diff --git a/charts/clamav/README.md b/charts/clamav/README.md index 5eb4f03..0663abb 100644 --- a/charts/clamav/README.md +++ b/charts/clamav/README.md @@ -1,8 +1,8 @@ # clamav -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.104.0](https://img.shields.io/badge/AppVersion-0.104.0-informational?style=flat-square) +![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.104.0](https://img.shields.io/badge/AppVersion-0.104.0-informational?style=flat-square) -A Helm chart for deploying a Clamav on kubernetes +Chart for deploying a ClamavD on kubernetes as statfulSet **Homepage:** @@ -18,7 +18,7 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | ## Values @@ -32,11 +32,11 @@ Kubernetes: `>= 1.18.0` | clamav.limits.scanSize | int | `100` | The largest scan size permitted in clamav, in MB | | clamav.limits.sendBufTimeout | int | `500` | | | clamav.replicaCount | int | `1` | | -| clamav.resources | object | `{"limits":{"cpu":"1500m","ephemeral-storage":"1000M","memory":"2000M"},"requests":{"cpu":"300m","ephemeral-storage":"500M","memory":"1300M"}}` | The resource requests and limits for the clamav service | +| clamav.resources | object | `{"requests":{"cpu":"300m","memory":"1300M"}}` | The resource requests and limits for the clamav service | | clamav.version | string | `"unstable"` | The clamav docker image version - defaults to .Chart.appVersion | | fullnameOverride | string | `""` | override the full name of the clamav chart | | nameOverride | string | `""` | override the name of the clamav chart | | service.port | int | `3310` | The port to be used by the clamav service | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/charts/kubezero-addons/README.md b/charts/kubezero-addons/README.md index a2d8d63..96f64de 100644 --- a/charts/kubezero-addons/README.md +++ b/charts/kubezero-addons/README.md @@ -1,6 +1,6 @@ # kubezero-addons -![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.22.8](https://img.shields.io/badge/AppVersion-v1.22.8-informational?style=flat-square) KubeZero umbrella chart for various optional cluster addons @@ -10,7 +10,7 @@ KubeZero umbrella chart for various optional cluster addons | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,7 +18,8 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | aws-node-termination-handler | 0.16.0 | +| | aws-node-termination-handler | 0.18.0 | +| https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.7.1 | # MetalLB @@ -67,9 +68,28 @@ Create secret with the IAM user credential for ecr-renew to use, using the crede | clusterBackup.enabled | bool | `false` | | | clusterBackup.extraEnv | list | `[]` | | | clusterBackup.image.name | string | `"public.ecr.aws/zero-downtime/kubezero-admin"` | | -| clusterBackup.image.tag | string | `"v1.21.9"` | | | clusterBackup.password | string | `""` | | | clusterBackup.repository | string | `""` | | +| external-dns.enabled | bool | `false` | | +| external-dns.env[0] | object | `{"name":"AWS_ROLE_ARN","value":""}` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" | +| external-dns.env[1].name | string | `"AWS_WEB_IDENTITY_TOKEN_FILE"` | | +| external-dns.env[1].value | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/token"` | | +| external-dns.env[2].name | string | `"AWS_STS_REGIONAL_ENDPOINTS"` | | +| external-dns.env[2].value | string | `"regional"` | | +| external-dns.extraVolumeMounts[0].mountPath | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/"` | | +| external-dns.extraVolumeMounts[0].name | string | `"aws-token"` | | +| external-dns.extraVolumeMounts[0].readOnly | bool | `true` | | +| external-dns.extraVolumes[0].name | string | `"aws-token"` | | +| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.audience | string | `"sts.amazonaws.com"` | | +| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | | +| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | | +| external-dns.interval | string | `"3m"` | | +| external-dns.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | +| external-dns.provider | string | `"inmemory"` | | +| external-dns.sources[0] | string | `"service"` | | +| external-dns.tolerations[0].effect | string | `"NoSchedule"` | | +| external-dns.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| external-dns.triggerLoopOnEvent | bool | `true` | | | forseti.aws.iamRoleArn | string | `""` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" | | forseti.aws.region | string | `""` | | | forseti.enabled | bool | `false` | | diff --git a/charts/kubezero-argocd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml index c75d32e..b962e7b 100644 --- a/charts/kubezero-argocd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application name: kubezero-argocd -version: 0.9.6 +version: 0.10.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,6 +16,6 @@ dependencies: version: ">= 0.1.4" repository: https://cdn.zero-downtime.net/charts/ - name: argo-cd - version: 3.33.8 + version: 4.5.4 repository: https://argoproj.github.io/argo-helm kubeVersion: ">= 1.20.0" diff --git a/charts/kubezero-argocd/README.md b/charts/kubezero-argocd/README.md index b532773..5a6329c 100644 --- a/charts/kubezero-argocd/README.md +++ b/charts/kubezero-argocd/README.md @@ -1,6 +1,6 @@ # kubezero-argocd -![Version: 0.9.5](https://img.shields.io/badge/Version-0.9.5-informational?style=flat-square) +![Version: 0.10.1](https://img.shields.io/badge/Version-0.10.1-informational?style=flat-square) KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application @@ -10,7 +10,7 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,13 +18,14 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 3.32.1 | +| https://argoproj.github.io/argo-helm | argo-cd | 4.5.4 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| argo-cd.applicationSet.enabled | bool | `false` | | | argo-cd.configs.knownHosts.data.ssh_known_hosts | string | `"bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\ngitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=\ngitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf\ngitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9\ngit.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8YdJ4YcOK7A0K7qOWsRjCS+wHTStXRcwBe7gjG43HPSNijiCKoGf/c+tfNsRhyouawg7Law6M6ahmS/jKWBpznRIM+OdOFVSuhnK/nr6h6wG3/ZfdLicyAPvx1/STGY/Fc6/zXA88i/9PV+g84gSVmhf3fGY92wokiASiu9DU4T9dT1gIkdyOX6fbMi1/mMKLSrHnAQcjyasYDvw9ISCJ95EoSwbj7O4c+7jo9fxYvdCfZZZAEZGozTRLAAO0AnjVcRah7bZV/jfHJuhOipV/TB7UVAhlVv1dfGV7hoTp9UKtKZFJF4cjIrSGxqQA/mdhSdLgkepK7yc4Jp2xGnaarhY29DfqsQqop+ugFpTbj7Xy5Rco07mXc6XssbAZhI1xtCOX20N4PufBuYippCK5AE6AiAyVtJmvfGQk4HP+TjOyhFo7PZm3wc9Hym7IBBVC0Sl30K8ddufkAgHwNGvvu1ZmD9ZWaMOXJDHBCZGMMr16QREZwVtZTwMEQalc7/yqmuqMhmcJIfs/GA2Lt91y+pq9C8XyeUL0VFPch0vkcLSRe3ghMZpRFJ/ht307xPcLzgTJqN6oQtNNDzSQglSEjwhge2K4GyWcIh+oGsWxWz5dHyk1iJmw90Y976BZIl/mYVgbTtZAJ81oGe/0k5rAe+LDL+Yq6tG28QFOg0QmiQ==\n"` | | | argo-cd.configs.secret.createSecret | bool | `false` | | | argo-cd.controller.args.appResyncPeriod | string | `"300"` | | @@ -38,6 +39,7 @@ Kubernetes: `>= 1.20.0` | argo-cd.dex.enabled | bool | `false` | | | argo-cd.global | string | `nil` | | | argo-cd.installCRDs | bool | `false` | | +| argo-cd.notifications.enabled | bool | `false` | | | argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | diff --git a/charts/kubezero-argocd/update.sh b/charts/kubezero-argocd/update.sh index ccb8397..035ab68 100755 --- a/charts/kubezero-argocd/update.sh +++ b/charts/kubezero-argocd/update.sh @@ -1,4 +1,6 @@ #!/bin/bash +helm dep update + # Create ZDT dashboard configmap ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-argocd/values.yaml b/charts/kubezero-argocd/values.yaml index bc9d26b..466b1e6 100644 --- a/charts/kubezero-argocd/values.yaml +++ b/charts/kubezero-argocd/values.yaml @@ -116,3 +116,9 @@ argo-cd: dex: enabled: false + + applicationSet: + enabled: false + + notifications: + enabled: false diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index acf3a88..8c0d292 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -1,6 +1,6 @@ # kubezero-cert-manager -![Version: 0.8.1](https://img.shields.io/badge/Version-0.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.1](https://img.shields.io/badge/AppVersion-1.6.1-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager @@ -10,7 +10,7 @@ KubeZero Umbrella Chart for cert-manager | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -19,7 +19,7 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | -| https://charts.jetstack.io | cert-manager | 1.6.1 | +| https://charts.jetstack.io | cert-manager | 1.8.0 | ## AWS - OIDC IAM roles diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index 84291d9..f840cf2 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-ci description: KubeZero umbrella chart for all things CI type: application -version: 0.4.44 +version: 0.4.45 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -22,7 +22,7 @@ dependencies: repository: https://gocd.github.io/helm-chart condition: gocd.enabled - name: gitea - version: 5.0.3 + version: 5.0.5 repository: https://dl.gitea.io/charts/ condition: gitea.enabled - name: jenkins diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 021f6f9..b17cbba 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md @@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.4.24](https://img.shields.io/badge/Version-0.4.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.45](https://img.shields.io/badge/Version-0.4.45-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -10,7 +10,7 @@ KubeZero umbrella chart for all things CI | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,11 +18,11 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.9 | +| https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.12 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://charts.jenkins.io | jenkins | 3.11.3 | -| https://dl.gitea.io/charts/ | gitea | 5.0.0 | -| https://gocd.github.io/helm-chart | gocd | 1.39.4 | +| https://charts.jenkins.io | jenkins | 3.11.10 | +| https://dl.gitea.io/charts/ | gitea | 5.0.5 | +| https://gocd.github.io/helm-chart | gocd | 1.40.8 | # Jenkins - default build retention 10 builds, 32days @@ -39,6 +39,9 @@ Kubernetes: `>= 1.20.0` ## Resources +### JVM tuning in containers +- https://developers.redhat.com/blog/2017/04/04/openjdk-and-containers?extIdCarryOver=true&sc_cid=701f2000001Css5AAC + ## Values | Key | Type | Default | Description | @@ -51,7 +54,7 @@ Kubernetes: `>= 1.20.0` | gitea.gitea.metrics.enabled | bool | `false` | | | gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | | | gitea.image.rootless | bool | `true` | | -| gitea.image.tag | string | `"1.15.10"` | | +| gitea.image.tag | string | `"1.16.6"` | | | gitea.istio.enabled | bool | `false` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.url | string | `"git.example.com"` | | @@ -70,20 +73,19 @@ Kubernetes: `>= 1.20.0` | gocd.istio.url | string | `""` | | | gocd.server.ingress.enabled | bool | `false` | | | gocd.server.service.type | string | `"ClusterIP"` | | -| jenkins.agent.alwaysPullImage | bool | `true` | | | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | | -| jenkins.agent.containerCap | int | `4` | | +| jenkins.agent.containerCap | int | `2` | | | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | | | jenkins.agent.idleMinutes | int | `10` | | | jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | | | jenkins.agent.podName | string | `"podman-aws"` | | | jenkins.agent.podRetention | string | `"Default"` | | -| jenkins.agent.resources.limits.cpu | string | `"1"` | | -| jenkins.agent.resources.limits.memory | string | `"2048Mi"` | | +| jenkins.agent.resources.limits.cpu | string | `"4"` | | +| jenkins.agent.resources.limits.memory | string | `"6144Mi"` | | | jenkins.agent.resources.requests.cpu | string | `"512m"` | | -| jenkins.agent.resources.requests.memory | string | `"512Mi"` | | +| jenkins.agent.resources.requests.memory | string | `"1024Mi"` | | | jenkins.agent.showRawYaml | bool | `false` | | -| jenkins.agent.tag | string | `"v0.2.4-5"` | | +| jenkins.agent.tag | string | `"v0.2.4-21"` | | | jenkins.agent.yamlMergeStrategy | string | `"merge"` | | | jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\""` | | | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | @@ -93,22 +95,23 @@ Kubernetes: `>= 1.20.0` | jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | | | jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | | | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | | -| jenkins.controller.installPlugins[0] | string | `"kubernetes:1.31.3"` | | +| jenkins.controller.installPlugins[0] | string | `"kubernetes:3580.v78271e5631dc"` | | | jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:2.6"` | | -| jenkins.controller.installPlugins[2] | string | `"git:4.10.3"` | | -| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1.55.1"` | | +| jenkins.controller.installPlugins[2] | string | `"git:4.11.0"` | | +| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1414.v878271fc496f"` | | | jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | | -| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.10"` | | -| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.28"` | | +| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.11"` | | +| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.29"` | | | jenkins.controller.installPlugins[7] | string | `"build-discarder:60.v1747b0eb632a"` | | -| jenkins.controller.javaOpts | string | `"-XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | | +| jenkins.controller.installPlugins[8] | string | `"dark-theme:156.v6cf16af6f9ef"` | | +| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | | | jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=180 --sessionEviction=3600"` | | | jenkins.controller.prometheus.enabled | bool | `false` | | | jenkins.controller.resources.limits.cpu | string | `"2000m"` | | | jenkins.controller.resources.limits.memory | string | `"4096Mi"` | | | jenkins.controller.resources.requests.cpu | string | `"250m"` | | | jenkins.controller.resources.requests.memory | string | `"1280Mi"` | | -| jenkins.controller.tagLabel | string | `"alpine"` | | +| jenkins.controller.tag | string | `"2.332.2-lts-jdk17-preview"` | | | jenkins.controller.testEnabled | bool | `false` | | | jenkins.enabled | bool | `false` | | | jenkins.istio.enabled | bool | `false` | | diff --git a/charts/kubezero-ci/update.sh b/charts/kubezero-ci/update.sh index ccb8397..035ab68 100755 --- a/charts/kubezero-ci/update.sh +++ b/charts/kubezero-ci/update.sh @@ -1,4 +1,6 @@ #!