:
+ description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+ type: string
+ kind:
+ description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+ type: string
+ spec:
+ description: "spec defines the desired characteristics of a snapshot requested by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots Required."
+ properties:
+ source:
+ description: source specifies where a snapshot will be created from. This field is immutable after creation. Required.
+ properties:
+ persistentVolumeClaimName:
+ description: persistentVolumeClaimName specifies the name of the PersistentVolumeClaim object representing the volume from which a snapshot should be created. This PVC is assumed to be in the same namespace as the VolumeSnapshot object. This field should be set if the snapshot does not exists, and needs to be created. This field is immutable.
+ type: string
+ volumeSnapshotContentName:
+ description: volumeSnapshotContentName specifies the name of a pre-existing VolumeSnapshotContent object representing an existing volume snapshot.
This field should be set if the snapshot already exists and only needs a representation in Kubernetes. This field is immutable.
+ type: string
+ type: object
+ volumeSnapshotClassName:
+ description: "VolumeSnapshotClassName is the name of the VolumeSnapshotClass requested by the VolumeSnapshot. VolumeSnapshotClassName may be left nil to indicate that the default SnapshotClass should be used. A given cluster may have multiple default Volume SnapshotClasses: one default per CSI Driver. If a VolumeSnapshot does not specify a SnapshotClass, VolumeSnapshotSource will be checked to figure out what the associated CSI Driver is, and the default VolumeSnapshotClass associated with that CSI Driver will be used. If more than one VolumeSnapshotClass exist for a given CSI Driver and more than one have been marked as default, CreateSnapshot will fail and generate an event. Empty string is not allowed for this field."
+ type: string
+ required:
+ - source
+ type: object
+ status:
+ description: status represents the current information of a snapshot. Consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object.
+ properties:
+ boundVolumeSnapshotContentName:
+ description: "boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent object to which this VolumeSnapshot object intends to bind to. If not specified, it indicates that the VolumeSnapshot object has not been successfully bound to a VolumeSnapshotContent object yet. NOTE: To avoid possible security issues, consumers must verify binding between VolumeSnapshot and VolumeSnapshotContent objects is successful (by validating that both VolumeSnapshot and VolumeSnapshotContent point at each other) before using this object."
+ type: string
+ creationTime:
+ description: creationTime is the timestamp when the point-in-time snapshot is taken by the underlying storage system. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "creation_time" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "creation_time" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. If not specified, it may indicate that the creation time of the snapshot is unknown.
+ format: date-time
+ type: string
+ error:
+ description: error is the last observed error during snapshot creation, if any. This field could be helpful to upper level controllers(i.e., application controller) to decide whether they should continue on waiting for the snapshot to be created based on the type of error reported. The snapshot controller will keep retrying when an error occurrs during the snapshot creation. Upon success, this error field will be cleared.
+ properties:
+ message:
+ description: "message is a string detailing the encountered error during snapshot creation if specified. NOTE: message may be logged, and it should not contain sensitive information."
+ type: string
+ time:
+ description: time is the timestamp when the error was encountered.
+ format: date-time
+ type: string
+ type: object
+ readyToUse:
+ description: readyToUse indicates if the snapshot is ready to be used to restore a volume. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "ready_to_use" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "ready_to_use" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, this field will be set to "True". If not specified, it means the readiness of a snapshot is unknown.
+ type: boolean
+ restoreSize:
+ type: string
+ description: restoreSize represents the minimum size of volume required to create a volume from this snapshot. In dynamic snapshot creation case, this field will be filled in by the snapshot controller with the "size_bytes" value returned from CSI "CreateSnapshot" gRPC call. For a pre-existing snapshot, this field will be filled with the "size_bytes" value returned from the CSI "ListSnapshots" gRPC call if the driver supports it. When restoring a volume from this snapshot, the size of the volume MUST NOT be smaller than the restoreSize if it is specified, otherwise the restoration will fail. If not specified, it indicates that the size is unknown.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt
index 3717647..8f6d02e 100644
--- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt
+++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/NOTES.txt
@@ -1,3 +1,39 @@ To verify that aws-ebs-csi-driver has started, run: kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" + + +WARNING: The following values have been deprecated in favor of moving them into the controller or node groups. They will be removed in a subsequent release. + +affinity: +extraCreateMetadata: +extraVolumeTags: +k8sTagClusterId: +nodeSelector: +podAnnotations: +priorityClassName: +region: +replicaCount: +resources: +tolerations: +topologySpreadConstraints: +volumeAttachLimit: + +are moving to + +controller: + affinity: + extraCreateMetadata: + extraVolumeTags: + k8sTagClusterId: + nodeSelector: + podAnnotations: + priorityClassName: + region: + replicaCount: + resources: + tolerations: + topologySpreadConstraints: + +node: + volumeAttachLimit: diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl index fdc77c4..ddf7b61 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/_helpers.tpl 
@@ -59,11 +59,24 @@ app.kubernetes.io/instance: {{ .Release.Name }} Convert the `--extra-volume-tags` command line arg from a map. */}} {{- define "aws-ebs-csi-driver.extra-volume-tags" -}} +{{- $evt := default .Values.extraVolumeTags .Values.controller.extraVolumeTags }} {{- $result := dict "pairs" (list) -}} -{{- range $key, $value := .Values.extraVolumeTags -}} +{{- range $key, $value := $evt -}} {{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}} {{- end -}} {{- if gt (len $result.pairs) 0 -}} {{- printf "%s=%s" "- --extra-volume-tags" (join "," $result.pairs) -}} {{- end -}} {{- end -}} + +{{/* +Handle http proxy env vars +*/}} +{{- define "aws-ebs-csi-driver.http-proxy" -}} +- name: HTTP_PROXY + value: {{ .Values.proxy.http_proxy | quote }} +- name: HTTPS_PROXY + value: {{ .Values.proxy.http_proxy | quote }} +- name: NO_PROXY + value: {{ .Values.proxy.no_proxy | quote }} +{{- end -}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml index e0919ce..816fdf6 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml 
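Review bot: The new `aws-ebs-csi-driver.http-proxy` helper fills HTTPS_PROXY from `.Values.proxy.http_proxy` and always emits NO_PROXY, even when `proxy.no_proxy` is unset (rendering `value: ""`); this mirrors the inline blocks it replaces, but now that the behaviour is centralised it belongs in the helper's header comment. Suggest extending `{{/* Handle http proxy env vars */}}` with `HTTPS_PROXY intentionally reuses proxy.http_proxy; NO_PROXY is always emitted (empty when proxy.no_proxy is unset); callers gate the include on .Values.proxy.http_proxy`. The `$evt := default .Values.extraVolumeTags .Values.controller.extraVolumeTags` line also relies on sprig's `default FALLBACK VALUE` argument order, which reads backwards; a comment such as `{{/* controller.extraVolumeTags wins, legacy top-level extraVolumeTags is the fallback */}}` would save the next reader a lookup.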
@@ -6,18 +6,18 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [ "" ] + resources: [ "persistentvolumes" ] + verbs: [ "get", "list", "watch", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "nodes" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "csi.storage.k8s.io" ] + resources: [ "csinodeinfos" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "volumeattachments" ] + verbs: [ "get", "list", "watch", "update", "patch" ] - apiGroups: [ "storage.k8s.io" ] resources: [ "volumeattachments/status" ] verbs: [ "patch" ] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml new file mode 100644 index 0000000..3ca368e --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml @@ -0,0 +1,11 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-csi-node-role + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml index 9d85b97..065f3ab 100644 
--- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeResizing }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -12,22 +11,21 @@ rules: # - apiGroups: [""] # resources: ["secrets"] # verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -{{- end}} + - apiGroups: [ "" ] + resources: [ "persistentvolumes" ] + verbs: [ "get", "list", "watch", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims/status" ] + verbs: [ "update", "patch" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "storageclasses" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get", "list", "watch" ] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml index ffdb1b7..b5b7978 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml 
+++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshot-controller.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 
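Review bot: Dropping `{{- if .Values.enableVolumeSnapshot }}` makes the snapshot-controller ClusterRole unconditional, while controller.yaml in this same commit still gates the csi-snapshotter container on `or .Values.enableVolumeSnapshot (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1")`; the result is standing cluster-wide RBAC (including `secrets` get/list in clusterrole-snapshotter.yaml) bound to a service account whose snapshot sidecar may not be running. The same ungating is repeated in this file's `@@ -7,29 +6,27 @@` rules hunk, in clusterrole-snapshotter.yaml, and in clusterrolebinding-snapshot-controller.yaml and clusterrolebinding-snapshotter.yaml. If the roles are meant to exist only when the sidecar does, wrap each of those files in the condition controller.yaml already uses, `{{- if or .Values.enableVolumeSnapshot (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }}` … `{{- end }}`; if they are meant to be always-on (for example because the CRDs ship with the chart), a one-line comment saying so would stop the next reader from re-gating them.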
@@ -7,29 +6,27 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - -{{- end }} + - apiGroups: [ "" ] + resources: [ "persistentvolumes" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "persistentvolumeclaims" ] + verbs: [ "get", "list", "watch", "update" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "storageclasses" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshotclasses" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshotcontents" ] + verbs: [ "create", "get", "list", "watch", "update", "delete" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshots" ] + verbs: [ "get", "list", "watch", "update" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshots/status" ] + verbs: [ "update" ] 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml index 061b565..5fada8b 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -7,19 +6,18 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] -{{- end }} + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "list" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshotclasses" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshotcontents" ] + verbs: [ "create", "get", "list", "watch", "update", "delete" ] + - apiGroups: [ "snapshot.storage.k8s.io" ] + resources: [ "volumesnapshotcontents/status" ] + verbs: [ "update" ] 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml new file mode 100644 index 0000000..63d843e --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml @@ -0,0 +1,15 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ebs-csi-node-getter-binding + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ .Values.serviceAccount.node.name }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: ebs-csi-node-role + apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml index 6fe42d1..768e589 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeResizing }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -14,5 +13,3 @@ roleRef: kind: ClusterRole name: ebs-external-resizer-role apiGroup: rbac.authorization.k8s.io - -{{- end}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml index b74484f..55a634f 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml 
+++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshot-controller.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -14,5 +13,3 @@ roleRef: kind: ClusterRole name: ebs-snapshot-controller-role apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml index cbc1169..e9f3624 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -14,5 +13,3 @@ roleRef: kind: ClusterRole name: ebs-external-snapshotter-role apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml index 64c9233..6934902 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/controller.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: - replicas: {{ .Values.replicaCount }} + replicas: {{ default .Values.replicaCount .Values.controller.replicaCount }} selector: matchLabels: app: ebs-csi-controller 
@@ -16,40 +16,46 @@ spec: labels: app: ebs-csi-controller {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.podAnnotations }} - annotations: {{ toYaml .Values.podAnnotations | nindent 8 }} + {{- if .Values.controller.podLabels }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- else if .Values.podAnnotations}} + annotations: + {{- toYaml .Values.podAnnotations | nindent 8 }} {{- end }} spec: nodeSelector: kubernetes.io/os: linux - {{- with .Values.nodeSelector }} -{{ toYaml . | indent 8 }} + {{- with default .Values.nodeSelector .Values.controller.nodeSelector }} + {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ .Values.serviceAccount.controller.name }} - priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }} - {{- with .Values.affinity }} - affinity: {{ toYaml . | nindent 8 }} + priorityClassName: {{ default .Values.priorityClassName .Values.controller.priorityClassName }} + {{- with default .Values.affinity .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} {{- end }} tolerations: - {{- if .Values.tolerateAllTaints }} - - operator: Exists - {{- else }} - key: CriticalAddonsOnly operator: Exists - operator: Exists effect: NoExecute tolerationSeconds: 300 + {{- with default .Values.tolerations .Values.controller.tolerations }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} -{{ toYaml . 
| indent 8 }} - {{- end }} -{{- if .Values.topologySpreadConstraints }} -{{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "ebs-csi-controller" ) ) }} + {{- if or .Values.controller.topologySpreadConstraints .Values.topologySpreadConstraints }} + {{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "ebs-csi-controller" ) ) }} + {{- $constraints := list }} + {{- range default .Values.topologySpreadConstraints .Values.controller.topologySpreadConstraints }} + {{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }} + {{- end }} topologySpreadConstraints: - {{- range .Values.topologySpreadConstraints }} - - {{ mergeOverwrite . $tscLabelSelector | toJson }} - {{- end }} -{{- end }} + {{- $constraints | toYaml | nindent 8 }} + {{- end }} containers: - name: ebs-plugin image: {{ .Values.image.repository }}:{{ .Values.image.tag }} @@ -61,17 +67,24 @@ spec: # - {all,controller,node} # specify the driver mode {{- end }} - --endpoint=$(CSI_ENDPOINT) - {{- if .Values.extraVolumeTags }} + {{- if or .Values.controller.extraVolumeTags .Values.extraVolumeTags }} {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }} {{- end }} - {{- if .Values.k8sTagClusterId }} - - --k8s-tag-cluster-id={{ .Values.k8sTagClusterId }} + {{- with default .Values.k8sTagClusterId .Values.controller.k8sTagClusterId }} + - --k8s-tag-cluster-id={{ . }} + {{- end }} + {{- with .Values.controller.httpEndpoint }} + - --http-endpoint={{ . }} {{- end }} - --logtostderr - - --v={{ .Values.logLevel }} + - --v={{ .Values.controller.logLevel }} env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + - name: CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: 
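Review bot: `- --v={{ .Values.controller.logLevel }}` switches the verbosity source without the `default .Values.X .Values.controller.X` fallback that the other relocated values in this hunk get (`k8sTagClusterId`, `extraVolumeTags`), so a top-level `logLevel` already set by users is silently ignored and the flag renders with an empty value if `controller.logLevel` is not defaulted; `logLevel` is also missing from the deprecation list this commit adds to NOTES.txt. The same hard switch appears in the csi-provisioner, csi-attacher and csi-resizer args of the `@@ -125,111 +139,104 @@` hunk and in node.yaml (`.Values.node.logLevel` in `@@ -57,22 +60,24 @@` and `@@ -93,47 +98,35 @@`). Unless values.yaml now defines `controller.logLevel` and `node.logLevel` with defaults (not visible here), use `- --v={{ default .Values.logLevel .Values.controller.logLevel }}` and add `logLevel:` to the NOTES.txt list. The container spec continues outside this hunk.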
@@ -84,9 +97,9 @@ spec: name: aws-secret key: access_key optional: true - {{- if .Values.region }} + {{- with default .Values.region .Values.controller.region }} - name: AWS_REGION - value: {{ .Values.region }} + value: {{ . }} {{- end }} {{- if .Values.controller.extraVars }} {{- range $key, $val := .Values.controller.extraVars }} @@ -94,17 +107,18 @@ spec: value: "{{ $val }}" {{- end }} {{- end }} -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.controller.env.ebsPlugin }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true ports: - name: healthz containerPort: 9808 
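Review bot: The new `aws-token` mount at `/var/run/secrets/sts.amazonaws.com/serviceaccount/`, backed by the projected `serviceAccountToken` with `audience: "sts.amazonaws.com"` and `expirationSeconds: 86400` added in the `@@ -249,3 +257,10 @@` volumes hunk, is undocumented: nothing in the template says what consumes it or how it relates to the static `aws-secret` credentials still injected a few lines above. An audience-bound, read-only projected token is the right shape for STS web-identity authentication, but the AWS SDK only uses it when the corresponding role and token-file environment variables (AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE) are present, which this hunk does not set, so presumably they arrive via `controller.extraVars` or `controller.env.ebsPlugin`. Add a comment above the volume, e.g. `# Audience-bound SA token for STS web-identity auth; only used when AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE point at it, otherwise aws-secret or instance credentials apply`, and a short pointer to it at the mount.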
@@ -125,111 +139,104 @@ spec: timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.ebsPlugin) }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} - name: csi-provisioner image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} args: - --csi-address=$(ADDRESS) - - --v={{ .Values.logLevel }} - {{- if .Values.enableVolumeScheduling }} + - --v={{ .Values.controller.logLevel }} - --feature-gates=Topology=true - {{- end}} - {{- if .Values.extraCreateMetadata }} + {{- if or .Values.controller.extraCreateMetadata .Values.extraCreateMetadata }} - --extra-create-metadata {{- end}} - - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} + - --leader-election=true - --default-fstype=ext4 env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.controller.env.provisioner }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.provisioner) }} + resources: + {{- toYaml . 
| nindent 12 }} {{- end }} - name: csi-attacher image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} args: - --csi-address=$(ADDRESS) - - --v={{ .Values.logLevel }} - - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} + - --v={{ .Values.controller.logLevel }} + - --leader-election=true env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.controller.env.attacher }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.attacher) }} + resources: + {{- toYaml . 
| nindent 12 }} {{- end }} - {{- if .Values.enableVolumeSnapshot }} +{{- if or .Values.enableVolumeSnapshot (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }} - name: csi-snapshotter image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} args: - --csi-address=$(ADDRESS) - - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} + - --leader-election=true env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.controller.env.snapshotter }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.snapshotter) }} + resources: + {{- toYaml . 
| nindent 12 }} {{- end }} - {{- end }} - {{- if .Values.enableVolumeResizing }} +{{- end }} - name: csi-resizer image: {{ printf "%s:%s" .Values.sidecars.resizerImage.repository .Values.sidecars.resizerImage.tag }} imagePullPolicy: Always args: - --csi-address=$(ADDRESS) - - --v={{ .Values.logLevel }} + - --v={{ .Values.controller.logLevel }} env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.controller.env.resizer }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.resizer) }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} - {{- end }} - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} args: @@ -237,8 +244,9 @@ spec: volumeMounts: - name: socket-dir mountPath: /csi - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + {{- with default .Values.resources (default .Values.controller.resources .Values.controller.containerResources.liveness) }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: @@ -249,3 +257,10 @@ spec: volumes: - name: socket-dir emptyDir: {} + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" 
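Review bot: Removing the `{{- if .Values.enableVolumeResizing }}` guard makes the csi-resizer sidecar (and, via clusterrole-resizer.yaml and clusterrolebinding-resizer.yaml in this commit, its cluster-wide RBAC) unconditional, so an operator who still sets `enableVolumeResizing: false` now gets the sidecar regardless; if that key remains in values.yaml or the README it should be removed or listed in the NOTES.txt deprecation notice, which currently omits it. `--leader-election=true` is now hard-coded for provisioner, attacher and snapshotter where it used to follow `replicaCount`; that is harmless for a single replica, but a comment such as `# leader election is always on so controller.replicaCount can be raised without a template change` would record the intent. Whether any caller still reads `enableVolumeResizing` is not visible from this hunk.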
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml index 1858e39..6598355 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/csidriver.yaml @@ -1,4 +1,4 @@ -apiVersion: storage.k8s.io/v1beta1 +apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }} kind: CSIDriver metadata: name: ebs.csi.aws.com diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node-windows.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node-windows.yaml new file mode 100644 index 0000000..b6cde40 --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node-windows.yaml 
@@ -0,0 +1,185 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: ebs-csi-node-windows + namespace: kube-system + labels: + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: ebs-csi-node + {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + app: ebs-csi-node + {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} + {{- if .Values.node.podAnnotations }} + annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} + {{- end }} + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate + nodeSelector: + kubernetes.io/os: windows + {{- with .Values.node.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount.node.name }} + priorityClassName: {{ .Values.node.priorityClassName | default "system-cluster-critical" }} + tolerations: + {{- if .Values.node.tolerateAllTaints }} + - operator: Exists + {{- else }} + - key: CriticalAddonsOnly + operator: Exists + - operator: Exists + effect: NoExecute + tolerationSeconds: 300 + {{- end }} + {{- with .Values.node.tolerations }} +{{ toYaml . 
| indent 8 }} + {{- end }} + containers: + - name: ebs-plugin + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + args: + - node + - --endpoint=$(CSI_ENDPOINT) + {{- if .Values.volumeAttachLimit }} + - --volume-attach-limit={{ .Values.volumeAttachLimit }} + {{- end }} + - --logtostderr + - --v=5 + env: + - name: CSI_ENDPOINT + value: unix:/csi/csi.sock +{{- if .Values.proxy.http_proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy.http_proxy | quote }} + - name: HTTPS_PROXY + value: {{ .Values.proxy.http_proxy | quote }} + - name: NO_PROXY + value: {{ .Values.proxy.no_proxy | quote }} +{{- end }} + volumeMounts: + - name: kubelet-dir + mountPath: C:\var\lib\kubelet + mountPropagation: "None" + - name: plugin-dir + mountPath: C:\csi + - name: csi-proxy-disk-pipe + mountPath: \\.\pipe\csi-proxy-disk-v1beta2 + - name: csi-proxy-volume-pipe + mountPath: \\.\pipe\csi-proxy-volume-v1beta2 + - name: csi-proxy-filesystem-pipe + mountPath: \\.\pipe\csi-proxy-filesystem-v1beta1 + ports: + - name: healthz + containerPort: 9808 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 10 + failureThreshold: 5 + {{- if .Values.node.resources }} + {{- with .Values.node.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- else }} + {{- with .Values.resources }} + resources: {{ toYaml . 
| nindent 12 }} + {{- end }} + {{- end }} + - name: node-driver-registrar + image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} + args: + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --v=5 + env: + - name: ADDRESS + value: unix:/csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: C:\var\lib\kubelet\plugins\ebs.csi.aws.com\csi.sock +{{- if .Values.proxy.http_proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy.http_proxy | quote }} + - name: HTTPS_PROXY + value: {{ .Values.proxy.http_proxy | quote }} + - name: NO_PROXY + value: {{ .Values.proxy.no_proxy | quote }} +{{- end }} + volumeMounts: + - name: plugin-dir + mountPath: C:\csi + - name: registration-dir + mountPath: C:\registration + {{- if .Values.node.resources }} + {{- with .Values.node.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- else }} + {{- with .Values.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- end }} + - name: liveness-probe + image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} + args: + - --csi-address=unix:/csi/csi.sock + volumeMounts: + - name: plugin-dir + mountPath: C:\csi + {{- if .Values.node.resources }} + {{- with .Values.node.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- else }} + {{- with .Values.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + volumes: + - name: kubelet-dir + hostPath: + path: C:\var\lib\kubelet + type: Directory + - name: plugin-dir + hostPath: + path: C:\var\lib\kubelet\plugins\ebs.csi.aws.com + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: C:\var\lib\kubelet\plugins_registry + type: Directory + - name: csi-proxy-disk-pipe + hostPath: + path: \\.\pipe\csi-proxy-disk-v1beta2 + type: "" + - name: csi-proxy-volume-pipe + hostPath: + path: \\.\pipe\csi-proxy-volume-v1beta2 + type: "" + - name: csi-proxy-filesystem-pipe + hostPath: + path: \\.\pipe\csi-proxy-filesystem-v1beta1 + type: "" diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml index 5caeb33..c816adf 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/node.yaml @@ -15,8 +15,12 @@ spec: labels: app: ebs-csi-node {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.node.podAnnotations }} - annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} + {{- if .Values.node.podLabels }} + {{- toYaml .Values.node.podLabels | nindent 8 }} + {{- end }} + {{- with .Values.node.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} {{- end }} spec: affinity: @@ -31,11 +35,10 @@ spec: nodeSelector: kubernetes.io/os: linux {{- with .Values.node.nodeSelector }} -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - hostNetwork: true serviceAccountName: {{ .Values.serviceAccount.node.name }} - priorityClassName: {{ .Values.node.priorityClassName | default "system-cluster-critical" }} + priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }} tolerations: {{- if .Values.node.tolerateAllTaints }} - operator: Exists 
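Review bot: `namespace: kube-system` is hard-coded in the new Windows DaemonSet while the rest of this commit resolves the namespace from the release (`namespace: {{ .Release.Namespace }}` in clusterrolebinding-csi-node.yaml), so an install into any other namespace places the DaemonSet where its `serviceAccountName: {{ .Values.serviceAccount.node.name }}` does not exist; use `namespace: {{ .Release.Namespace }}`. The file also diverges from the refactored node.yaml in this same commit: it reads the legacy `.Values.volumeAttachLimit` and `.Values.resources` instead of the `node.*` keys, hard-codes `--v=5` instead of `.Values.node.logLevel`, inlines the proxy env block instead of `include "aws-ebs-csi-driver.http-proxy"`, and uses `{{ toYaml . | indent 8 }}` where node.yaml moved to `nindent`. Whether this is a deliberate verbatim copy of the upstream Windows manifest or an oversight is not visible here; a header comment stating which would keep the two node templates from drifting further.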
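Review bot: Removing `hostNetwork: true` from the node DaemonSet and changing the default priority class to `system-node-critical` are unexplained in the template; dropping host networking is a welcome reduction of the pod's host exposure, but the node plugin then appears to rely on the `CSI_NODE_NAME` fieldRef and the new `ebs-csi-node-role` (`nodes` get) added elsewhere in this commit to learn about its instance, so the three changes depend on each other. A comment at the `serviceAccountName:` line, e.g. `# no hostNetwork: node metadata is resolved via CSI_NODE_NAME and the nodes/get ClusterRole rather than host network access`, would record that dependency so nobody reintroduces hostNetwork or drops the role in isolation. Confirm against the driver version in use that this metadata fallback is supported.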
@@ -47,7 +50,7 @@ spec: tolerationSeconds: 300 {{- end }} {{- with .Values.node.tolerations }} -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: ebs-plugin @@ -57,22 +60,24 @@ spec: args: - node - --endpoint=$(CSI_ENDPOINT) - {{- if .Values.volumeAttachLimit }} - - --volume-attach-limit={{ .Values.volumeAttachLimit }} + {{- with default .Values.volumeAttachLimit .Values.node.volumeAttachLimit }} + - --volume-attach-limit={{ . }} {{- end }} - --logtostderr - - --v={{ .Values.logLevel }} + - --v={{ .Values.node.logLevel }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + - name: CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.node.env.ebsPlugin }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: kubelet-dir mountPath: /var/lib/kubelet 
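Review bot: The new `CSI_NODE_NAME` env (from `spec.nodeName`) suggests the ebs-plugin now resolves instance metadata from its Node object as a fallback, which fits `hostNetwork: true` being dropped in the previous hunk, but nothing in this diff states that intent. If that is the reason, two things outside the hunk need checking: the node ServiceAccount's ClusterRole must grant `get` on `nodes` (the IMDS path needed no API access), and on instances running IMDSv2 with a hop limit of 1 the pod-network call to the metadata endpoint will fail, so the Node lookup becomes the only source. A comment on the env entry would record the dependency: `# Lets the plugin read instance data from the Node object when IMDS is not reachable from the pod network (hostNetwork is off)`. The container spec continues past this hunk.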
@@ -93,47 +98,35 @@ spec: timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 - {{- if .Values.node.resources }} - {{- with .Values.node.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} - {{- else }} - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} + {{- with default .Values.resources (default .Values.node.resources .Values.node.containerResources.ebsPlugin) }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} - name: node-driver-registrar image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v={{ .Values.logLevel }} + - --v={{ .Values.node.logLevel }} env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- if .Values.proxy.http_proxy }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + {{- with .Values.node.env.nodeDriverRegistrar }} + {{- . | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration - {{- if .Values.node.resources }} - {{- with .Values.node.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} - {{- else }} - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} + {{- with default .Values.resources (default .Values.node.resources .Values.node.containerResources.nodeDriverRegistrar) }} + resources: + {{- toYaml . 
| nindent 12 }} {{- end }} - name: liveness-probe image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} @@ -142,14 +135,9 @@ spec: volumeMounts: - name: plugin-dir mountPath: /csi - {{- if .Values.node.resources }} - {{- with .Values.node.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} - {{- else }} - {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} - {{- end }} + {{- with default .Values.resources (default .Values.node.resources .Values.node.containerResources.liveness) }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: @@ -160,15 +148,15 @@ spec: volumes: - name: kubelet-dir hostPath: - path: /var/lib/kubelet + path: {{ .Values.node.kubeletPath }} type: Directory - name: plugin-dir hostPath: - path: /var/lib/kubelet/plugins/ebs.csi.aws.com/ + path: {{ printf "%s/plugins/ebs.csi.aws.com/" (trimSuffix "/" .Values.node.kubeletPath) }} type: DirectoryOrCreate - name: registration-dir hostPath: - path: /var/lib/kubelet/plugins_registry/ + path: {{ printf "%s/plugins_registry/" (trimSuffix "/" .Values.node.kubeletPath) }} type: Directory - name: device-dir hostPath: diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml new file mode 100644 index 0000000..373974a --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml 
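Review bot: The kubelet-dir, plugin-dir and registration-dir hostPaths now derive from `.Values.node.kubeletPath`, but the container side of the same DaemonSet still hard-codes `/var/lib/kubelet`: the kubelet-dir `mountPath` (context line closing the `@@ -57` hunk) and `DRIVER_REG_SOCK_PATH` (`/var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock`, context in the `@@ -93` hunk). node-driver-registrar hands that path to the kubelet, which opens the socket on the host, so with a non-default kubeletPath the kubelet looks under a directory this chart no longer creates and driver registration fails; the mountPath mismatch likewise breaks any staging/publish path the kubelet passes in. Derive both from the same value: `value: {{ printf "%s/plugins/ebs.csi.aws.com/csi.sock" (trimSuffix "/" .Values.node.kubeletPath) }}` and `mountPath: {{ .Values.node.kubeletPath }}`. Whether the kubelet-dir mount carries `mountPropagation: Bidirectional` is not visible in these hunks.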
@@ -0,0 +1,17 @@
+{{- $replicas := (default .Values.replicaCount .Values.controller.replicaCount) | int }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: ebs-csi-controller
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: ebs-csi-controller
+ {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
+ {{- if le $replicas 2 }}
+ maxUnavailable: 1
+ {{- else }}
+ minAvailable: 2
+{{- end }}
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-snapshot-controller.yaml
new file mode 100644
index 0000000..d9383bc
--- /dev/null
+++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-snapshot-controller.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.enableVolumeSnapshot }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: ebs-snapshot-controller
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app: ebs-snapshot-controller
+ {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
+ maxUnavailable: 1
+{{- end }}
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml
index 4d09e4c..2b55a16 100644
--- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml
+++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/role-snapshot-controller-leaderelection.yaml
@@ -1,4 +1,3 @@
-{{- if .Values.enableVolumeSnapshot }}
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
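Review bot: Both new PodDisruptionBudgets pin `apiVersion: policy/v1beta1`, which is deprecated as of Kubernetes v1.21 — the release the README matrix in this commit starts listing — while `policy/v1` is served from v1.21 on; pinning the beta API means the chart stops rendering on clusters that drop it. Select at render time: `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. Also, `$replicas` falls back to the top-level `replicaCount` (2 in values.yaml) when `controller.replicaCount` is unset, so the default budget is `maxUnavailable: 1`, i.e. a drain may leave a single controller; presumably intended, but a comment on the `if le $replicas 2` line saying so would save the next reader the arithmetic.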
@@ -7,8 +6,6 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - -{{- end }} + - apiGroups: [ "coordination.k8s.io" ] + resources: [ "leases" ] + verbs: [ "get", "watch", "list", "delete", "update", "create" ] diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml index e8248bd..74095f3 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/rolebinding-snapshot-controller-leaderelection.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -14,5 +13,3 @@ roleRef: kind: Role name: ebs-snapshot-controller-leaderelection apiGroup: rbac.authorization.k8s.io - -{{- end }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml index 0490c32..b465c3b 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml @@ -6,7 +6,8 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.controller.annotations }} - annotations: {{ toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 4 }} {{- end }} {{- if eq .Release.Name "kustomize" }} #Enable if EKS IAM for SA is used 
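Review bot: Removing the `enableVolumeSnapshot` wrapper means the `ebs-snapshot-controller-leaderelection` Role and this RoleBinding are created even when snapshotting is off and no snapshot-controller pod exists, whereas the StatefulSet itself appears to stay gated (its closing `{{- end }}` survives in the snapshot-controller.yaml hunk). That is a standing grant of get/list/watch/create/update/delete on `coordination.k8s.io/leases` in the namespace to whatever ServiceAccount the binding names (subjects are outside the hunk), granted for nothing; keeping RBAC scoped to the feature that uses it is the least-privilege choice and avoids a dangling binding that any later-created SA of that name inherits. Restore `{{- if .Values.enableVolumeSnapshot }}` … `{{- end }}` around both the Role and the RoleBinding, or gate them on the same condition the StatefulSet uses.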
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml index 2e93f72..4722b2a 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml @@ -6,6 +6,7 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.node.annotations }} - annotations: {{ toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 4 }} {{- end }} {{- end -}} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml index 19d27cb..9d2c681 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/serviceaccount-snapshot-controller.yaml @@ -1,4 +1,3 @@ -{{- if .Values.enableVolumeSnapshot }} {{- if .Values.serviceAccount.snapshot.create }} --- apiVersion: v1 @@ -8,7 +7,7 @@ metadata: labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} {{- with .Values.serviceAccount.snapshot.annotations }} - annotations: {{ toYaml . | nindent 4 }} + annotations: + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} -{{- end }} 
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml similarity index 62% rename from charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml rename to charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml index e87aa30..bccfd13 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/statefulset.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml @@ -5,7 +5,7 @@ apiVersion: apps/v1 metadata: name: ebs-snapshot-controller labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} + {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: serviceName: ebs-snapshot-controller replicas: 1 
@@ -18,41 +18,46 @@ spec: labels: app: ebs-snapshot-controller {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} + {{- if .Values.snapshotController.podLabels }} + {{- toYaml .Values.snapshotController.podLabels | nindent 8 }} + {{- end }} + {{- if .Values.snapshotController.podAnnotations }} + annotations: {{ toYaml .Values.snapshotController.podAnnotations | nindent 8 }} + {{- end }} spec: serviceAccountName: {{ .Values.serviceAccount.snapshot.name }} nodeSelector: kubernetes.io/os: linux {{- with .Values.nodeSelector }} -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} priorityClassName: {{ .Values.priorityClassName | default "system-cluster-critical" }} {{- with .Values.affinity }} - affinity: {{ toYaml . | nindent 8 }} + affinity: + {{- toYaml . | nindent 8 }} {{- end }} tolerations: - {{- if .Values.tolerateAllTaints }} + - key: CriticalAddonsOnly + operator: Exists - operator: Exists - {{- end }} + effect: NoExecute + tolerationSeconds: 300 {{- with .Values.tolerations }} -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} containers: - name: snapshot-controller image: {{ printf "%s:%s" .Values.snapshotController.repository .Values.snapshotController.tag }} {{- with .Values.resources }} - resources: {{ toYaml . | nindent 12 }} + resources: + {{- toYaml . | nindent 12 }} {{- end }} + {{- if .Values.proxy.http_proxy }} env: -{{- if .Values.proxy.http_proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} - - name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end }} + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} args: - - --v={{ .Values.logLevel }} + - --v=2 - --leader-election=false {{- if .Values.imagePullSecrets }} imagePullSecrets: @@ -60,4 +65,4 @@ spec: - name: {{ . }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file 
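Review bot: `--v=2` becomes a literal in the snapshot-controller args while every other container in this change reads verbosity from values (`.Values.controller.logLevel`, `.Values.node.logLevel`); `- --v={{ .Values.controller.logLevel }}` keeps it tunable the same way and avoids a second place to edit. Also worth recording: the tolerations used to be opt-in via `tolerateAllTaints` and are now unconditional — `CriticalAddonsOnly` plus any `NoExecute` taint for 300 s — so the pod will schedule onto tainted nodes the old default avoided. If that is intended, say so above the `tolerations:` key, e.g. `# Always tolerate CriticalAddonsOnly and ride out NoExecute taints for 5 min (no longer gated by tolerateAllTaints)`. The StatefulSet's enclosing `if` opens before this hunk.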
diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/storageclass.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/storageclass.yaml index 3da90e3..847f5e2 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/storageclass.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/templates/storageclass.yaml @@ -4,11 +4,11 @@ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: {{ .name }} - {{- if .annotations }} - annotations: {{- .annotations | toYaml | trim | nindent 4 }} + {{- with .annotations }} + annotations: {{- . | toYaml | trim | nindent 4 }} {{- end }} - {{- if .labels }} - labels: {{- .labels | toYaml | trim | nindent 4 }} + {{- with .labels }} + labels: {{- . | toYaml | trim | nindent 4 }} {{- end }} provisioner: ebs.csi.aws.com {{ omit (dict "volumeBindingMode" "WaitForFirstConsumer" | merge .) "name" "annotations" "labels" | toYaml }} diff --git a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml index 0710d18..8a6e62a 100644 --- a/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/charts/aws-ebs-csi-driver/values.yaml @@ -2,22 +2,18 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -replicaCount: 2 - image: repository: k8s.gcr.io/provider-aws/aws-ebs-csi-driver - tag: "v0.10.0" + tag: "v1.1.1" pullPolicy: IfNotPresent -logLevel: 5 - sidecars: provisionerImage: repository: k8s.gcr.io/sig-storage/csi-provisioner - tag: "v2.0.2" + tag: "v2.1.1" attacherImage: repository: k8s.gcr.io/sig-storage/csi-attacher - tag: "v3.0.0" + tag: "v3.1.0" snapshotterImage: repository: k8s.gcr.io/sig-storage/csi-snapshotter tag: "v3.0.3" 
@@ -29,97 +25,128 @@ sidecars: tag: "v1.0.0" nodeDriverRegistrarImage: repository: k8s.gcr.io/sig-storage/csi-node-driver-registrar - tag: "v2.0.1" + tag: "v2.1.0" snapshotController: repository: k8s.gcr.io/sig-storage/snapshot-controller tag: "v3.0.3" + podAnnotations: {} + podLabels: {} -proxy: {} -# http_proxy: -# no_proxy: +proxy: + http_proxy: + no_proxy: imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -podAnnotations: {} - -# True if enable volume scheduling for dynamic volume provisioning -enableVolumeScheduling: true - -# True if enable volume resizing -enableVolumeResizing: false +nameOverride: +fullnameOverride: # True if enable volume snapshot enableVolumeSnapshot: false -# The "maximum number of attachable volumes" per node -volumeAttachLimit: "" +# Moving to values under controller +affinity: {} +extraCreateMetadata: true +extraVolumeTags: {} +k8sTagClusterId: +nodeSelector: {} +podAnnotations: {} +priorityClassName: "system-cluster-critical" +region: +replicaCount: 2 +resources: {} +tolerations: [] +topologySpreadConstraints: [] -resources: - {} +controller: + affinity: {} + # True if enable volume scheduling for dynamic volume provisioning + env: + ebsPlugin: [] + provisioner: [] + attacher: [] + snapshotter: [] + resizer: [] + # If set, add pv/pvc metadata to plugin create requests as parameters. + extraCreateMetadata: true + # Will be removed in later version in favor of env.ebsPlugin + extraVars: {} + # Extra volume tags to attach to each dynamically provisioned volume. + # --- + # extraVolumeTags: + # key1: value1 + # key2: value2 + extraVolumeTags: {} + httpEndpoint: + # ID of the Kubernetes cluster used for tagging provisioned EBS volumes (optional). + k8sTagClusterId: + logLevel: 2 + nodeSelector: {} + podAnnotations: {} + podLabels: {} + priorityClassName: + # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata + # service. 
+ # --- + # region: us-east-1 + region: + replicaCount: + resources: {} + containerResources: + ebsPlugin: {} + provisioner: {} + attacher: {} + snapshotter: {} + resizer: {} + liveness: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # Note that you will need to set resource requests if you want the cluster autoscaler to + # scale your nodes when you increase/decrease the number of ebs-csi-controller replicas. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi + tolerations: [] + # TSCs without the label selector stanza + # + # Example: + # + # topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # - maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + topologySpreadConstraints: [] -priorityClassName: "" -nodeSelector: {} -tolerateAllTaints: false -tolerations: [] -affinity: {} - -# TSCs without the label selector stanza -# -# Example: -# -# topologySpreadConstraints: -# - maxSkew: 1 -# topologyKey: topology.kubernetes.io/zone -# whenUnsatisfiable: ScheduleAnyway -# - maxSkew: 1 -# topologyKey: kubernetes.io/hostname -# whenUnsatisfiable: ScheduleAnyway - -topologySpreadConstraints: [] - -# Extra volume tags to attach to each dynamically provisioned volume. -# --- -# extraVolumeTags: -# key1: value1 -# key2: value2 -extraVolumeTags: {} - -# If set, add pv/pvc metadata to plugin create requests as parameters. -extraCreateMetadata: false - -# ID of the Kubernetes cluster used for tagging provisioned EBS volumes (optional). -k8sTagClusterId: "" - -# AWS region to use. 
If not specified then the region will be looked up via the AWS EC2 metadata -# service. -# --- -# region: us-east-1 -region: "" - -# Additonal environment variables for the controller -controller: - extraVars: {} +# Moving to values under node +# The "maximum number of attachable volumes" per node +volumeAttachLimit: node: - priorityClassName: "" + env: + ebsPlugin: [] + nodeDriverRegistrar: [] + kubeletPath: /var/lib/kubelet + logLevel: 2 + priorityClassName: nodeSelector: {} podAnnotations: {} + podLabels: {} tolerateAllTaints: false tolerations: [] resources: {} + containerResources: + ebsPlugin: {} + nodeDriverRegistrar: {} + liveness: {} + volumeAttachLimit: serviceAccount: controller: diff --git a/charts/kubezero-aws-ebs-csi-driver/crds/crd_snapshotter.yaml b/charts/kubezero-aws-ebs-csi-driver/crds/crd_snapshotter.yaml deleted file mode 100644 index aff837a..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/crds/crd_snapshotter.yaml +++ /dev/null 
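Review bot: `extraCreateMetadata` flips from `false` to `true` as the default, both at top level and under `controller`, and the surviving comment only says it adds pv/pvc metadata to create requests as parameters. In practice that sends the PV name and PVC name/namespace with every CreateVolume call, and presumably they end up as EBS volume tags readable by anything in the AWS account with DescribeVolumes/DescribeTags — clusters that treat namespace or claim names as sensitive need to know to opt out. Extend the comment: `# Default is now true: PV/PVC name and namespace are passed on every CreateVolume call (and may be stored as EBS tags); set false if those names must not leave the cluster.` Separately, `proxy.http_proxy`/`no_proxy` are now bare keys (null) rather than commented out; `if .Values.proxy.http_proxy` still renders nothing, but `""` would make the intent explicit and satisfy yamllint's empty-values rule.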
@@ -1,420 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" - creationTimestamp: null - name: volumesnapshotclasses.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotClass - listKind: VolumeSnapshotClassList - plural: volumesnapshotclasses - singular: volumesnapshotclass - scope: Cluster - preserveUnknownFields: false - validation: - openAPIV3Schema: - description: VolumeSnapshotClass specifies parameters that a underlying storage - system uses when creating a volume snapshot. A specific VolumeSnapshotClass - is used by specifying its name in a VolumeSnapshot object. VolumeSnapshotClasses - are non-namespaced - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - deletionPolicy: - description: deletionPolicy determines whether a VolumeSnapshotContent created - through the VolumeSnapshotClass should be deleted when its bound VolumeSnapshot - is deleted. Supported values are "Retain" and "Delete". "Retain" means - that the VolumeSnapshotContent and its physical snapshot on underlying - storage system are kept. "Delete" means that the VolumeSnapshotContent - and its physical snapshot on underlying storage system are deleted. Required. - enum: - - Delete - - Retain - type: string - driver: - description: driver is the name of the storage driver that handles this - VolumeSnapshotClass. Required. - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - parameters: - additionalProperties: - type: string - description: parameters is a key-value map with storage driver specific - parameters for creating snapshots. These values are opaque to Kubernetes. - type: object - required: - - deletionPolicy - - driver - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" - creationTimestamp: null - name: volumesnapshotcontents.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotContent - listKind: VolumeSnapshotContentList - plural: volumesnapshotcontents - singular: volumesnapshotcontent - scope: Cluster - subresources: - status: {} - preserveUnknownFields: false - validation: - openAPIV3Schema: - description: VolumeSnapshotContent represents the actual "on-disk" snapshot - object in the underlying storage system - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - spec: - description: spec defines properties of a VolumeSnapshotContent created - by the underlying storage system. Required. - properties: - deletionPolicy: - description: deletionPolicy determines whether this VolumeSnapshotContent - and its physical snapshot on the underlying storage system should - be deleted when its bound VolumeSnapshot is deleted. Supported values - are "Retain" and "Delete". "Retain" means that the VolumeSnapshotContent - and its physical snapshot on underlying storage system are kept. "Delete" - means that the VolumeSnapshotContent and its physical snapshot on - underlying storage system are deleted. In dynamic snapshot creation - case, this field will be filled in with the "DeletionPolicy" field - defined in the VolumeSnapshotClass the VolumeSnapshot refers to. For - pre-existing snapshots, users MUST specify this field when creating - the VolumeSnapshotContent object. Required. - enum: - - Delete - - Retain - type: string - driver: - description: driver is the name of the CSI driver used to create the - physical snapshot on the underlying storage system. This MUST be the - same as the name returned by the CSI GetPluginName() call for that - driver. Required. - type: string - source: - description: source specifies from where a snapshot will be created. - This field is immutable after creation. Required. - properties: - snapshotHandle: - description: snapshotHandle specifies the CSI "snapshot_id" of a - pre-existing snapshot on the underlying storage system. This field - is immutable. - type: string - volumeHandle: - description: volumeHandle specifies the CSI "volume_id" of the volume - from which a snapshot should be dynamically taken from. This field - is immutable. - type: string - type: object - volumeSnapshotClassName: - description: name of the VolumeSnapshotClass to which this snapshot - belongs. 
- type: string - volumeSnapshotRef: - description: volumeSnapshotRef specifies the VolumeSnapshot object to - which this VolumeSnapshotContent object is bound. VolumeSnapshot.Spec.VolumeSnapshotContentName - field must reference to this VolumeSnapshotContent's name for the - bidirectional binding to be valid. For a pre-existing VolumeSnapshotContent - object, name and namespace of the VolumeSnapshot object MUST be provided - for binding to happen. This field is immutable after creation. Required. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an - entire object, this string should contain a valid JSON/Go field - access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen only - to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change - in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - required: - - deletionPolicy - - driver - - source - - volumeSnapshotRef - type: object - status: - description: status represents the current information of a snapshot. - properties: - creationTime: - description: creationTime is the timestamp when the point-in-time snapshot - is taken by the underlying storage system. In dynamic snapshot creation - case, this field will be filled in with the "creation_time" value - returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing - snapshot, this field will be filled with the "creation_time" value - returned from the CSI "ListSnapshots" gRPC call if the driver supports - it. If not specified, it indicates the creation time is unknown. The - format of this field is a Unix nanoseconds time encoded as an int64. - On Unix, the command `date +%s%N` returns the current time in nanoseconds - since 1970-01-01 00:00:00 UTC. - format: int64 - type: integer - error: - description: error is the latest observed error during snapshot creation, - if any. - properties: - message: - description: 'message is a string detailing the encountered error - during snapshot creation if specified. NOTE: message may be logged, - and it should not contain sensitive information.' - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: readyToUse indicates if a snapshot is ready to be used - to restore a volume. In dynamic snapshot creation case, this field - will be filled in with the "ready_to_use" value returned from CSI - "CreateSnapshotRequest" gRPC call. 
For a pre-existing snapshot, this - field will be filled with the "ready_to_use" value returned from the - CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, - this field will be set to "True". If not specified, it means the readiness - of a snapshot is unknown. - type: boolean - restoreSize: - description: restoreSize represents the complete size of the snapshot - in bytes. In dynamic snapshot creation case, this field will be filled - in with the "size_bytes" value returned from CSI "CreateSnapshotRequest" - gRPC call. For a pre-existing snapshot, this field will be filled - with the "size_bytes" value returned from the CSI "ListSnapshots" - gRPC call if the driver supports it. When restoring a volume from - this snapshot, the size of the volume MUST NOT be smaller than the - restoreSize if it is specified, otherwise the restoration will fail. - If not specified, it indicates that the size is unknown. - format: int64 - minimum: 0 - type: integer - snapshotHandle: - description: snapshotHandle is the CSI "snapshot_id" of a snapshot on - the underlying storage system. If not specified, it indicates that - dynamic snapshot creation has either failed or it is still in progress. 
- type: string - type: object - required: - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - api-approved.kubernetes.io: "https://github.com/kubernetes-csi/external-snapshotter/pull/139" - creationTimestamp: null - name: volumesnapshots.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshot - listKind: VolumeSnapshotList - plural: volumesnapshots - singular: volumesnapshot - scope: Namespaced - subresources: - status: {} - preserveUnknownFields: false - validation: - openAPIV3Schema: - description: VolumeSnapshot is a user's request for either creating a point-in-time - snapshot of a persistent volume, or binding to a pre-existing snapshot. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' - type: string - spec: - description: 'spec defines the desired characteristics of a snapshot requested - by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots - Required.' - properties: - source: - description: source specifies where a snapshot will be created from. - This field is immutable after creation. Required. 
- properties: - persistentVolumeClaimName: - description: persistentVolumeClaimName specifies the name of the - PersistentVolumeClaim object in the same namespace as the VolumeSnapshot - object where the snapshot should be dynamically taken from. This - field is immutable. - type: string - volumeSnapshotContentName: - description: volumeSnapshotContentName specifies the name of a pre-existing - VolumeSnapshotContent object. This field is immutable. - type: string - type: object - volumeSnapshotClassName: - description: 'volumeSnapshotClassName is the name of the VolumeSnapshotClass - requested by the VolumeSnapshot. If not specified, the default snapshot - class will be used if one exists. If not specified, and there is no - default snapshot class, dynamic snapshot creation will fail. Empty - string is not allowed for this field. TODO(xiangqian): a webhook validation - on empty string. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes' - type: string - required: - - source - type: object - status: - description: 'status represents the current information of a snapshot. NOTE: - status can be modified by sources other than system controllers, and must - not be depended upon for accuracy. Controllers should only use information - from the VolumeSnapshotContent object after verifying that the binding - is accurate and complete.' - properties: - boundVolumeSnapshotContentName: - description: 'boundVolumeSnapshotContentName represents the name of - the VolumeSnapshotContent object to which the VolumeSnapshot object - is bound. If not specified, it indicates that the VolumeSnapshot object - has not been successfully bound to a VolumeSnapshotContent object - yet. NOTE: Specified boundVolumeSnapshotContentName alone does not - mean binding is valid. Controllers MUST always verify bidirectional - binding between VolumeSnapshot and VolumeSnapshotContent to - avoid possible security issues.' 
- type: string - creationTime: - description: creationTime is the timestamp when the point-in-time snapshot - is taken by the underlying storage system. In dynamic snapshot creation - case, this field will be filled in with the "creation_time" value - returned from CSI "CreateSnapshotRequest" gRPC call. For a pre-existing - snapshot, this field will be filled with the "creation_time" value - returned from the CSI "ListSnapshots" gRPC call if the driver supports - it. If not specified, it indicates that the creation time of the snapshot - is unknown. - format: date-time - type: string - error: - description: error is the last observed error during snapshot creation, - if any. This field could be helpful to upper level controllers(i.e., - application controller) to decide whether they should continue on - waiting for the snapshot to be created based on the type of error - reported. - properties: - message: - description: 'message is a string detailing the encountered error - during snapshot creation if specified. NOTE: message may be logged, - and it should not contain sensitive information.' - type: string - time: - description: time is the timestamp when the error was encountered. - format: date-time - type: string - type: object - readyToUse: - description: readyToUse indicates if a snapshot is ready to be used - to restore a volume. In dynamic snapshot creation case, this field - will be filled in with the "ready_to_use" value returned from CSI - "CreateSnapshotRequest" gRPC call. For a pre-existing snapshot, this - field will be filled with the "ready_to_use" value returned from the - CSI "ListSnapshots" gRPC call if the driver supports it, otherwise, - this field will be set to "True". If not specified, it means the readiness - of a snapshot is unknown. - type: boolean - restoreSize: - description: restoreSize represents the complete size of the snapshot - in bytes. 
In dynamic snapshot creation case, this field will be filled - in with the "size_bytes" value returned from CSI "CreateSnapshotRequest" - gRPC call. For a pre-existing snapshot, this field will be filled - with the "size_bytes" value returned from the CSI "ListSnapshots" - gRPC call if the driver supports it. When restoring a volume from - this snapshot, the size of the volume MUST NOT be smaller than the - restoreSize if it is specified, otherwise the restoration will fail. - If not specified, it indicates that the size is unknown. - type: string - type: object - required: - - spec - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/kubezero-aws-ebs-csi-driver/loglevel_leader.patch b/charts/kubezero-aws-ebs-csi-driver/loglevel_leader.patch deleted file mode 100644 index 349eea0..0000000 --- a/charts/kubezero-aws-ebs-csi-driver/loglevel_leader.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -diff -rtubN aws-ebs-csi-driver.orig/templates/controller.yaml aws-ebs-csi-driver/templates/controller.yaml ---- aws-ebs-csi-driver.orig/templates/controller.yaml 2021-03-05 03:10:41.000000000 +0100 -+++ aws-ebs-csi-driver/templates/controller.yaml 2021-03-05 10:29:31.878615411 +0100 -@@ -68,7 +68,7 @@ - - --k8s-tag-cluster-id={{ .Values.k8sTagClusterId }} - {{- end }} - - --logtostderr -- - --v=5 -+ - --v={{ .Values.logLevel }} - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock -@@ -126,14 +126,14 @@ - image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} - args: - - --csi-address=$(ADDRESS) -- - --v=5 -+ - --v={{ .Values.logLevel }} - {{- if .Values.enableVolumeScheduling }} - - --feature-gates=Topology=true - {{- end}} - {{- if .Values.extraCreateMetadata }} - - --extra-create-metadata - {{- end}} -- - --leader-election=true -+ - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} - - --default-fstype=ext4 - env: - - name: ADDRESS -@@ -156,8 +156,8 @@ - image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} - args: - - --csi-address=$(ADDRESS) -- - --v=5 -- - --leader-election=true -+ - --v={{ .Values.logLevel }} -+ - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock -@@ -180,7 +180,7 @@ - image: {{ printf "%s:%s" .Values.sidecars.snapshotterImage.repository .Values.sidecars.snapshotterImage.tag }} - args: - - --csi-address=$(ADDRESS) -- - --leader-election=true -+ - --leader-election={{ ternary "true" "false" ( gt (.Values.replicaCount|int) 1 ) }} - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock -@@ -205,7 +205,7 @@ - imagePullPolicy: Always - args: - - --csi-address=$(ADDRESS) -- - --v=5 -+ - --v={{ .Values.logLevel }} - env: - - name: 
ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock -diff -rtubN aws-ebs-csi-driver.orig/templates/node.yaml aws-ebs-csi-driver/templates/node.yaml ---- aws-ebs-csi-driver.orig/templates/node.yaml 2021-03-05 03:10:41.000000000 +0100 -+++ aws-ebs-csi-driver/templates/node.yaml 2021-03-05 10:30:07.391950366 +0100 -@@ -61,7 +61,7 @@ - - --volume-attach-limit={{ .Values.volumeAttachLimit }} - {{- end }} - - --logtostderr -- - --v=5 -+ - --v={{ .Values.logLevel }} - env: - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock -@@ -107,7 +107,7 @@ - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) -- - --v=5 -+ - --v={{ .Values.logLevel }} - env: - - name: ADDRESS - value: /csi/csi.sock -diff -rtubN aws-ebs-csi-driver.orig/templates/statefulset.yaml aws-ebs-csi-driver/templates/statefulset.yaml ---- aws-ebs-csi-driver.orig/templates/statefulset.yaml 2021-03-05 03:10:41.000000000 +0100 -+++ aws-ebs-csi-driver/templates/statefulset.yaml 2021-03-05 10:29:31.881948744 +0100 -@@ -49,7 +49,7 @@ - value: {{ .Values.proxy.no_proxy | quote }} - {{- end }} - args: -- - --v=5 -+ - --v={{ .Values.logLevel }} - - --leader-election=false - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -diff -rtubN aws-ebs-csi-driver.orig/values.yaml aws-ebs-csi-driver/values.yaml ---- aws-ebs-csi-driver.orig/values.yaml 2021-03-05 03:10:41.000000000 +0100 -+++ aws-ebs-csi-driver/values.yaml 2021-03-05 10:29:31.881948744 +0100 -@@ -9,6 +9,8 @@ - tag: "v0.9.0" - pullPolicy: IfNotPresent - -+logLevel: 5 -+ - sidecars: - provisionerImage: - repository: k8s.gcr.io/sig-storage/csi-provisioner diff --git a/charts/kubezero-aws-ebs-csi-driver/patch b/charts/kubezero-aws-ebs-csi-driver/patch new file mode 100644 index 0000000..71fb008 --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/patch 
@@ -0,0 +1,87 @@ +diff -rtubN charts/aws-ebs-csi-driver/templates/controller.yaml charts/aws-ebs-csi-driver.zdt/templates/controller.yaml +--- charts/aws-ebs-csi-driver/templates/controller.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/controller.yaml 2021-06-24 16:31:37.042386198 +0200 +@@ -116,6 +116,9 @@ + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ ++ - name: aws-token ++ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" ++ readOnly: true + ports: + - name: healthz + containerPort: 9808 +@@ -144,7 +147,7 @@ + image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + - --feature-gates=Topology=true + {{- if or .Values.controller.extraCreateMetadata .Values.extraCreateMetadata }} + - --extra-create-metadata +@@ -171,7 +174,7 @@ + image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + - --leader-election=true + env: + - name: ADDRESS +@@ -215,7 +218,7 @@ + imagePullPolicy: Always + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock +@@ -252,3 +255,10 @@ + volumes: + - name: socket-dir + emptyDir: {} ++ - name: aws-token ++ projected: ++ sources: ++ - serviceAccountToken: ++ path: token ++ expirationSeconds: 86400 ++ audience: "sts.amazonaws.com" +diff -rtubN charts/aws-ebs-csi-driver/templates/node.yaml charts/aws-ebs-csi-driver.zdt/templates/node.yaml +--- charts/aws-ebs-csi-driver/templates/node.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/node.yaml 2021-06-24 15:03:44.532351851 +0200 +@@ -107,7 +107,7 @@ + args: + - 
--csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) +- - --v=5 ++ - --v={{ .Values.node.logLevel }} + env: + - name: ADDRESS + value: /csi/csi.sock +diff -rtubN charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml charts/aws-ebs-csi-driver.zdt/templates/snapshot-controller.yaml +--- charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/snapshot-controller.yaml 2021-06-24 15:04:17.999018733 +0200 +@@ -57,7 +57,7 @@ + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + args: +- - --v=5 ++ - --v=2 + - --leader-election=false + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +diff -rtubN charts/aws-ebs-csi-driver/values.yaml charts/aws-ebs-csi-driver.zdt/values.yaml +--- charts/aws-ebs-csi-driver/values.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/values.yaml 2021-06-22 17:08:52.501232371 +0200 +@@ -56,7 +56,7 @@ + replicaCount: 2 + resources: {} + tolerations: [] +-topologySpreadConstraints: [] ++topolk8sTagClusterIdogySpreadConstraints: [] + + controller: + affinity: {} diff --git a/charts/kubezero-aws-ebs-csi-driver/update.sh b/charts/kubezero-aws-ebs-csi-driver/update.sh index 1641beb..3908a3d 100755 --- a/charts/kubezero-aws-ebs-csi-driver/update.sh +++ b/charts/kubezero-aws-ebs-csi-driver/update.sh @@ -1,8 +1,11 @@ #!/bin/bash -VERSION=0.10.0 +VERSION=1.2.4 rm -rf charts/aws-ebs-csi-driver curl -L -s -o - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/helm-chart-aws-ebs-csi-driver-${VERSION}/aws-ebs-csi-driver-${VERSION}.tgz | tar xfz - -C charts -patch -d charts -i ../loglevel_leader.patch -p0 --no-backup-if-mismatch +patch -i zdt.patch -p0 --no-backup-if-mismatch + +# Remove duplicated CRDs +rm -f charts/aws-ebs-csi-driver/templates/crds.yml 
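Review bot: The last hunk of this new `patch` file rewrites the upstream values key `topologySpreadConstraints: []` to `topolk8sTagClusterIdogySpreadConstraints: []`, which reads as an accidental paste of `k8sTagClusterId` into the key; applied, it would remove `topologySpreadConstraints` from the vendored values and leave behind a key the chart never reads. The rest of the file is line-for-line the same as the new `zdt.patch`, and `update.sh` only ever applies `zdt.patch`, so this looks like a stray earlier draft that should be deleted rather than corrected.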
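Review bot: The release tarball is piped straight from `curl -L -s -o -` into `tar xfz - -C charts` with no `-f` and no integrity check, so an HTTP error body or a truncated download is unpacked and patched silently, and nothing in the script stops on failure, so a rejected `patch -i zdt.patch` still falls through to `rm -f charts/aws-ebs-csi-driver/templates/crds.yml`. Suggest `set -euo pipefail` after the shebang, `curl -fsSL` for the download, and pinning the expected digest next to `VERSION` (placeholder `SHA256=<expected-sha256-of-tarball>`) and checking it with `sha256sum -c` on a temporary file before extracting. The `---`/`+++` paths in `zdt.patch` start at `charts/aws-ebs-csi-driver/`, so dropping `-d charts` while keeping `-p0` is consistent with the new patch.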
diff --git a/charts/kubezero-aws-ebs-csi-driver/values.yaml b/charts/kubezero-aws-ebs-csi-driver/values.yaml index 8519805..44489ef 100644 --- a/charts/kubezero-aws-ebs-csi-driver/values.yaml +++ b/charts/kubezero-aws-ebs-csi-driver/values.yaml @@ -1,33 +1,39 @@ aws-ebs-csi-driver: - replicaCount: 1 - logLevel: 1 - - enableVolumeScheduling: true - enableVolumeResizing: true enableVolumeSnapshot: true - nodeSelector: - node-role.kubernetes.io/master: "" + controller: + replicaCount: 1 + logLevel: 1 - tolerations: + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule - # aws-ebs-csi-driver.podAnnotations -- iam.amazonaws.com/role: to assume - podAnnotations: {} - # iam.amazonaws.com/role: '' + # k8sTagClusterId: - # aws-ebs-csi-driver.extraVolumeTags -- Optional tags to be added to each EBS volume - extraVolumeTags: {} - # Name: KubeZero-Cluster + #env: + # ebsPlugin: + #- name: AWS_ROLE_ARN + # value: "" + #- name: AWS_WEB_IDENTITY_TOKEN_FILE + # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + #- name: AWS_STS_REGIONAL_ENDPOINTS + # value: regional + resources: + requests: + cpu: 10m + memory: 24Mi + limits: + # cpu: 50m + memory: 40Mi - resources: - requests: - cpu: 10m - memory: 24Mi - limits: - # cpu: 50m - memory: 40Mi + node: + tolerations: + - key: kubezero-workergroup + effect: NoSchedule + operator: Exists storageClasses: - name: ebs-sc-gp2-xfs @@ -46,3 +52,10 @@ aws-ebs-csi-driver: csi.storage.k8s.io/fstype: xfs type: gp3 encrypted: "true" + + # This will probably move to snapshot later on + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule diff --git a/charts/kubezero-aws-ebs-csi-driver/zdt.patch b/charts/kubezero-aws-ebs-csi-driver/zdt.patch new file mode 100644 index 0000000..ecddbcc --- /dev/null +++ b/charts/kubezero-aws-ebs-csi-driver/zdt.patch 
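Review bot: The web-identity settings under `controller` are committed only as a comment (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_STS_REGIONAL_ENDPOINTS`), while `zdt.patch` in this same commit unconditionally projects an `sts.amazonaws.com`-audience service account token into the controller at exactly that path, and nothing in the values explains the link. A short comment above the block would save the next maintainer from guessing, e.g. `# zdt.patch mounts a projected STS-audience SA token at /var/run/secrets/sts.amazonaws.com/serviceaccount/token; set AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE below to let the plugin assume an IAM role with it`. In the second hunk, `# This will probably move to snapshot later on` is too vague to act on, and the `nodeSelector`/`tolerations` it introduces repeat the `controller` block above; since the collapsed diff hides their indentation, it is worth confirming they land at the intended nesting level.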
@@ -0,0 +1,75 @@ +diff -rtubN charts/aws-ebs-csi-driver/templates/controller.yaml charts/aws-ebs-csi-driver.zdt/templates/controller.yaml +--- charts/aws-ebs-csi-driver/templates/controller.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/controller.yaml 2021-06-24 16:31:37.042386198 +0200 +@@ -116,6 +116,9 @@ + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ ++ - name: aws-token ++ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" ++ readOnly: true + ports: + - name: healthz + containerPort: 9808 +@@ -144,7 +147,7 @@ + image: {{ printf "%s:%s" .Values.sidecars.provisionerImage.repository .Values.sidecars.provisionerImage.tag }} + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + - --feature-gates=Topology=true + {{- if or .Values.controller.extraCreateMetadata .Values.extraCreateMetadata }} + - --extra-create-metadata +@@ -171,7 +174,7 @@ + image: {{ printf "%s:%s" .Values.sidecars.attacherImage.repository .Values.sidecars.attacherImage.tag }} + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + - --leader-election=true + env: + - name: ADDRESS +@@ -215,7 +218,7 @@ + imagePullPolicy: Always + args: + - --csi-address=$(ADDRESS) +- - --v=5 ++ - --v={{ .Values.controller.logLevel }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock +@@ -252,3 +255,10 @@ + volumes: + - name: socket-dir + emptyDir: {} ++ - name: aws-token ++ projected: ++ sources: ++ - serviceAccountToken: ++ path: token ++ expirationSeconds: 86400 ++ audience: "sts.amazonaws.com" +diff -rtubN charts/aws-ebs-csi-driver/templates/node.yaml charts/aws-ebs-csi-driver.zdt/templates/node.yaml +--- charts/aws-ebs-csi-driver/templates/node.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/node.yaml 2021-06-24 15:03:44.532351851 +0200 +@@ -107,7 +107,7 @@ + args: + - 
--csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) +- - --v=5 ++ - --v={{ .Values.node.logLevel }} + env: + - name: ADDRESS + value: /csi/csi.sock +diff -rtubN charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml charts/aws-ebs-csi-driver.zdt/templates/snapshot-controller.yaml +--- charts/aws-ebs-csi-driver/templates/snapshot-controller.yaml 2021-06-17 22:22:22.000000000 +0200 ++++ charts/aws-ebs-csi-driver.zdt/templates/snapshot-controller.yaml 2021-06-24 15:04:17.999018733 +0200 +@@ -57,7 +57,7 @@ + {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} + {{- end }} + args: +- - --v=5 ++ - --v=2 + - --leader-election=false + {{- if .Values.imagePullSecrets }} + imagePullSecrets: diff --git a/charts/kubezero-aws-efs-csi-driver/Chart.yaml b/charts/kubezero-aws-efs-csi-driver/Chart.yaml index 8bd4a5d..7978af0 100644 --- a/charts/kubezero-aws-efs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-efs-csi-driver/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: kubezero-aws-efs-csi-driver description: KubeZero Umbrella Chart for aws-efs-csi-driver -version: 0.3.5 -appVersion: 1.2.0 +version: 0.4.2 +appVersion: 1.3.2 kubeVersion: ">=1.18.0-0" home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -21,5 +21,5 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: aws-efs-csi-driver - version: 1.2.2 + version: 2.1.3 # repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/ diff --git a/charts/kubezero-aws-efs-csi-driver/README.md b/charts/kubezero-aws-efs-csi-driver/README.md index 0f393ce..01843b5 100644 --- a/charts/kubezero-aws-efs-csi-driver/README.md +++ b/charts/kubezero-aws-efs-csi-driver/README.md 
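Review bot: The snapshot-controller hunk hard-codes `--v=2` while every other container in this patch reads its verbosity from `.Values.controller.logLevel` or `.Values.node.logLevel`, so it becomes the one component whose log level the umbrella values cannot tune; if the snapshot controller is meant to follow the controller settings, `- --v={{ .Values.controller.logLevel }}` keeps it consistent. The projected token volume looks sound as written (explicit `audience: "sts.amazonaws.com"`, 24h `expirationSeconds`, mounted `readOnly: true`), but a `#` comment on the added volume lines noting that the ebs-plugin container is expected to point `AWS_WEB_IDENTITY_TOKEN_FILE` at the mounted `token` would tie it to the commented env block in the umbrella `values.yaml`.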
@@ -1,6 +1,6 @@ # kubezero-aws-efs-csi-driver -![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 1.3.1](https://img.shields.io/badge/AppVersion-1.3.1-informational?style=flat-square) KubeZero Umbrella Chart for aws-efs-csi-driver @@ -23,7 +23,7 @@ Kubernetes: `>=1.18.0-0` | Repository | Name | Version | |------------|------|---------| -| | aws-efs-csi-driver | 1.2.1 | +| | aws-efs-csi-driver | 2.1.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Storage Class 
@@ -37,11 +37,16 @@ Details also see: [Reserve PV](https://kubernetes.io/docs/concepts/storage/persi | Key | Type | Default | Description | |-----|------|---------|-------------| -| StorageClass.create | bool | `true` | | -| StorageClass.default | bool | `false` | | -| aws-efs-csi-driver.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/csi.efs.fs"` | | -| aws-efs-csi-driver.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"Exists"` | | -| aws-efs-csi-driver.logLevel | int | `1` | | -| aws-efs-csi-driver.resources.limits.memory | string | `"128Mi"` | | -| aws-efs-csi-driver.resources.requests.cpu | string | `"20m"` | | -| aws-efs-csi-driver.resources.requests.memory | string | `"64Mi"` | | +| aws-efs-csi-driver.controller.create | bool | `true` | | +| aws-efs-csi-driver.controller.logLevel | int | `1` | | +| aws-efs-csi-driver.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| aws-efs-csi-driver.controller.tolerations[0].effect | string | `"NoSchedule"` | | +| aws-efs-csi-driver.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| aws-efs-csi-driver.node.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/csi.efs.fs"` | | +| aws-efs-csi-driver.node.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"Exists"` | | +| aws-efs-csi-driver.node.logLevel | int | `1` | | +| aws-efs-csi-driver.node.resources.limits.memory | string | `"128Mi"` | | +| aws-efs-csi-driver.node.resources.requests.cpu | string | `"20m"` | | +| aws-efs-csi-driver.node.resources.requests.memory | string | `"64Mi"` | | +| aws-efs-csi-driver.replicaCount | int | `1` | | +| 
aws-efs-csi-driver.storageClasses[0].name | string | `"efs-sc"` | | diff --git a/charts/kubezero-aws-efs-csi-driver/affinity_resources.patch b/charts/kubezero-aws-efs-csi-driver/affinity_resources.patch deleted file mode 100644 index 60c546a..0000000 --- a/charts/kubezero-aws-efs-csi-driver/affinity_resources.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -diff -tubrN charts/aws-efs-csi-driver/templates/node-daemonset.yaml charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml ---- charts/aws-efs-csi-driver/templates/node-daemonset.yaml 2021-03-23 14:34:03.000000000 +0100 -+++ charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml 2021-04-01 14:31:36.427375803 +0200 -@@ -40,15 +40,10 @@ - {{- with .Values.nodeSelector }} - {{- . | toYaml | nindent 8 }} - {{- end }} -+ {{- with .Values.affinity }} - affinity: -- nodeAffinity: -- requiredDuringSchedulingIgnoredDuringExecution: -- nodeSelectorTerms: -- - matchExpressions: -- - key: eks.amazonaws.com/compute-type -- operator: NotIn -- values: -- - fargate -+ {{- . | toYaml | nindent 8 }} -+ {{- end }} - hostNetwork: true - {{- if .Values.dnsPolicy }} - dnsPolicy: "{{ .Values.dnsPolicy }}" -@@ -99,6 +94,10 @@ - timeoutSeconds: 3 - periodSeconds: 2 - failureThreshold: 5 -+ {{- with .Values.resources }} -+ resources: -+ {{- . | toYaml | nindent 12 }} -+ {{- end }} - - name: csi-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} - args: -diff -tubrN charts/aws-efs-csi-driver/values.yaml charts/aws-efs-csi-driver.zdt/values.yaml ---- charts/aws-efs-csi-driver/values.yaml 2021-03-23 14:34:03.000000000 +0100 -+++ charts/aws-efs-csi-driver.zdt/values.yaml 2021-04-01 14:37:21.290724721 +0200 -@@ -11,8 +11,8 @@ - - sidecars: - livenessProbeImage: -- repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe -- tag: v2.1.0-eks-1-18-1 -+ repository: k8s.gcr.io/sig-storage/livenessprobe -+ tag: "v2.2.0" - nodeDriverRegistrarImage: - repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar - tag: v2.0.1-eks-1-18-1 -@@ -43,7 +43,15 @@ - - tolerations: [] - --affinity: {} -+affinity: -+ nodeAffinity: -+ requiredDuringSchedulingIgnoredDuringExecution: -+ nodeSelectorTerms: -+ - matchExpressions: -+ - key: eks.amazonaws.com/compute-type -+ 
operator: NotIn -+ values: -+ - fargate - - node: - podAnnotations: {} diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/CHANGELOG.md b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/CHANGELOG.md new file mode 100644 index 0000000..0e499d8 --- /dev/null +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/CHANGELOG.md 
@@ -0,0 +1,112 @@ +# Helm chart + +# v2.1.3 +* Bump app/driver version to `v1.3.2` + +# v2.1.2 +* Add extra-create-metadata + +# v2.1.1 +* Update app/driver version to `v1.3.1` + +# v2.1.0 + +## New features +* Update app/driver version to `v1.3.0` + +## Bug fixes +* Put comments back in place inside the values file ([#475](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/475), [@pierluigilenoci](https://github.com/pierluigilenoci)) + +# v2.0.1 + +## Bug fixes +* Helm chart: fix reclaimPolicy and volumeBindingMode ([#464](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/464), [@devinsmith911](https://github.com/devinsmith911)) + + +# v2.0.0 + +## Breaking changes + +Multiple changes in values file at `sidecars`, `controller` and `node` + +--- +```yaml +sidecars: + xxxxxxxxx: + repository: + tag: +``` + +Moving to + +```yaml +sidecars: + xxxxxxxxx: + image: + repository: + tag: +``` + +--- +```yaml +podAnnotations: +resources: +nodeSelector: +tolerations: +affinity: +``` + +Moving to + +```yaml +controller: + podAnnotations: + resources: + nodeSelector: + tolerations: + affinity: +``` + +--- +```yaml +hostAliases: +dnsPolicy: +dnsConfig: +``` + +Moving to + +```yaml +node: + hostAliases: + dnsPolicy: + dnsConfig: +``` + +--- +```yaml +serviceAccount: + controller: +``` + +Moving to + +```yaml +controller: + serviceAccount: +``` + +## New features + +* Chart API `v2` (requires Helm 3) +* Set `resources` and `imagePullPolicy` fields independently for containers +* Set `logLevel`, `affinity`, `nodeSelector`, `podAnnotations` and `tolerations` fields independently +for Controller deployment and Node daemonset +* Set `reclaimPolicy` and `volumeBindingMode` fields in storage class + +## Fixes + +* Fixing Controller deployment using `podAnnotations` and `tolerations` values from Node daemonset +* Let the user define the whole `tolerations` array, default to `- operator: Exists` +* Default `logLevel` lowered from `5` to `2` +* Default `imagePullPolicy` 
everywhere set to `IfNotPresent` diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/Chart.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/Chart.yaml index 4f1b11d..9c0b3b2 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/Chart.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/Chart.yaml @@ -1,5 +1,5 @@ -apiVersion: v1 -appVersion: 1.2.0 +apiVersion: v2 +appVersion: 1.3.2 description: A Helm chart for AWS EFS CSI Driver home: https://github.com/kubernetes-sigs/aws-efs-csi-driver keywords: @@ -15,4 +15,4 @@ maintainers: name: aws-efs-csi-driver sources: - https://github.com/kubernetes-sigs/aws-efs-csi-driver -version: 1.2.2 +version: 2.1.3 diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/_helpers.tpl b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/_helpers.tpl index 2b4ed0b..3a74fef 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/_helpers.tpl +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/_helpers.tpl @@ -49,8 +49,19 @@ Create the name of the service account to use */}} {{- define "aws-efs-csi-driver.serviceAccountName" -}} {{- if .Values.controller.create -}} - {{ default (include "aws-efs-csi-driver.fullname" .) .Values.serviceAccount.controller.name }} + {{ default (include "aws-efs-csi-driver.fullname" .) .Values.controller.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.serviceAccount.controller.name }} + {{ default "default" .Values.controller.serviceAccount.name }} {{- end -}} {{- end -}} + +{{/* +Create a string out of the map for controller tags flag +*/}} +{{- define "aws-efs-csi-driver.tags" -}} +{{- $tags := list -}} +{{ range $key, $val := . }} +{{- $tags = print $key ":" $val | append $tags -}} +{{- end -}} +{{- join " " $tags -}} +{{- end -}} 
diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-deployment.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-deployment.yaml index 122ffe2..c1beb69 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-deployment.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-deployment.yaml @@ -19,8 +19,8 @@ spec: app: efs-csi-controller app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} - {{- if .Values.node.podAnnotations }} - annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} + {{- with .Values.controller.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} {{- end }} spec: {{- if .Values.imagePullSecrets }} 
@@ -31,37 +31,42 @@ spec: {{- end }} nodeSelector: kubernetes.io/os: linux - {{- with .Values.nodeSelector }} - {{- . | toYaml | nindent 8 }} + {{- with .Values.controller.nodeSelector }} + {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "aws-efs-csi-driver.serviceAccountName" . }} priorityClassName: system-cluster-critical - tolerations: - - operator: Exists - {{- with .Values.node.tolerations }} - {{- . | toYaml | nindent 8 }} - {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: efs-plugin securityContext: privileged: true image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: IfNotPresent + imagePullPolicy: {{ .Values.image.pullPolicy }} args: - --endpoint=$(CSI_ENDPOINT) - --logtostderr - - --v=5 - # Uncomment below line to allow access point root directory to be deleted by controller. - #- --delete-access-point-root-dir + {{- if .Values.controller.tags }} + - --tags={{ include "aws-efs-csi-driver.tags" .Values.controller.tags }} + {{- end }} + - --v={{ .Values.controller.logLevel }} + - --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }} env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + {{- if .Values.controller.extraEnv }} +{{ toYaml .Values.controller.extraEnv | indent 12 }} + {{- end }} volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" ports: - name: healthz - containerPort: 9808 + containerPort: 9909 protocol: TCP livenessProbe: httpGet: 
@@ -71,12 +76,19 @@ spec: timeoutSeconds: 3 periodSeconds: 10 failureThreshold: 5 + {{- with .Values.controller.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} - name: csi-provisioner - image: {{ printf "%s:%s" .Values.sidecars.csiProvisionerImage.repository .Values.sidecars.csiProvisionerImage.tag }} + image: {{ printf "%s:%s" .Values.sidecars.csiProvisioner.image.repository .Values.sidecars.csiProvisioner.image.tag }} + imagePullPolicy: {{ .Values.sidecars.csiProvisioner.image.pullPolicy }} args: - --csi-address=$(ADDRESS) - - --v=5 + - --v={{ .Values.controller.logLevel }} - --feature-gates=Topology=true + {{- if .Values.controller.extraCreateMetadata }} + - --extra-create-metadata + {{- end }} - --leader-election env: - name: ADDRESS @@ -84,15 +96,32 @@ spec: volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ + {{- with .Values.sidecars.csiProvisioner.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} + image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} + imagePullPolicy: {{ .Values.sidecars.livenessProbe.image.pullPolicy }} args: - --csi-address=/csi/csi.sock - - --health-port=9808 + - --health-port=9909 volumeMounts: - name: socket-dir mountPath: /csi + {{- with .Values.sidecars.livenessProbe.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} volumes: - name: socket-dir emptyDir: {} + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + {{- with .Values.controller.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} 
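Review bot: In the second hunk the `aws-token` projected volume is rendered unconditionally, so every controller pod is minted a service-account token with audience `sts.amazonaws.com` even when nothing consumes it; as far as the hunk shows, the token is only used via `AWS_WEB_IDENTITY_TOKEN_FILE`, which is set through `controller.extraEnv`, and the umbrella values leave that block commented out. Wrapping both this volume and its mount in the earlier hunk in the same `{{- if .Values.controller.extraEnv }} ... {{- end }}` guard the env block already uses would keep an STS-usable credential out of pods that have no reason to hold it. The 86400s `expirationSeconds` is reasonable for a rotated projected token and is fine as is. The same change belongs in zdt.patch.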
diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml index 5a08044..63d45b6 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml @@ -1,11 +1,11 @@ -{{- if .Values.serviceAccount.controller.create }} +{{- if .Values.controller.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "aws-efs-csi-driver.serviceAccountName" . }} labels: app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }} - {{- with .Values.serviceAccount.controller.annotations }} + {{- with .Values.controller.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} @@ -40,6 +40,9 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "watch", "list" ] --- diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/csidriver.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/csidriver.yaml index 33247d5..e6b4d41 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/csidriver.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/csidriver.yaml @@ -1,4 +1,4 @@ -apiVersion: storage.k8s.io/v1beta1 +apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }} kind: CSIDriver metadata: name: efs.csi.aws.com 
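Review bot: The rule added in the second hunk grants `get`, `watch` and `list` on every `secrets` object to the controller's service account, and `list` returns secret contents, which makes it by far the broadest read privilege in this chart; the enclosing `rules:` block and its `kind` start outside the hunk, so it is not visible here whether this is a ClusterRole or a namespaced Role. If it exists so the csi-provisioner sidecar can resolve secrets referenced from StorageClass parameters, say so and scope it where possible: `# Needed by the csi-provisioner sidecar for secrets referenced from StorageClass parameters -- TODO confirm and narrow (namespaced Role or resourceNames) if possible`. Since this subchart is vendored by update.sh, a narrowing would have to go through zdt.patch.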
diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/node-daemonset.yaml index a8cd9a7..df10a2d 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/node-daemonset.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/node-daemonset.yaml @@ -21,9 +21,9 @@ spec: annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }} {{- end }} spec: - {{- if .Values.hostAliases }} + {{- with .Values.node.hostAliases }} hostAliases: - {{- range $k, $v := .Values.hostAliases }} + {{- range $k, $v := . }} - ip: {{ $v.ip }} hostnames: - {{ $k }}.efs.{{ $v.region }}.amazonaws.com 
@@ -37,36 +37,32 @@ spec: {{- end }} nodeSelector: beta.kubernetes.io/os: linux - {{- with .Values.nodeSelector }} - {{- . | toYaml | nindent 8 }} + {{- with .Values.node.nodeSelector }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.node.affinity }} affinity: {{- . | toYaml | nindent 8 }} {{- end }} hostNetwork: true - {{- if .Values.dnsPolicy }} - dnsPolicy: "{{ .Values.dnsPolicy }}" - {{- end }} - {{- with .Values.dnsConfig }} - dnsConfig: - {{- toYaml . | nindent 8 }} + dnsPolicy: {{ .Values.node.dnsPolicy }} + {{- with .Values.node.dnsConfig }} + dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} priorityClassName: system-node-critical - tolerations: - - operator: Exists - {{- with .Values.node.tolerations }} - {{- . | toYaml | nindent 8 }} - {{- end }} + {{- with .Values.node.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: efs-plugin securityContext: privileged: true image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} args: - --endpoint=$(CSI_ENDPOINT) - --logtostderr - - --v={{ .Values.logLevel }} + - --v={{ .Values.node.logLevel }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock 
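Review bot: `dnsPolicy: {{ .Values.node.dnsPolicy }}` is now rendered unconditionally and unquoted, so an empty override produces `dnsPolicy:` (null) instead of omitting the field as the removed `{{- if }}` guard did; `dnsPolicy: {{ .Values.node.dnsPolicy | quote }}`, or keeping a `{{- with .Values.node.dnsPolicy }}` guard, avoids that. Note also that the DaemonSet sets `hostNetwork: true` two lines above, and with that setting a `ClusterFirst` policy (the new values default) resolves through the host's resolver rather than cluster DNS; `ClusterFirstWithHostNet` is the policy that keeps cluster resolution on a host-network pod, so a one-line comment on the values key stating which behaviour is intended would help operators. The container spec continues past the hunk.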
@@ -94,16 +90,16 @@ spec: timeoutSeconds: 3 periodSeconds: 2 failureThreshold: 5 - {{- with .Values.resources }} - resources: - {{- . | toYaml | nindent 12 }} + {{- with .Values.node.resources }} + resources: {{ toYaml . | nindent 12 }} {{- end }} - name: csi-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrarImage.repository .Values.sidecars.nodeDriverRegistrarImage.tag }} + image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }} + imagePullPolicy: {{ .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }} args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v={{ .Values.logLevel }} + - --v={{ .Values.node.logLevel }} env: - name: ADDRESS value: /csi/csi.sock @@ -118,15 +114,22 @@ spec: mountPath: /csi - name: registration-dir mountPath: /registration + {{- with .Values.sidecars.nodeDriverRegistrar.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbeImage.repository .Values.sidecars.livenessProbeImage.tag }} + image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} + imagePullPolicy: {{ .Values.sidecars.livenessProbe.image.pullPolicy }} args: - --csi-address=/csi/csi.sock - --health-port=9809 - - --v={{ .Values.logLevel }} + - --v={{ .Values.node.logLevel }} volumeMounts: - name: plugin-dir mountPath: /csi + {{- with .Values.sidecars.livenessProbe.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} volumes: - name: kubelet-dir hostPath: diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/storageclass.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/storageclass.yaml index 39f1fae..8ce1ec8 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/storageclass.yaml 
+++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/templates/storageclass.yaml @@ -3,13 +3,24 @@ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: {{ .name }} + {{- with .annotations }} + annotations: + {{ toYaml . | indent 4 }} + {{- end }} provisioner: efs.csi.aws.com {{- with .mountOptions }} -mountOptions: +mountOptions: {{ toYaml . }} {{- end }} {{- with .parameters }} parameters: {{ toYaml . | indent 2 }} {{- end }} +{{- with .reclaimPolicy }} +reclaimPolicy: {{ . }} {{- end }} +{{- with .volumeBindingMode }} +volumeBindingMode: {{ . }} +{{- end }} +--- +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/values.yaml b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/values.yaml index b175d57..6afb5d6 100644 --- a/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/values.yaml +++ b/charts/kubezero-aws-efs-csi-driver/charts/aws-efs-csi-driver/values.yaml 
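Review bot: As the collapsed diff renders it, the new line is `mountOptions: {{ toYaml . }}` on a single line; for any non-empty list `toYaml` emits block-sequence lines such as `- tls`, and a block sequence is not allowed on the same line as a mapping key, so a StorageClass with `mountOptions` set would fail to parse -- `mountOptions: {{- toYaml . | nindent 2 }}` renders correctly. The `annotations:` insertion has a related hazard: `{{ toYaml . | indent 4 }}` prefixes every line with four spaces, so if the template line itself is indented under `metadata:` (indentation is lost in this rendering) the first annotation key ends up deeper than the following ones; `annotations: {{- toYaml . | nindent 4 }}` avoids that. Both templates are vendored by update.sh, so the fixes belong in zdt.patch or upstream.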
@@ -2,98 +2,116 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +nameOverride: "" +fullnameOverride: "" + replicaCount: 2 image: repository: amazon/aws-efs-csi-driver - tag: "v1.2.0" + tag: "v1.3.2" pullPolicy: IfNotPresent sidecars: - livenessProbeImage: - repository: k8s.gcr.io/sig-storage/livenessprobe - tag: "v2.2.0" - nodeDriverRegistrarImage: - repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar - tag: v2.0.1-eks-1-18-1 - csiProvisionerImage: - repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner - tag: v2.0.3-eks-1-18-1 + livenessProbe: + image: + repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe + tag: v2.2.0-eks-1-18-2 + pullPolicy: IfNotPresent + resources: {} + nodeDriverRegistrar: + image: + repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar + tag: v2.1.0-eks-1-18-2 + pullPolicy: IfNotPresent + resources: {} + csiProvisioner: + image: + repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner + tag: v2.1.1-eks-1-18-2 + pullPolicy: IfNotPresent + resources: {} imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" -podAnnotations: {} +## Controller deployment variables -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - -node: +controller: + # Specifies whether a deployment should be created + create: true + # Number for the log level verbosity + logLevel: 2 + # If set, add pv/pvc metadata to plugin create requests as parameters. + extraCreateMetadata: true + # Add additional tags to access points + tags: {} + # environment: prod + # region: us-east-1 + # Enable if you want the controller to also delete the + # path on efs when deleteing an access point + deleteAccessPointRootDir: false podAnnotations: {} + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + nodeSelector: {} tolerations: [] - -logLevel: 5 - -hostAliases: - {} - # for cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per - # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 - # implementing the suggested solution found here: - # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 - # EFS Vol ID, IP, Region - # "fs-01234567": - # ip: 10.10.2.2 - # region: us-east-2 - -dnsPolicy: "" -dnsConfig: - {} - # Example config which uses the AWS nameservers - # dnsPolicy: "None" - # dnsConfig: - # nameservers: - # - 169.254.169.253 - -serviceAccount: - controller: - # Specifies whether a service account should be created + affinity: {} + # Specifies whether a service account should be created + serviceAccount: create: true + name: efs-csi-controller-sa annotations: {} ## Enable if EKS IAM for SA is used # eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role - name: efs-csi-controller-sa -controller: - create: true +## Node daemonset variables + +node: + # Number for the log level verbosity + logLevel: 2 + hostAliases: {} + # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per + # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3 + # implementing the suggested solution found here: + # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346 + # EFS Vol ID, IP, Region + # "fs-01234567": + # ip: 10.10.2.2 + # region: us-east-2 + dnsPolicy: ClusterFirst + dnsConfig: {} + # Example config which uses the AWS nameservers + # dnsPolicy: "None" + # dnsConfig: + # nameservers: + # - 169.254.169.253 + podAnnotations: {} + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + nodeSelector: {} + tolerations: + - operator: 
Exists storageClasses: [] # Add StorageClass resources like: # - name: efs-sc +# annotations: +# # Use that annotation if you want this to your default storageclass +# storageclass.kubernetes.io/is-default-class: "true" # mountOptions: # - tls # parameters: @@ -103,3 +121,5 @@ storageClasses: [] # gidRangeStart: "1000" # gidRangeEnd: "2000" # basePath: "/dynamic_provisioning" +# reclaimPolicy: Delete +# volumeBindingMode: Immediate diff --git a/charts/kubezero-aws-efs-csi-driver/templates/storage-class.yaml b/charts/kubezero-aws-efs-csi-driver/templates/storage-class.yaml deleted file mode 100644 index 7559e4b..0000000 --- a/charts/kubezero-aws-efs-csi-driver/templates/storage-class.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.StorageClass.create }} -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: efs-sc - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} - {{- if .Values.StorageClass.default }} - annotations: - storageclass.kubernetes.io/is-default-class: "true" - {{- end }} -provisioner: efs.csi.aws.com -{{- end }} diff --git a/charts/kubezero-aws-efs-csi-driver/update.sh b/charts/kubezero-aws-efs-csi-driver/update.sh index 3b19ef3..ea3e8fb 100755 --- a/charts/kubezero-aws-efs-csi-driver/update.sh +++ b/charts/kubezero-aws-efs-csi-driver/update.sh @@ -1,8 +1,8 @@ #!/bin/bash -VERSION=1.2.2 +VERSION=2.1.3 rm -rf charts/aws-efs-csi-driver curl -L -s -o - https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/download/helm-chart-aws-efs-csi-driver-${VERSION}/aws-efs-csi-driver-${VERSION}.tgz | tar xfz - -C charts -patch -i affinity_resources.patch -p0 --no-backup-if-mismatch +patch -i zdt.patch -p0 --no-backup-if-mismatch diff --git a/charts/kubezero-aws-efs-csi-driver/values.yaml b/charts/kubezero-aws-efs-csi-driver/values.yaml index 5ad6088..8a33534 100644 --- a/charts/kubezero-aws-efs-csi-driver/values.yaml +++ b/charts/kubezero-aws-efs-csi-driver/values.yaml 
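Review bot: In the update.sh hunk the release tarball is fetched over the network and piped straight into `tar` with no integrity check and no `set -e`, so a failed or truncated download silently leaves a partial `charts/aws-efs-csi-driver` tree that `patch` then modifies; pinning a digest next to `VERSION` and verifying it before extraction turns a vendoring step into a reproducible one. The script is short enough that the rewritten lines are shown below with a labelled placeholder for the digest.
```shell
#!/bin/bash
set -euo pipefail

VERSION=2.1.3
# Pinned sha256 of the release tarball; update together with VERSION.
EXPECTED_SHA256="<sha256 of aws-efs-csi-driver-${VERSION}.tgz -- placeholder>"
ARCHIVE="aws-efs-csi-driver-${VERSION}.tgz"

# … unchanged: rm -rf charts/aws-efs-csi-driver …
curl -L -s -o "${ARCHIVE}" "https://github.com/kubernetes-sigs/aws-efs-csi-driver/releases/download/helm-chart-aws-efs-csi-driver-${VERSION}/${ARCHIVE}"
echo "${EXPECTED_SHA256}  ${ARCHIVE}" | sha256sum -c -
tar xfz "${ARCHIVE}" -C charts
rm -f "${ARCHIVE}"
# … unchanged: patch -i zdt.patch … …
```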
@@ -1,24 +1,48 @@ aws-efs-csi-driver: - logLevel: 1 + replicaCount: 1 - resources: - requests: - cpu: 20m - memory: 64Mi - limits: - memory: 128Mi + controller: + create: true + logLevel: 1 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.kubernetes.io/csi.efs.fs - operator: Exists + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/master: "" -StorageClass: - create: true - default: false + #extraEnv: + #- name: AWS_ROLE_ARN + # value: "" + #- name: AWS_WEB_IDENTITY_TOKEN_FILE + # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + #- name: AWS_STS_REGIONAL_ENDPOINTS + # value: regional + + node: + logLevel: 1 + + resources: + requests: + cpu: 20m + memory: 64Mi + limits: + memory: 128Mi + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/csi.efs.fs + operator: Exists + tolerations: + - key: kubezero-workergroup + effect: NoSchedule + operator: Exists + + storageClasses: + - name: efs-sc #PersistentVolumes: # - name: example-pv diff --git a/charts/kubezero-aws-efs-csi-driver/zdt.patch b/charts/kubezero-aws-efs-csi-driver/zdt.patch new file mode 100644 index 0000000..d5978c8 --- /dev/null +++ b/charts/kubezero-aws-efs-csi-driver/zdt.patch 
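Review bot: `node.tolerations` here replaces, rather than extends, the subchart default (`- operator: Exists`), because Helm does not merge lists; before this commit the node DaemonSet template tolerated every taint unconditionally, so after it any node carrying a taint other than `kubezero-workergroup` (control-plane nodes, for one) no longer receives the EFS node plugin. If that narrowing is intended, a comment on the key makes the intent survive the next update, e.g. `# Replaces the subchart default (tolerate everything): only workergroup-tainted nodes run the EFS node plugin`. The commented `#extraEnv` block could likewise note that it must be enabled together with the projected `aws-token` volume the zdt.patch adds, which is otherwise invisible from this file.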
@@ -0,0 +1,62 @@ +diff -tubNr charts/aws-efs-csi-driver/templates/controller-deployment.yaml charts/aws-efs-csi-driver.zdt/templates/controller-deployment.yaml +--- charts/aws-efs-csi-driver/templates/controller-deployment.yaml 2021-06-25 22:43:06.000000000 +0200 ++++ charts/aws-efs-csi-driver.zdt/templates/controller-deployment.yaml 2021-07-15 00:37:28.960305011 +0200 +@@ -23,7 +23,6 @@ + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: +- hostNetwork: true + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} +@@ -57,9 +56,14 @@ + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock ++ {{- if .Values.controller.extraEnv }} ++{{ toYaml .Values.controller.extraEnv | indent 12 }} ++ {{- end }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ ++ - name: aws-token ++ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + ports: + - name: healthz + containerPort: 9909 +@@ -110,6 +114,13 @@ + volumes: + - name: socket-dir + emptyDir: {} ++ - name: aws-token ++ projected: ++ sources: ++ - serviceAccountToken: ++ path: token ++ expirationSeconds: 86400 ++ audience: "sts.amazonaws.com" + {{- with .Values.controller.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} +diff -tubNr charts/aws-efs-csi-driver/templates/node-daemonset.yaml charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml +--- charts/aws-efs-csi-driver/templates/node-daemonset.yaml 2021-06-25 22:43:06.000000000 +0200 ++++ charts/aws-efs-csi-driver.zdt/templates/node-daemonset.yaml 2021-07-15 00:14:58.680295564 +0200 +@@ -40,15 +40,10 @@ + {{- with .Values.node.nodeSelector }} + {{- toYaml . 
| nindent 8 }} + {{- end }} ++ {{- with .Values.node.affinity }} + affinity: +- nodeAffinity: +- requiredDuringSchedulingIgnoredDuringExecution: +- nodeSelectorTerms: +- - matchExpressions: +- - key: eks.amazonaws.com/compute-type +- operator: NotIn +- values: +- - fargate ++ {{- . | toYaml | nindent 8 }} ++ {{- end }} + hostNetwork: true + dnsPolicy: {{ .Values.node.dnsPolicy }} + {{- with .Values.node.dnsConfig }} diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index bb8ab08..8e47ceb 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml @@ -2,20 +2,20 @@ apiVersion: v2 name: kubezero-cert-manager description: KubeZero Umbrella Chart for cert-manager type: application -version: 0.5.0 +version: 0.6.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: - kubezero - cert-manager maintainers: - - name: Quarky9 + dependencies: - name: kubezero-lib version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: cert-manager - version: 1.2.0 - repository: https://charts.jetstack.io + version: 1.4.0 condition: cert-manager.enabled + repository: https://charts.jetstack.io kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index bfab896..c985dd6 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md 
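Review bot: The first hunk of zdt.patch drops `hostNetwork: true` from the controller deployment, which is a sound reduction of host exposure but also changes how the controller reaches AWS (credentials now come from the projected token plus `extraEnv`, and IMDS behind a pod network is subject to the instance's hop limit), and nothing in this commit records the reason. A patch file cannot carry comments, so the rationale should live where the patch is applied: a line above `patch -i zdt.patch` in update.sh such as `# zdt.patch: controller off hostNetwork, STS projected token + extraEnv for IAM auth, node affinity driven by values` would keep the next vendoring from reverting it unknowingly.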
@@ -1,24 +1,18 @@ # kubezero-cert-manager -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager **Homepage:** -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Quarky9 | | | - ## Requirements Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.jetstack.io | cert-manager | 1.2.0 | +| https://charts.jetstack.io | cert-manager | 1.4.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## AWS - IAM Role @@ -44,7 +38,6 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | | | cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | | | cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| cert-manager.podAnnotations | object | `{}` | | | cert-manager.prometheus.servicemonitor.enabled | bool | `false` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index 9a7bade..3fb9601 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml 
@@ -23,8 +23,28 @@ cert-manager: leaderElection: namespace: "cert-manager" - podAnnotations: {} - # iam.amazonaws.com/role: "" + # On AWS enable Projected Service Accounts to assume IAM role + #extraEnv: + #- name: AWS_ROLE_ARN + # value: "" + #- name: AWS_WEB_IDENTITY_TOKEN_FILE + # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + #- name: AWS_STS_REGIONAL_ENDPOINTS + # value: regional + + #volumes: + #- name: aws-token + # projected: + # sources: + # - serviceAccountToken: + # path: token + # expirationSeconds: 86400 + # audience: "sts.amazonaws.com" + + #volumeMounts: + #- name: aws-token + # mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + # readOnly: true tolerations: - key: node-role.kubernetes.io/master diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index 645462c..9905182 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.5.6 -appVersion: 1.9.3 +version: 0.6.1 +appVersion: 1.10.3 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,9 +16,9 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-ingress - version: 1.9.3 + version: 1.10.3 condition: istio-ingress.enabled - name: istio-private-ingress - version: 1.9.3 + version: 1.10.3 condition: istio-private-ingress.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md index 7caa87a..5ba6c9f 100644 --- a/charts/kubezero-istio-ingress/README.md +++ b/charts/kubezero-istio-ingress/README.md 
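Review bot: The three commented blocks added here (`extraEnv`, `volumes`, `volumeMounts`) only work when enabled together with a real role ARN, but the single comment `# On AWS enable Projected Service Accounts to assume IAM role` sits above the first block only, so someone uncommenting `extraEnv` alone gets a pod whose `AWS_WEB_IDENTITY_TOKEN_FILE` points at a path that is never mounted. Extend that comment to `# On AWS: uncomment extraEnv, volumes and volumeMounts together and set AWS_ROLE_ARN to assume the IAM role via the projected token`. The `readOnly: true` on the mount is correct and worth keeping as the reference for the efs-csi-driver patch in this same commit.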
@@ -1,6 +1,6 @@ # kubezero-istio-ingress -![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) KubeZero Umbrella Chart for Istio based Ingress @@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | istio-ingress | 1.9.3 | -| | istio-private-ingress | 1.9.3 | +| | istio-ingress | 1.10.2 | +| | istio-private-ingress | 1.10.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0` |-----|------|---------|-------------| | global.arch.amd64 | int | `2` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.jwtPolicy | string | `"first-party-jwt"` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | -| istio-ingress.dnsNames | list | `[]` | | +| istio-ingress.certificates[0].dnsNames | list | `[]` | | +| istio-ingress.certificates[0].name | string | `"ingress-cert"` | | | istio-ingress.enabled | bool | `false` | | | istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | 
@@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0` | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | +| istio-ingress.proxyProtocol | bool | `false` | | | istio-ingress.telemetry.enabled | bool | `false` | | -| istio-private-ingress.dnsNames | list | `[]` | | +| istio-private-ingress.certificates[0].dnsNames | list | `[]` | | +| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | | | istio-private-ingress.enabled | bool | `false` | | | istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | +| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | | istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | 
@@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` | | | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | @@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | +| istio-private-ingress.proxyProtocol | bool | `false` | | | istio-private-ingress.telemetry.enabled | bool | `false` | | ## Resources 
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml index 75fb402..0c7fc03 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-ingress -version: 1.9.3 +version: 1.10.3 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml index 0c10978..c7435d0 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml @@ -1,4 +1,3 @@ - {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 @@ -45,17 +44,14 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" - {{- if ne $gateway.injectionTemplate "" }} - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" - {{- end}} + sidecar.istio.io/inject: "false" {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} 
@@ -219,13 +215,13 @@ spec: {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" - {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- else if .Values.meshConfig.trustDomain }} - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} - {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- if .Values.meshConfig.trustDomain }} - name: TRUST_DOMAIN - value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} {{- if not $gateway.runAsRoot }} - name: ISTIO_META_UNPRIVILEGED_POD @@ -233,7 +229,7 @@ spec: {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} - value: {{ $val }} + value: "{{ $val }}" {{- end }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - name: {{ $key }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml index 4aa40af..22bdc65 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -24,17 +24,8 @@ gateways: targetPort: 8443 name: https protocol: TCP - - port: 15012 - targetPort: 15012 - name: tcp-istiod - protocol: TCP - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - protocol: TCP - # Scalability tunning + # Scalability tuning # replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% @@ -174,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.3 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. 
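Review bot: In the second hunk, `value: "{{ $val }}"` fixes the unquoted case but still breaks for any env value containing a double quote or backslash, since the value is interpolated raw inside YAML double quotes; `value: {{ $val | quote }}` escapes correctly and is the idiomatic form. The identical hunk in istio-private-ingress/templates/deployment.yaml needs the same change. The `range` over `$gateway.env` continues past the hunk.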
@@ -310,11 +301,14 @@ global: # Setting this port to a non-zero value enables STS server. servicePort: 0 - # Deprecated, use meshConfig.trustDomain - trustDomain: "" meshConfig: enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml index 39cecad..e5f551f 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-private-ingress -version: 1.9.3 +version: 1.10.3 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml index 0c10978..c7435d0 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -1,4 +1,3 @@ - {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 
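Review bot: `meshConfig.trustDomain: "cluster.local"` becomes the only source for the gateway's `TRUST_DOMAIN` and `ISTIO_META_MESH_ID` now that `global.trustDomain` is removed and the deployment template reads just `.Values.meshConfig.trustDomain`; the umbrella values carry the warning `# Make sure these values match kuberzero-istio !!!`, and a gateway whose trust domain differs from istiod's mesh config presumably ends up with an identity the mesh will not accept, which nothing in the chart checks. A comment next to the key would make the coupling explicit, e.g. `# Must match meshConfig.trustDomain of the kubezero-istio (istiod) chart; a mismatch breaks mTLS between the gateway and mesh workloads`. The same hunk is repeated in istio-private-ingress/values.yaml below.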
@@ -45,17 +44,14 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" - {{- if ne $gateway.injectionTemplate "" }} - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" - {{- end}} + sidecar.istio.io/inject: "false" {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} @@ -219,13 +215,13 @@ spec: {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" - {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- else if .Values.meshConfig.trustDomain }} - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} - {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- if .Values.meshConfig.trustDomain }} - name: TRUST_DOMAIN - value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} {{- if not $gateway.runAsRoot }} - name: ISTIO_META_UNPRIVILEGED_POD @@ -233,7 +229,7 @@ spec: {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} - value: {{ $val }} + value: "{{ $val }}" {{- end }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - name: {{ $key }} 
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml index 4aa40af..22bdc65 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml @@ -24,17 +24,8 @@ gateways: targetPort: 8443 name: https protocol: TCP - - port: 15012 - targetPort: 15012 - name: tcp-istiod - protocol: TCP - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - protocol: TCP - # Scalability tunning + # Scalability tuning # replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% @@ -174,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.3 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -310,11 +301,14 @@ global: # Setting this port to a non-zero value enables STS server. servicePort: 0 - # Deprecated, use meshConfig.trustDomain - trustDomain: "" meshConfig: enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml index 7117673..aa6ec25 100644 --- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml +++ b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml 
@@ -1,6 +1,6 @@ +{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy # https://github.com/istio/istio/issues/24715 -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml index 402b38e..d72d34a 100644 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml +++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml @@ -1,4 +1,4 @@ -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} +{{- if index .Values "istio-ingress" "enabled" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: @@ -7,6 +7,47 @@ metadata: labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + socket_options: + # SOL_SOCKET = 1 + # SO_KEEPALIVE = 9 + - level: 1 + name: 9 + int_value: 1 + state: STATE_LISTENING + # IPPROTO_TCP = 6 + # TCP_KEEPIDLE = 4 + - level: 6 + name: 4 + int_value: 120 + state: STATE_LISTENING + # TCP_KEEPINTVL = 5 + - level: 6 + name: 5 + int_value: 60 + state: STATE_LISTENING +{{- end }} + +{{- if index .Values "istio-private-ingress" "enabled" }} +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: private-ingressgateway-listener-tcp-keepalive + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + workloadSelector: + labels: + istio: private-ingressgateway configPatches: - applyTo: LISTENER patch: 
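Review bot: The new `workloadSelector` in the -7,6 hunk scopes each keepalive filter to `istio: ingressgateway` and `istio: private-ingressgateway`, which is tighter than the previous namespace-wide filter, but the private gateway's label value is not visible in this diff (the umbrella values use `istio-private-ingressgateway` in an affinity expression, which may be a different label), and an EnvoyFilter whose selector matches nothing is a silent no-op. Please confirm from the rendered Deployment that the private gateway pods carry `istio: private-ingressgateway`, and add `# must match the pod label set by istio-private-ingress/templates/deployment.yaml` above the selector. The first EnvoyFilter's `metadata.name` is above the hunk.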
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml
new file mode 100644
index 0000000..e3d4fe4
--- /dev/null
+++ b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml
@@ -0,0 +1,44 @@
+{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: ingressgateway-proxy-protocol
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: LISTENER
+ patch:
+ operation: MERGE
+ value:
+ listener_filters:
+ - name: envoy.listener.proxy_protocol
+ - name: envoy.listener.tls_inspector
+{{- end }}
+
+{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: private-ingressgateway-proxy-protocol
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "kubezero-lib.labels" . | indent 4 }}
+spec:
+ workloadSelector:
+ labels:
+ istio: private-ingressgateway
+ configPatches:
+ - applyTo: LISTENER
+ patch:
+ operation: MERGE
+ value:
+ listener_filters:
+ - name: envoy.listener.proxy_protocol
+ - name: envoy.listener.tls_inspector
+{{- end }}
diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
index fbb2fee..53d05a6 100644
--- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
+++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml
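Review bot: The PROXY protocol listener filter makes Envoy take the client address from the PROXY header of every incoming connection, so whoever sets `proxyProtocol: true` has to guarantee that the gateway listener is reachable only through a load balancer that prepends that header; any peer that can reach the listener directly could otherwise present an arbitrary source address, which then feeds access logs and any source-IP based policy. That precondition is written down nowhere in the template or the values, so a header comment is worth adding, e.g. `# Only enable proxyProtocol when an LB speaking PROXY protocol is the sole path to the gateway; the filter trusts the header from any peer`. Separately, `envoy.listener.proxy_protocol` and `envoy.listener.tls_inspector` are the legacy filter names, the canonical ones being `envoy.filters.listener.proxy_protocol` and `envoy.filters.listener.tls_inspector`, and the legacy aliases are deprecated, so check which the Envoy shipped with Istio 1.10 still accepts before relying on them.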
@@ -1,35 +1,39 @@ -{{- if index .Values "istio-ingress" "dnsNames" }} +{{- range $cert := (index .Values "istio-ingress" "certificates") }} +{{- if $cert.dnsNames }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: ingress-cert - namespace: {{ .Release.Namespace }} + name: {{ $cert.name }} + namespace: {{ $.Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: - secretName: ingress-cert + secretName: {{ $cert.name }} issuerRef: - name: letsencrypt-dns-prod + name: {{ default "letsencrypt-dns-prod" $cert.issuer }} kind: ClusterIssuer dnsNames: -{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }} +{{ toYaml $cert.dnsNames | indent 4 }} +--- +{{- end }} {{- end }} -{{- if index .Values "istio-private-ingress" "dnsNames" }} ---- +{{- range $cert := (index .Values "istio-private-ingress" "certificates") }} +{{- if $cert.dnsNames }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: private-ingress-cert - namespace: {{ .Release.Namespace }} + name: {{ $cert.name }} + namespace: {{ $.Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: secretName: private-ingress-cert issuerRef: - name: letsencrypt-dns-prod + name: {{ default "letsencrypt-dns-prod" $cert.issuer }} kind: ClusterIssuer dnsNames: -{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }} +{{ toYaml $cert.dnsNames | indent 4 }} +--- +{{- end }} {{- end }} - diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml index cd35cb2..64d9b34 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml 
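Review bot: In the istio-private-ingress block `secretName: private-ingress-cert` is still hard-coded while the Certificate's `name` and the Gateway's `credentialName` (ingress-gateway.yaml below) both use `{{ $cert.name }}`; with more than one certificate every Certificate is written into the same Secret and the Gateway references Secrets that are never created, and with a single certificate it only works when that certificate happens to be named `private-ingress-cert`. The public block already does this right, so the line should read `secretName: {{ $cert.name }}`.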
@@ -1,6 +1,6 @@ +{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }} # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts -{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }} apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: @@ -17,23 +17,25 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} + {{- range $cert := (index .Values "istio-ingress" "certificates") }} + {{- toYaml $cert.dnsNames | nindent 4 }} + {{- end }} tls: httpsRedirect: true + {{- range $cert := (index .Values "istio-ingress" "certificates") }} - port: number: 443 name: https protocol: HTTPS hosts: - {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: ingress-cert + credentialName: {{ $cert.name }} + {{- end }} {{- end }} -{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }} +{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway 
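Review bot: The per-certificate `range` in the -17,23 hunk emits one HTTPS server per certificate and every one of them carries `name: https` on port 443; Istio's Gateway validation rejects duplicate server port names as far as I know, so the chart renders an invalid Gateway as soon as a second certificate is configured. Deriving the name from the certificate keeps it unique, e.g. `name: https-{{ $cert.name }}`; the same applies to the `https` and `fluentd-forward` servers inside the range of the istio-private-ingress hunk (-51,53) that follows and is split across two lines here.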
@@ -51,53 +53,62 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} tls: httpsRedirect: true + # All SSL hosts one entry per ingress-certificate + {{- range $cert := (index .Values "istio-private-ingress" "certificates") }} - port: number: 443 name: https protocol: HTTPS hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: private-ingress-cert - - port: - number: 5672 - name: amqp - protocol: TCP - hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} - - port: - number: 5671 - name: amqps - protocol: TCP - hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + credentialName: {{ $cert.name }} - port: number: 24224 name: fluentd-forward protocol: TLS hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: private-ingress-cert + credentialName: {{ $cert.name }} + {{- end }} + - port: + number: 5672 + name: amqp + protocol: TCP + hosts: + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} + - port: + number: 5671 + name: amqps + protocol: TCP + hosts: + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} - port: number: 6379 name: redis protocol: TCP hosts: - {{- toYaml (index .Values 
"istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} - port: number: 6380 name: redis-1 protocol: TCP hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml index 5583418..5e83d22 100644 --- a/charts/kubezero-istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/values.yaml @@ -1,10 +1,9 @@ # Make sure these values match kuberzero-istio !!! global: #hub: docker.io/istio - #tag: 1.9.3 + #tag: 1.10.2 logAsJson: true - jwtPolicy: first-party-jwt priorityClassName: "system-cluster-critical" @@ -69,21 +68,13 @@ istio-ingress: targetPort: 8443 nodePort: 30443 protocol: TCP - ## multi-cluster - disabled on public LBs - #- name: tcp-istiod - # port: 15012 - # targetPort: 15012 - # nodePort: 30012 - # protocol: TCP - ## multi-cluster sni east-west - #- name: tls - # port: 15443 - # targetPort: 15443 - # nodePort: 30044 - # protocol: TCP - dnsNames: [] -# - '*.example.com' + certificates: + - name: ingress-cert + dnsNames: [] + # - '*.example.com' + + proxyProtocol: false meshConfig: defaultConfig: 
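Review bot: `proxyProtocol: false` is introduced in the -69,21 hunk without a comment, although switching it on installs the EnvoyFilter that trusts PROXY-protocol headers on the gateway listener; a one-liner such as `# Enable PROXY protocol on the gateway listener; only set when an LB speaking PROXY protocol is the sole path to the gateway` saves the next reader a trip to the template. The commented `#tag: 1.10.2` in the -1,10 hunk, and the README badges further down, lag the `1.10.3` the Chart.yaml files were bumped to; the README looks generated, so regenerating it after the final bump would keep the three in step.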
@@ -123,8 +114,16 @@ istio-private-ingress: values: istio-private-ingressgateway type: NodePort podAnnotations: - # sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' + + # custom hardened bootstrap config + env: + ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json + configVolumes: + - name: custom-bootstrap-volume + mountPath: /etc/istio/custom-bootstrap + configMapName: istio-gateway-bootstrap-config + nodeSelector: node.kubernetes.io/ingress.private: "31080_31443" #nodeSelector: "31080_31443_31671_31672_31224" @@ -143,18 +142,6 @@ istio-private-ingress: targetPort: 8443 nodePort: 31443 protocol: TCP - # multi-cluster - - name: tcp-istiod - port: 15012 - targetPort: 15012 - nodePort: 31012 - protocol: TCP - # multi-cluster sni east-west - - name: tls - port: 15443 - targetPort: 15443 - nodePort: 31044 - protocol: TCP #- name: fluentd-forward # port: 24224 # nodePort: 31224 @@ -168,8 +155,12 @@ istio-private-ingress: # port: 6379 # nodePort: 31379 - dnsNames: [] -# - '*.example.com' + certificates: + - name: private-ingress-cert + dnsNames: [] + #- '*.example.com' + + proxyProtocol: false meshConfig: defaultConfig: diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 5c2a70a..ec52659 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.5.6 -appVersion: 1.9.3 +version: 0.6.1 +appVersion: 1.10.3 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: base - version: 1.9.3 + version: 1.10.3 - name: istio-discovery - version: 1.9.3 + version: 1.10.3 kubeVersion: ">= 1.18.0" 
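Review bot: The `ISTIO_BOOTSTRAP_OVERRIDE` path and the `istio-gateway-bootstrap-config` ConfigMap name in the -123,8 hunk are repeated here by hand and must agree with templates/bootstrap-config.yaml, whose hunk above only shows the ConfigMap header, so a mismatch would surface as a gateway that fails to start rather than at lint time. `# custom hardened bootstrap config` also does not say what is hardened or where it comes from; `# Bootstrap override rendered by templates/bootstrap-config.yaml (Envoy edge-proxy best practices); configMapName must match that ConfigMap's metadata.name` would document both.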
diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 0041be0..cc3a2be 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | base | 1.9.3 | -| | istio-discovery | 1.9.3 | +| | base | 1.10.2 | +| | istio-discovery | 1.10.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0` | Key | Type | Default | Description | |-----|------|---------|-------------| | global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.jwtPolicy | string | `"first-party-jwt"` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml index 1ed5b5c..50041cd 100644 --- a/charts/kubezero-istio/charts/base/Chart.yaml +++ b/charts/kubezero-istio/charts/base/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: base -version: 1.9.3 +version: 1.10.3 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio cluster resources and CRDs keywords: 
diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml index 0f64904..0387315 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -1,5 +1,5 @@ # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -11,19 +11,6 @@ metadata: release: istio name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -35,376 +22,126 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. format: string type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
format: string type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: properties: - connectionPool: + http: + description: HTTP connection pool settings. properties: - http: - description: HTTP connection pool settings. + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + interval: + description: The time duration between keep-alive + probes. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 + probes: type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. + time: type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -430,277 +167,21 @@ spec: - httpQueryParameterName required: - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -709,231 +190,237 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. + required: + - consistentHash properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
items: properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from - the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. + connectionPool: properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -942,16 +429,275 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. 
+ format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -977,210 +723,1622 @@ spec: - httpQueryParameterName required: - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: properties: - consistentHash: + httpCookie: + description: Hash based on HTTP cookie. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + name: + description: Name of the cookie. format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + path: + description: Path to set for the cookie. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean + ttl: + description: Lifetime of the cookie. + type: string type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. 
- nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - outlierDetection: + localityLbSetting: properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' items: - format: string - type: string + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object type: array type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: format: string type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1201,238 +2359,238 @@ spec: listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter - preserveUnknownFields: true scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. 
- format: string - type: string - destinationPort: - description: The destination_port value used by a - filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. 
- enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. 
+ format: string + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1455,146 +2613,273 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -1606,28 +2891,6 @@ metadata: release: istio name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -1639,26 +2902,2457 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: format: string type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. properties: address: format: string 
@@ -1688,1328 +5382,18 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 - served: true - storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. 
- format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being 
sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. 
- items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate - VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry - to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. 
- items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. 
See more - details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - format: string - type: string - type: object - labels: - additionalProperties: - format: string - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered - failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. 
- items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before - readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered - successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
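Review bot: The switch from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` in this hunk (and again for the AuthorizationPolicy and PeerAuthentication definitions in the hunks below) changes how the definitions reach an already-installed cluster, and nothing in the change documents that. If this file is loaded from the chart's `crds/` directory, `helm upgrade` will not apply it, so existing clusters keep the old v1beta1 objects until the new CRDs are applied out of band; a short upgrade note in the chart README saying how the CRDs are re-applied would close that gap. Dropping `preserveUnknownFields: false` is correct for v1, where pruning of unknown fields is mandatory, so the accepted `spec` shape is unchanged, and the added `subresources: status: {}` matches the `x-kubernetes-preserve-unknown-fields: true` kept on `status`. The enclosing CRD document starts outside this hunk.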
@@ -3031,217 +5415,216 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - format: string - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
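Review bot: The schema now placed under `versions[].schema.openAPIV3Schema` is structural, so unknown keys are pruned rather than rejected, and that matters more for AuthorizationPolicy than for the networking kinds: a misspelled key inside `spec.rules` (say a typo in `notPrincipals` or `notNamespaces`) is silently dropped, and as far as I can tell that happens before Istio's validating webhook sees the object, leaving a policy wider than the one written. This is not a regression, since the removed v1beta1 definition already set `preserveUnknownFields: false`, but it is worth a line in the chart docs recommending strict field validation on apply (`kubectl apply --validate=strict` on clients and clusters that support it) or an admission check for this kind. The `oneOf` on `spec` accepts both presence and absence of `provider`, so it constrains nothing on its own; the `action: CUSTOM` / `provider` pairing is enforced by Istio, not by this schema.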
@@ -3254,19 +5637,6 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -3278,31 +5648,31 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. 
@@ -3313,30 +5683,42 @@ spec: - STRICT type: string type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3360,90 +5742,233 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods - are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected - workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for - the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before decoding - the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract + the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} --- diff --git a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml index d0be4c3..2a80f41 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml 
@@ -1,66 +1,48 @@ # SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io labels: release: istio spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index 365ca20..aec8e17 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml 
+++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -1,7 +1,7 @@ --- # Source: crds/crd-all.gen.yaml # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -13,19 +13,6 @@ metadata: release: istio name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -37,376 +24,126 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. format: string type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
format: string type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: properties: - connectionPool: + http: + description: HTTP connection pool settings. properties: - http: - description: HTTP connection pool settings. + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + interval: + description: The time duration between keep-alive + probes. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 + probes: type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. + time: type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -432,277 +169,21 @@ spec: - httpQueryParameterName required: - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -711,231 +192,237 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. + required: + - consistentHash properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
items: properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from - the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. + connectionPool: properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -944,16 +431,275 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. 
+ format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -979,210 +725,1622 @@ spec: - httpQueryParameterName required: - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: properties: - consistentHash: + httpCookie: + description: Hash based on HTTP cookie. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + name: + description: Name of the cookie. format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + path: + description: Path to set for the cookie. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean + ttl: + description: Lifetime of the cookie. + type: string type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. 
- nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - outlierDetection: + localityLbSetting: properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' items: - format: string - type: string + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object type: array type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: format: string type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1203,238 +2361,238 @@ spec: listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter - preserveUnknownFields: true scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. 
- format: string - type: string - destinationPort: - description: The destination_port value used by a - filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. 
- enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. 
+ format: string + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1457,146 +2615,273 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -1608,28 +2893,6 @@ metadata: release: istio name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -1641,26 +2904,2457 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: format: string type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. properties: address: format: string 
@@ -1690,1328 +5384,18 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 - served: true - storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. 
- format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being 
sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. 
- items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate - VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry - to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. 
- items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. 
See more - details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - format: string - type: string - type: object - labels: - additionalProperties: - format: string - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered - failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. 
- items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before - readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered - successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
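Review bot: The `- name: v1beta1` / `served: true` / `storage: false` entries removed in this hunk are the only place the old file listed a served v1beta1 version for ServiceEntry (and, further down, Sidecar, VirtualService and WorkloadEntry), while the new side closes the preceding definition with a single version followed by `subresources: status: {}`. Whether the rewritten v1 CRDs earlier in the file still carry a served `v1beta1` block for each of those resources cannot be confirmed from this hunk; if any were dropped, manifests and controllers addressing `networking.istio.io/v1beta1` would be rejected at admission even though stored objects survive (`storage: true` stays on v1alpha3). A per-resource check of `spec.versions[*].name` on a test cluster before merging would settle it; if this file is vendored from upstream Istio, the same check applies to the pinned upstream version.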
@@ -3033,217 +5417,216 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - format: string - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
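Review bot: The `oneOf` at the top of the new `spec` schema (`not: {anyOf: [required: [provider]]}` or `required: [provider]`) is satisfied whether or not `provider` is present, so an `action: CUSTOM` policy with no `provider` passes API-server validation and can only be rejected by Istio's own validation, a dependency that the chart should state. The structural v1 schema also prunes unknown keys instead of rejecting them, so a misspelled field inside `rules[].from[].source` or `rules[].to[].operation` is dropped silently and the rule's match set widens (a DENY becomes broader, an ALLOW more permissive than intended); a comment above the schema such as `# unknown fields are pruned, not rejected: validate AuthorizationPolicy manifests against Istio's validating webhook in CI` would make that explicit. If this file is vendored from upstream Istio, the fix to the schema itself belongs upstream, but the pruning caveat still applies here.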
@@ -3256,19 +5639,6 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -3280,31 +5650,31 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. 
@@ -3315,30 +5685,42 @@ spec: - STRICT type: string type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3362,159 +5744,284 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods - are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected - workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for - the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before decoding - the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract + the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} --- --- # Source: crds/crd-operator.yaml # SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io labels: release: istio spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- @@ -3562,7 +6069,7 @@ rules: # istio configuration # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] - apiGroups: ["networking.istio.io"] @@ -3626,11 +6133,19 @@ rules: - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] --- # Source: base/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -3746,7 +6261,7 @@ subjects: namespace: istio-system --- # Source: base/templates/validatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system 
diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml index e4176d5..014970c 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -19,11 +19,11 @@ rules: # istio configuration # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] {{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["update"] # TODO: should be on just */status but wildcard is not supported resources: ["*"] @@ -97,12 +97,20 @@ rules: - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
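Review bot: The new `update` grant on every `networking.x-k8s.io` resource in the `@@ -97,12 +97,20 @@` hunk is unconditional, whereas the matching wildcard `update` on the Istio API groups in the `@@ -19,11 +19,11 @@` hunk stays behind `{{- if .Values.global.istiod.enableAnalysis }}`; if the write is only needed for status (as the TODO on the line says), gate it the same way or enumerate the resources instead of `*` so the role stays least-privilege. The `multicluster.x-k8s.io` rule is the first `create`/`delete` permission on a non-Istio group in this role, and its one-line comment does not say which feature depends on it; a note such as `# istiod creates and deletes ServiceExport objects for MCS; drop this rule when multi-cluster is not used` would help the next RBAC audit. The `telemetry.istio.io` addition to the read-only rule in the first hunk is consistent with the new Telemetry CRD introduced elsewhere in this patch.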
diff --git a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml index 80124a9..bd5d1cf 100644 --- a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml +++ b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml @@ -1,5 +1,5 @@ {{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-{{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml index 06bd7e2..17a1f8e 100644 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-discovery -version: 1.9.3 +version: 1.10.3 tillerVersion: ">=2.7.2" description: Helm chart for istio control plane keywords: diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt index 997f4ac..620f3e1 100644 --- a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt +++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt @@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included. MCP and injector should optionally be installed in the same namespace. Alternatively remote address of an MCP server can be set. + +Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience! + https://forms.gle/KjkrDnMPByq7akrYA" + diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml index ab3e652..865d2c1 100644 
--- a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml @@ -8,6 +8,7 @@ metadata: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml index 71d892c..817cce5 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml @@ -167,7 +167,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "revision": "", @@ -183,7 +182,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } @@ -215,6 +214,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -286,7 +286,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -355,7 +355,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true 
@@ -417,6 +417,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -519,7 +523,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -706,6 +710,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: @@ -1063,8 +1068,6 @@ spec: value: "false" - name: CLUSTER_ID value: "Kubernetes" - - name: EXTERNAL_ISTIOD - value: "false" resources: requests: cpu: 500m @@ -1077,8 +1080,6 @@ spec: drop: - ALL volumeMounts: - - name: config-volume - mountPath: /etc/istio/config - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true @@ -1090,9 +1091,6 @@ spec: - name: istio-kubeconfig mountPath: /var/run/secrets/remote readOnly: true - - name: inject - mountPath: /var/lib/istio/inject - readOnly: true volumes: # Technically not needed on this pod - but it helps debugging/testing SDS # Should be removed after everything works. @@ -1115,13 +1113,6 @@ spec: secret: secretName: istio-kubeconfig optional: true - # Optional - image should have - - name: inject - configMap: - name: istio-sidecar-injector - - name: config-volume - configMap: - name: istio --- # Source: istio-discovery/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 
@@ -1148,12 +1139,17 @@ spec: name: cpu targetAverageUtilization: 80 --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/revision-tags.yaml +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +--- +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: metadata exchange filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1165,7 +1161,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1192,7 +1188,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1219,7 +1215,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1243,11 +1239,11 @@ spec: local: inline_string: envoy.wasm.metadata_exchange --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1257,7 +1253,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: {} patch: operation: INSERT_BEFORE @@ -1272,7 +1268,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -1288,7 +1284,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE 
@@ -1301,12 +1297,12 @@ spec: value: protocol: istio-peer-exchange --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: http stats filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1316,7 +1312,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1337,6 +1333,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -1348,7 +1346,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1369,6 +1367,16 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -1380,7 +1388,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1401,6 +1409,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: 
@@ -1410,12 +1420,12 @@ spec: local: inline_string: envoy.wasm.stats --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: tcp stats filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1425,7 +1435,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1444,6 +1454,16 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -1455,7 +1475,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1474,6 +1494,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -1485,7 +1507,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1504,6 +1526,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -1937,7 +1961,7 @@ spec: inline_string: "envoy.wasm.stats" --- # Source: istio-discovery/templates/mutatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector 
@@ -1948,12 +1972,13 @@ metadata: app: sidecar-injector release: istio webhooks: -- name: sidecar-injector.istio.io +- name: rev.namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/inject" + port: 443 caBundle: "" sideEffects: None rules: 
@@ -1964,11 +1989,106 @@ webhooks: failurePolicy: Fail admissionReviewVersions: ["v1beta1", "v1"] namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "default" + - key: istio-injection + operator: DoesNotExist objectSelector: matchExpressions: - - key: "sidecar.istio.io/inject" + - key: sidecar.istio.io/inject operator: NotIn values: - "false" +- name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "default" +- name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + 
namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml index 8b1f156..39a6424 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml @@ -9,6 +9,7 @@ metadata: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -80,7 +81,7 @@ spec: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -149,7 +150,7 @@ spec: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -211,6 +212,10 @@ spec: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER 
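Review bot: The rewritten `imagePullPolicy` lines in the `@@ -80,7 +81,7 @@` and `@@ -149,7 +150,7 @@` hunks (and `@@ -313,7 +318,7 @@` on the next line of this patch) omit the field entirely when `global.imagePullPolicy` is unset, so the proxy, init and sidecar containers now fall back to the Kubernetes default (`IfNotPresent` for any tag other than `latest`) instead of the previous `Always`; with a mutable image tag a node will keep serving a cached image after the tag moves. This appears to be an upstream template change, but nothing in this patch documents it, so the behaviour change should be recorded where `global.imagePullPolicy` is documented, e.g. `# unset: Kubernetes default pull policy (previously "Always"); set explicitly when using mutable tags`. The same rewrite is repeated in the generated gen-istio.yaml hunks earlier in this patch. The container specs these hunks sit in start outside the hunks.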
@@ -313,7 +318,7 @@ spec: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml index 3a6bb68..f63fff1 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml @@ -1,8 +1,7 @@ - {{- define "mesh" }} # The trust domain corresponds to the trust root of a system. # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} + trustDomain: "cluster.local" # The namespace to treat as the administrative root namespace for Istio configuration. # When processing a leaf namespace Istio will search for declarations in that namespace first @@ -13,8 +12,6 @@ defaultConfig: {{- if .Values.global.meshID }} meshId: {{ .Values.global.meshID }} - {{- else if .Values.global.trustDomain }} - meshId: {{ .Values.global.trustDomain }} {{- end }} tracing: {{- if eq .Values.global.proxy.tracer "lightstep" }} 
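Review bot: `trustDomain: "cluster.local"` in the configmap hunk is now a literal, so a `global.trustDomain` that an existing installation set is silently ignored after this upgrade, and hunk -505 of istio-discovery/values.yaml removes that (already deprecated) key so Helm will not even reject the stale override. The trust domain is the root of every workload SPIFFE identity (`spiffe://<trustDomain>/ns/<ns>/sa/<sa>`), so an installation that used a non-default value has all of its workloads re-identified, and AuthorizationPolicy principals that spell out the old domain stop matching. Presumably the `meshConfig.trustDomain` added in values.yaml hunk -197 is merged over this define's output later in the template — confirm — and if so the comment above the line should point at the real knob: `# Overridden by .Values.meshConfig.trustDomain; global.trustDomain is no longer honoured`. The `mesh` define this line belongs to continues outside the hunk.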
@@ -50,8 +47,8 @@ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} {{- end }} {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} - {{ toYaml $.Values.meshConfig.defaultConfig.tracing }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} {{- end }} {{- if .Values.global.remotePilotAddress }} {{- if .Values.pilot.enabled }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml index c7a42c0..9c226dc 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml @@ -25,7 +25,7 @@ spec: maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} selector: matchLabels: - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} app: istiod istio.io/rev: {{ .Values.revision | default "default" }} {{- else }} @@ -39,10 +39,10 @@ spec: install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} sidecar.istio.io/inject: "false" operator.istio.io/component: "Pilot" - {{- if eq .Values.revision ""}} - istio: pilot - {{- else }} + {{- if ne .Values.revision "" }} istio: istiod + {{- else }} + istio: pilot {{- end }} annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} @@ -153,8 +153,6 @@ spec: value: "{{ .Values.global.istiod.enableAnalysis }}" - name: CLUSTER_ID value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: EXTERNAL_ISTIOD - value: "{{ $.Values.global.externalIstiod | default "false" }}" {{- if not .Values.telemetry.v2.enabled }} - name: PILOT_ENDPOINT_TELEMETRY_LABEL value: "false" 
@@ -173,8 +171,6 @@ spec: drop: - ALL volumeMounts: - - name: config-volume - mountPath: /etc/istio/config {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens @@ -188,9 +184,6 @@ spec: - name: istio-kubeconfig mountPath: /var/run/secrets/remote readOnly: true - - name: inject - mountPath: /var/lib/istio/inject - readOnly: true {{- if .Values.pilot.jwksResolverExtraRootCA }} - name: extracacerts mountPath: /cacerts @@ -219,13 +212,6 @@ spec: secret: secretName: istio-kubeconfig optional: true - # Optional - image should have - - name: inject - configMap: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.pilot.jwksResolverExtraRootCA }} - name: extracacerts configMap: diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml index f9fd67b..b50f0b7 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml @@ -11,6 +11,7 @@ a unique prefix to each. */}} name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{ .Release.Namespace }} path: "/inject" + port: 443 {{- end }} caBundle: "" sideEffects: None @@ -24,7 +25,7 @@ a unique prefix to each. */}} {{- end }} {{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} {{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: {{- if eq .Release.Namespace "istio-system"}} 
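Review bot: Moving the MutatingWebhookConfiguration to `admissionregistration.k8s.io/v1` in hunk -24 also changes the defaults of fields the template does not set: `timeoutSeconds` drops from 30s (v1beta1) to 10s and `matchPolicy` becomes `Equivalent`. The injector webhooks use `failurePolicy: Fail` (visible in the revision-tags.yaml `core` define and in the first hunk of this chunk), so under the shorter default a slow istiod turns into rejected pod creations after 10s instead of 30s, which is a real change on busy clusters. If the old window is wanted, set it explicitly next to the `sideEffects: None` shown in hunk -11: `timeoutSeconds: 30`. The `core` define that hunk -11 edits starts outside the hunk, so I cannot see whether `timeoutSeconds` is already set elsewhere in it.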
@@ -41,7 +42,7 @@ metadata: webhooks: {{- if .Values.sidecarInjectorWebhook.useLegacySelectors}} {{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }} +{{- include "core" . }} namespaceSelector: {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} matchExpressions: @@ -92,18 +93,21 @@ webhooks: {{- end }} {{- else }} -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} -{{- if .Values.revision }} + {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} {{- /* Case 1: namespace selector matches, and object doesn't disable */}} {{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }} namespaceSelector: matchExpressions: - key: istio.io/rev operator: In values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} - "{{ .Values.revision }}" + {{- end }} - key: istio-injection operator: DoesNotExist objectSelector: @@ -114,7 +118,7 @@ webhooks: - "false" {{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }} namespaceSelector: matchExpressions: - key: istio.io/rev 
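Review bot: `{{- include "core" . }}` in hunk -41 passes the root context, which has no `Prefix` key, so `{{.Prefix}}` inside the define renders as `<no value>` and, as far as I can tell, the legacy webhook name only comes out as `sidecar-injector.istio.io` because Helm strips that literal from rendered output; a strict renderer (`missingkey=error`) fails on it instead. Keeping the explicit empty prefix costs nothing and makes the name independent of that quirk: `{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }}`. Hunk -92 in the same file keeps the `mergeOverwrite` form for the other includes, so this also restores consistency within the file.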
@@ -130,10 +134,15 @@ webhooks: - key: istio.io/rev operator: In values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} - "{{ .Values.revision }}" + {{- end }} -{{- else }} -{{- /* "default" revision */}} + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} {{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml index fef641a..40b2e60 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml @@ -16,7 +16,7 @@ spec: selector: matchLabels: app: istiod - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} istio.io/rev: {{ .Values.revision }} {{- else }} istio: pilot diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml new file mode 100644 index 0000000..3df335d --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml 
@@ -0,0 +1,113 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +{{- define "core" }} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} + +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + 
matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml index 1fe1b5a..1d4d9fe 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml @@ -27,7 +27,7 @@ spec: protocol: TCP selector: app: istiod - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} istio.io/rev: {{ .Values.revision }} {{- else }} # Label used by the 'default' service. For versioned deployments we match with app and version. 
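Review bot: The `{{- define "core" }}` at the top of the new revision-tags.yaml reuses the template name that mutatingwebhook.yaml already defines and includes (hunk -41 there); Helm `define` names are chart-global and the definition parsed last wins for every `include`, so which `core` body each file renders depends on template load order. The two bodies differ — this one has no `port: 443` under `service:`, which hunk -11 of mutatingwebhook.yaml adds — so one of the two files ends up rendering the other's `clientConfig`. Renaming this definition (for example `{{- define "revisiontags.core" }}` together with the four `include "core"` calls below it) removes the ambiguity. Separately, `url: {{ .Values.istiodRemote.injectionURL }}` is an unquoted templated scalar; `url: {{ .Values.istiodRemote.injectionURL | quote }}` keeps an empty or special-character value from being re-typed by the YAML parser.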
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml similarity index 88% rename from charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml rename to charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml index b1db1b9..3e4e597 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml @@ -3,7 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -19,7 +19,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -54,7 +54,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -89,7 +89,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -124,7 +124,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -138,7 +138,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: {} patch: operation: INSERT_BEFORE 
@@ -153,7 +153,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -169,7 +169,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -187,7 +187,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -201,7 +201,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -224,15 +224,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -255,7 +247,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -309,7 +301,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -333,15 +325,7 @@ spec: { "debug": "false", "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "disable_host_header_fallback": true } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} 
@@ -365,7 +349,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -379,7 +363,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -431,7 +415,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -452,15 +436,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -483,7 +459,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -504,15 +480,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} 
@@ -537,7 +505,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -552,7 +520,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -573,7 +541,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -587,7 +555,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: 
@@ -608,7 +576,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -621,7 +589,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -642,7 +610,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -655,7 +623,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} 
@@ -670,7 +638,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -703,7 +671,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -735,7 +703,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -768,7 +736,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -782,7 +750,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '1\.9.*' + proxyVersion: '1\.10.*' listener: filterChain: filter: diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml index 1290bee..b159557 100644 --- a/charts/kubezero-istio/charts/istio-discovery/values.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml @@ -68,7 +68,7 @@ sidecarInjectorWebhook: # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook # requests in Istiod, rather than at the webhook selection level. # This is option is intended for migration purposes only and will be removed in Istio 1.10. - useLegacySelectors: true + useLegacySelectors: false # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # always skip the injection on pods that match that label selector, regardless of the global policy. # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions 
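Review bot: `proxyVersion: '1\.10.*'` in hunk -782 is the only match in this file without the leading `^` that every other `proxyVersion` in this commit uses (`'^1\.10.*'`), so the stackdriver sampling access-log filter matches any proxy version string that merely contains `1.10`. The old line had the same omission, but the rename is the moment to align it: `proxyVersion: '^1\.10.*'`. Left as is, the next search-and-replace version bump carries the gap forward.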
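Review bot: The comment two lines above `useLegacySelectors: false` still says the option "will be removed in Istio 1.10", while this commit moves the chart to `tag: 1.10.3`, so the comment now describes the present and a reader cannot tell whether the flag still does anything. Flipping the default also means new installs no longer get the istiod-side request filtering the same comment describes, and only the webhook selectors decide which pods reach istiod. The comment should be rewritten to match: `# Legacy selector logic (filtering in istiod instead of webhook selectors); intended for migration only and off by default since Istio 1.10.`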
@@ -157,15 +157,13 @@ telemetry: enabled: false logging: false monitoring: false - topology: false + topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. disableOutbound: false # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. configOverride: {} # e.g. - # enable_mesh_edges_reporting: true # disable_server_access_logging: false - # meshEdgesReportingDuration: 500s # disable_host_header_fallback: true # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. accessLogPolicy: @@ -176,6 +174,9 @@ telemetry: # Revision is set as 'version' label and part of the resource names when installing multiple control planes. revision: "" +# Revision tags are aliases to Istio control plane revisions +revisionTags: [] + # For Helm compatibility. ownerName: "" @@ -197,6 +198,10 @@ meshConfig: rootNamespace: + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + # TODO: the intent is to eventually have this enabled by default when security is used. # It is not clear if user should normally need to configure - the metadata is typically # used as an escape and to control testing and rollout, but it is not intended as a long-term @@ -232,7 +237,7 @@ global: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.3 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -505,8 +510,6 @@ global: # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. useMCP: false - # Deprecated, use meshConfig.trustDomain - trustDomain: "" base: # For istioctl usage to disable istio config crds in base enableIstioConfigCRDs: true 
diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index edb9810..e0e0de3 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml 
@@ -11,11 +11,11 @@ metadata: k8s-sidecar-target-directory: Istio binaryData: istio-control-plane.json.gz: - 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 + 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 istio-mesh.json.gz: - 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 + 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 istio-service.json.gz: - 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 + 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 istio-workload.json.gz: - H4sIAAAAAAAC/+1da3PbOLL97l8Bc7O35FzHEfWwralMqmI7mUndTOxrOZmqGWdVNAlJXFOkwodjx+X97QuAbxKUST1ISuoP44kIEASB7sY53U3gcQchYTBQ9aljW8Iv6G/yG6FH9peU6NIEk6vCWX9wcXn+x/ur399/6Qv7frEm3WCNll+YxgTbY+xYYaGCLdlUp7Zq6LRKWGA/TFmjimRLluGYMg7LppozUvWPCi2fchp1yz973Yo8llV4In+/7buvZOLvjmpizkv5zx+Z0lDSpbBxVeFe9gfht2TBHTYt7+0ODzoHba8T+/zHTSWdDFb6YdMx91HRy5EHzX4Gb0jVzMHU08PIe2T3oHnQnOPdbOlGw+mnXcUvp98tmERJ1w1bogJEZ9F9qKCplh3MadgVUnLjqJr9kbYk7odXI0NCHvGCM0KkEtZZp35BtungyPWxqnCuqrKhnxqaYdIWzdGN1Gjuo5Yokj/d7j4S96JN+6/9LnwZ9D/onYZN24rWC6fQGt8YkqkIXtkT+/+3HW/0k3r10SL/Qn8a5q1mSAo6829H3sAi8aBHRJPdihXV9l50KGkWeydhpGObKdzRYbvpXqHSd2UYmq1OyXX3ompjU/IeKnbbYrvT7RyKncMuK9VU/ZapmjtzTB44qicbmiZNLawkBpU8UlUujHCa3dFPTOUP8rvViVy493vn/X6gv/1hi0tjrxvakHjn4lLEOqnbWKdCJrxR1Dska5Jl/XodzsyrMZYUbCIb39uvZFIVm9fC22v9jUWafvvn+eX/fTp/d/YLevHDm5WDF1QKSKmM37xmlUjl16TttxEJIE8eqlhTTg19qI5iI+HZ06HkaLaVKqFddizbmNCSp1jR0368DYMIBRlp1yp+28moyJ2NYEbaiTaTs8KbmWB2xMxnslk67sWuxaUquDwxmFYKY3uixQfQmMatRfVzmuxu5vu7K9vX0BoeHYjE7Mbq2KrNlFdIXDYlnfTAdF8wbqwiloW+Wvj8yNPj0i/JY3ylTrDh0NZ0R9P249pBDN+JJN+OTMPRlagpidf5KmkOzi6OKyC7zkxpq0NMaLfj/tc86O0lh9Ot1T4ihrbV20edJq12nFGvS0rFoxap1mWtHe1FZyAuVnlWihop6dAwJxKTaGNqxbs4kpwRTnduIt37kyI2k9o5IcLnFSaLrLHxgzeRVLbGBGKNDU35RKGg9VytPyTzFrOpp1I6n/3pcOzPcU7z05ltfsRW/Bq1AneSxlODDNM0wwARmf/DswR3bKAT/WOrrl+DKLOUrPBvIj/q8CGo4thGsophqsQI+Mu0MCa/fxLLJ2kp5cCKI+PzjN4yM6DJaRX1UL9lfzbsz2RIhETpt/1kO0xbrJTNcqEfHYZAZmbqBLVdsRfPnMiJNJ2q+ujKNXpiVln63VJD4CM31k1kG2xtyHiLxNKWeoHMxonpHuVovBVvPNOGERU/I3brwiCya6X1XKByzAr9wSQL
o45lmyCyVL0r2iOO6E8Nyx6q9+l1yCv4QCSur/5kzXeb/0zUMTH/XnZ95q1sqP4g8PH5qRuazNCy10gPqu2+mPD59TtOoRHcmHPM6dJ7S+wBx+IOVU2LM4U2YQmieEz+EKxDViTxOLVwDemz0+u4a3RwtDm3tRZd43rtVDue2Z5paRkdIE06E52DKyRzhO0cw43vp26XKCJoWM6koRKugBsq5SaMiWPLtgY2IUDao4mnhkkMK0FfL76TH9fCPlnrbFVnZmvg46tBAK9+/Q+pGfzKqM4q+T+uhae/u5Nve3t0hJtNcS89zeHqaROsM7AwsZxWupq/BHyQZJsNu5iqQgTX9VdwhMmy8TSx7MySpGCdtDiT4WO/j7pskMV6hC7dcUVf6fQlQIqP+SxSUSOVpLhtce1KVNuOk9rGauTTNoO+o/BrQUXzTVshXWM3+e4f2TEZ5q09puWg0EVAbRoiL4ppFSyrE4nht9Tg1A/vTrFJGZqjq/ZSce9xGcA3iXVWgHyP50C+HUC+gHwB+QLyBeQ7D/KtA+bdJ2vNlBg1PJCJiO+Swu7BywAKo9eoRsC8JEA+F+7uEXTV69H/DrrPYfC+I8vYstAlGVXU0A39Vff+HvkTYe1tISqX7kbPI3JJUyXr1MfMj3HVvJFMLqBi3vpPWB/ZLDLUTJXhrNvWy7GrMisopi7+ZkqK6jr5m8tHjeJhIdg4VhUF631XTXmj7gZ0juLYEY8w41eJfhJxGOnvrKtkcDJa5W6UUeLTQH4pDeG+n0zthxnlf2HTyCgmsCKrRNUzSkx1NCYqzAkdJ1enJNajdjij0UzI+JRE59jiRYFowQ9Vsccp0coA9CnAlIIUPhGTRnxOnCekNaVPoHLt0C5002V84SITrmATs7V3qBkJO+ouHucxdUsCFxlnWRJil+Vb7lOpO2eKlU8u4kmXF4YNjTFZiQ3CfyaD746k26qGG80D6i7IWKsHiuNG4QcTYhBUCxMUq1iDG0e+xXbeFTyJG1CxZf7pb5EBipsH1NAwQxYEbDf3kGGi+d+nFq+yMCzh070coMW1jB+Cp110m0J+ZLO/iLj1Nkzcepsvbl5eEmedmFPaerOk7WSp0tbbMGnrgbQVlrbeDGk7nYu1JRZ4+j4fXFdIyotDyy7xyPP/cW7sj9Whzb/T439+6OXMm+AEzQtS5x6TyE8yU7lvfhmRCE7WAoN9A584qrqi3qmKI81IJIqkt0ZySF2YL92rHJbgSiXP+R/JXqIDk/SzeK48zl3ZGDfAsTMY0IN0n8dNGYovR2j93OR052ihMTqRLMyVVhfxc29zIT+3iO9yet5YRt5hTCWgJu/B8Utn6uEDX6oYp8sic7TsE74L3myH96AahvP+0er15M7hvOG7fyidjtSWNjAH7WTrc9DiyWMzktCOn8mBhVAchOIgFAehOAjFLSUUZ8tTwmx0e3DzYOMZsa6C7IpfPxXtcinY/yJer0wsY/UOKxX2rDacUFh6GC8jdHd1eoH6pHfYRFemNByqMsToAGYDzF5rmJ26mAdndwFnA84GnA04G3B2qTjbXWlzAdlE1dWg62X3Zzsx9alGVyPA1PF7voW7nviD9RvWsRlZpIPRMYkGc3fZKGHXBDFj14R2WbsmfPx8cv7l8xnyv7Tvb/tGCe3Z6LXTredOCYXmce02R4C01WfTVptLSls9XCTEIh4umLfa6ubLW11CUioH+s2TdLrOWaVIstBPmoML2aXLzC7N9Tm2xwm9LCXHVO2HwdTQVPmBGP2JYzuSNrA1a0Vu6H2UA5GzeyxT/qE9D9dJNd0KP3qhuU+JG2a0sI9in9CU8vl4ErQ/Pib7h56eDtJXw16TckQs02O88/Rq49pRjtsK+auIzcnVp/6eMM/n66250v8WlL5dEL+FxW/ZhHKJsjkz3TSnINYxMzC5O4OFTh5Qnw0Peqcr5LI7DuiUrn8F0wa56/7W5Q2mnXi2lKDsS0wtTG6uteKkPIGTiA25heXl
FgLDK+3DxMOFonuLU7zDKineCj47hO8KgfnNvR0BqpgH8vcuqA6Lz7dfQtWjWN1wrTlHqZQpL1XOdkFd12cYQV/n09eN9x48t69M6FWATw+r/fQwazPCZRBsgcBaUQBPAXgKcu/jyT9zZ9vcCHn3g2+1FnUi1Gp/o3L8DNHtjcAPAX6ISvc3WpRxL7jHxnIQvDhXsLDMvZe2fJhrxJYSPWVcKbP3T0/ootus1rux+k2nwAaUsiEW2IC1tQG9gjbgpBwb0AUbUJoN6IIN2HIb0C1mA07LsQE9sAGl2YAe2IAttwG9YjbgrBQbUJI/YBeMQCkOgV2wAnX3CMxQ+febRP9B5cvh/6DytXcAzFD5D5vE9kHly6H7oPK15/szVP63TSL3oPLlsHtQ+drT+xkq//smfVYZnLwAiZBbeQYDJD9C8uMWfyaZ99TvxfMbj2ue3wgJjJDAuMIExsIudHezSQieQSLd0hPpCvt2QRY3VRarz+gq7HUEYYTMohVlFhV2h4EsbrBhrDjFpUzECA5ZyLSoBh+C5EHAvxowCJIHcedqoB9IHoQ/6xL+pAelQOizLqFPBcvMrkAEFCKgEAGtLAIqHq4iBHoIIVAIgUIINI9Dy9sTEtyrEAOtPgYKwghB0PoEQUEaIQpamygoCCOEQesTBl1cGsEzC3HQijAiiB4EQisChCB6EAmtCP6B6EEotKJQaHCAJoRAIQQKIVAIgcJZmdEYKPeUi+MFQ6DHzZUelQmHXUKAcoEAJf+geVueEqgrY/UOKx7U3exjG+cBuptwxHzVpzeuVPx2Qf5my19JIrapBw6eUMlEl56goiF5EgqSTa9OL9BpIJrAsKplWCdTIFfLJVfp9wBuBdwqm1ulLi6HXLWAXAG5Wj9yZZFxjSHbAiSKB4IB2AJ3mku6dkG8gDdVwpv6REiRbQBjAsYEjKk0xrSTeFz0M9kbuqCgPz1LFE5/IP8meY+dyAz43RNkQ9OkqZVSRC53EBIYlXGGVidyIRGLcanCTmLyXQLQCxoSppKOtbiMx1ghWQRtF+oLb4jOI1mTLIuscpTb3RiSqbwaY4nATmTje/sVRb7YvBbeXutviD3W355/uTo5//L5DPXfX379ePq+/+Y1u07KX5Pm3taT7s0kb20OeYtOxMzAmNjJfKj76V8vDw3xbeHYniTYhzG1vUUm0fMy5zHZw8xXzkOGAlVLXDYlnfTAo6EpZucrH30bAVwfi7s+mnUIK4tHC3o+jlYbVl7BZ7Pr7BhBkoV+YtMAB0kJDhJvu5k5XCOzWeOz6ZFRdhqhwW7VJK8lg3ynei0rpLd3MiWk3YCQcurSVr38UZkIV1VElNMzQkYRsR2P8Q6iero4csvH7tYLyAoyDIpIz6Z6MM4de2REthSyaC7tWTgw6B0hUkGy7SldSAq6M7gL6Nb5M5IS4gKF2NUlujwMcHlABi5QpdpFiRfnSmKVXIkW/0W5A8SYIca8dAr1DDjmotRKGFUMG+6Swu7ByyVAZnq249qMwcIvuwZEoFLCuFxJ2AV1WDGJ3nx92HgK3HdkGVsWuiQChxq6ob/q3t8HngBrL0GNIa5fbVzfA1yOri6fJQoEm4kC0F2guznpLjGZsqmyQG86LrrlG/JyP0ZtL8qEWzXfj3cFZBm26wUynZNMNwofQKV4R6kPJsQgqAQ6G7rC2xdmGcTzuQzavBm5fKAtzg5M0U1dCLcQm83mHjJMNP9IbfggrQFFr3wn4kbh47ZAzwqPFOhZ5XpW9R7LjcKHi4GeFR4p0LPq9azi7aMbhY9SAz0rPFKgZ9XrWcUbY1fLz3aBoG3EKK0HQytx0+9q6dgu8DFQq9IIWYkbmlfLvnaBfoFalca/StysvVqytQtsC9SqNLq1qRvRJz+gQWee3EG2UK2yheCDGMgQgg9iqksCOl5JElAbDuWGLB84lDu3ZzTrsCeIO2xJvkphpx9IzJZnXhT2Z4HEbHkOQWFXDUjMlkfDS8Ux4NFbu7Bu
qagF5GPt4pOlYhSQj7ULtJWKSEA+IGJUKGLkH2EM0SI4xxiCRhA0gqCRHzQSD1cSNepA1AiiRhA1yuFt8XZ2AgcdhI3yOmBAZCBuVNAnAyIDgaOCbhoQmVqIzFqFjpYgM+Db2+TYEQgIBI9WDVRAQDY5egQCAuGjFYePgsN4IGwEYSMIG0HYCA7fScWNuDsO9xYNGx2u9OwdOD0HgjoLBHX4B0za8pTAIt1PaCp8DCkXu5Z6asZMPFqzc0dreMJoQQHYBQmAI1LSnOOECg/qEzlCho6CBLar0wt0GsgSkI9qyccJHPq5ZN6Rfg+gHUA7Cp75uTjvOAbeAbxj/XiHiWWs3mElBj3X6gRL4B77dRCCXZAC4B+Ef1x6soSG5EnAQoCFAAspjYXsJB4X+5zthpp/1HfNUDj9gfyb5D12/GZYE9QuUWtCS9tN9xbBksd4IoVgq3XoXrYf3Ccpknnr1iR4LRRK4SNdbYSgaRtPphqxjHpIQghAtOyIFIfjEwHHj3H8pRF7wrUQ5AH3XrSPMZq4YjOlipbymJwfCY+YGGJQZM1R8DuNA58zJI+sisS6cap71kDgEjXBYMdUJo2x8N3B5gM7WJWYV2yPsRPVZLf4q/920ZJwLsXY1RG+T1a1btXpF1PrP+gyp9u+vES6vZMYu8jMSZrmdycxLJE5jQ56HhZLp03VVc45nnPPmfDZxyNCganTeTc9N3PsHzQNhTTuwjHOsdlpLJPGUWzL3bABnhc5VzN7BeTk9cHLCJC7Fhp//+ta+PZy7+Dl6/wilF67qbFgcmL9vz9MQrw0NZ70Gr+yJ6DugEcKHAtfuQ1Fue1aS+2f3mwWEdofnHsKyWym0D7OFrQk7n/Kls6EaCcek5tZeE9I1N9jrTdma87K3oX7sIXfqKAOB0xrMQ0W11uDi2OJjCSuCJ4Ia3AxRVWG4tJj8zxDEX/fwE58NwnzLGAj2LMGLl9p+N6DvZVgEE/8WrCA5JSLxBQHYvFRd2mBv46gmTAoQ1AsU9atpSOgqAPqBZXFpCMoYsMynUXzGtRCIKsuPS24BiwLxoEWLlsLi+neD21dde85HzEzLJmYpzaKudhrVIPc2qC0CyptJKPf96oV0Fs3crFSxc3MBJv/25Sn7BBLMW0st28FVYwXbVpM2zr10Db2fxpGeHJ9sCqTRc/7OnQjQ4Ju/Hgl+oEQwTa8a0Lstqkq37KouHezN6gDP04WjUYI3UnobRajP9rNaEkYfBFakX+Lisukvvk9onG6iLI8+5Row4fRhqNPaXWiP8IVWDhSov31+xIbjJ+GHrpbQ58783iHyPpMssY3hmS67QkOSxsRvtxY/b+uzlTPZ34X+NXFnaf/AluDM8vxjQEA + 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 {{- end }} diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index f7b2313..2af9b65 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh 
@@ -4,14 +4,14 @@ set -ex ### TODO # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/ -export ISTIO_VERSION=1.9.3 +export ISTIO_VERSION=1.10.3 rm -rf istio curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz mv istio-${ISTIO_VERSION} istio # remove unused old telemetry filters -rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml +rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml # Patch patch -p0 -i zdt.patch --no-backup-if-mismatch diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index e1531d4..e248fd9 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,9 +1,8 @@ global: # hub: docker.io/istio - # tag: 1.9.3 + # tag: 1.10.2 logAsJson: true - jwtPolicy: first-party-jwt defaultPodDisruptionBudget: enabled: false diff --git a/charts/kubezero-kiam/Chart.yaml b/charts/kubezero-kiam/Chart.yaml index 45defec..14debca 100644 --- a/charts/kubezero-kiam/Chart.yaml +++ b/charts/kubezero-kiam/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-kiam description: KubeZero Umbrella Chart for Kiam type: application -version: 0.3.4 +version: 0.3.5 appVersion: "4.0" home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png diff --git a/charts/kubezero-kiam/README.md b/charts/kubezero-kiam/README.md index 61c6a05..643d6f6 100644 --- a/charts/kubezero-kiam/README.md +++ b/charts/kubezero-kiam/README.md 
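Review bot: The bumped `ISTIO_VERSION=1.10.3` is still fetched by the unchanged `curl -sL … | tar xz` pipeline with no integrity check, so the vendored chart that `zdt.patch` is applied to afterwards is whatever the download endpoint happens to serve, and `set -e` only catches a truncated or substituted archive once tar chokes on it. Pin the SHA-256 of the release tarball next to the version and verify it before extracting (Istio publishes a `.sha256` file alongside each release asset, which is the value to copy in). The script's telemetry-filter cleanup and the `patch -p0` call are unaffected by this. Note also that `charts/kubezero-istio/values.yaml` in this same commit comments `# tag: 1.10.2`, not 1.10.3; one of the two should be corrected so the pinned image and the vendored chart agree.
```shell
export ISTIO_VERSION=1.10.3
# sha256 of istio-${ISTIO_VERSION}-linux-amd64.tar.gz, copied from the release's .sha256 asset
export ISTIO_SHA256="<fill in from the release page>"

rm -rf istio
curl -sLo istio.tgz "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
echo "${ISTIO_SHA256}  istio.tgz" | sha256sum -c -
tar xzf istio.tgz && rm -f istio.tgz
mv istio-${ISTIO_VERSION} istio
# … unchanged: telemetry filter cleanup and zdt.patch …
```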
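Review bot: Dropping `jwtPolicy: first-party-jwt` hands token handling back to the upstream chart default, which — assuming that default is still `third-party-jwt` in the 1.10 chart — is the stronger option (audience-bound, expiring projected service-account tokens instead of the long-lived legacy secret token), but it only works when the API server actually issues projected tokens (`--service-account-issuer` / `--service-account-signing-key-file` configured). The commit does not record that this prerequisite is now guaranteed by the kubeadm golden config, so the override is likely to be re-added the first time a sidecar fails to bootstrap; a comment in place would prevent that, e.g. `# jwtPolicy intentionally left at the upstream default (third-party-jwt): requires projected SA tokens from the API server, see charts/kubeadm`. Separately, the retained comment `# tag: 1.10.2` disagrees with `ISTIO_VERSION=1.10.3` in update.sh from this same commit; align it or remove the stale hint rather than leave two different versions in the repo.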
@@ -1,6 +1,6 @@ # kubezero-kiam -![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.0](https://img.shields.io/badge/AppVersion-4.0-informational?style=flat-square) +![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.0](https://img.shields.io/badge/AppVersion-4.0-informational?style=flat-square) KubeZero Umbrella Chart for Kiam @@ -53,9 +53,9 @@ By default all access to the meta-data service is blocked, expect for: | kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | | -| kiam.agent.resources.limits.memory | string | `"20Mi"` | | +| kiam.agent.resources.limits.memory | string | `"64Mi"` | | | kiam.agent.resources.requests.cpu | string | `"50m"` | | -| kiam.agent.resources.requests.memory | string | `"20Mi"` | | +| kiam.agent.resources.requests.memory | string | `"16Mi"` | | | kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | | | kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | | | kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | | 
@@ -74,9 +74,9 @@ By default all access to the meta-data service is blocked, expect for: | kiam.server.prometheus.servicemonitor.enabled | bool | `false` | | | kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | | | kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | | -| kiam.server.resources.limits.memory | string | `"100Mi"` | | +| kiam.server.resources.limits.memory | string | `"128Mi"` | | | kiam.server.resources.requests.cpu | string | `"50m"` | | -| kiam.server.resources.requests.memory | string | `"50Mi"` | | +| kiam.server.resources.requests.memory | string | `"64Mi"` | | | kiam.server.service.port | int | `6444` | | | kiam.server.service.targetPort | int | `6444` | | | kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | | diff --git a/charts/kubezero-kiam/values.yaml b/charts/kubezero-kiam/values.yaml index 8f1b8da..82a050a 100644 --- a/charts/kubezero-kiam/values.yaml +++ b/charts/kubezero-kiam/values.yaml @@ -65,6 +65,9 @@ kiam: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: kubezero-workergroup + effect: NoSchedule + operator: Exists priorityClassName: system-node-critical prometheus: servicemonitor: diff --git a/charts/kubezero-local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/Chart.yaml deleted file mode 100644 index 4a32718..0000000 --- a/charts/kubezero-local-path-provisioner/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v2 -name: kubezero-local-path-provisioner -description: KubeZero Umbrella Chart for local-path-provisioner -type: application -version: 0.1.0 -appVersion: 0.0.18 -home: https://kubezero.com -icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png -keywords: - - kubezero - - local-path-provisioner -maintainers: - - name: Quarky9 -dependencies: - - name: kubezero-lib - version: ">= 0.1.3" - repository: https://zero-down-time.github.io/kubezero/ -kubeVersion: ">= 1.16.0" 
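Review bot: The new `kubezero-workergroup` toleration changes where this kiam component may be scheduled, and the hunk does not show whether the `tolerations:` list sits under `kiam.agent` or `kiam.server` (the enclosing block starts before the hunk). If it is the agent, the toleration is a security fix and should say so: the README's "all access to the meta-data service is blocked" holds only on nodes that actually run the agent, so a tainted worker group without it leaves the instance metadata endpoint reachable from every pod there — a comment such as `# must run on every node incl. tainted worker groups: a node without the agent does not block the metadata service` would record that. If it is the server, which holds the role-assuming credentials, tolerating worker taints should be paired with a matching nodeSelector, since the existing `node-role.kubernetes.io/master` toleration and the `system-node-critical` priority suggest it was meant to stay on the control-plane nodes. The new entry also states `operator: Exists` while the master toleration above it does not; spelling the operator out on both keeps the intent readable.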
diff --git a/charts/kubezero-local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/README.md deleted file mode 100644 index c69fb7f..0000000 --- a/charts/kubezero-local-path-provisioner/README.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# kubezero-local-path-provisioner - -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.18](https://img.shields.io/badge/AppVersion-0.0.18-informational?style=flat-square) - -KubeZero Umbrella Chart for local-path-provisioner - -Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Quarky9 | | | - -## Requirements - -Kubernetes: `>= 1.16.0` - -| Repository | Name | Version | -|------------|------|---------| -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| local-path-provisioner.nodePathMap[0].node | string | `"DEFAULT_PATH_FOR_NON_LISTED_NODES"` | | -| local-path-provisioner.nodePathMap[0].paths[0] | string | `"/opt/local-path-provisioner"` | | -| local-path-provisioner.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| local-path-provisioner.storageClass.create | bool | `true` | | -| local-path-provisioner.storageClass.defaultClass | bool | `false` | | -| local-path-provisioner.tolerations[0].effect | string | `"NoSchedule"` | | -| local-path-provisioner.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | - -## KubeZero default configuration - -- add nodeSelector to only install on nodes actually having ephemeral local storage -- provide matching storage class to expose mounted disks under `/mnt/disks` - -## Resources - -- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/README.md.gotmpl b/charts/kubezero-local-path-provisioner/README.md.gotmpl deleted file mode 100644 index 7eecd10..0000000 
--- a/charts/kubezero-local-path-provisioner/README.md.gotmpl +++ /dev/null @@ -1,27 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -{{ template "chart.description" . }} - -Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. - -{{ template "chart.homepageLine" . }} - -{{ template "chart.maintainersSection" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -## KubeZero default configuration - -- add nodeSelector to only install on nodes actually having ephemeral local storage -- provide matching storage class to expose mounted disks under `/mnt/disks` - -## Resources - -- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml deleted file mode 100644 index 59f96aa..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -description: Use HostPath for persistent local storage with Kubernetes -name: local-path-provisioner -version: 0.0.18 -appVersion: "v0.0.18" -keywords: - - storage - - hostpath -kubeVersion: ">=1.12.0-r0" -home: https://github.com/rancher/local-path-provisioner -sources: - - https://github.com/rancher/local-path-provisioner.git diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md deleted file mode 100644 index 03235f0..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/README.md +++ /dev/null 
@@ -1,116 +0,0 @@ -# Local Path Provisioner - -[Local Path Provisioner](https://github.com/rancher/local-path-provisioner) provides a way for the Kubernetes users to -utilize the local storage in each node. Based on the user configuration, the Local Path Provisioner will create -`hostPath` based persistent volume on the node automatically. It utilizes the features introduced by Kubernetes [Local -Persistent Volume feature](https://kubernetes.io/blog/2018/04/13/local-persistent-volumes-beta/), but make it a simpler -solution than the built-in `local` volume feature in Kubernetes. - -## TL;DR; - -```console -$ git clone https://github.com/rancher/local-path-provisioner.git -$ cd local-path-provisioner -$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ -``` - -## Introduction - -This chart bootstraps a [Local Path Provisioner](https://github.com/rancher/local-path-provisioner) deployment on a -[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - -- Kubernetes 1.12+ with Beta APIs enabled - -## Installing the Chart - -To install the chart with the release name `local-path-storage`: - -```console -$ git clone https://github.com/rancher/local-path-provisioner.git -$ cd local-path-provisioner -$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage -``` - -The command deploys Local Path Provisioner on the Kubernetes cluster in the default configuration. The -[configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `local-path-storage` deployment: - -```console -$ helm delete --purge local-path-storage -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. 
- -## Configuration - -The following table lists the configurable parameters of the Local Path Provisioner for Kubernetes chart and their -default values. - -| Parameter | Description | Default | -| ----------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | -| `image.repository` | Local Path Provisioner image name | `rancher/local-path-provisioner` | -| `image.tag` | Local Path Provisioner image tag | `v0.0.18` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `storageClass.create` | If true, create a `StorageClass` | `true` | -| `storageClass.provisionerName` | The provisioner name for the storage class | `nil` | -| `storageClass.defaultClass` | If true, set the created `StorageClass` as the cluster's default `StorageClass` | `false` | -| `storageClass.name` | The name to assign the created StorageClass | local-path | -| `storageClass.reclaimPolicy` | ReclaimPolicy field of the class | Delete | -| `nodePathMap` | Configuration of where to store the data on each node | `[{node: DEFAULT_PATH_FOR_NON_LISTED_NODES, paths: [/opt/local-path-provisioner]}]` | -| `resources` | Local Path Provisioner resource requests & limits | `{}` | -| `rbac.create` | If true, create & use RBAC resources | `true` | -| `serviceAccount.create` | If true, create the Local Path Provisioner service account | `true` | -| `serviceAccount.name` | Name of the Local Path Provisioner service account to use or create | `nil` | -| `nodeSelector` | Node labels for Local Path Provisioner pod assignment | `{}` | -| `tolerations` | Node taints to tolerate | `[]` | -| `affinity` | Pod affinity | `{}` | -| `configmap.setup` | Configuration of script to execute setup operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
mkdir -m 0777 -p ${absolutePath} | -| `configmap.teardown` | Configuration of script to execute teardown operations on each node | #!/bin/sh
while getopts "m:s:p:" opt
do
 case $opt in
  p)
  absolutePath=$OPTARG
  ;;
  s)
  sizeInBytes=$OPTARG
  ;;
  m)
  volMode=$OPTARG
  ;;
 esac
done
rm -rf ${absolutePath} | -| `configmap.name` | configmap name | `local-path-config` | -| `configmap.helperPod` | helper pod yaml file | apiVersion: v1
kind: Pod
metadata:
 name: helper-pod
spec:
 containers:
 - name: helper-pod
  image: busybox | - - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set storageClass.provisionerName=rancher.io/local-path -``` - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the -chart. For example, - -```console -$ helm install --name local-path-storage --namespace local-path-storage ./deploy/chart/ -f values.yaml -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## RBAC - -By default the chart will install the recommended RBAC roles and rolebindings. - -You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable -[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/). - -To determine if your cluster supports RBAC, run the following command: - -```console -$ kubectl api-versions | grep rbac -``` - -If the output contains "beta", you may install the chart with RBAC enabled (see below). - -### Enable RBAC role/rolebinding creation - -To enable the creation of RBAC resources (On clusters with RBAC). Do the following: - -```console -$ helm install ./deploy/chart/ --name local-path-storage --namespace local-path-storage --set rbac.create=true -``` diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt deleted file mode 100644 index 25370ac..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/NOTES.txt +++ /dev/null 
@@ -1,13 +0,0 @@ -You can create a hostpath-backed persistent volume with a persistent volume claim like this: - -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: local-path-pvc -spec: - accessModes: - - ReadWriteOnce - storageClassName: {{ .Values.storageClass.name }} - resources: - requests: - storage: 2Gi diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl deleted file mode 100644 index cd58f3d..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/_helpers.tpl +++ /dev/null 
@@ -1,71 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "local-path-provisioner.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "local-path-provisioner.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "local-path-provisioner.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "local-path-provisioner.labels" -}} -app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} -helm.sh/chart: {{ include "local-path-provisioner.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Create the name of the service account to use. -*/}} -{{- define "local-path-provisioner.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "local-path-provisioner.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the provisioner to use. 
-*/}} -{{- define "local-path-provisioner.provisionerName" -}} -{{- if .Values.storageClass.provisionerName -}} -{{- printf .Values.storageClass.provisionerName -}} -{{- else -}} -cluster.local/{{ template "local-path-provisioner.fullname" . -}} -{{- end -}} -{{- end -}} - -{{- define "local-path-provisioner.secret" }} -{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }} -{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml deleted file mode 100644 index a9fd1c6..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrole.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "local-path-provisioner.fullname" . }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -rules: -- apiGroups: [""] - resources: ["nodes", "persistentvolumeclaims", "configmaps"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["endpoints", "persistentvolumes", "pods"] - verbs: ["*"] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] -{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml deleted file mode 100644 index 9a46a7b..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "local-path-provisioner.fullname" . }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "local-path-provisioner.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "local-path-provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml deleted file mode 100644 index b025053..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.configmap.name }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -data: - config.json: |- - { - "nodePathMap": {{ .Values.nodePathMap | toPrettyJson | nindent 8 }} - } - setup: |- - {{ .Values.configmap.setup | nindent 4 }} - teardown: |- - {{ .Values.configmap.teardown | nindent 4 }} - helperPod.yaml: |- - {{ .Values.configmap.helperPod | nindent 4 }} - diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml deleted file mode 100644 index ad42ae0..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/deployment.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "local-path-provisioner.fullname" . }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "local-path-provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "local-path-provisioner.serviceAccountName" . }} - containers: - - name: {{ .Chart.Name }} - {{- if .Values.privateRegistry.registryUrl }} - image: "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- else }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - local-path-provisioner - - --debug - - start - - --config - - /etc/config/config.json - - --service-account-name - - {{ template "local-path-provisioner.serviceAccountName" . }} - - --provisioner-name - - {{ template "local-path-provisioner.provisionerName" . 
}} - - --helper-image - {{- if .Values.privateRegistry.registryUrl }} - - "{{ .Values.privateRegistry.registryUrl }}/{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" - {{- else }} - - "{{ .Values.helperImage.repository }}:{{ .Values.helperImage.tag }}" - {{- end }} - - --configmap-name - - {{ .Values.configmap.name }} - volumeMounts: - - name: config-volume - mountPath: /etc/config/ - env: - - name: POD_NAMESPACE - value: {{ .Release.Namespace }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumes: - - name: config-volume - configMap: - name: {{ .Values.configmap.name }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml deleted file mode 100644 index eb33897..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/registry-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.defaultSettings.registrySecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.defaultSettings.registrySecret }} -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ template "local-path-provisioner.secret" . }} -{{- end }} \ No newline at end of file diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml deleted file mode 100644 index aed111e..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "local-path-provisioner.serviceAccountName" . }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -{{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- toYaml . | nindent 2 }} -{{- end }} -{{- if .Values.defaultSettings.registrySecret }} - - name: {{ .Values.defaultSettings.registrySecret }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml deleted file mode 100644 index c451b82..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/templates/storageclass.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{ if .Values.storageClass.create -}} -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: {{ .Values.storageClass.name }} - labels: -{{ include "local-path-provisioner.labels" . | indent 4 }} -{{- if .Values.storageClass.defaultClass }} - annotations: - storageclass.kubernetes.io/is-default-class: "true" -{{- end }} -provisioner: {{ template "local-path-provisioner.provisionerName" . }} -volumeBindingMode: WaitForFirstConsumer -reclaimPolicy: {{ .Values.storageClass.reclaimPolicy }} -{{- end }} diff --git a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml deleted file mode 100644 index a19bcd2..0000000 --- a/charts/kubezero-local-path-provisioner/charts/local-path-provisioner/values.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -# Default values for local-path-provisioner. - -replicaCount: 1 - -image: - repository: rancher/local-path-provisioner - tag: v0.0.18 - pullPolicy: IfNotPresent - -helperImage: - repository: busybox - tag: latest - -defaultSettings: - registrySecret: ~ - -privateRegistry: - registryUrl: ~ - registryUser: ~ - registryPasswd: ~ - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -## For creating the StorageClass automatically: -storageClass: - create: true - - ## Set a provisioner name. If unset, a name will be generated. - # provisionerName: rancher.io/local-path - - ## Set StorageClass as the default StorageClass - ## Ignored if storageClass.create is false - defaultClass: false - - ## Set a StorageClass name - ## Ignored if storageClass.create is false - name: local-path - - ## ReclaimPolicy field of the class, which can be either Delete or Retain - reclaimPolicy: Delete - -# nodePathMap is the place user can customize where to store the data on each node. -# 1. If one node is not listed on the nodePathMap, and Kubernetes wants to create volume on it, the paths specified in -# DEFAULT_PATH_FOR_NON_LISTED_NODES will be used for provisioning. -# 2. If one node is listed on the nodePathMap, the specified paths will be used for provisioning. -# 1. If one node is listed but with paths set to [], the provisioner will refuse to provision on this node. -# 2. If more than one path was specified, the path would be chosen randomly when provisioning. -# -# The configuration must obey following rules: -# 1. A path must start with /, a.k.a an absolute path. -# 2. Root directory (/) is prohibited. -# 3. No duplicate paths allowed for one node. -# 4. No duplicate node allowed. -nodePathMap: - - node: DEFAULT_PATH_FOR_NON_LISTED_NODES - paths: - - /opt/local-path-provisioner - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -rbac: - # Specifies whether RBAC resources should be created - create: true - -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template - name: - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -configmap: - # specify the config map name - name: local-path-config - # specify the custom script for setup and teardown - setup: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - - mkdir -m 0777 -p ${absolutePath} - teardown: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - - rm -rf ${absolutePath} - # specify the custom helper pod yaml - helperPod: |- - apiVersion: v1 - kind: Pod - metadata: - name: helper-pod - spec: - containers: - - name: helper-pod - image: busybox - - - - - diff --git a/charts/kubezero-local-path-provisioner/update.sh b/charts/kubezero-local-path-provisioner/update.sh deleted file mode 100755 index 78e944f..0000000 --- a/charts/kubezero-local-path-provisioner/update.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/bash - -# get subchart until they have upstream repo -rm -rf charts/local-path-provisioner && mkdir -p charts/local-path-provisioner - -git clone --depth=1 https://github.com/rancher/local-path-provisioner.git -cp -r local-path-provisioner/deploy/chart/* charts/local-path-provisioner -rm -rf local-path-provisioner diff --git a/charts/kubezero-local-path-provisioner/values.yaml b/charts/kubezero-local-path-provisioner/values.yaml deleted file mode 100644 index 2add882..0000000 --- a/charts/kubezero-local-path-provisioner/values.yaml +++ /dev/null @@ -1,16 +0,0 @@ -local-path-provisioner: - storageClass: - create: true - defaultClass: false - - nodePathMap: - - node: DEFAULT_PATH_FOR_NON_LISTED_NODES - paths: - - /opt/local-path-provisioner - - nodeSelector: - node-role.kubernetes.io/master: "" - - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule diff --git a/charts/kubezero-local-volume-provisioner/Chart.yaml b/charts/kubezero-local-volume-provisioner/Chart.yaml deleted file mode 100644 index 35b4a86..0000000 --- a/charts/kubezero-local-volume-provisioner/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v2 -name: kubezero-local-volume-provisioner -description: KubeZero Umbrella Chart for local-static-provisioner -type: application -version: 0.1.1 -appVersion: 2.3.4 -home: https://kubezero.com -icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png -keywords: - - kubezero - - local-static-provisioner -maintainers: - - name: Quarky9 -dependencies: - - name: kubezero-lib - version: ">= 0.1.3" - repository: https://zero-down-time.github.io/kubezero/ -kubeVersion: ">= 1.16.0" diff --git a/charts/kubezero-local-volume-provisioner/README.md b/charts/kubezero-local-volume-provisioner/README.md deleted file mode 100644 index 9fa10fe..0000000 --- a/charts/kubezero-local-volume-provisioner/README.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# kubezero-local-volume-provisioner - -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.3.4](https://img.shields.io/badge/AppVersion-2.3.4-informational?style=flat-square) - -KubeZero Umbrella Chart for local-static-provisioner - -Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Quarky9 | | | - -## Requirements - -Kubernetes: `>= 1.16.0` - -| Repository | Name | Version | -|------------|------|---------| -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| local-static-provisioner.classes[0].hostDir | string | `"/mnt/disks"` | | -| local-static-provisioner.classes[0].name | string | `"local-sc-xfs"` | | -| local-static-provisioner.common.namespace | string | `"kube-system"` | | -| local-static-provisioner.daemonset.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/localVolumes"` | | -| local-static-provisioner.daemonset.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"Exists"` | | -| local-static-provisioner.prometheus.operator.enabled | bool | `false` | | - -## KubeZero default configuration - -- add nodeSelector to only install on nodes actually having ephemeral local storage -- provide matching storage class to expose mounted disks under `/mnt/disks` - -## Resources - -- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner 
diff --git a/charts/kubezero-local-volume-provisioner/README.md.gotmpl b/charts/kubezero-local-volume-provisioner/README.md.gotmpl deleted file mode 100644 index 7eecd10..0000000 --- a/charts/kubezero-local-volume-provisioner/README.md.gotmpl +++ /dev/null @@ -1,27 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -{{ template "chart.description" . }} - -Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. - -{{ template "chart.homepageLine" . }} - -{{ template "chart.maintainersSection" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -{{ template "chart.valuesSection" . }} - -## KubeZero default configuration - -- add nodeSelector to only install on nodes actually having ephemeral local storage -- provide matching storage class to expose mounted disks under `/mnt/disks` - -## Resources - -- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/Chart.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/Chart.yaml deleted file mode 100644 index 21d0314..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -appVersion: 2.3.4 -description: local provisioner chart -keywords: -- storage -- local -name: local-static-provisioner -version: 3.0.0 diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/NOTES.txt b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/NOTES.txt deleted file mode 100644 index 5839304..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/NOTES.txt +++ /dev/null 
@@ -1 +0,0 @@ -provisioner installed diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/_helpers.tpl b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/_helpers.tpl deleted file mode 100644 index 406d4d0..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/_helpers.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "provisioner.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Expand the name of the chart. -*/}} -{{- define "provisioner.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "provisioner.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "provisioner.serviceAccountName" -}} -{{- if .Values.common.serviceAccount.create -}} - {{ default (include "provisioner.fullname" .) .Values.common.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.common.serviceAccount.name }} -{{- end -}} -{{- end -}} 
diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/configmap.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/configmap.yaml
deleted file mode 100644
index 93cf277..0000000
--- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/configmap.yaml
+++ /dev/null
@@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "provisioner.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -data: -{{- if .Values.daemonset.nodeLabels }} - nodeLabelsForPV: | - {{- range $label := .Values.daemonset.nodeLabels }} - - {{$label}} - {{- end }} -{{- end }} -{{- if .Values.common.useAlphaAPI }} - useAlphaAPI: "true" -{{- end }} -{{- if .Values.common.setPVOwnerRef }} - setPVOwnerRef: "true" -{{- end }} -{{- if .Values.common.useJobForCleaning }} - useJobForCleaning: "yes" -{{- end}} -{{- if .Values.common.useNodeNameOnly }} - useNodeNameOnly: "true" -{{- end }} -{{- if .Values.common.minResyncPeriod }} - minResyncPeriod: {{ .Values.common.minResyncPeriod | quote }} -{{- end}} - storageClassMap: | - {{- range $classConfig := .Values.classes }} - {{ $classConfig.name }}: - hostDir: {{ $classConfig.hostDir }} - mountDir: {{ if $classConfig.mountDir }} {{- $classConfig.mountDir -}} {{ else }} {{- $classConfig.hostDir -}} {{ end }} - {{- if $classConfig.blockCleanerCommand }} - blockCleanerCommand: - {{- range $val := $classConfig.blockCleanerCommand }} - - "{{ $val -}}"{{- end}} - {{- end }} - {{- if $classConfig.volumeMode }} - volumeMode: {{ $classConfig.volumeMode }} - {{- end }} - {{- if $classConfig.fsType }} - fsType: {{ $classConfig.fsType }} - {{- end }} - {{- if $classConfig.namePattern }} - namePattern: "{{ $classConfig.namePattern }}" - {{- end }} - {{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/daemonset.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/daemonset.yaml deleted file mode 100644 index 5bc9e50..0000000 
--- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/daemonset.yaml
+++ /dev/null
@@ -1,93 +0,0 @@ ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: {{ include "provisioner.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -spec: - selector: - matchLabels: - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - serviceAccountName: {{ template "provisioner.serviceAccountName" . }} -{{- if .Values.daemonset.priorityClassName }} - priorityClassName: {{.Values.daemonset.priorityClassName}} -{{- end }} -{{- if .Values.daemonset.nodeSelector }} - nodeSelector: -{{ .Values.daemonset.nodeSelector | toYaml | trim | indent 8 }} -{{- end }} -{{- if .Values.daemonset.tolerations }} - tolerations: -{{ .Values.daemonset.tolerations | toYaml | trim | indent 8 }} -{{- end }} -{{- if .Values.daemonset.affinity }} - affinity: -{{ .Values.daemonset.affinity | toYaml | trim | indent 8 }} -{{- end }} - containers: - - image: "{{ .Values.daemonset.image }}" - {{- if .Values.daemonset.imagePullPolicy }} - imagePullPolicy: {{ .Values.daemonset.imagePullPolicy | quote }} - {{- end }} - name: provisioner - securityContext: - privileged: true -{{- if .Values.daemonset.resources }} - resources: -{{ .Values.daemonset.resources | toYaml | trim | indent 12 }} -{{- end }} - env: - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: MY_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: JOB_CONTAINER_IMAGE - value: "{{ .Values.daemonset.image }}" - {{- if .Values.daemonset.kubeConfigEnv }} - - name: KUBECONFIG - value: {{.Values.daemonset.kubeConfigEnv}} - {{- end }} - {{- 
if .Values.serviceMonitor.enabled }} - ports: - - containerPort: 8080 - name: metrics - {{- end }} - volumeMounts: - - mountPath: /etc/provisioner/config - name: provisioner-config - readOnly: true - - mountPath: /dev - name: provisioner-dev - {{- range $classConfig := .Values.classes }} - - mountPath: {{ if $classConfig.mountDir }} {{- $classConfig.mountDir -}} {{ else }} {{- $classConfig.hostDir -}} {{ end }} - name: {{ $classConfig.name }} - mountPropagation: "HostToContainer" - {{- end }} - volumes: - - name: provisioner-config - configMap: - name: {{ template "provisioner.fullname" . }}-config - - name: provisioner-dev - hostPath: - path: /dev - {{- range $classConfig := .Values.classes }} - - name: {{ $classConfig.name }} - hostPath: - path: {{ $classConfig.hostDir }} - {{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/psp.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/psp.yaml deleted file mode 100644 index 1f2da62..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/psp.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{- if .Values.common.rbac.pspEnabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "provisioner.fullname" . }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -spec: - allowPrivilegeEscalation: true - allowedHostPaths: - - pathPrefix: /dev - {{- range $classConfig := .Values.classes }} - - pathPrefix: {{ $classConfig.hostDir }} - {{- end }} - fsGroup: - rule: RunAsAny - privileged: true - requiredDropCapabilities: - - ALL - runAsUser: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - configMap - - secret - - hostPath -{{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/rbac.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/rbac.yaml deleted file mode 100644 index bd4c980..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/rbac.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -{{- if .Values.common.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "provisioner.fullname" . }}-pv-binding - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -subjects: -- kind: ServiceAccount - name: {{ template "provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: system:persistent-volume-provisioner - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "provisioner.fullname" . }}-node-clusterrole - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -rules: -- apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "provisioner.fullname" . }}-node-binding - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -subjects: -- kind: ServiceAccount - name: {{ template "provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ template "provisioner.fullname" . }}-node-clusterrole - apiGroup: rbac.authorization.k8s.io -{{- if .Values.common.useJobForCleaning }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "provisioner.fullname" . 
}}-jobs-role - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -rules: -- apiGroups: - - 'batch' - resources: - - jobs - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "provisioner.fullname" . }}-jobs-rolebinding - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -subjects: -- kind: ServiceAccount - name: {{ template "provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ template "provisioner.fullname" . }}-jobs-role - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- if .Values.common.rbac.pspEnabled }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "provisioner.fullname" . }}-psp-role - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -rules: -- apiGroups: - - policy - resources: - - podsecuritypolicies - resourceNames: - - {{ template "provisioner.fullname" . }} - verbs: - - use ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "provisioner.fullname" . }}-psp-rolebinding - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . 
}} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -subjects: -- kind: ServiceAccount - name: {{ template "provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ template "provisioner.fullname" . }}-psp-role - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/serviceaccount.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/serviceaccount.yaml deleted file mode 100644 index 1994168..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.common.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "provisioner.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/servicemonitor.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/servicemonitor.yaml deleted file mode 100644 index 89c6953..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -{{- if .Values.serviceMonitor.enabled }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "provisioner.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -spec: - type: ClusterIP - ports: - - port: 8080 - targetPort: 8080 - name: metrics - selector: - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "provisioner.fullname" . }} - namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }} - labels: - helm.sh/chart: {{ template "provisioner.chart" . }} - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- range $k, $v := .Values.serviceMonitor.additionalLabels }} - {{ $k }}: {{ $v | quote }} - {{- end }} -spec: - jobLabel: app.kubernetes.io/name - endpoints: - - port: metrics - interval: {{ .Values.serviceMonitor.interval }} - scheme: http -{{- if .Values.serviceMonitor.relabelings }} - relabelings: -{{ toYaml .Values.serviceMonitor.relabelings | indent 4 }} -{{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app.kubernetes.io/name: {{ template "provisioner.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/storageclass.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/storageclass.yaml deleted file mode 100644 index ce2f2ae..0000000 
--- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/templates/storageclass.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- $release := .Release }} -{{- $chart := .Chart }} -{{- range $val := .Values.classes }} -{{- if $val.storageClass }} ---- -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: {{ $val.name }} - {{- if kindIs "map" $val.storageClass }} - {{- if $val.storageClass.isDefaultClass }} - annotations: - storageclass.kubernetes.io/is-default-class: "true" - {{- end }} - {{- end }} - labels: - app.kubernetes.io/managed-by: {{ $release.Service | quote }} - app.kubernetes.io/instance: {{ $release.Name | quote }} - helm.sh/chart: {{ replace "+" "_" $chart.Version | printf "%s-%s" $chart.Name }} -provisioner: kubernetes.io/no-provisioner -volumeBindingMode: WaitForFirstConsumer -{{- if kindIs "map" $val.storageClass }} -reclaimPolicy: {{ $val.storageClass.reclaimPolicy | default "Delete" }} -{{- else }} -reclaimPolicy: Delete -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/values.yaml b/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/values.yaml deleted file mode 100644 index 13bed45..0000000 --- a/charts/kubezero-local-volume-provisioner/charts/local-static-provisioner/values.yaml +++ /dev/null 
@@ -1,162 +0,0 @@ -# -# Common options. -# -common: - # - # Defines whether to generate rbac roles - # - rbac: - # rbac.create: `true` if rbac resources should be created - create: true - # rbac.pspEnabled: `true` if PodSecurityPolicy resources should be created - pspEnabled: false - # - # Defines whether to generate a serviceAccount - # - serviceAccount: - # serviceAccount.create: Whether to create a service account or not - create: true - # serviceAccount.name: The name of the service account to create or use - name: "" - # - # Beta PV.NodeAffinity field is used by default. If running against pre-1.10 - # k8s version, the `useAlphaAPI` flag must be enabled in the configMap. - # - useAlphaAPI: false - # - # Indicates if PVs should be dependents of the owner Node. - # - setPVOwnerRef: false - # - # Provisioner clean volumes in process by default. If set to true, provisioner - # will use Jobs to clean. - # - useJobForCleaning: false - # - # Provisioner name contains Node.UID by default. If set to true, the provisioner - # name will only use Node.Name. - # - useNodeNameOnly: false - # - # Resync period in reflectors will be random between minResyncPeriod and - # 2*minResyncPeriod. Default: 5m0s. - # - #minResyncPeriod: 5m0s -# -# Configure storage classes. -# -classes: -- name: fast-disks # Defines name of storage classe. - # Path on the host where local volumes of this storage class are mounted - # under. - hostDir: /mnt/fast-disks - # Optionally specify mount path of local volumes. By default, we use same - # path as hostDir in container. - # mountDir: /mnt/fast-disks - # The volume mode of created PersistentVolume object. Default to Filesystem - # if not specified. - volumeMode: Filesystem - # Filesystem type to mount. - # It applies only when the source path is a block device, - # and desire volume mode is Filesystem. - # Must be a filesystem type supported by the host operating system. - fsType: ext4 - # File name pattern to discover. 
By default, discover all file names. - namePattern: "*" - blockCleanerCommand: - # Do a quick reset of the block device during its cleanup. - # - "/scripts/quick_reset.sh" - # or use dd to zero out block dev in two iterations by uncommenting these lines - # - "/scripts/dd_zero.sh" - # - "2" - # or run shred utility for 2 iteration.s - - "/scripts/shred.sh" - - "2" - # or blkdiscard utility by uncommenting the line below. - # - "/scripts/blkdiscard.sh" - # Uncomment to create storage class object with default configuration. - # storageClass: true - # Uncomment to create storage class object and configure it. - # storageClass: - # reclaimPolicy: Delete # Available reclaim policies: Delete/Retain, defaults: Delete. - # isDefaultClass: true # set as default class -# -# Configure DaemonSet for provisioner. -# -daemonset: - # - # Defines Provisioner's image name including container registry. - # - image: quay.io/external_storage/local-volume-provisioner:v2.3.4 - # - # Defines Image download policy, see kubernetes documentation for available values. - # - #imagePullPolicy: Always - # - # Defines a name of the Pod Priority Class to use with the Provisioner DaemonSet - # - # Note that if you want to make it critical, specify "system-cluster-critical" - # or "system-node-critical" and deploy in kube-system namespace. - # Ref: https://k8s.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical - # - #priorityClassName: system-node-critical - # If configured, nodeSelector will add a nodeSelector field to the DaemonSet PodSpec. - # - # NodeSelector constraint for local-volume-provisioner scheduling to nodes. - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - nodeSelector: {} - # - # If configured KubeConfigEnv will (optionally) specify the location of kubeconfig file on the node. 
- # kubeConfigEnv: KUBECONFIG - # - # List of node labels to be copied to the PVs created by the provisioner in a format: - # - # nodeLabels: - # - failure-domain.beta.kubernetes.io/zone - # - failure-domain.beta.kubernetes.io/region - # - # If configured, tolerations will add a toleration field to the DaemonSet PodSpec. - # - # Node tolerations for local-volume-provisioner scheduling to nodes with taints. - # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - tolerations: [] - # - # If configured, affinity will add a affinity filed to the DeamonSet PodSpec. - # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity - affinity: {} - # - # If configured, resources will set the requests/limits field to the Daemonset PodSpec. - # Ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - resources: {} - # limits: - # memory: "512Mi" - # cpu: "1000m" - # requests: - # memory: "32Mi" - # cpu: "10m" -# -# Configure Prometheus monitoring -# -serviceMonitor: - enabled: false - ## Interval at which Prometheus scrapes the provisioner - interval: 10s - # Namespace Prometheus is installed in defaults to release namespace - namespace: - ## Defaults to whats used if you follow CoreOS [Prometheus Install Instructions](https://github.com/coreos/prometheus-operator/tree/master/helm#tldr) - ## [Prometheus Selector Label](https://github.com/coreos/prometheus-operator/blob/master/helm/prometheus/templates/prometheus.yaml#L65) - ## [Kube Prometheus Selector Label](https://github.com/coreos/prometheus-operator/blob/master/helm/kube-prometheus/values.yaml#L298) - additionalLabels: {} - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - -# -# Overrice the default chartname or releasename -# -nameOverride: "" -fullnameOverride: "" 
diff --git a/charts/kubezero-local-volume-provisioner/templates/local-sc-xfs.yaml b/charts/kubezero-local-volume-provisioner/templates/local-sc-xfs.yaml deleted file mode 100644 index 86e9bdb..0000000 --- a/charts/kubezero-local-volume-provisioner/templates/local-sc-xfs.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: local-sc-xfs -provisioner: kubernetes.io/no-provisioner -volumeBindingMode: WaitForFirstConsumer -# Supported policies: Delete, Retain -reclaimPolicy: Delete diff --git a/charts/kubezero-local-volume-provisioner/update.sh b/charts/kubezero-local-volume-provisioner/update.sh deleted file mode 100755 index b933d2e..0000000 --- a/charts/kubezero-local-volume-provisioner/update.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -# get subchart until they have upstream repo - -rm -rf charts/local-volume-provisioner && mkdir -p charts/local-volume-provisioner - -git clone --depth=1 https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git -cp -r ./sig-storage-local-static-provisioner/helm/provisioner/* charts/local-volume-provisioner - -rm -rf sig-storage-local-static-provisioner diff --git a/charts/kubezero-local-volume-provisioner/values.yaml b/charts/kubezero-local-volume-provisioner/values.yaml deleted file mode 100644 index 7d60c09..0000000 --- a/charts/kubezero-local-volume-provisioner/values.yaml +++ /dev/null @@ -1,17 +0,0 @@ -local-static-provisioner: - common: - namespace: kube-system - classes: - - name: local-sc-xfs - hostDir: /mnt/disks - daemonset: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node.kubernetes.io/localVolumes - operator: Exists - prometheus: - operator: - enabled: false diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index 38c97ef..5b62cd7 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml 
@@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.6.5 -appVersion: 1.5.0 +version: 0.7.3 +appVersion: 1.6.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -19,13 +19,13 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: eck-operator - version: 1.5.0 + version: 1.6.0 # repository: https://helm.elastic.co condition: eck-operator.enabled - name: fluentd - version: 0.2.2 + version: 0.2.6 condition: fluentd.enabled - name: fluent-bit - version: 0.15.4 + version: 0.15.15 condition: fluent-bit.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 171c670..8ccdec5 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.6.5](https://img.shields.io/badge/Version-0.6.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square) +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack @@ -18,9 +18,9 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | fluent-bit | 0.15.4 | -| | fluentd | 0.2.2 | -| https://helm.elastic.co | eck-operator | 1.5.0 | +| | eck-operator | 1.6.0 | +| | fluent-bit | 0.15.14 | +| | fluentd | 0.2.6 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream 
@@ -105,12 +105,12 @@ Kubernetes: `>= 1.18.0` | fluentd.env[1].name | string | `"OUTPUT_PASSWORD"` | | | fluentd.env[1].valueFrom.secretKeyRef.key | string | `"elastic"` | | | fluentd.env[1].valueFrom.secretKeyRef.name | string | `"logging-es-elastic-user"` | | -| fluentd.fileConfigs."00_system.conf" | string | `"\n workers 2\n"` | | +| fluentd.fileConfigs."00_system.conf" | string | `"\n root_dir /var/log/fluentd\n # log_level debug\n workers 2\n"` | | | fluentd.fileConfigs."01_sources.conf" | string | `"\n @type http\n @label @KUBERNETES\n port 9880\n bind 0.0.0.0\n keepalive_timeout 30\n\n\n\n @type forward\n @label @KUBERNETES\n port 24224\n bind 0.0.0.0\n # skip_invalid_event true\n send_keepalive_packet true\n \n self_hostname \"#{ENV['HOSTNAME']}\"\n shared_key {{ .Values.shared_key }}\n \n"` | | | fluentd.fileConfigs."02_filters.conf" | string | `""` | | -| fluentd.fileConfigs."04_outputs.conf" | string | `""` | | +| fluentd.fileConfigs."04_outputs.conf" | string | `""` | | | fluentd.image.repository | string | `"fluent/fluentd-kubernetes-daemonset"` | | -| fluentd.image.tag | string | `"v1.12-debian-elasticsearch7-1"` | | +| fluentd.image.tag | string | `"v1-debian-elasticsearch"` | | | fluentd.istio.enabled | bool | `false` | | | fluentd.kind | string | `"Deployment"` | | | fluentd.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | | @@ -141,7 +141,7 @@ Kubernetes: `>= 1.18.0` | kibana.istio.enabled | bool | `false` | | | kibana.istio.gateway | string | `"istio-system/ingressgateway"` | | | kibana.istio.url | string | `""` | | -| version | string | `"7.11.1"` | | +| version | string | `"7.13.2"` | | ## Resources: diff --git a/charts/kubezero-logging/charts/eck-operator/Chart.yaml b/charts/kubezero-logging/charts/eck-operator/Chart.yaml index 5cd7a0d..36b05d3 100644 --- a/charts/kubezero-logging/charts/eck-operator/Chart.yaml +++ b/charts/kubezero-logging/charts/eck-operator/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.5.0 +appVersion: 1.6.0 description: 'A Helm chart for deploying the Elastic Cloud on Kubernetes (ECK) operator: the official Kubernetes operator for orchestrating Elasticsearch, Kibana, APM Server, Enterprise Search, and Beats.' home: https://github.com/elastic/cloud-on-k8s icon: https://helm.elastic.co/icons/eck.png @@ -17,4 +17,4 @@ maintainers: name: Elastic name: eck-operator type: application -version: 1.5.0 +version: 1.6.0 diff --git a/charts/kubezero-logging/charts/eck-operator/crds/all-crds.yaml b/charts/kubezero-logging/charts/eck-operator/crds/all-crds.yaml index 5e41c56..0dbf2a9 100644 --- a/charts/kubezero-logging/charts/eck-operator/crds/all-crds.yaml +++ b/charts/kubezero-logging/charts/eck-operator/crds/all-crds.yaml @@ -10,8 +10,8 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: agents.agent.k8s.elastic.co spec: additionalPrinterColumns: @@ -191,6 +191,13 @@ spec: type: string outputName: type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes + service which will be used to make requests to the referenced + object. It has to be in the same namespace as the referenced + resource. If left empty the default HTTP service of the referenced + resource will be used. + type: string required: - name type: object @@ -239,7 +246,7 @@ spec: type: array serviceAccountName: description: ServiceAccountName is used to check access from the current - resource to a Elasticsearch resource in a different namespace. Can + resource to an Elasticsearch resource in a different namespace. Can only be used if ECK is enforcing RBAC on references. type: string version: 
@@ -297,8 +304,8 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: apmservers.apm.k8s.elastic.co spec: additionalPrinterColumns: @@ -366,6 +373,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object @@ -757,6 +771,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object @@ -873,8 +894,8 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: beats.beat.k8s.elastic.co spec: additionalPrinterColumns: 
@@ -1055,6 +1076,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object @@ -1074,6 +1102,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object 
@@ -1182,8 +1217,535 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' + name: elasticmapsservers.maps.k8s.elastic.co +spec: + additionalPrinterColumns: + - JSONPath: .status.health + name: health + type: string + - JSONPath: .status.availableNodes + description: Available nodes + name: nodes + type: integer + - JSONPath: .status.version + description: ElasticMapsServer version + name: version + type: string + - JSONPath: .metadata.creationTimestamp + name: age + type: date + group: maps.k8s.elastic.co + names: + categories: + - elastic + kind: ElasticMapsServer + listKind: ElasticMapsServerList + plural: elasticmapsservers + shortNames: + - ems + singular: elasticmapsserver + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: ElasticMapsServer represents an Elastic Map Server resource in + a Kubernetes cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MapsSpec holds the specification of an Elastic Maps Server + instance. 
+ properties: + config: + description: 'Config holds the ElasticMapsServer configuration. See: + https://www.elastic.co/guide/en/kibana/current/maps-connect-to-ems.html#elastic-maps-server-configuration' + type: object + configRef: + description: ConfigRef contains a reference to an existing Kubernetes + Secret holding the Elastic Maps Server configuration. Configuration + settings are merged and have precedence over settings specified in + `config`. + properties: + secretName: + description: SecretName is the name of the secret. + type: string + type: object + count: + description: Count of Elastic Maps Server instances to deploy. + format: int32 + type: integer + elasticsearchRef: + description: ElasticsearchRef is a reference to an Elasticsearch cluster + running in the same Kubernetes cluster. + properties: + name: + description: Name of the Kubernetes object. + type: string + namespace: + description: Namespace of the Kubernetes object. If empty, defaults + to the current namespace. + type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string + required: + - name + type: object + http: + description: HTTP holds the HTTP layer configuration for Elastic Maps + Server. + properties: + service: + description: Service defines the template for the associated Kubernetes + Service object. + properties: + metadata: + description: ObjectMeta is the metadata of the service. The + name and namespace provided here are managed by ECK and will + be ignored. + type: object + spec: + description: Spec is the specification of the service. 
+ properties: + allocateLoadBalancerNodePorts: + description: allocateLoadBalancerNodePorts defines if NodePorts + will be automatically allocated for services with type + LoadBalancer. Default is "true". It may be set to "false" + if the cluster load-balancer does not rely on NodePorts. + allocateLoadBalancerNodePorts may only be set for services + with type LoadBalancer and will be cleared if the type + is changed to any other type. This field is alpha-level + and is only honored by servers that enable the ServiceLBNodePortControl + feature. + type: boolean + clusterIP: + description: 'clusterIP is the IP address of the service + and is usually assigned randomly. If an address is specified + manually, is in-range (as per system configuration), and + is not in use, it will be allocated to the service; otherwise + creation of the service will fail. This field may not + be changed through updates unless the type field is also + being changed to ExternalName (which requires this field + to be blank) or the type field is being changed from ExternalName + (in which case this field may optionally be specified, + as describe above). Valid values are "None", empty string + (""), or a valid IP address. Setting this to "None" makes + a "headless service" (no virtual IP), which is useful + when direct endpoint connections are preferred and proxying + is not required. Only applies to types ClusterIP, NodePort, + and LoadBalancer. If this field is specified when creating + a Service of type ExternalName, creation will fail. This + field will be wiped when updating a Service to type ExternalName. + More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + clusterIPs: + description: "ClusterIPs is a list of IP addresses assigned + to this service, and are usually assigned randomly. 
If + an address is specified manually, is in-range (as per + system configuration), and is not in use, it will be allocated + to the service; otherwise creation of the service will + fail. This field may not be changed through updates unless + the type field is also being changed to ExternalName (which + requires this field to be empty) or the type field is + being changed from ExternalName (in which case this field + may optionally be specified, as describe above). Valid + values are \"None\", empty string (\"\"), or a valid IP + address. Setting this to \"None\" makes a \"headless + service\" (no virtual IP), which is useful when direct + endpoint connections are preferred and proxying is not + required. Only applies to types ClusterIP, NodePort, + and LoadBalancer. If this field is specified when creating + a Service of type ExternalName, creation will fail. This + field will be wiped when updating a Service to type ExternalName. + \ If this field is not specified, it will be initialized + from the clusterIP field. If this field is specified, + clients must ensure that clusterIPs[0] and clusterIP have + the same value. \n Unless the \"IPv6DualStack\" feature + gate is enabled, this field is limited to one value, which + must be the same as the clusterIP field. If the feature + gate is enabled, this field may hold a maximum of two + entries (dual-stack IPs, in either order). These IPs + must correspond to the values of the ipFamilies field. + Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy + field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies" + items: + type: string + type: array + externalIPs: + description: externalIPs is a list of IP addresses for which + nodes in the cluster will also accept traffic for this + service. These IPs are not managed by Kubernetes. The + user is responsible for ensuring that traffic arrives + at a node with this IP. 
A common example is external + load-balancers that are not part of the Kubernetes system. + items: + type: string + type: array + externalName: + description: externalName is the external reference that + discovery mechanisms will return as an alias for this + service (e.g. a DNS CNAME record). No proxying will be + involved. Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) + and requires Type to be + type: string + externalTrafficPolicy: + description: externalTrafficPolicy denotes if this Service + desires to route external traffic to node-local or cluster-wide + endpoints. "Local" preserves the client source IP and + avoids a second hop for LoadBalancer and Nodeport type + services, but risks potentially imbalanced traffic spreading. + "Cluster" obscures the client source IP and may cause + a second hop to another node, but should have good overall + load-spreading. + type: string + healthCheckNodePort: + description: healthCheckNodePort specifies the healthcheck + nodePort for the service. This only applies when type + is set to LoadBalancer and externalTrafficPolicy is set + to Local. If a value is specified, is in-range, and is + not in use, it will be used. If not specified, a value + will be automatically allocated. External systems (e.g. + load-balancers) can use this port to determine if a given + node holds endpoints for this service or not. If this + field is specified when creating a Service which does + not need it, creation will fail. This field will be wiped + when updating a Service to no longer need it (e.g. changing + type). + format: int32 + type: integer + ipFamilies: + description: "IPFamilies is a list of IP families (e.g. + IPv4, IPv6) assigned to this service, and is gated by + the \"IPv6DualStack\" feature gate. This field is usually + assigned automatically based on cluster configuration + and the ipFamilyPolicy field. 
If this field is specified + manually, the requested family is available in the cluster, + and ipFamilyPolicy allows it, it will be used; otherwise + creation of the service will fail. This field is conditionally + mutable: it allows for adding or removing a secondary + IP family, but it does not allow changing the primary + IP family of the Service. Valid values are \"IPv4\" and + \"IPv6\". This field only applies to Services of types + ClusterIP, NodePort, and LoadBalancer, and does apply + to \"headless\" services. This field will be wiped when + updating a Service to type ExternalName. \n This field + may hold a maximum of two entries (dual-stack families, + in either order). These families must correspond to the + values of the clusterIPs field, if specified. Both clusterIPs + and ipFamilies are governed by the ipFamilyPolicy field." + items: + description: IPFamily represents the IP Family (IPv4 or + IPv6). This type is used to express the family of an + IP expressed by a type (e.g. service.spec.ipFamilies). + type: string + type: array + ipFamilyPolicy: + description: IPFamilyPolicy represents the dual-stack-ness + requested or required by this Service, and is gated by + the "IPv6DualStack" feature gate. If there is no value + provided, then this field will be set to SingleStack. + Services can be "SingleStack" (a single IP family), "PreferDualStack" + (two IP families on dual-stack configured clusters or + a single IP family on single-stack clusters), or "RequireDualStack" + (two IP families on dual-stack configured clusters, otherwise + fail). The ipFamilies and clusterIPs fields depend on + the value of this field. This field will be wiped when + updating a service to type ExternalName. + type: string + loadBalancerIP: + description: 'Only applies to Service Type: LoadBalancer + LoadBalancer will get created with the IP specified in + this field. 
This feature depends on whether the underlying + cloud-provider supports specifying the loadBalancerIP + when a load balancer is created. This field will be ignored + if the cloud-provider does not support the feature.' + type: string + loadBalancerSourceRanges: + description: 'If specified and supported by the platform, + this will restrict traffic through the cloud-provider + load-balancer will be restricted to the specified client + IPs. This field will be ignored if the cloud-provider + does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/' + items: + type: string + type: array + ports: + description: 'The list of ports that are exposed by this + service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + items: + description: ServicePort contains information on service's + port. + properties: + appProtocol: + description: The application protocol for this port. + This field follows standard Kubernetes label syntax. + Un-prefixed names are reserved for IANA standard + service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). + Non-standard protocols should use prefixed names + such as mycompany.com/my-custom-protocol. This is + a beta field that is guarded by the ServiceAppProtocol + feature gate and enabled by default. + type: string + name: + description: The name of this port within the service. + This must be a DNS_LABEL. All ports within a ServiceSpec + must have unique names. When considering the endpoints + for a Service, this must match the 'name' field + in the EndpointPort. Optional if only one ServicePort + is defined on this service. + type: string + nodePort: + description: 'The port on each node on which this + service is exposed when type is NodePort or LoadBalancer. Usually + assigned by the system. 
If a value is specified, + in-range, and not in use it will be used, otherwise + the operation will fail. If not specified, a port + will be allocated if this Service requires one. If + this field is specified when creating a Service + which does not need it, creation will fail. This + field will be wiped when updating a Service to no + longer need it (e.g. changing type from NodePort + to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport' + format: int32 + type: integer + port: + description: The port that will be exposed by this + service. + format: int32 + type: integer + protocol: + description: The IP protocol for this port. Supports + "TCP", "UDP", and "SCTP". Default is TCP. + type: string + targetPort: + anyOf: + - type: integer + - type: string + description: 'Number or name of the port to access + on the pods targeted by the service. Number must + be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + If this is a string, it will be looked up as a named + port in the target Pod''s container ports. If this + is not specified, the value of the ''port'' field + is used (an identity map). This field is ignored + for services with clusterIP=None, and should be + omitted or set equal to the ''port'' field. More + info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service' + required: + - port + type: object + type: array + publishNotReadyAddresses: + description: publishNotReadyAddresses indicates that any + agent which deals with endpoints for this Service should + disregard any indications of ready/not-ready. The primary + use case for setting this field is for a StatefulSet's + Headless Service to propagate SRV DNS records for its + Pods for the purpose of peer discovery. The Kubernetes + controllers that generate Endpoints and EndpointSlice + resources for Services interpret this to mean that all + endpoints are considered "ready" even if the Pods themselves + are not. 
Agents which consume only Kubernetes generated + endpoints through the Endpoints or EndpointSlice resources + can safely assume this behavior. + type: boolean + selector: + additionalProperties: + type: string + description: 'Route service traffic to pods with label keys + and values matching this selector. If empty or not present, + the service is assumed to have an external process managing + its endpoints, which Kubernetes will not modify. Only + applies to types ClusterIP, NodePort, and LoadBalancer. + Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/' + type: object + sessionAffinity: + description: 'Supports "ClientIP" and "None". Used to maintain + session affinity. Enable client IP based session affinity. + Must be ClientIP or None. Defaults to None. More info: + https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies' + type: string + sessionAffinityConfig: + description: sessionAffinityConfig contains the configurations + of session affinity. + properties: + clientIP: + description: clientIP contains the configurations of + Client IP based session affinity. + properties: + timeoutSeconds: + description: timeoutSeconds specifies the seconds + of ClientIP type session sticky time. The value + must be >0 && <=86400(for 1 day) if ServiceAffinity + == "ClientIP". Default value is 10800(for 3 hours). + format: int32 + type: integer + type: object + type: object + topologyKeys: + description: topologyKeys is a preference-order list of + topology keys which implementations of services should + use to preferentially sort endpoints when accessing this + Service, it can not be used at the same time as externalTrafficPolicy=Local. + Topology keys must be valid label keys and at most 16 + keys may be specified. Endpoints are chosen based on the + first topology key with available backends. 
If this field + is specified and all entries have no backends that match + the topology of the client, the service has no backends + for that client and connections should fail. The special + value "*" may be used to mean "any topology". This catch-all + value, if used, only makes sense as the last value in + the list. If this is not specified or empty, no topology + constraints will be applied. This field is alpha-level + and is only honored by servers that enable the ServiceTopology + feature. + items: + type: string + type: array + type: + description: 'type determines how the Service is exposed. + Defaults to ClusterIP. Valid options are ExternalName, + ClusterIP, NodePort, and LoadBalancer. "ClusterIP" allocates + a cluster-internal IP address for load-balancing to endpoints. + Endpoints are determined by the selector or if that is + not specified, by manual construction of an Endpoints + object or EndpointSlice objects. If clusterIP is "None", + no virtual IP is allocated and the endpoints are published + as a set of endpoints rather than a virtual IP. "NodePort" + builds on ClusterIP and allocates a port on every node + which routes to the same endpoints as the clusterIP. "LoadBalancer" + builds on NodePort and creates an external load-balancer + (if supported in the current cloud) which routes to the + same endpoints as the clusterIP. "ExternalName" aliases + this service to the specified externalName. Several other + fields do not apply to ExternalName services. More info: + https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types' + type: string + type: object + type: object + tls: + description: TLS defines options for configuring TLS for HTTP. + properties: + certificate: + description: "Certificate is a reference to a Kubernetes secret + that contains the certificate and private key for enabling + TLS. The referenced secret should contain the following: \n + - `ca.crt`: The certificate authority (optional). 
- `tls.crt`: + The certificate (or a chain). - `tls.key`: The private key + to the first certificate in the certificate chain." + properties: + secretName: + description: SecretName is the name of the secret. + type: string + type: object + selfSignedCertificate: + description: SelfSignedCertificate allows configuring the self-signed + certificate generated by the operator. + properties: + disabled: + description: Disabled indicates that the provisioning of + the self-signed certifcate should be disabled. + type: boolean + subjectAltNames: + description: SubjectAlternativeNames is a list of SANs to + include in the generated HTTP TLS certificate. + items: + description: SubjectAlternativeName represents a SAN entry + in a x509 certificate. + properties: + dns: + description: DNS is the DNS name of the subject. + type: string + ip: + description: IP is the IP address of the subject. + type: string + type: object + type: array + type: object + type: object + type: object + image: + description: Image is the Elastic Maps Server Docker image to deploy. + type: string + podTemplate: + description: PodTemplate provides customisation options (labels, annotations, + affinity rules, resource requests, and so on) for the Elastic Maps + Server pods + type: object + serviceAccountName: + description: ServiceAccountName is used to check access from the current + resource to a resource (eg. Elasticsearch) in a different namespace. + Can only be used if ECK is enforcing RBAC on references. + type: string + version: + description: Version of Elastic Maps Server. + type: string + required: + - version + type: object + status: + description: MapsStatus defines the observed state of Elastic Maps Server + properties: + associationStatus: + description: AssociationStatus is the status of an association resource. + type: string + availableNodes: + description: AvailableNodes is the number of available replicas in the + deployment. 
+ format: int32 + type: integer + health: + description: Health of the deployment. + type: string + version: + description: 'Version of the stack resource currently running. During + version upgrades, multiple versions may run in parallel: this value + specifies the lowest version currently running.' + type: string + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: eck-operator-crds/templates/all-crds.yaml +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + creationTimestamp: null + labels: + app.kubernetes.io/instance: 'logging' + app.kubernetes.io/managed-by: 'Helm' + app.kubernetes.io/name: 'eck-operator-crds' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: elasticsearches.elasticsearch.k8s.elastic.co spec: additionalPrinterColumns: @@ -1985,6 +2547,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes + service which will be used to make requests to the referenced + object. It has to be in the same namespace as the referenced + resource. If left empty the default HTTP service of the + referenced resource will be used. + type: string required: - name type: object @@ -2478,8 +3047,8 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: enterprisesearches.enterprisesearch.k8s.elastic.co spec: additionalPrinterColumns: 
@@ -2558,6 +3127,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object @@ -3002,8 +3578,8 @@ metadata: app.kubernetes.io/instance: 'logging' app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '1.5.0' - helm.sh/chart: 'eck-operator-crds-1.5.0' + app.kubernetes.io/version: '1.6.0' + helm.sh/chart: 'eck-operator-crds-1.6.0' name: kibanas.kibana.k8s.elastic.co spec: additionalPrinterColumns: @@ -3071,6 +3647,13 @@ spec: description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. type: string + serviceName: + description: ServiceName is the name of an existing Kubernetes service + which will be used to make requests to the referenced object. + It has to be in the same namespace as the referenced resource. + If left empty the default HTTP service of the referenced resource + will be used. + type: string required: - name type: object diff --git a/charts/kubezero-logging/charts/eck-operator/templates/_helpers.tpl b/charts/kubezero-logging/charts/eck-operator/templates/_helpers.tpl index 3ba51a6..25b20ed 100644 --- a/charts/kubezero-logging/charts/eck-operator/templates/_helpers.tpl +++ b/charts/kubezero-logging/charts/eck-operator/templates/_helpers.tpl 
@@ -303,6 +303,20 @@ RBAC permissions
 - update
 - patch
 - delete
+- apiGroups:
+ - maps.k8s.elastic.co
+ resources:
+ - elasticmapsservers
+ - elasticmapsservers/status
+ - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
 {{- end -}}
 
 {{/*
diff --git a/charts/kubezero-logging/charts/eck-operator/templates/cluster-roles.yaml b/charts/kubezero-logging/charts/eck-operator/templates/cluster-roles.yaml
index 2fd7b49..342792f 100644
--- a/charts/kubezero-logging/charts/eck-operator/templates/cluster-roles.yaml
+++ b/charts/kubezero-logging/charts/eck-operator/templates/cluster-roles.yaml
@@ -35,6 +35,12 @@ rules:
 - apiGroups: ["beat.k8s.elastic.co"]
 resources: ["beats"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: ["agent.k8s.elastic.co"]
+ resources: ["agents"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["maps.k8s.elastic.co"]
+ resources: ["elasticmapsservers"]
+ verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -60,4 +66,10 @@ rules:
 - apiGroups: ["beat.k8s.elastic.co"]
 resources: ["beats"]
 verbs: ["create", "delete", "deletecollection", "patch", "update"]
+ - apiGroups: ["agent.k8s.elastic.co"]
+ resources: ["agents"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
+ - apiGroups: ["maps.k8s.elastic.co"]
+ resources: ["elasticmapsservers"]
+ verbs: ["create", "delete", "deletecollection", "patch", "update"]
 {{- end -}}
diff --git a/charts/kubezero-logging/charts/eck-operator/templates/operator-namespace.yaml b/charts/kubezero-logging/charts/eck-operator/templates/operator-namespace.yaml
index 1061cdf..c3841f8 100644
--- a/charts/kubezero-logging/charts/eck-operator/templates/operator-namespace.yaml
+++ b/charts/kubezero-logging/charts/eck-operator/templates/operator-namespace.yaml
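Review bot: The operator rule added here covers only the `maps.k8s.elastic.co` group, whereas the aggregated roles in cluster-roles.yaml in this same diff add both `agent.k8s.elastic.co` and `maps.k8s.elastic.co`; presumably the operator already holds the agents group above line 303, but that is outside the hunk and worth confirming, because an operator missing a group cannot reconcile resources the user-facing roles now let people create. The rule's only explanation is the trailing comment on the finalizers subresource; a one-line header on the new block, `# ElasticMapsServer resources, shipped with the ECK 1.6.0 CRDs`, would tell the next upstream-bump reviewer why this grant exists and what to compare it against.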
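Review bot: The second hunk (`@@ -60,4 +66,10 @@`) grants `create`, `delete`, `deletecollection`, `patch` and `update` on `agents` and `elasticmapsservers` with no read verbs, mirroring the existing `beats` entry; that is only sound if this ClusterRole is aggregated together with the read-only role from the first hunk, and the role metadata that would confirm it lies outside both hunks. A subject bound to the write role alone could mutate Elastic resources it cannot list, which is awkward to reason about in a least-privilege review. A comment above the rules, `# write verbs only; read access is provided by the aggregated view role above`, would record that dependency in the file.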
@@ -6,5 +6,4 @@ metadata: name: {{ .Release.Namespace }} labels: name: {{ .Release.Namespace }} - {{- include "eck-operator.labels" $ | nindent 4 }} {{- end -}} diff --git a/charts/kubezero-logging/charts/eck-operator/templates/podMonitor.yaml b/charts/kubezero-logging/charts/eck-operator/templates/podMonitor.yaml new file mode 100644 index 0000000..54a5966 --- /dev/null +++ b/charts/kubezero-logging/charts/eck-operator/templates/podMonitor.yaml @@ -0,0 +1,36 @@ +{{- $metricsPort := int .Values.config.metricsPort -}} +{{- if and .Values.podMonitor.enabled (gt $metricsPort 0) }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "eck-operator.fullname" . }} + namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (empty .Values.podMonitor.namespace)) }} + labels: {{- include "eck-operator.labels" . | nindent 4 }} + {{- if .Values.podMonitor.labels }} + {{- toYaml .Values.podMonitor.labels | nindent 4 }} + {{- end }} + {{- with .Values.podMonitor.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.podMonitor.podTargetLabels }} + podTargetLabels: {{- toYaml . | nindent 4 }} + {{- end }} + podMetricsEndpoints: + - port: metrics + path: /metrics + {{- if .Values.podMonitor.interval }} + interval: {{ .Values.podMonitor.interval }} + {{- end }} + {{- if .Values.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.podMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.podMonitor.podMetricsEndpointConfig }} + {{- toYaml .Values.podMonitor.podMetricsEndpointConfig | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{- include "eck-operator.selectorLabels" . | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-logging/charts/eck-operator/templates/statefulset.yaml b/charts/kubezero-logging/charts/eck-operator/templates/statefulset.yaml index adb9889..6f60830 100644 
--- a/charts/kubezero-logging/charts/eck-operator/templates/statefulset.yaml +++ b/charts/kubezero-logging/charts/eck-operator/templates/statefulset.yaml @@ -1,3 +1,4 @@ +{{- $metricsPort := int .Values.config.metricsPort -}} --- apiVersion: apps/v1 kind: StatefulSet @@ -24,6 +25,9 @@ spec: {{- end }} labels: {{- include "eck-operator.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: terminationGracePeriodSeconds: 10 serviceAccountName: {{ include "eck-operator.serviceAccountName" . }} @@ -73,11 +77,18 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- if .Values.webhook.enabled }} + {{- if or (gt $metricsPort 0) .Values.webhook.enabled }} ports: + {{- if (gt $metricsPort 0) }} + - containerPort: {{ .Values.config.metricsPort }} + name: metrics + protocol: TCP + {{- end }} + {{- if .Values.webhook.enabled }} - containerPort: 9443 name: https-webhook protocol: TCP + {{- end }} {{- end }} volumeMounts: - mountPath: "/conf" diff --git a/charts/kubezero-logging/charts/eck-operator/values.yaml b/charts/kubezero-logging/charts/eck-operator/values.yaml index 5d43ff5..8091d6d 100644 --- a/charts/kubezero-logging/charts/eck-operator/values.yaml +++ b/charts/kubezero-logging/charts/eck-operator/values.yaml @@ -40,6 +40,9 @@ resources: # podAnnotations define the annotations that should be added to the operator pod. podAnnotations: {} +## podLabels define additional labels that should be added to the operator pod. +podLabels: {} + # podSecurityContext defines the pod security context for the operator pod. podSecurityContext: runAsNonRoot: true 
@@ -165,6 +168,37 @@ config: # Can be disabled if cluster-wide storage class RBAC access is not available. validateStorageClass: true +# Prometheus PodMonitor configuration +# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitor +podMonitor: + + # enabled determines whether a podMonitor should deployed to scrape the eck metrics. + # This requires the prometheus operator and the config.metricsPort not to be 0 + enabled: false + + # labels adds additional labels to the podMonitor + labels: {} + + # annotations adds additional annotations to the podMonitor + annotations: {} + + # namespace determines in which namespace the podMonitor will be deployed. + # If not set the podMonitor will be created in the namespace to release is installed into + # namespace: monitoring + + # interval specifies the interval at which metrics should be scraped + interval: 5m + + # scrapeTimeout specifies the timeout after which the scrape is ended + scrapeTimeout: 30s + + # podTargetLabels transfers labels on the Kubernetes Pod onto the target. + podTargetLabels: [] + + # podMetricsEndpointConfig allows to add an extended configuration to the podMonitor + podMetricsEndpointConfig: {} + # honorTimestamps: true + # Internal use only internal: # manifestGen specifies whether the chart is running under manifest generator. diff --git a/charts/kubezero-logging/charts/fluent-bit/Chart.yaml b/charts/kubezero-logging/charts/fluent-bit/Chart.yaml index 546461f..140229e 100644 --- a/charts/kubezero-logging/charts/fluent-bit/Chart.yaml +++ b/charts/kubezero-logging/charts/fluent-bit/Chart.yaml 
@@ -1,9 +1,10 @@ annotations: artifacthub.io/changes: | - - Upgrade fluent-bit image to v1.7.3 -apiVersion: v2 -appVersion: 1.7.3 -description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems. + - Upgrade fluent-bit image to v1.7.9 +apiVersion: v1 +appVersion: 1.7.9 +description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD + family operating systems. home: https://fluentbit.io/ icon: https://fluentbit.io/assets/img/logo1-default.png keywords: @@ -20,4 +21,4 @@ maintainers: name: fluent-bit sources: - https://github.com/fluent/fluent-bit/ -version: 0.15.4 +version: 0.15.15 diff --git a/charts/kubezero-logging/charts/fluent-bit/templates/_pod.tpl b/charts/kubezero-logging/charts/fluent-bit/templates/_pod.tpl index 8239767..3f13b47 100644 --- a/charts/kubezero-logging/charts/fluent-bit/templates/_pod.tpl +++ b/charts/kubezero-logging/charts/fluent-bit/templates/_pod.tpl @@ -13,8 +13,16 @@ securityContext: dnsConfig: {{- toYaml . | nindent 2 }} {{- end }} -#hostNetwork: true -#dnsPolicy: ClusterFirstWithHostNet +{{- with .Values.hostAliases }} +hostAliases: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if .Values.initContainers }} +initContainers: + {{- toYaml .Values.initContainers | nindent 2 }} +{{- end }} +hostNetwork: true +dnsPolicy: ClusterFirstWithHostNet containers: - name: {{ .Chart.Name }} securityContext: @@ -23,11 +31,11 @@ containers: imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.env }} env: - {{- toYaml .Values.env | nindent 4 }} + {{- toYaml .Values.env | nindent 6 }} {{- end }} {{- if .Values.envFrom }} envFrom: - {{- toYaml .Values.envFrom | nindent 4 }} + {{- toYaml .Values.envFrom | nindent 6 }} {{- end }} {{- if .Values.args }} args: diff --git a/charts/kubezero-logging/charts/fluent-bit/templates/clusterrole.yaml b/charts/kubezero-logging/charts/fluent-bit/templates/clusterrole.yaml index 9414222..818c5ee 100644 
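Review bot: `hostNetwork: true` and `dnsPolicy: ClusterFirstWithHostNet` in the `@@ -13,8 +13,16 @@` hunk of _pod.tpl are now emitted unconditionally, where the previous template kept both lines commented out, so every fluent-bit pod joins the node's network namespace with no values toggle to opt out. Gating the pair on a chart value, e.g. `{{- if .Values.hostNetwork }}` … `{{- end }}` (a new value whose default records whichever behaviour is intended), keeps the DaemonSet's network exposure a deliberate per-deployment choice rather than a hard-coded one. The same two lines are carried by the updated fluent-bit.patch hunk `@@ -21,6 +21,8 @@` later on this page, so the gate belongs there as well. The `nindent 4` to `nindent 6` correction for `env` and `envFrom` in the second hunk looks right, since both lists sit under the container item.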
--- a/charts/kubezero-logging/charts/fluent-bit/templates/clusterrole.yaml +++ b/charts/kubezero-logging/charts/fluent-bit/templates/clusterrole.yaml @@ -11,8 +11,8 @@ rules: resources: - pods - namespaces - #- nodes - #- nodes/proxy + - nodes + - nodes/proxy verbs: - get - list diff --git a/charts/kubezero-logging/charts/fluent-bit/templates/configmap-dashboards.yaml b/charts/kubezero-logging/charts/fluent-bit/templates/configmap-dashboards.yaml index 52cac5a..d2b212a 100644 --- a/charts/kubezero-logging/charts/fluent-bit/templates/configmap-dashboards.yaml +++ b/charts/kubezero-logging/charts/fluent-bit/templates/configmap-dashboards.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: dashboard-{{ trimSuffix ".json" (base $path) }} + name: {{ include "fluent-bit.fullname" $ }}-dashboard-{{ trimSuffix ".json" (base $path) }} {{- with $.Values.dashboards.annotations }} annotations: {{- toYaml . | nindent 4 -}} diff --git a/charts/kubezero-logging/charts/fluent-bit/values.yaml b/charts/kubezero-logging/charts/fluent-bit/values.yaml index 38b0033..5725ccf 100644 --- a/charts/kubezero-logging/charts/fluent-bit/values.yaml +++ b/charts/kubezero-logging/charts/fluent-bit/values.yaml @@ -47,6 +47,13 @@ dnsConfig: {} # - name: ndots # value: "2" # - name: edns0 + +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "foo.local" + # - "bar.local" + securityContext: {} # capabilities: @@ -261,3 +268,8 @@ daemonSetVolumeMounts: args: [] command: [] + +initContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] diff --git a/charts/kubezero-logging/charts/fluentd/Chart.yaml b/charts/kubezero-logging/charts/fluentd/Chart.yaml index 3fcba93..7a33e77 100644 --- a/charts/kubezero-logging/charts/fluentd/Chart.yaml +++ b/charts/kubezero-logging/charts/fluentd/Chart.yaml 
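Review bot: `nodes` and `nodes/proxy` are now granted `get`/`list`/`watch` in the fluent-bit ClusterRole, but the only consumer of that grant, the kubernetes filter's kubelet lookup, is still disabled (`#Use_Kubelet true` remains commented in the kubezero-logging values further down this page), so the service account carries a kubelet read path it does not use. Read access on `nodes/proxy` reaches the kubelet API of every node through the API server, which is broader than collecting from `/var/log/containers` requires. Consider gating the two resources on the same value that turns on `Use_Kubelet`, e.g. `{{- if .Values.config.useKubelet }}` … `{{- end }}` (a constructed value name; the chart does not define one yet), so the permission and the feature are switched together. The same grant is carried by the updated fluent-bit.patch hunk `@@ -11,6 +11,8 @@` later on this page.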
@@ -10,4 +10,4 @@ name: fluentd sources: - https://github.com/fluent/fluentd/ - https://github.com/fluent/fluentd-kubernetes-daemonset -version: 0.2.2 +version: 0.2.6 diff --git a/charts/kubezero-logging/charts/fluentd/templates/_pod.tpl b/charts/kubezero-logging/charts/fluentd/templates/_pod.tpl index 3961bb6..0cb10b0 100644 --- a/charts/kubezero-logging/charts/fluentd/templates/_pod.tpl +++ b/charts/kubezero-logging/charts/fluentd/templates/_pod.tpl @@ -44,13 +44,9 @@ containers: protocol: {{ $port.protocol }} {{- end }} livenessProbe: - httpGet: - path: /metrics - port: metrics + {{- toYaml .Values.livenessProbe | nindent 6 }} readinessProbe: - httpGet: - path: /metrics - port: metrics + {{- toYaml .Values.readinessProbe | nindent 6 }} resources: {{- toYaml .Values.resources | nindent 8 }} volumeMounts: diff --git a/charts/kubezero-logging/charts/fluentd/templates/configmap-dashboards.yaml b/charts/kubezero-logging/charts/fluentd/templates/configmap-dashboards.yaml index 862114e..ce047b0 100644 --- a/charts/kubezero-logging/charts/fluentd/templates/configmap-dashboards.yaml +++ b/charts/kubezero-logging/charts/fluentd/templates/configmap-dashboards.yaml @@ -4,6 +4,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: dashboard-{{ trimSuffix ".json" (base $path) }} + namespace: {{ $.Values.dashboards.namespace | default $.Release.Namespace }} labels: {{- include "fluentd.labels" $ | nindent 4 }} {{- range $key, $val := $.Values.dashboards.labels }} diff --git a/charts/kubezero-logging/charts/fluentd/templates/hpa.yaml b/charts/kubezero-logging/charts/fluentd/templates/hpa.yaml new file mode 100644 index 0000000..b2e8282 --- /dev/null +++ b/charts/kubezero-logging/charts/fluentd/templates/hpa.yaml 
@@ -0,0 +1,39 @@ +{{- if and ( eq .Values.kind "Deployment" ) .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fluentd.fullname" . }} + labels: + {{- include "fluentd.labels" . | nindent 4 }} +spec: + {{- if .Values.autoscaling.behavior }} + behavior: + {{- toYaml .Values.autoscaling.behavior | nindent 4 }} + {{- end }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fluentd.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.customRules -}} + {{- toYaml .Values.autoscaling.customRules | nindent 4}} + {{- end -}} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-logging/charts/fluentd/templates/prometheusrules.yaml b/charts/kubezero-logging/charts/fluentd/templates/prometheusrules.yaml index 961e6e7..26361b7 100644 --- a/charts/kubezero-logging/charts/fluentd/templates/prometheusrules.yaml +++ b/charts/kubezero-logging/charts/fluentd/templates/prometheusrules.yaml @@ -14,7 +14,8 @@ metadata: spec: {{- with .Values.metrics.prometheusRule.rules }} groups: - - name: {{ template "fluentd.fullname" . }} - rules: {{- toYaml . | nindent 4 }} + - name: {{ template "fluentd.fullname" $ }} + rules: + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} 
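Review bot: `metrics:` renders with nothing under it when `targetCPUUtilizationPercentage`, `targetMemoryUtilizationPercentage` and `customRules` are all unset, which YAML reads as `null`; if I recall the autoscaling/v2beta2 API correctly the controller then applies its default of 80% average CPU instead of rejecting the object, which is probably acceptable but deserves a line in values.yaml such as `# with no target or customRules set, the HPA falls back to the API default (80% average CPU)`. As a point of style, `{{- toYaml .Values.autoscaling.customRules | nindent 4}}` is missing the space before `}}` that every other action in this file uses, and the file ends without a trailing newline. The `kind` guard and the optional `behavior` block look right.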
diff --git a/charts/kubezero-logging/charts/fluentd/templates/servicemonitor.yaml b/charts/kubezero-logging/charts/fluentd/templates/servicemonitor.yaml index 4b542bd..521b6c5 100644 --- a/charts/kubezero-logging/charts/fluentd/templates/servicemonitor.yaml +++ b/charts/kubezero-logging/charts/fluentd/templates/servicemonitor.yaml @@ -12,6 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | default .Release.Name }} endpoints: - port: metrics path: /metrics @@ -21,6 +22,14 @@ spec: {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ . }} {{- end }} +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 6) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 6 }} +{{- end }} {{- if .Values.metrics.serviceMonitor.namespaceSelector }} namespaceSelector: {{ toYaml .Values.metrics.serviceMonitor.namespaceSelector | indent 4 -}} diff --git a/charts/kubezero-logging/charts/fluentd/values.yaml b/charts/kubezero-logging/charts/fluentd/values.yaml index a2e7b5e..06c1a27 100644 --- a/charts/kubezero-logging/charts/fluentd/values.yaml +++ b/charts/kubezero-logging/charts/fluentd/values.yaml 
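Review bot: `metricRelabelings` is rendered through `tpl`, so anything a values file puts there is evaluated as a Go template before it becomes YAML, while `relabelings` two lines below goes through `toYaml` only; the two lists should be handled the same way, and if template expansion of user-supplied relabel rules is intended it needs a note in values.yaml, e.g. `## metricRelabelings is rendered with tpl; {{ }} inside rule values is expanded as a template`. The `$1` in the sample rule is harmless under `tpl`, but a literal `{{` inside a regex would abort rendering. The `jobLabel` default to `.Release.Name` is a reasonable fallback.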
@@ -49,6 +49,30 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +# Congigure the livessProbe +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: /metrics + port: metrics + # initialDelaySeconds: 0 + # periodSeconds: 10 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 3 + +# Congigure the readinessProbe +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +readinessProbe: + httpGet: + path: /metrics + port: metrics + # initialDelaySeconds: 0 + # periodSeconds: 10 + # timeoutSeconds: 1 + # successThreshold: 1 + # failureThreshold: 3 + resources: {} # requests: # cpu: 10m @@ -56,6 +80,33 @@ resources: {} # limits: # memory: 128Mi +## only available if kind is Deployment +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + ## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + customRules: [] + # - type: Pods + # pods: + # metric: + # name: packets-per-second + # target: + # type: AverageValue + # averageValue: 1k + ## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-configurable-scaling-behavior + # behavior: + # scaleDown: + # policies: + # - type: Pods + # value: 4 + # periodSeconds: 60 + # - type: Percent + # value: 10 + # periodSeconds: 60 + # priorityClassName: "system-node-critical" nodeSelector: {} 
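Review bot: The two comment headers in the `@@ -49,6 +49,30 @@` hunk contain typos: `# Congigure the livessProbe` should read `# Configure the livenessProbe` and `# Congigure the readinessProbe` should read `# Configure the readinessProbe`. The probe bodies match what _pod.tpl previously hard-coded, so behaviour is unchanged for default values. The commented tuning keys beneath each probe are a helpful pointer to what can be overridden.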
@@ -138,6 +189,26 @@ metrics: release: prometheus-operator namespace: "" namespaceSelector: {} + ## metric relabel configs to apply to samples before ingestion. + ## + metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; + # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + # replacement: $1 + # action: drop + ## relabel configs to apply to samples after ingestion. + ## + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + ## Additional serviceMonitor config + ## + # jobLabel: fluentd # scrapeInterval: 30s # scrapeTimeout: 5s # honorLabels: true @@ -147,6 +218,24 @@ metrics: additionalLabels: {} namespace: "" rules: [] + # - alert: FluentdDown + # expr: up{job="fluentd"} == 0 + # for: 5m + # labels: + # context: fluentd + # severity: warning + # annotations: + # summary: "Fluentd Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + # - alert: FluentdScrapeMissing + # expr: absent(up{job="fluentd"} == 1) + # for: 15m + # labels: + # context: fluentd + # severity: warning + # annotations: + # summary: "Fluentd Scrape Missing" + # description: "Fluentd instance has disappeared from Prometheus target discovery" ## Grafana Monitoring Dashboard ## diff --git a/charts/kubezero-logging/fluent-bit.patch b/charts/kubezero-logging/fluent-bit.patch index c34ce1b..8698f25 100644 --- a/charts/kubezero-logging/fluent-bit.patch +++ b/charts/kubezero-logging/fluent-bit.patch 
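Review bot: The comment `## relabel configs to apply to samples after ingestion.` above `relabelings` is misleading if I recall the Prometheus semantics correctly: ServiceMonitor `relabelings` become `relabel_configs`, which rewrite target labels before a scrape, whereas `metricRelabelings` become `metric_relabel_configs` and act on samples before ingestion. Suggest `## relabel configs applied to discovered targets before scraping.` so the two headers are not near-duplicates pointing in the wrong direction. The commented `jobLabel` example matches the new default introduced in servicemonitor.yaml.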
@@ -1,42 +1,30 @@ -diff -tubrN charts/fluent-bit/Chart.yaml charts/fluent-bit.zdt/Chart.yaml ---- charts/fluent-bit/Chart.yaml 2021-04-06 13:55:48.000000000 +0200 -+++ charts/fluent-bit.zdt/Chart.yaml 2021-04-07 11:49:25.955685229 +0200 -@@ -1,7 +1,7 @@ - annotations: - artifacthub.io/changes: | - - Upgrade fluent-bit image to v1.7.3 --apiVersion: v1 -+apiVersion: v2 - appVersion: 1.7.3 - description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems. - home: https://fluentbit.io/ -diff -tubrN charts/fluent-bit/templates/_pod.tpl charts/fluent-bit.zdt/templates/_pod.tpl ---- charts/fluent-bit/templates/_pod.tpl 2021-04-06 13:55:48.000000000 +0200 -+++ charts/fluent-bit.zdt/templates/_pod.tpl 2021-04-07 11:53:45.609030378 +0200 -@@ -13,6 +13,8 @@ - dnsConfig: - {{- toYaml . | nindent 2 }} +diff -tubr charts/fluent-bit/templates/_pod.tpl charts/fluent-bit.zdt/templates/_pod.tpl +--- charts/fluent-bit/templates/_pod.tpl 2021-06-22 12:25:10.000000000 +0200 ++++ charts/fluent-bit.zdt/templates/_pod.tpl 2021-07-20 12:44:55.349873171 +0200 +@@ -21,6 +21,8 @@ + initContainers: + {{- toYaml .Values.initContainers | nindent 2 }} {{- end }} -+#hostNetwork: true -+#dnsPolicy: ClusterFirstWithHostNet ++hostNetwork: true ++dnsPolicy: ClusterFirstWithHostNet containers: - name: {{ .Chart.Name }} securityContext: -diff -tubrN charts/fluent-bit/templates/clusterrole.yaml charts/fluent-bit.zdt/templates/clusterrole.yaml ---- charts/fluent-bit/templates/clusterrole.yaml 2021-04-06 13:55:48.000000000 +0200 -+++ charts/fluent-bit.zdt/templates/clusterrole.yaml 2021-04-07 11:53:26.049029491 +0200 +diff -tubr charts/fluent-bit/templates/clusterrole.yaml charts/fluent-bit.zdt/templates/clusterrole.yaml +--- charts/fluent-bit/templates/clusterrole.yaml 2021-06-22 12:25:10.000000000 +0200 ++++ charts/fluent-bit.zdt/templates/clusterrole.yaml 2021-07-20 12:44:29.936278716 +0200 
@@ -11,6 +11,8 @@ resources: - pods - namespaces -+ #- nodes -+ #- nodes/proxy ++ - nodes ++ - nodes/proxy verbs: - get - list -diff -tubrN charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent-bit.zdt/templates/tests/test-connection.yaml ---- charts/fluent-bit/templates/tests/test-connection.yaml 2021-04-06 13:55:48.000000000 +0200 -+++ charts/fluent-bit.zdt/templates/tests/test-connection.yaml 2021-04-07 11:52:34.199027132 +0200 +diff -tubr charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent-bit.zdt/templates/tests/test-connection.yaml +--- charts/fluent-bit/templates/tests/test-connection.yaml 2021-06-22 12:25:10.000000000 +0200 ++++ charts/fluent-bit.zdt/templates/tests/test-connection.yaml 2021-05-17 12:09:02.724057438 +0200 @@ -1,3 +1,4 @@ +{{- if .Values.testFramework.enabled }} apiVersion: v1 @@ -47,9 +35,9 @@ diff -tubrN charts/fluent-bit/templates/tests/test-connection.yaml charts/fluent {{- end }} restartPolicy: Never +{{- end }} -diff -tubrN charts/fluent-bit/values.yaml charts/fluent-bit.zdt/values.yaml ---- charts/fluent-bit/values.yaml 2021-04-06 13:55:48.000000000 +0200 -+++ charts/fluent-bit.zdt/values.yaml 2021-04-07 11:52:54.742361399 +0200 +diff -tubr charts/fluent-bit/values.yaml charts/fluent-bit.zdt/values.yaml +--- charts/fluent-bit/values.yaml 2021-06-22 12:25:10.000000000 +0200 ++++ charts/fluent-bit.zdt/values.yaml 2021-07-19 10:23:01.383398153 +0200 @@ -12,6 +12,7 @@ # tag: diff --git a/charts/kubezero-logging/update.sh b/charts/kubezero-logging/update.sh index 9089e39..c81f4e5 100755 --- a/charts/kubezero-logging/update.sh +++ b/charts/kubezero-logging/update.sh 
@@ -1,10 +1,10 @@ #!/bin/bash -ECK_VERSION=1.5.0 -FLUENT_BIT_VERSION=0.15.4 -FLUENTD_VERSION=0.2.2 +ECK_VERSION=1.6.0 +FLUENT_BIT_VERSION=0.15.15 +FLUENTD_VERSION=0.2.6 -# fix ECK crds handling to adhere to proper helm v3 support which also fixes ArgoCD applyong updates on upgrades +# fix ECK crds handling to adhere to proper helm v3 support which also fixes ArgoCD applying updates on upgrades helm repo list | grep elastic -qc || { helm repo add elastic https://helm.elastic.co; helm repo update; } rm -rf charts/eck-operator && helm pull elastic/eck-operator --untar --untardir charts --version $ECK_VERSION diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 46515e3..f8afa01 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -11,7 +11,7 @@ eck-operator: node-role.kubernetes.io/master: "" # Version for ElasticSearch and Kibana have to match so we define it at top-level -version: 7.11.1 +version: 7.13.2 elastic_password: "" # super_secret_elastic_password @@ -46,7 +46,7 @@ fluentd: enabled: false image: repository: fluent/fluentd-kubernetes-daemonset - tag: v1.12-debian-elasticsearch7-1 + tag: v1-debian-elasticsearch istio: enabled: false @@ -120,7 +120,9 @@ fluentd: 00_system.conf: |- root_dir /var/log/fluentd - # log_level debug + log_level info + ignore_repeated_log_interval 60s + ignore_same_log_interval 60s workers 2 01_sources.conf: |- @@ -165,7 +167,7 @@ fluentd: @id out_es @type elasticsearch - @log_level info + # @log_level debug include_tag_key true id_key id remove_keys id 
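Review bot: `tag: v1-debian-elasticsearch` in the `@@ -46,7 +46,7 @@` hunk replaces the pinned `v1.12-debian-elasticsearch7-1` tag with a floating one, so a pod restart or a new node may pull a different fluentd build without any change in this repository, and the tag no longer states which Elasticsearch client major it targets. Pinning to a specific release tag, or to a digest such as `repository@sha256:<DIGEST_PLACEHOLDER>`, keeps deployments reproducible and lets the upgrade show up in review the way the `version: 7.13.2` bump above it does. The fluent-bit section of the same file gains an explicit `tag: 1.8.1` further down, so this is also an inconsistency within the chart.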
@@ -185,20 +187,26 @@ fluentd: reload_on_failure true request_timeout 60s suppress_type_name true - slow_flush_log_threshold 40.0 - # bulk_message_request_threshold 2097152 + slow_flush_log_threshold 55.0 + + # Retry failed bulk requests + # https://github.com/uken/fluent-plugin-elasticsearch#unrecoverable-error-types + unrecoverable_error_types ["out_of_memory_error"] + bulk_message_request_threshold 2097152 + + + @type file - - @type file_single - chunk_limit_size 16MB - total_limit_size 4GB flush_mode interval - flush_thread_count 2 - flush_interval 10s + flush_thread_count 1 + flush_interval 30s + + chunk_limit_size 8MB + total_limit_size 2GB + flush_at_shutdown true retry_type exponential_backoff - retry_timeout 2h - flush_thread_interval 30s + retry_timeout 6h overflow_action drop_oldest_chunk disable_chunk_backup true @@ -208,6 +216,9 @@ fluentd: fluent-bit: enabled: false + image: + tag: 1.8.1 + serviceMonitor: enabled: false selector: @@ -216,6 +227,9 @@ fluent-bit: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: kubezero-workergroup + effect: NoSchedule + operator: Exists resources: requests: @@ -234,7 +248,7 @@ fluent-bit: memBufLimit: 4MB refreshInterval: 10 - logLevel: warn + logLevel: info flushInterval: 5 #extraRecords: @@ -255,10 +269,12 @@ fluent-bit: Name tail Path /var/log/containers/*.log Parser cri-log + #multiline.parser cri Tag cri.* Skip_Long_Lines On DB /var/log/flb_kube.db DB.Sync Normal + DB.locking true {{- with .Values.config.input }} Mem_Buf_Limit {{ default "4MB" .memBufLimit }} Refresh_Interval {{ default 10 .refreshInterval }} @@ -280,8 +296,9 @@ fluent-bit: Keep_Log Off K8S-Logging.Parser Off K8S-Logging.Exclude Off + Kube_Meta_Cache_TTL 3600s + Buffer_Size 0 #Use_Kubelet true - #Kubelet_Port 10250 {{- if index .Values "config" "extraRecords" }} @@ -320,7 +337,7 @@ fluent-bit: [PARSER] Name cri-log Format regex - Regex ^(?
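Review bot: `Buffer_Size 0` added to the kubernetes filter in the `@@ -280,8 +296,9 @@` hunk removes the cap on the buffer fluent-bit uses for API-server responses, so pod metadata is never truncated but memory grows as needed; together with `Kube_Meta_Cache_TTL 3600s` this looks like a deliberate trade of memory for completeness and deserves a short comment, e.g. `# Buffer_Size 0: unlimited API response buffer, avoids truncated pod metadata`. `#Use_Kubelet true` stays commented out, so the node-level metadata path remains unused even though the fluent-bit ClusterRole earlier on this page now grants `nodes/proxy`. The `DB.locking true` addition to the tail input is a new tail option and could use a one-line comment stating why it was turned on.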