/bin/bash +helm dep update + # Create ZDT dashboard configmap ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index 77c1e6b..e467465 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -17,7 +17,7 @@ gitea: enabled: false image: - tag: 1.16.5 + tag: 1.16.6 rootless: true securityContext: diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-gateway/Chart.yaml similarity index 56% rename from charts/kubezero-istio-ingress/Chart.yaml rename to charts/kubezero-istio-gateway/Chart.yaml index aff9a4b..3bf12e0 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-gateway/Chart.yaml @@ -1,9 +1,8 @@ apiVersion: v2 -name: kubezero-istio-ingress -description: KubeZero Umbrella Chart for Istio based Ingress +name: kubezero-istio-gateway +description: KubeZero Umbrella Chart for Istio gateways type: application -version: 0.7.6 -appVersion: 1.11.5 +version: 0.8.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -17,10 +16,7 @@ dependencies: - name: kubezero-lib version: ">= 0.1.4" repository: https://cdn.zero-downtime.net/charts/ - - name: istio-ingress - version: 1.11.5 - condition: istio-ingress.enabled - - name: istio-private-ingress - version: 1.11.5 - condition: istio-private-ingress.enabled + - name: gateway + version: 1.13.3 + repository: https://istio-release.storage.googleapis.com/charts kubeVersion: ">= 1.20.0" diff --git a/charts/kubezero-istio-gateway/README.md b/charts/kubezero-istio-gateway/README.md new file mode 100644 index 0000000..76f6836 --- /dev/null +++ b/charts/kubezero-istio-gateway/README.md @@ -0,0 +1,49 @@ +# kubezero-istio-gateway + +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +KubeZero Umbrella Chart for Istio gateways + +Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Stefan Reimer | | | + +## Requirements + +Kubernetes: `>= 1.20.0` + +| Repository | Name | Version | +|------------|------|---------| +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | +| https://istio-release.storage.googleapis.com/charts | gateway | 1.13.3 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| certificates | list | `[]` | | +| gateway.autoscaling.enabled | bool | `false` | | +| gateway.autoscaling.maxReplicas | int | `4` | | +| gateway.autoscaling.minReplicas | int | `1` | | +| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| gateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | +| gateway.replicaCount | int | `1` | | +| gateway.resources.limits.memory | string | `"512Mi"` | | +| gateway.resources.requests.cpu | string | `"50m"` | | +| gateway.resources.requests.memory | string | `"64Mi"` | | +| gateway.service.externalTrafficPolicy | string | `"Local"` | | +| gateway.service.type | string | `"NodePort"` | | +| proxyProtocol | bool | `true` | | +| telemetry.enabled | string | `"falser"` | | + +## Resources + +- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec +- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml +- https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio-ingress/README.md.gotmpl b/charts/kubezero-istio-gateway/README.md.gotmpl similarity index 100% rename from charts/kubezero-istio-ingress/README.md.gotmpl rename to charts/kubezero-istio-gateway/README.md.gotmpl diff --git a/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml new file mode 100644 index 0000000..320d8ed --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.13.3 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- http://github.com/istio/istio +type: application +version: 1.13.3 diff --git a/charts/kubezero-istio-gateway/charts/gateway/README.md b/charts/kubezero-istio-gateway/charts/gateway/README.md new file mode 100644 index 0000000..0e58c00 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/README.md @@ -0,0 +1,148 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt b/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000..78451d3 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl b/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000..e75d273 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,52 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "gateway.labels" -}} +helm.sh/chart: {{ include "gateway.chart" . }} +{{ include "gateway.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ include "gateway.name" . }} +{{- range $key, $val := .Values.labels }} +{{- if not (or (eq $key "app") (eq $key "istio")) }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +{{- if hasKey .Values.labels "app" }} +{{- with .Values.labels.app }}app: {{.|quote}} +{{- end}} +{{- else }}app: {{ include "gateway.name" . }} +{{- end }} +{{- if hasKey .Values.labels "istio" }} +{{- with .Values.labels.istio }} +istio: {{.|quote}} +{{- end}} +{{- else }} +istio: {{ include "gateway.name" . | trimPrefix "istio-" }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000..30dfc02 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml @@ -0,0 +1,112 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + # Give the LB 120s to detect and take into service + # should only be 40s by we are on AWS so ... + minReadySeconds: 120 + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . }} + {{- end }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.volumeMounts }} + volumeMounts: + {{- toYaml .Values.volumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000..956a5ee --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + +{{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml new file mode 100644 index 0000000..3febf79 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/role.yaml @@ -0,0 +1,25 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml new file mode 100644 index 0000000..bfef1ff --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/service.yaml @@ -0,0 +1,52 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} + {{- range $key, $val := .Values.service.ports }} + - + {{- range $pkey, $pval := $val }} + {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000..e5b2304 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.schema.json b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json new file mode 100644 index 0000000..3109d60 --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json @@ -0,0 +1,199 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": ["object", "null"] + }, + "containerSecurityContext": { + "type": ["object", "null"] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "volumes": { + "type": "array" + }, + "volumeMounts": { + "type": "array" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "revision": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": ["string", "boolean"], + "enum": [true, false, "auto"] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + } + } +} diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.yaml b/charts/kubezero-istio-gateway/charts/gateway/values.yaml new file mode 100644 index 0000000..f225cee --- /dev/null +++ b/charts/kubezero-istio-gateway/charts/gateway/values.yaml @@ -0,0 +1,88 @@ +# Name allows overriding the release name. Generally this should not be set +name: "" +# revision declares which revision this gateway is a part of +revision: "" + +replicaCount: 1 + +rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + +serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + +podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + +# Define the security context for the pod. +# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. +# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. +securityContext: ~ +containerSecurityContext: ~ + +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +# Pod environment variables +env: {} + +# Labels to apply to all resources +labels: {} + +# Annotations to apply to all resources +annotations: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# If specified, the gateway will act as a network gateway for the given network. +networkGateway: "" + +imagePullSecrets: [] \ No newline at end of file diff --git a/charts/kubezero-istio-ingress/templates/_gateway.tpl b/charts/kubezero-istio-gateway/templates/_gateway.tpl similarity index 77% rename from charts/kubezero-istio-ingress/templates/_gateway.tpl rename to charts/kubezero-istio-gateway/templates/_gateway.tpl index 5983de1..ec8e0c6 100644 --- a/charts/kubezero-istio-ingress/templates/_gateway.tpl +++ b/charts/kubezero-istio-gateway/templates/_gateway.tpl @@ -40,3 +40,14 @@ {{- end }} {{- end }} + + +{{- define "gatewayName" -}} +{{ .Values.gateway.name | default .Release.Name | default "istio-ingressgateway" }} +{{- end }} + + +{{- define "gatewaySelectorLabels" -}} +app: {{ include "gatewayName" . }} +istio: {{ include "gatewayName" . | trimPrefix "istio-" }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml b/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml similarity index 84% rename from charts/kubezero-istio-ingress/templates/bootstrap-config.yaml rename to charts/kubezero-istio-gateway/templates/bootstrap-config.yaml index aa6ec25..976e9b6 100644 --- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml +++ b/charts/kubezero-istio-gateway/templates/bootstrap-config.yaml @@ -1,10 +1,9 @@ -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy # https://github.com/istio/istio/issues/24715 apiVersion: v1 kind: ConfigMap metadata: - name: istio-gateway-bootstrap-config + name: {{ include "gatewayName" . | trimPrefix "istio-" }}-bootstrap-config namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} @@ -41,7 +40,7 @@ data: { "name": "envoy.resource_monitors.fixed_heap", "typed_config": { - "@type": "type.googleapis.com/envoy.config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig", + "@type": "type.googleapis.com/envoy.extensions.resource_monitors.fixed_heap.v3.FixedHeapConfig", "max_heap_size_bytes": 536870912 } } @@ -58,4 +57,3 @@ data: ] } } -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml similarity index 85% rename from charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml rename to charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml index dd1d9d3..d97b363 100644 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-hardening.yaml +++ b/charts/kubezero-istio-gateway/templates/envoyfilter-hardening.yaml @@ -1,12 +1,14 @@ -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: ingressgateway-hardening + name: {{ include "gatewayName" . | trimPrefix "istio-" }}-hardening namespace: {{ .Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} + {{ include "kubezero-lib.labels" . | nindent 4 }} spec: + workloadSelector: + labels: + {{- include "gatewaySelectorLabels" . | nindent 6 }} configPatches: - applyTo: CLUSTER patch: @@ -35,4 +37,3 @@ spec: initial_connection_window_size: 1048576 # 1 MiB #stream_idle_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests #request_timeout: 300s # 5 mins, must be disabled for long-lived and streaming requests -{{- end }} diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml new file mode 100644 index 0000000..3888aa5 --- /dev/null +++ b/charts/kubezero-istio-gateway/templates/envoyfilter-keepalive-nlb.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ include "gatewayName" . | trimPrefix "istio-" }}-listener-tcp-keepalive + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + workloadSelector: + labels: + {{- include "gatewaySelectorLabels" . | nindent 6 }} + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + socket_options: + - level: 1 # SOL_SOCKET = 1 + name: 9 # SO_KEEPALIVE = 9 + int_value: 1 + state: STATE_PREBIND + - level: 6 # IPPROTO_TCP = 6 + name: 4 # TCP_KEEPIDLE = 4 + int_value: 120 + state: STATE_PREBIND + - level: 6 # IPPROTO_TCP = 6 + name: 5 # TCP_KEEPINTVL = 5 + int_value: 60 + state: STATE_PREBIND diff --git a/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml new file mode 100644 index 0000000..a1fa22d --- /dev/null +++ b/charts/kubezero-istio-gateway/templates/envoyfilter-proxy-protocol.yaml @@ -0,0 +1,21 @@ +{{- if .Values.proxyProtocol }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ include "gatewayName" . | trimPrefix "istio-" }}-proxy-protocol + namespace: {{ .Release.Namespace }} + labels: + {{ include "kubezero-lib.labels" . | nindent 4 }} +spec: + workloadSelector: + labels: + {{- include "gatewaySelectorLabels" . | nindent 6 }} + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.filters.listener.proxy_protocol + - name: envoy.filters.listener.tls_inspector +{{- end }} diff --git a/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml b/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml new file mode 100644 index 0000000..57d6c13 --- /dev/null +++ b/charts/kubezero-istio-gateway/templates/ingress-certificate.yaml @@ -0,0 +1,19 @@ +{{- range $cert := .Values.certificates }} +{{- if $cert.dnsNames }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $cert.name }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" $ | indent 4 }} +spec: + secretName: {{ $cert.name }} + issuerRef: + name: {{ default "letsencrypt-dns-prod" $cert.issuer }} + kind: ClusterIssuer + dnsNames: +{{ toYaml $cert.dnsNames | indent 4 }} +--- +{{- end }} +{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml similarity index 50% rename from charts/kubezero-istio-ingress/templates/ingress-gateway.yaml rename to charts/kubezero-istio-gateway/templates/ingress-gateway.yaml index d8d859b..1070db5 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-gateway/templates/ingress-gateway.yaml @@ -1,19 +1,15 @@ -# Public Ingress Gateway -{{- $gateway := index .Values "istio-ingress" }} - -{{- if and $gateway.enabled $gateway.certificates }} # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts - +{{- if .Values.certificates }} apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: - name: ingressgateway + name: {{ include "gatewayName" . | trimPrefix "istio-" }} namespace: {{ .Release.Namespace }} labels: {{- include "kubezero-lib.labels" . | nindent 4 }} spec: selector: - istio: ingressgateway + {{- include "gatewaySelectorLabels" . | nindent 4 }} servers: - {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}} + {{- include "gatewayServers" (dict "certificates" .Values.certificates "ports" .Values.gateway.service.ports ) | nindent 2 }} {{- end }} diff --git a/charts/kubezero-istio-ingress/templates/podmonitor.yaml b/charts/kubezero-istio-gateway/templates/podmonitor.yaml similarity index 84% rename from charts/kubezero-istio-ingress/templates/podmonitor.yaml rename to charts/kubezero-istio-gateway/templates/podmonitor.yaml index e3d26ef..2020c4f 100644 --- a/charts/kubezero-istio-ingress/templates/podmonitor.yaml +++ b/charts/kubezero-istio-gateway/templates/podmonitor.yaml @@ -1,8 +1,8 @@ -{{- if or ( index .Values "istio-ingress" "telemetry" "enabled" ) ( index .Values "istio-private-ingress" "telemetry" "enabled" )}} +{{- if .Values.telemetry.enabled }} apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: - name: envoy-stats-monitor + name: {{ include "gatewayName" . | trimPrefix "istio-" }}-envoy-stats-monitor namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} @@ -10,6 +10,8 @@ spec: selector: matchExpressions: - {key: istio-prometheus-ignore, operator: DoesNotExist} + matchLabels: + {{- include "gatewaySelectorLabels" . | nindent 6 }} jobLabel: envoy-stats podMetricsEndpoints: - path: /stats/prometheus diff --git a/charts/kubezero-istio-gateway/update.sh b/charts/kubezero-istio-gateway/update.sh new file mode 100755 index 0000000..6180df3 --- /dev/null +++ b/charts/kubezero-istio-gateway/update.sh @@ -0,0 +1,11 @@ +#!/bin/bash +set -ex + +export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="gateway") | .version' Chart.yaml) + +helm dep update + +# Patch +tar xf charts/gateway-$ISTIO_VERSION.tgz -C charts && rm -f charts/gateway-$ISTIO_VERSION.tgz +#diff -tubr charts/gateway.orig charts/gateway +patch -p0 -i zdt.patch --no-backup-if-mismatch diff --git a/charts/kubezero-istio-gateway/values.yaml b/charts/kubezero-istio-gateway/values.yaml new file mode 100644 index 0000000..f99abba --- /dev/null +++ b/charts/kubezero-istio-gateway/values.yaml @@ -0,0 +1,38 @@ +gateway: + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 4 + targetCPUUtilizationPercentage: 80 + + replicaCount: 1 + + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + # cpu: 100m + memory: 512Mi + + service: + type: NodePort + externalTrafficPolicy: Local + # Map port 80/443 to 8080/8443 so we don't need to root + + # ports is extended as follows: + # noGateway: true -> this port does NOT get mapped to a Gateway port + # tls: optional gateway port setting + # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! + + podAnnotations: + proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' + +certificates: [] +#- name: ingress-cert +# dnsNames: [] + +telemetry: + enabled: falser + +proxyProtocol: true diff --git a/charts/kubezero-istio-gateway/zdt.patch b/charts/kubezero-istio-gateway/zdt.patch new file mode 100644 index 0000000..84fb52d --- /dev/null +++ b/charts/kubezero-istio-gateway/zdt.patch @@ -0,0 +1,75 @@ +diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml +--- charts/gateway.orig/templates/deployment.yaml 2022-04-21 17:33:30.042035869 +0200 ++++ charts/gateway/templates/deployment.yaml 2022-04-21 18:17:15.130605952 +0200 +@@ -11,6 +11,9 @@ + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} ++ # Give the LB 120s to detect and take into service ++ # should only be 40s by we are on AWS so ... ++ minReadySeconds: 120 + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} +@@ -31,6 +34,7 @@ + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} ++ terminationGracePeriodSeconds: 120 + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} +@@ -86,6 +90,10 @@ + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} ++ {{- if .Values.volumeMounts }} ++ volumeMounts: ++ {{- toYaml .Values.volumeMounts | nindent 12 }} ++ {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} +@@ -98,3 +106,7 @@ + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} ++ {{- with .Values.volumes }} ++ volumes: ++ {{- toYaml . | nindent 8 }} ++ {{- end }} +diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml +--- charts/gateway.orig/templates/service.yaml 2022-04-21 17:33:30.042035869 +0200 ++++ charts/gateway/templates/service.yaml 2022-04-21 17:33:41.801806959 +0200 +@@ -38,7 +38,14 @@ + port: 15017 + targetPort: 15017 + {{- else }} +-{{ .Values.service.ports | toYaml | indent 4 }} ++ {{- range $key, $val := .Values.service.ports }} ++ - ++ {{- range $pkey, $pval := $val }} ++ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} ++ {{ $pkey}}: {{ $pval }} ++ {{- end }} ++ {{- end }} ++ {{- end }} + {{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +diff -tubr charts/gateway.orig/values.schema.json charts/gateway/values.schema.json +--- charts/gateway.orig/values.schema.json 2022-04-21 17:33:30.042035869 +0200 ++++ charts/gateway/values.schema.json 2022-04-21 17:52:51.007536238 +0200 +@@ -47,6 +47,12 @@ + "labels": { + "type": "object" + }, ++ "volumes": { ++ "type": "array" ++ }, ++ "volumeMounts": { ++ "type": "array" ++ }, + "name": { + "type": "string" + }, diff --git a/charts/kubezero-istio-ingress/.helmignore b/charts/kubezero-istio-ingress/.helmignore deleted file mode 120000 index 1ff0487..0000000 --- a/charts/kubezero-istio-ingress/.helmignore +++ /dev/null @@ -1 +0,0 @@ -../kubezero-istio/.helmignore \ No newline at end of file diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md deleted file mode 100644 index a4f2f9b..0000000 --- a/charts/kubezero-istio-ingress/README.md +++ /dev/null @@ -1,125 +0,0 @@ -# kubezero-istio-ingress - -![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) - -KubeZero Umbrella Chart for Istio based Ingress - -Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Quarky9 | | | - -## Requirements - -Kubernetes: `>= 1.18.0` - -| Repository | Name | Version | -|------------|------|---------| -| | istio-ingress | 1.11.3 | -| | istio-private-ingress | 1.11.3 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| global.arch.amd64 | int | `2` | | -| global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.logAsJson | bool | `true` | | -| global.priorityClassName | string | `"system-cluster-critical"` | | -| istio-ingress.certificates[0].dnsNames | list | `[]` | | -| istio-ingress.certificates[0].name | string | `"ingress-cert"` | | -| istio-ingress.enabled | bool | `false` | | -| istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | -| istio-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | -| istio-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | -| istio-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | -| istio-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.public" | string | `"Exists"` | | -| istio-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | -| istio-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-ingressgateway"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `30021` | | -| istio-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `30080` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| istio-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `30443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | -| istio-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | -| istio-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | -| istio-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | -| istio-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | -| istio-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | | -| istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | -| istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | -| istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-ingress.proxyProtocol | bool | `true` | | -| istio-ingress.telemetry.enabled | bool | `false` | | -| istio-private-ingress.certificates[0].dnsNames | list | `[]` | | -| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | | -| istio-private-ingress.enabled | bool | `false` | | -| istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | -| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | -| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | -| istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | -| istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.name | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.nodeSelector."node.kubernetes.io/ingress.private" | string | `"Exists"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAnnotations."proxy.istio.io/config" | string | `"{ \"terminationDrainDuration\": \"20s\" }"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].key | string | `"app"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].operator | string | `"In"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].topologyKey | string | `"kubernetes.io/hostname"` | | -| istio-private-ingress.gateways.istio-ingressgateway.podAntiAffinityLabelSelector[0].values | string | `"istio-private-ingressgateway"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].name | string | `"status-port"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].noGateway | bool | `true` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].nodePort | int | `31021` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].gatewayProtocol | string | `"HTTP2"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].nodePort | int | `31080` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[1].tls.httpsRedirect | bool | `true` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].gatewayProtocol | string | `"HTTPS"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].nodePort | int | `31443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[2].tls.mode | string | `"SIMPLE"` | | -| istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | -| istio-private-ingress.gateways.istio-ingressgateway.resources.requests.memory | string | `"64Mi"` | | -| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxSurge | int | `1` | | -| istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | -| istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | -| istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | -| istio-private-ingress.proxyProtocol | bool | `true` | | -| istio-private-ingress.telemetry.enabled | bool | `false` | | - -## Resources - -- https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec -- https://github.com/istio/istio/blob/master/manifests/profiles/default.yaml -- https://istio.io/latest/docs/setup/install/standalone-operator/ diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml deleted file mode 100644 index 36126fe..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-ingress -version: 1.11.5 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio gateways -keywords: - - istio - - ingressgateway - - gateways -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt deleted file mode 100644 index 221ee56..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/NOTES.txt +++ /dev/null @@ -1,43 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minimize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label and chart structure. -- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades -and allows a bit more flexibility. -- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. - -# Port and basic host configuration - -In order to configure the Service object, the install/upgrade needs to provide a list of all ports. -In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured -both in upgrade, Gateway and VirtualService. - -The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, -Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual -config for the rest. - -All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl deleted file mode 100644 index f958a95..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/_affinity.tpl +++ /dev/null @@ -1,105 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - {{- if eq $val "Exists" }} - - key: {{ $key }} - operator: Exists - {{- else }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . }} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml deleted file mode 100644 index 8cf8f66..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/autoscale.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml deleted file mode 100644 index 9ce9008..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ /dev/null @@ -1,335 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} - # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ?? - minReadySeconds: 120 -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - terminationGracePeriodSeconds: 120 -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - #This needs kube-proxy support coming with 1.22 hopefully, cilium ? - #lifecycle: - # preStop: - # exec: - # command: ["/bin/sh","-c","sleep 30"] - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - volumeMounts: - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml deleted file mode 100644 index 1115d18..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/injected-deployment.yaml +++ /dev/null @@ -1,143 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml deleted file mode 100644 index 523a43f..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: -{{ $gateway.labels | toYaml | trim | indent 6 }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml deleted file mode 100644 index 3e21bca..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml deleted file mode 100644 index d452557..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/rolebindings.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $gateway.name }}-sds -subjects: -- kind: ServiceAccount - name: {{ $gateway.name }}-service-account ---- diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml deleted file mode 100644 index e3893c5..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/service.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml deleted file mode 100644 index 9cf3034..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ $gateway.name }}-service-account - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - {{- with $gateway.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml deleted file mode 100644 index ab5a0da..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ /dev/null @@ -1,326 +0,0 @@ -# A-la-carte istio ingress gateway. -# Must be installed in a separate namespace, to minimize access to secrets. - -gateways: - istio-ingressgateway: - name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - protocol: TCP - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - targetPort: 8443 - name: https - protocol: TCP - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - - cpu: - targetAverageUtilization: 80 - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - serviceAnnotations: {} - - # Enable cross-cluster access using SNI matching - zvpn: - enabled: false - suffix: global - - # To generate an internal load balancer: - # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal - #serviceAnnotations: - # cloud.google.com/load-balancer-type: "internal" - - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - customService: false - externalTrafficPolicy: "" - - ingressPorts: [] - additionalContainers: [] - configVolumes: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - env: - # A gateway with this mode ensures that pilot generates an additional - # set of clusters for internal services but without Istio mTLS, to - # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "standard" - - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.11.5 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: - amd64: 2 - s390x: 2 - ppc64le: 2 - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # The suffix for global service names - globalDomainSuffix: "global" - # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication - includeEnvoyFilter: true - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml deleted file mode 100644 index 4b132cb..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-private-ingress -version: 1.11.5 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio gateways -keywords: - - istio - - ingressgateway - - gateways -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt b/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt deleted file mode 100644 index 221ee56..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/NOTES.txt +++ /dev/null @@ -1,43 +0,0 @@ - -Changes: -- separate namespace allows: --- easier reconfig of just the gateway --- TLS secrets and domain name management is isolated, for better security --- simplified configuration --- multiple versions of the ingress can be used, to minimize upgrade risks - -- the new chart uses the default namespace service account, and doesn't require -additional RBAC permissions. - -- simplified label and chart structure. -- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades -and allows a bit more flexibility. -- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress. - -# Port and basic host configuration - -In order to configure the Service object, the install/upgrade needs to provide a list of all ports. -In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured -both in upgrade, Gateway and VirtualService. - -The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports, -Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual -config for the rest. - -All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism. - -# Migration from istio-system - -Istio 1.0 includes the gateways in istio-system. Since the external IP is associated -with the Service and bound to the namespace, it is recommended to: - -1. Install the new gateway in a new namespace. -2. Copy any TLS certificate to the new namespace, and configure the domains. -3. Checking the new gateway work - for example by overriding the IP in /etc/hosts -4. Modify the DNS server to add the A record of the new namespace -5. Check traffic -6. Delete the A record corresponding to the gateway in istio-system -7. Upgrade istio-system, disabling the ingressgateway -8. Delete the domain TLS certs from istio-system. - -If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl deleted file mode 100644 index f958a95..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/_affinity.tpl +++ /dev/null @@ -1,105 +0,0 @@ -{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} - -{{ define "nodeaffinity" }} -nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityRequiredDuringScheduling" . }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "nodeAffinityPreferredDuringScheduling" . }} -{{- end }} - -{{- define "nodeAffinityRequiredDuringScheduling" }} - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - {{ $key | quote }} - {{- end }} - {{- end }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- range $key, $val := $nodeSelector }} - {{- if eq $val "Exists" }} - - key: {{ $key }} - operator: Exists - {{- else }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "nodeAffinityPreferredDuringScheduling" }} - {{- range $key, $val := .global.arch }} - {{- if gt ($val | int) 0 }} - - weight: {{ $val | int }} - preference: - matchExpressions: - - key: kubernetes.io/arch - operator: In - values: - - {{ $key | quote }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinity" }} -{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} - podAntiAffinity: - {{- if .podAntiAffinityLabelSelector }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityRequiredDuringScheduling" . }} - {{- end }} - {{- if .podAntiAffinityTermLabelSelector }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- include "podAntiAffinityPreferredDuringScheduling" . }} - {{- end }} -{{- end }} -{{- end }} - -{{- define "podAntiAffinityRequiredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityLabelSelector }} - - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - {{- if $item.namespaces }} - namespaces: - {{- $ns := split "," $item.namespaces }} - {{- range $i, $n := $ns }} - - {{ $n | quote }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "podAntiAffinityPreferredDuringScheduling" }} - {{- range $index, $item := .podAntiAffinityTermLabelSelector }} - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: {{ $item.key }} - operator: {{ $item.operator }} - {{- if $item.values }} - values: - {{- $vals := split "," $item.values }} - {{- range $i, $v := $vals }} - - {{ $v | quote }} - {{- end }} - {{- end }} - topologyKey: {{ $item.topologyKey }} - weight: 100 - {{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml deleted file mode 100644 index 8cf8f66..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/autoscale.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - maxReplicas: {{ $gateway.autoscaleMax }} - minReplicas: {{ $gateway.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ $gateway.name }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} ---- -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml deleted file mode 100644 index 9ce9008..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +++ /dev/null @@ -1,335 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if eq $gateway.injectionTemplate "" }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} - # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ?? - minReadySeconds: 120 -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - service.istio.io/canonical-name: {{ $gateway.name }} - {{- if not (eq .Values.revision "") }} - service.istio.io/canonical-revision: {{ .Values.revision }} - {{- else}} - service.istio.io/canonical-revision: latest - {{- end }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "false" - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "false" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - terminationGracePeriodSeconds: 120 -{{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - command: - - /bin/sh - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - securityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - privileged: true -{{- end }} - containers: - - name: istio-proxy -{{- if contains "/" .Values.global.proxy.image }} - image: "{{ .Values.global.proxy.image }}" -{{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - {{- if .Values.global.proxy.logLevel }} - - --proxyLogLevel={{ .Values.global.proxy.logLevel }} - {{- end}} - {{- if .Values.global.proxy.componentLogLevel }} - - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} - {{- end}} - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - #This needs kube-proxy support coming with 1.22 hopefully, cilium ? - #lifecycle: - # preStop: - # exec: - # command: ["/bin/sh","-c","sleep 30"] - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: {{ $gateway.name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} - {{- if $.Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.meshID }}" - {{- else if .Values.meshConfig.trustDomain }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if .Values.meshConfig.trustDomain }} - - name: TRUST_DOMAIN - value: "{{ .Values.meshConfig.trustDomain }}" - {{- end }} - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} - {{- if and (not $network_set) .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - volumeMounts: - - name: istio-envoy - mountPath: /etc/istio/proxy - - name: config-volume - mountPath: /etc/istio/config -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert -{{- end }} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - mountPath: /etc/certs - readOnly: true - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - - name: podinfo - mountPath: /etc/istio/pod - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: -{{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert -{{- end }} - - name: podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-envoy - emptyDir: {} - - name: istio-data - emptyDir: {} -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - secretName: istio.istio-ingressgateway-service-account - optional: true - {{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - optional: true - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml deleted file mode 100644 index 1115d18..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/injected-deployment.yaml +++ /dev/null @@ -1,143 +0,0 @@ -{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if ne $gateway.injectionTemplate "" }} -{{/* This provides a minimal gateway, ready to be injected. - Any settings from values.gateways should be here - these are options specific to the gateway. - Global settings, like the image, various env vars and volumes, etc will be injected. - The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $gateway.name | default "istio-ingressgateway" }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if not $gateway.autoscaleEnabled }} -{{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} -{{- end }} -{{- end }} - selector: - matchLabels: -{{ $gateway.labels | toYaml | indent 6 }} - strategy: - rollingUpdate: - maxSurge: {{ $gateway.rollingMaxSurge }} - maxUnavailable: {{ $gateway.rollingMaxUnavailable }} - template: - metadata: - labels: -{{ $gateway.labels | toYaml | indent 8 }} -{{- if eq .Release.Namespace "istio-system"}} - heritage: Tiller - release: istio - chart: gateways -{{- end }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . }} - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - {{- end }} - sidecar.istio.io/inject: "true" - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" -{{- if $gateway.podAnnotations }} -{{ toYaml $gateway.podAnnotations | indent 8 }} -{{ end }} - spec: -{{- if not $gateway.runAsRoot }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - fsGroup: 1337 -{{- end }} - serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: istio-proxy - image: auto - ports: - {{- range $key, $val := $gateway.ports }} - - containerPort: {{ $val.targetPort | default $val.port }} - protocol: {{ $val.protocol | default "TCP" }} - {{- end }} - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if not $gateway.runAsRoot }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - {{- end }} - resources: -{{- if $gateway.resources }} -{{ toYaml $gateway.resources | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | indent 12 }} -{{- end }} - env: - {{- if not $gateway.runAsRoot }} - - name: ISTIO_META_UNPRIVILEGED_POD - value: "true" - {{- end }} - {{- range $key, $val := $gateway.env }} - - name: {{ $key }} - value: {{ $val }} - {{- end }} - volumeMounts: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- range $gateway.configVolumes }} - {{- if .mountPath }} - - name: {{ .name }} - mountPath: {{ .mountPath | quote }} - readOnly: true - {{- end }} - {{- end }} -{{- if $gateway.additionalContainers }} -{{ toYaml $gateway.additionalContainers | indent 8 }} -{{- end }} - volumes: - {{- range $gateway.secretVolumes }} - - name: {{ .name }} - secret: - secretName: {{ .secretName | quote }} - optional: true - {{- end }} - {{- range $gateway.configVolumes }} - - name: {{ .name }} - configMap: - name: {{ .configMapName | quote }} - optional: true - {{- end }} - affinity: -{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} - {{- include "podAntiAffinity" $gateway | indent 6 }} -{{- if $gateway.tolerations }} - tolerations: -{{ toYaml $gateway.tolerations | indent 6 }} -{{- else if .Values.global.defaultTolerations }} - tolerations: -{{ toYaml .Values.global.defaultTolerations | indent 6 }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml deleted file mode 100644 index 523a43f..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: - minAvailable: 1 - selector: - matchLabels: -{{ $gateway.labels | toYaml | trim | indent 6 }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml deleted file mode 100644 index 3e21bca..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/role.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml deleted file mode 100644 index d452557..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/rolebindings.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $gateway.name }}-sds - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $gateway.name }}-sds -subjects: -- kind: ServiceAccount - name: {{ $gateway.name }}-service-account ---- diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml deleted file mode 100644 index e3893c5..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/service.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -{{- if not $gateway.customService }} -apiVersion: v1 -kind: Service -metadata: - name: {{ $gateway.name }} - namespace: {{ .Release.Namespace }} - annotations: - {{- range $key, $val := $gateway.serviceAnnotations }} - {{ $key }}: {{ $val | quote }} - {{- end }} - labels: -{{ $gateway.labels | toYaml | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" -spec: -{{- if $gateway.loadBalancerIP }} - loadBalancerIP: "{{ $gateway.loadBalancerIP }}" -{{- end }} -{{- if $gateway.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} -{{- end }} -{{- if $gateway.externalTrafficPolicy }} - externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} -{{- end }} - type: {{ $gateway.type }} - selector: -{{ $gateway.labels | toYaml | indent 4 }} - ports: - - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} - {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} - {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - - port: {{ $app.port }} - name: {{ $app.name }} - {{- end }} ---- -{{ end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml deleted file mode 100644 index 9cf3034..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{ $gateway := index .Values "gateways" "istio-ingressgateway" }} -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ $gateway.name }}-service-account - namespace: {{ .Release.Namespace }} - labels: -{{ $gateway.labels | toYaml | trim | indent 4 }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "IngressGateways" - {{- with $gateway.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml deleted file mode 100644 index ab5a0da..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ /dev/null @@ -1,326 +0,0 @@ -# A-la-carte istio ingress gateway. -# Must be installed in a separate namespace, to minimize access to secrets. - -gateways: - istio-ingressgateway: - name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - protocol: TCP - - port: 80 - targetPort: 8080 - name: http2 - protocol: TCP - - port: 443 - targetPort: 8443 - name: https - protocol: TCP - - # Scalability tuning - # replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - - cpu: - targetAverageUtilization: 80 - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - serviceAnnotations: {} - - # Enable cross-cluster access using SNI matching - zvpn: - enabled: false - suffix: global - - # To generate an internal load balancer: - # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal - #serviceAnnotations: - # cloud.google.com/load-balancer-type: "internal" - - podAnnotations: {} - type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be - - ############## - secretVolumes: - - name: ingressgateway-certs - secretName: istio-ingressgateway-certs - mountPath: /etc/istio/ingressgateway-certs - - name: ingressgateway-ca-certs - secretName: istio-ingressgateway-ca-certs - mountPath: /etc/istio/ingressgateway-ca-certs - - customService: false - externalTrafficPolicy: "" - - ingressPorts: [] - additionalContainers: [] - configVolumes: [] - - serviceAccount: - # Annotations to add to the service account - annotations: {} - - ### Advanced options ############ - env: - # A gateway with this mode ensures that pilot generates an additional - # set of clusters for internal services but without Istio mTLS, to - # enable cross cluster routing. - ISTIO_META_ROUTER_MODE: "standard" - - nodeSelector: {} - tolerations: [] - - # Specify the pod anti-affinity that allows you to constrain which nodes - # your pod is eligible to be scheduled based on labels on pods that are - # already running on the node rather than based on labels on nodes. - # There are currently two types of anti-affinity: - # "requiredDuringSchedulingIgnoredDuringExecution" - # "preferredDuringSchedulingIgnoredDuringExecution" - # which denote "hard" vs. "soft" requirements, you can define your values - # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" - # correspondingly. - # For example: - # podAntiAffinityLabelSelector: - # - key: security - # operator: In - # values: S1,S2 - # topologyKey: "kubernetes.io/hostname" - # This pod anti-affinity rule says that the pod requires not to be scheduled - # onto a node if that node is already running a pod with label having key - # "security" and value "S1". - podAntiAffinityLabelSelector: [] - podAntiAffinityTermLabelSelector: [] - - # whether to run the gateway in a privileged container - runAsRoot: false - - # The injection template to use for the gateway. If not set, no injection will be performed. - injectionTemplate: "" - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # set the default set of namespaces to which services, service entries, virtual services, destination - # rules should be exported to. Currently only one value can be provided in this list. This value - # should be one of the following two options: - # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. - # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host - defaultConfigVisibilitySettings: [] - - # Default node selector to be applied to all deployments so that all pods can be - # constrained to run a particular nodes. Each component can overwrite these default - # values by adding its node selector block in the relevant section below and setting - # the desired values. - defaultNodeSelector: {} - - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default node tolerations to be applied to all deployments so that all pods can be - # scheduled to a particular nodes with matching taints. Each component can overwrite - # these default values by adding its tolerations block in the relevant section below - # and setting the desired values. - # Configure this field in case that all pods of Istio control plane are expected to - # be scheduled to particular nodes with specified taints. - defaultTolerations: [] - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.11.5 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: - # 0 - Never scheduled - # 1 - Least preferred - # 2 - No preference - # 3 - Most preferred - arch: - amd64: 2 - s390x: 2 - ppc64le: 2 - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # The suffix for global service names - globalDomainSuffix: "global" - # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication - includeEnvoyFilter: true - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - -meshConfig: - enablePrometheusMerge: true - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - defaultConfig: - proxyMetadata: {} - tracing: - # tlsSettings: - # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem - # privateKey: # example: /etc/istio/tracer/key.pem - # caCertificates: # example: /etc/istio/tracer/root-cert.pem - # sni: # example: tracer.somedomain - # subjectAltNames: [] - # - tracer.somedomain diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml deleted file mode 100644 index abb21c3..0000000 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if index .Values "istio-ingress" "enabled" }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: ingressgateway-listener-tcp-keepalive - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - socket_options: - - level: 1 # SOL_SOCKET = 1 - name: 9 # SO_KEEPALIVE = 9 - int_value: 1 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 4 # TCP_KEEPIDLE = 4 - int_value: 120 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 5 # TCP_KEEPINTVL = 5 - int_value: 60 - state: STATE_PREBIND -{{- end }} - -{{- if index .Values "istio-private-ingress" "enabled" }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: private-ingressgateway-listener-tcp-keepalive - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - istio: private-ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - socket_options: - - level: 1 # SOL_SOCKET = 1 - name: 9 # SO_KEEPALIVE = 9 - int_value: 1 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 4 # TCP_KEEPIDLE = 4 - int_value: 120 - state: STATE_PREBIND - - level: 6 # IPPROTO_TCP = 6 - name: 5 # TCP_KEEPINTVL = 5 - int_value: 60 - state: STATE_PREBIND -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml deleted file mode 100644 index e3d4fe4..0000000 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml +++ /dev/null @@ -1,44 +0,0 @@ -{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: ingressgateway-proxy-protocol - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - listener_filters: - - name: envoy.listener.proxy_protocol - - name: envoy.listener.tls_inspector -{{- end }} - -{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: private-ingressgateway-proxy-protocol - namespace: {{ .Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" . | indent 4 }} -spec: - workloadSelector: - labels: - istio: private-ingressgateway - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - listener_filters: - - name: envoy.listener.proxy_protocol - - name: envoy.listener.tls_inspector -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml deleted file mode 100644 index 53d05a6..0000000 --- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- range $cert := (index .Values "istio-ingress" "certificates") }} -{{- if $cert.dnsNames }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $cert.name }} - namespace: {{ $.Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" $ | indent 4 }} -spec: - secretName: {{ $cert.name }} - issuerRef: - name: {{ default "letsencrypt-dns-prod" $cert.issuer }} - kind: ClusterIssuer - dnsNames: -{{ toYaml $cert.dnsNames | indent 4 }} ---- -{{- end }} -{{- end }} - -{{- range $cert := (index .Values "istio-private-ingress" "certificates") }} -{{- if $cert.dnsNames }} -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $cert.name }} - namespace: {{ $.Release.Namespace }} - labels: -{{ include "kubezero-lib.labels" $ | indent 4 }} -spec: - secretName: private-ingress-cert - issuerRef: - name: {{ default "letsencrypt-dns-prod" $cert.issuer }} - kind: ClusterIssuer - dnsNames: -{{ toYaml $cert.dnsNames | indent 4 }} ---- -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml deleted file mode 100644 index 6ee25df..0000000 --- a/charts/kubezero-istio-ingress/templates/ingress-private-gateway.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Private Ingress Gateway -{{- $gateway := index .Values "istio-private-ingress" }} - -{{- if and $gateway.enabled $gateway.certificates }} -# https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts - -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - name: private-ingressgateway - namespace: {{ .Release.Namespace }} - labels: - {{- include "kubezero-lib.labels" . | nindent 4 }} -spec: - selector: - istio: private-ingressgateway - servers: - {{- include "gatewayServers" (dict "certificates" $gateway.certificates "ports" (index $gateway "gateways" "istio-ingressgateway" "ports") ) | nindent 2}} -{{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml deleted file mode 100644 index 8c575e1..0000000 --- a/charts/kubezero-istio-ingress/values.yaml +++ /dev/null @@ -1,203 +0,0 @@ -# Make sure these values match kuberzero-istio !!! -global: - #hub: docker.io/istio - tag: 1.11.5-distroless - - logAsJson: true - - priorityClassName: "system-cluster-critical" - - defaultPodDisruptionBudget: - enabled: false - - arch: - amd64: 2 - -istio-ingress: - enabled: false - - telemetry: - enabled: false - - gateways: - istio-ingressgateway: - autoscaleEnabled: false - replicaCount: 1 - rollingMaxSurge: 1 - rollingMaxUnavailable: 0 - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - # cpu: 100m - memory: 512Mi - externalTrafficPolicy: Local - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-ingressgateway - type: NodePort - podAnnotations: - proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' - - # custom hardened bootstrap config - env: - ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json - configVolumes: - - name: custom-bootstrap-volume - mountPath: /etc/istio/custom-bootstrap - configMapName: istio-gateway-bootstrap-config - - # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch - nodeSelector: - node.kubernetes.io/ingress.public: "Exists" - # Only nodes who are fronted with matching NLB - #affintiy: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: node.kubernetes.io/ingress.public - # operator: Exists - - # Map port 80/443 to 8080/8443 so we don't need to root - - # ports is extended as follows: - # noGateway: true -> this port does NOT get mapped to a Gateway port - # tls: optional gateway port setting - # gatewayProtocol: Loadbalancer protocol which is NOT the same as Container Procotol ! - ports: - - name: status-port - port: 15021 - nodePort: 30021 - noGateway: true - - name: http2 - port: 80 - targetPort: 8080 - nodePort: 30080 - gatewayProtocol: HTTP2 - tls: - httpsRedirect: true - - name: https - port: 443 - targetPort: 8443 - nodePort: 30443 - gatewayProtocol: HTTPS - tls: - mode: SIMPLE - - certificates: - - name: ingress-cert - dnsNames: [] - # - '*.example.com' - - proxyProtocol: true - - meshConfig: - defaultConfig: - proxyMetadata: - # ISTIO_META_HTTP10: 1 - -istio-private-ingress: - enabled: false - - telemetry: - enabled: false - - gateways: - istio-ingressgateway: - # name and labels make the ingress private - name: istio-private-ingressgateway - labels: - app: istio-private-ingressgateway - istio: private-ingressgateway - - autoscaleEnabled: false - replicaCount: 1 - rollingMaxSurge: 1 - rollingMaxUnavailable: 0 - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - # cpu: 100m - memory: 512Mi - externalTrafficPolicy: Local - podAntiAffinityLabelSelector: - - key: app - operator: In - topologyKey: kubernetes.io/hostname - values: istio-private-ingressgateway - type: NodePort - podAnnotations: - proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' - - # custom hardened bootstrap config - env: - ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json - configVolumes: - - name: custom-bootstrap-volume - mountPath: /etc/istio/custom-bootstrap - configMapName: istio-gateway-bootstrap-config - - # Unfortunately the upstream chart makes this complicated as they abuse the nodeSelector, see zdt.patch - nodeSelector: - node.kubernetes.io/ingress.private: "Exists" - # Only nodes who are fronted with matching NLB - #affintiy: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: node.kubernetes.io/ingress.private - # operator: Exists - - ports: - - name: status-port - port: 15021 - nodePort: 31021 - noGateway: true - - name: http2 - port: 80 - targetPort: 8080 - nodePort: 31080 - gatewayProtocol: HTTP2 - tls: - httpsRedirect: true - - name: https - port: 443 - targetPort: 8443 - nodePort: 31443 - gatewayProtocol: HTTPS - tls: - mode: SIMPLE - #- name: fluentd-forward - # port: 24224 - # nodePort: 31224 - # gatewayProtocol: TLS - # tls: - # mode: SIMPLE - #- name: amqps - # port: 5671 - # nodePort: 31671 - #- name: amqp - # port: 5672 - # nodePort: 31672 - #- name: redis - # port: 6379 - # nodePort: 31379 - - certificates: - - name: private-ingress-cert - dnsNames: [] - #- '*.example.com' - - proxyProtocol: true - - meshConfig: - defaultConfig: - proxyMetadata: - # ISTIO_META_HTTP10: 1 diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index e7547d4..6f319a3 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,7 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.7.6 -appVersion: 1.11.5 +version: 0.8.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -17,9 +16,11 @@ dependencies: version: ">= 0.1.4" repository: https://cdn.zero-downtime.net/charts/ - name: base - version: 1.11.5 - - name: istio-discovery - version: 1.11.5 + version: 1.13.3 + repository: https://istio-release.storage.googleapis.com/charts + - name: istiod + version: 1.13.3 + repository: https://istio-release.storage.googleapis.com/charts - name: kiali-server version: 1.38.1 # repository: https://github.com/kiali/helm-charts/tree/master/docs diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 64aa07f..fc57ab5 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.11.3](https://img.shields.io/badge/AppVersion-1.11.3-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -12,18 +12,18 @@ Installs the Istio control plane | Name | Email | Url | | ---- | ------ | --- | -| Quarky9 | | | +| Stefan Reimer | | | ## Requirements -Kubernetes: `>= 1.18.0` +Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | base | 1.11.3 | -| | istio-discovery | 1.11.3 | | | kiali-server | 1.38.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | +| https://istio-release.storage.googleapis.com/charts | base | 1.13.3 | +| https://istio-release.storage.googleapis.com/charts | istiod | 1.13.3 | ## Values @@ -32,18 +32,19 @@ Kubernetes: `>= 1.18.0` | global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | -| istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | -| istio-discovery.meshConfig.accessLogFile | string | `"/dev/stdout"` | | -| istio-discovery.meshConfig.tcpKeepalive.interval | string | `"60s"` | | -| istio-discovery.meshConfig.tcpKeepalive.time | string | `"120s"` | | -| istio-discovery.pilot.autoscaleEnabled | bool | `false` | | -| istio-discovery.pilot.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | -| istio-discovery.pilot.replicaCount | int | `1` | | -| istio-discovery.pilot.resources.requests.cpu | string | `"100m"` | | -| istio-discovery.pilot.resources.requests.memory | string | `"128Mi"` | | -| istio-discovery.pilot.tolerations[0].effect | string | `"NoSchedule"` | | -| istio-discovery.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | -| istio-discovery.telemetry.enabled | bool | `false` | | +| global.tag | string | `"1.13.3-distroless"` | | +| istiod.meshConfig.accessLogEncoding | string | `"JSON"` | | +| istiod.meshConfig.accessLogFile | string | `"/dev/stdout"` | | +| istiod.meshConfig.tcpKeepalive.interval | string | `"60s"` | | +| istiod.meshConfig.tcpKeepalive.time | string | `"120s"` | | +| istiod.pilot.autoscaleEnabled | bool | `false` | | +| istiod.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | +| istiod.pilot.replicaCount | int | `1` | | +| istiod.pilot.resources.requests.cpu | string | `"100m"` | | +| istiod.pilot.resources.requests.memory | string | `"128Mi"` | | +| istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | | +| istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| istiod.telemetry.enabled | bool | `false` | | | kiali-server.auth.strategy | string | `"anonymous"` | | | kiali-server.deployment.ingress_enabled | bool | `false` | | | kiali-server.deployment.view_only_mode | bool | `true` | | diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml deleted file mode 100644 index 63655dc..0000000 --- a/charts/kubezero-istio/charts/base/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -name: base -version: 1.11.5 -tillerVersion: ">=2.7.2" -description: Helm chart for deploying Istio cluster resources and CRDs -keywords: - - istio -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/base/NOTES.txt b/charts/kubezero-istio/charts/base/NOTES.txt deleted file mode 100644 index 7cdd440..0000000 --- a/charts/kubezero-istio/charts/base/NOTES.txt +++ /dev/null @@ -1 +0,0 @@ -Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts. diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index e93fbb8..0000000 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ /dev/null @@ -1,5717 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - type: string - redirectCode: - type: integer - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - type: string - redirectCode: - type: integer - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: Telemetry defines how the telemetry is generated for workloads - within a mesh. - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation - is selected: CLIENT and/or SERVER.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- diff --git a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml deleted file mode 100644 index 2a80f41..0000000 --- a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml +++ /dev/null @@ -1,48 +0,0 @@ -# SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml deleted file mode 100644 index 9fd002f..0000000 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml +++ /dev/null @@ -1,6034 +0,0 @@ ---- -# Source: crds/crd-all.gen.yaml -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - items: - properties: - labels: - additionalProperties: - type: string - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to - a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - items: - type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - type: object - proxyVersion: - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - type: integer - vhost: - properties: - name: - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - type: string - redirectCode: - type: integer - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - type: string - redirectCode: - type: integer - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept - for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - type: string - jwksUri: - type: string - outputPayloadToHeader: - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: Telemetry defines how the telemetry is generated for workloads - within a mesh. - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows provides the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - type: string - metric: - description: One of the well-known Istio Standard - Metrics. - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation - is selected: CLIENT and/or SERVER.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - type: object - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - type: string - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - type: string - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - type: string - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - providers: - description: Optional. - items: - properties: - name: - description: Required. - type: string - type: object - type: array - randomSamplingPercentage: - nullable: true - type: number - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- - ---- -# Source: crds/crd-operator.yaml -# SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: istiooperators.install.istio.io - labels: - release: istio -spec: - conversion: - strategy: None - group: install.istio.io - names: - kind: IstioOperator - listKind: IstioOperatorList - plural: istiooperators - singular: istiooperator - shortNames: - - iop - - io - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Istio control plane revision - jsonPath: .spec.revision - name: Revision - type: string - - description: IOP current state - jsonPath: .status.status - name: Status - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - name: v1alpha1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true ---- - ---- -# Source: base/templates/reader-serviceaccount.yaml -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istio-reader-service-account - namespace: istio-system - labels: - app: istio-reader - release: istio ---- -# Source: base/templates/serviceaccount.yaml -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod-service-account - namespace: istio-system - labels: - app: istiod - release: istio ---- -# Source: base/templates/clusterrole.yaml -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] ---- -# Source: base/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list"] ---- -# Source: base/templates/clusterrolebinding.yaml -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -# Source: base/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system ---- -# Source: base/templates/role.yaml -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] ---- -# Source: base/templates/rolebinding.yaml -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-istio-system - namespace: istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-istio-system -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: istio-system diff --git a/charts/kubezero-istio/charts/base/kustomization.yaml b/charts/kubezero-istio/charts/base/kustomization.yaml deleted file mode 100644 index dbde62f..0000000 --- a/charts/kubezero-istio/charts/base/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - files/gen-istio-cluster.yaml diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml deleted file mode 100644 index e07d5cd..0000000 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ /dev/null @@ -1,171 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list"] -{{- if or .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} ---- diff --git a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml deleted file mode 100644 index d61729b..0000000 --- a/charts/kubezero-istio/charts/base/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-{{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} ---- diff --git a/charts/kubezero-istio/charts/base/templates/crds.yaml b/charts/kubezero-istio/charts/base/templates/crds.yaml deleted file mode 100644 index 871ee2a..0000000 --- a/charts/kubezero-istio/charts/base/templates/crds.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} -{{ .Files.Get "crds/crd-operator.yaml" }} -{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/endpoints.yaml b/charts/kubezero-istio/charts/base/templates/endpoints.yaml deleted file mode 100644 index 996152b..0000000 --- a/charts/kubezero-istio/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} - {{- if not .Values.global.externalIstiod }} -apiVersion: v1 -kind: Endpoints -metadata: - name: istiod-remote - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Endpoints -metadata: - name: istiod - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - {{- end }} ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index d9ce18c..0000000 --- a/charts/kubezero-istio/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} diff --git a/charts/kubezero-istio/charts/base/templates/role.yaml b/charts/kubezero-istio/charts/base/templates/role.yaml deleted file mode 100644 index ca1a424..0000000 --- a/charts/kubezero-istio/charts/base/templates/role.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml b/charts/kubezero-istio/charts/base/templates/rolebinding.yaml deleted file mode 100644 index 2b591fb..0000000 --- a/charts/kubezero-istio/charts/base/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod-{{ .Values.global.istioNamespace }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod-{{ .Values.global.istioNamespace }} -subjects: - - kind: ServiceAccount - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml deleted file mode 100644 index ec25fd2..0000000 --- a/charts/kubezero-istio/charts/base/templates/serviceaccount.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -# DO NOT EDIT! -# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT -# UPDATED CHART AT manifests/charts/istio-control/istio-discovery -# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} diff --git a/charts/kubezero-istio/charts/base/templates/services.yaml b/charts/kubezero-istio/charts/base/templates/services.yaml deleted file mode 100644 index 606fd44..0000000 --- a/charts/kubezero-istio/charts/base/templates/services.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} - {{- if not .Values.global.externalIstiod }} -# when istiod is enabled in remote cluster, we can't use istiod service name -apiVersion: v1 -kind: Service -metadata: - name: istiod-remote - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - clusterIP: None - {{- else }} -# when istiod isn't enabled in remote cluster, we can use istiod service name -apiVersion: v1 -kind: Service -metadata: - name: istiod - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - # if the remotePilotAddress is IP addr, we use clusterIP: None. - # else, we use externalName - {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} - clusterIP: None - {{- else }} - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} - {{- end }} ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/base/values.yaml b/charts/kubezero-istio/charts/base/values.yaml deleted file mode 100644 index 8f86ba0..0000000 --- a/charts/kubezero-istio/charts/base/values.yaml +++ /dev/null @@ -1,27 +0,0 @@ -global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - istiod: - enableAnalysis: false - - configValidation: true - externalIstiod: false - remotePilotAddress: "" - -base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml deleted file mode 100644 index 74c4c07..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -name: istio-discovery -version: 1.11.5 -tillerVersion: ">=2.7.2" -description: Helm chart for istio control plane -keywords: - - istio - - istiod - - istio-discovery -sources: - - http://github.com/istio/istio -engine: gotpl -icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt deleted file mode 100644 index 298b692..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt +++ /dev/null @@ -1,8 +0,0 @@ -Minimal control plane for Istio. Pilot and mesh config are included. - -MCP and injector should optionally be installed in the same namespace. Alternatively remote -address of an MCP server can be set. - - -Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience! - https://forms.gle/kWULBRjUv7hHci7T6 diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml deleted file mode 100644 index 6d75883..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml +++ /dev/null @@ -1,205 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ .Revision | default "default" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml deleted file mode 100644 index 5f37436..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ /dev/null @@ -1,3020 +0,0 @@ ---- -# Source: istio-discovery/templates/poddisruptionbudget.yaml -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - release: istio - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - istio: pilot ---- -# Source: istio-discovery/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio ---- -# Source: istio-discovery/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - release: istio -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - networks: {} - - mesh: |- - defaultConfig: - discoveryAddress: istiod.istio-system.svc:15012 - tracing: - zipkin: - address: zipkin.istio-system:9411 - enablePrometheusMerge: true - rootNamespace: istio-system - trustDomain: cluster.local ---- -# Source: istio-discovery/templates/istiod-injector-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - release: istio -data: - - values: |- - { - "global": { - "caAddress": "", - "configCluster": false, - "configValidation": true, - "defaultPodDisruptionBudget": { - "enabled": true - }, - "defaultResources": { - "requests": { - "cpu": "10m" - } - }, - "externalIstiod": false, - "hub": "gcr.io/istio-testing", - "imagePullPolicy": "", - "imagePullSecrets": [], - "istioNamespace": "istio-system", - "istiod": { - "enableAnalysis": false - }, - "jwtPolicy": "third-party-jwt", - "logAsJson": false, - "logging": { - "level": "default:info" - }, - "meshID": "", - "meshNetworks": {}, - "mountMtlsCerts": false, - "multiCluster": { - "clusterName": "", - "enabled": false - }, - "network": "", - "omitSidecarInjectorConfigMap": false, - "oneNamespace": false, - "operatorManageWebhooks": false, - "pilotCertProvider": "istiod", - "priorityClassName": "", - "proxy": { - "autoInject": "enabled", - "clusterDomain": "cluster.local", - "componentLogLevel": "misc:error", - "enableCoreDump": false, - "excludeIPRanges": "", - "excludeInboundPorts": "", - "excludeOutboundPorts": "", - "holdApplicationUntilProxyStarts": false, - "image": "proxyv2", - "includeIPRanges": "*", - "logLevel": "warning", - "privileged": false, - "readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "100m", - "memory": "128Mi" - } - }, - "statusPort": 15020, - "tracer": "zipkin" - }, - "proxy_init": { - "image": "proxyv2", - "resources": { - "limits": { - "cpu": "2000m", - "memory": "1024Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } - } - }, - "remotePilotAddress": "", - "sds": { - "token": { - "aud": "istio-ca" - } - }, - "sts": { - "servicePort": 0 - }, - "tag": "latest", - "tracer": { - "datadog": { - "address": "$(HOST_IP):8126" - }, - "lightstep": { - "accessToken": "", - "address": "" - }, - "stackdriver": { - "debug": false, - "maxNumberOfAnnotations": 200, - "maxNumberOfAttributes": 200, - "maxNumberOfMessageEvents": 200 - }, - "zipkin": { - "address": "" - } - }, - "useMCP": false - }, - "revision": "", - "sidecarInjectorWebhook": { - "alwaysInjectSelector": [], - "defaultTemplates": [], - "enableNamespacesByDefault": false, - "injectedAnnotations": {}, - "neverInjectSelector": [], - "objectSelector": { - "autoInject": true, - "enabled": true - }, - "rewriteAppHTTPProbe": true, - "templates": {} - } - } - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - defaultTemplates: [sidecar] - policy: enabled - alwaysInjectSelector: - [] - neverInjectSelector: - [] - injectedAnnotations: - template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" - templates: - sidecar: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - {{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{- end }} - } - spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - istio-iptables - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - fsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} - gateway: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - istio.io/rev: {{ .Revision | default "default" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } - spec: - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} - grpc-simple: | - spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - echo ' - { - "xds_servers": [ - { - "server_uri": "dns:///istiod.istio-system.svc:15010", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} - grpc-agent: | - {{- $containers := list }} - {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} - metadata: - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } - spec: - containers: - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_BOOTSTRAP" - value: "/var/lib/istio/data/grpc-bootstrap.json" - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- end }} - {{- end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: "GRPC_XDS_BOOTSTRAP" - value: "/var/lib/istio/data/grpc-bootstrap.json" - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: {{ .Values.global.proxy.statusPort }} - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - # UDS channel between istioagent and gRPC client for XDS/SDS - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} ---- -# Source: istio-discovery/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole-istio-system - labels: - app: istiod - release: istio -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] ---- -# Source: istio-discovery/templates/reader-clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole-istio-system - labels: - app: istio-reader - release: istio -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] ---- -# Source: istio-discovery/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole-istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole-istio-system -subjects: - - kind: ServiceAccount - name: istiod - namespace: istio-system ---- -# Source: istio-discovery/templates/reader-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole-istio-system - labels: - app: istio-reader - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole-istio-system -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: istio-system ---- -# Source: istio-discovery/templates/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] ---- -# Source: istio-discovery/templates/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod -subjects: - - kind: ServiceAccount - name: istiod - namespace: istio-system ---- -# Source: istio-discovery/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: istiod - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: istio -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot ---- -# Source: istio-discovery/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - istio: pilot - release: istio -spec: - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - selector: - matchLabels: - istio: pilot - template: - metadata: - labels: - app: istiod - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - istio: pilot - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - spec: - serviceAccountName: istiod - securityContext: - fsGroup: 1337 - containers: - - name: discovery - image: "gcr.io/istio-testing/pilot:latest" - args: - - "discovery" - - --monitoringAddr=:15014 - - --log_output_level=default:info - - --domain - - cluster.local - - --keepaliveMaxServerConnectionAge - - "30m" - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "default" - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - - name: PILOT_TRACE_SAMPLING - value: "1" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "true" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "true" - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "false" - - name: CLUSTER_ID - value: "Kubernetes" - resources: - requests: - cpu: 500m - memory: 2048Mi - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true ---- -# Source: istio-discovery/templates/autoscale.yaml -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod - namespace: istio-system - labels: - app: istiod - release: istio - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - maxReplicas: 5 - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 ---- -# Source: istio-discovery/templates/revision-tags.yaml -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision ---- -# Source: istio-discovery/templates/telemetryv2_1.10.yaml -# Note: metadata exchange filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.10 - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.10.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.10 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.10.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.10.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.10.yaml -# Note: http stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.10 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Source: istio-discovery/templates/telemetryv2_1.10.yaml -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.10 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.10.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -# Source: istio-discovery/templates/telemetryv2_1.11.yaml -# Note: metadata exchange filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.11 - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.11.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.11 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.11.yaml -# Note: http stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.11 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Source: istio-discovery/templates/telemetryv2_1.11.yaml -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.11 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio" - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -# Source: istio-discovery/templates/telemetryv2_1.9.yaml -# Note: metadata exchange filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.9 - namespace: istio-system - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.9.yaml -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.9 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.9.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.9.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Source: istio-discovery/templates/telemetryv2_1.9.yaml -# Note: http stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.9 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats ---- -# Source: istio-discovery/templates/telemetryv2_1.9.yaml -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.9 - namespace: istio-system - labels: - istio.io/rev: default -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_inbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.9.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] - } - vm_config: - vm_id: tcp_stats_outbound - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" ---- -# Source: istio-discovery/templates/mutatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: istio-sidecar-injector - labels: - istio.io/rev: default - install.operator.istio.io/owning-resource: unknown - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: istio -webhooks: -- name: rev.namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -- name: rev.object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "default" -- name: namespace.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -- name: object.sidecar-injector.istio.io - clientConfig: - service: - name: istiod - namespace: istio-system - path: "/inject" - port: 443 - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist ---- -# Source: istio-discovery/templates/validatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator-istio-system - labels: - app: istiod - release: istio - istio: istiod - istio.io/rev: default -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - service: - name: istiod - namespace: istio-system - path: "/validate" - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "default" - # Webhook handling default validation - - name: validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - service: - name: istiod - namespace: istio-system - path: "/validate" - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - apiVersions: - - "*" - resources: - - "*" - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist diff --git a/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml b/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml deleted file mode 100644 index b20a9c4..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/files/grpc-agent.yaml +++ /dev/null @@ -1,234 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - containers: - {{- range $index, $container := .Spec.Containers }} - {{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_BOOTSTRAP" - value: "/var/lib/istio/data/grpc-bootstrap.json" - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- end }} - {{- end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: "GRPC_XDS_BOOTSTRAP" - value: "/var/lib/istio/data/grpc-bootstrap.json" - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: {{ .Values.global.proxy.statusPort }} - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - # UDS channel between istioagent and gRPC client for XDS/SDS - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations -{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} -{{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml b/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml deleted file mode 100644 index cf592e6..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/files/grpc-simple.yaml +++ /dev/null @@ -1,58 +0,0 @@ -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - echo ' - { - "xds_servers": [ - { - "server_uri": "dns:///istiod.istio-system.svc:15010", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml deleted file mode 100644 index e8659bb..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml +++ /dev/null @@ -1,466 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - args: - - istio-iptables - - "-p" - - "15001" - - "-z" - - "15006" - - "-u" - - "1337" - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 - runAsNonRoot: true - {{- end }} - restartPolicy: Always - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: {} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if gt .EstimatedConcurrency 0 }} - - --concurrency - - "{{ .EstimatedConcurrency }}" - {{- end -}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 - fsGroup: 1337 - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: 1337 - {{- end }} - resources: - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} - volumeMounts: - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} - securityContext: - fsGroup: 1337 - {{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml b/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml deleted file mode 100644 index 7f9bbc3..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - files/gen-istio.yaml diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml deleted file mode 100644 index b8b14ad..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/autoscale.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml deleted file mode 100644 index 0956c9b..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrole.yaml +++ /dev/null @@ -1,112 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" - verbs: ["approve"] - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["multicluster.x-k8s.io"] - resources: ["serviceexports"] - verbs: ["get", "watch", "list", "create", "delete"] diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml deleted file mode 100644 index cadb599..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml deleted file mode 100644 index 7b719ac..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap-jwks.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pilot.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -data: - extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml deleted file mode 100644 index 17b52f1..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: {{ .Values.global.meshID }} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - {{- if $.Values.global.tracer.stackdriver.debug }} - debug: {{ $.Values.global.tracer.stackdriver.debug }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} - {{- end }} - {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} - {{- end }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if not .Values.global.externalIstiod }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml deleted file mode 100644 index 27987ce..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +++ /dev/null @@ -1,222 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - securityContext: - fsGroup: 1337 - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.global.oneNamespace }} - - "-a" - - {{ .Release.Namespace }} -{{- end }} -{{- if .Values.pilot.plugins }} - - --plugins={{ .Values.pilot.plugins }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" - - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND - value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" - - name: ISTIOD_ADDR - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" -{{- if not .Values.telemetry.v2.enabled }} - - name: PILOT_ENDPOINT_TELEMETRY_LABEL - value: "false" -{{- end }} - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - {{- end }} - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} ---- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml deleted file mode 100644 index b6b1fa8..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,67 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": "{{ $val }}" - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml deleted file mode 100644 index dcb84dd..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,144 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .Values.istiodRemote.injectionURL }} - url: "{{ .Values.istiodRemote.injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - path: "{{ .Values.istiodRemote.injectionPath }}" - port: 443 - {{- end }} - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml deleted file mode 100644 index 40b2e60..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml deleted file mode 100644 index f19f1e8..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,48 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml deleted file mode 100644 index fc500eb..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml +++ /dev/null @@ -1,113 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- define "core" }} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .Values.istiodRemote.injectionURL }} - url: "{{ .Values.istiodRemote.injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - path: "{{ .Values.istiodRemote.injectionPath }}" - {{- end }} - caBundle: "" - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} - -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml deleted file mode 100644 index 25c4f5c..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml deleted file mode 100644 index 0d700f0..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/rolebinding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml deleted file mode 100644 index 1d4d9fe..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} ---- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml deleted file mode 100644 index ee6cbc3..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} ---- diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml deleted file mode 100644 index 0fe4ff6..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.11.yaml +++ /dev/null @@ -1,783 +0,0 @@ -{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} -# Note: metadata exchange filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {} - vm_config: - {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.metadata_exchange - {{- end }} ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: {} - patch: - operation: INSERT_BEFORE - value: - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange - - applyTo: CLUSTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - cluster: {} - patch: - operation: MERGE - value: - filters: - - name: istio.metadata_exchange - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange - value: - protocol: istio-peer-exchange ---- -# Note: http stats filter is wasm enabled only in sidecars. -{{- if .Values.telemetry.v2.prometheus.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio", - "disable_host_header_fallback": true - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: envoy.wasm.stats - {{- end }} ---- -# Note: tcp stats filter is wasm enabled only in sidecars. -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "destination_cluster": "node.metadata['CLUSTER_ID']", - "source_cluster": "downstream_peer.cluster_id" - } - } - ] - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_inbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stats - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stats_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} - { - "debug": "false", - "stat_prefix": "istio" - } - {{- else }} - {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} - {{- end }} - vm_config: - vm_id: tcp_stats_outbound - {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} - runtime: envoy.wasm.runtime.v8 - allow_precompiled: true - code: - local: - filename: /etc/istio/extensions/stats-filter.compiled.wasm - {{- else }} - runtime: envoy.wasm.runtime.null - code: - local: - inline_string: "envoy.wasm.stats" - {{- end }} ---- -{{- end }} -{{- if .Values.telemetry.v2.stackdriver.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: -{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } -{{- end }} - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: HTTP_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "envoy.filters.http.router" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: - {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_OUTBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - {{- end }} - - applyTo: NETWORK_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_inbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_inbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } - - applyTo: NETWORK_FILTER - match: - context: GATEWAY - proxy: - proxyVersion: '^1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.tcp_proxy" - patch: - operation: INSERT_BEFORE - value: - name: istio.stackdriver - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm - value: - config: - root_id: stackdriver_outbound - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} - {{- else }} - {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} - {{- end }} - vm_config: - vm_id: stackdriver_outbound - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: envoy.wasm.null.stackdriver } ---- -{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- if .Values.meshConfig.rootNamespace }} - namespace: {{ .Values.meshConfig.rootNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} -spec: - configPatches: - - applyTo: HTTP_FILTER - match: - context: SIDECAR_INBOUND - proxy: - proxyVersion: '1\.11.*' - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - subFilter: - name: "istio.stackdriver" - patch: - operation: INSERT_BEFORE - value: - name: istio.access_log - typed_config: - "@type": type.googleapis.com/udpa.type.v1.TypedStruct - type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm - value: - config: - configuration: - "@type": "type.googleapis.com/google.protobuf.StringValue" - value: | - { - "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" - } - vm_config: - runtime: envoy.wasm.runtime.null - code: - local: { inline_string: "envoy.wasm.access_log_policy" } ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 890370e..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,86 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - caBundle: "" # patched at runtime when the webhook is ready. - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - # Webhook handling default validation - - name: validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - caBundle: "" - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - apiVersions: - - "*" - resources: - - "*" - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist ---- -{{- end }} diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml deleted file mode 100644 index a7f42cc..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/values.yaml +++ /dev/null @@ -1,525 +0,0 @@ -#.Values.pilot for discovery and mesh wide config - -## Discovery Settings -pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - env: {} - - cpu: - targetAverageUtilization: 80 - - # if protocol sniffing is enabled for outbound - enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound - enableProtocolSniffingForInbound: true - - nodeSelector: {} - podAnnotations: {} - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specificed - # the default MCP is assumed. - configSource: - subscribedResources: [] - - plugins: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - -sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Enable objectSelector to filter out pods with no need for sidecar before calling istiod. - # It is enabled by default as the minimum supported Kubernetes version is 1.15+ - objectSelector: - enabled: true - autoInject: true - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] -istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" -telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - metadataExchange: - # Indicates whether to enable WebAssembly runtime for metadata exchange filter. - wasmEnabled: false - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # Indicates whether to enable WebAssembly runtime for stats filter. - wasmEnabled: false - # overrides stats EnvoyFilter configuration. - configOverride: - gateway: {} - inboundSidecar: {} - outboundSidecar: {} - # stackdriver filter settings. - stackdriver: - enabled: false - logging: false - monitoring: false - topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. - disableOutbound: false - # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. - - configOverride: {} - # e.g. - # disable_server_access_logging: false - # disable_host_header_fallback: true - # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. - accessLogPolicy: - enabled: false - # To reduce the number of successful logs, default log window duration is - # set to 12 hours. - logWindowDuration: "43200s" -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# Revision tags are aliases to Istio control plane revisions -revisionTags: [] - -# For Helm compatibility. -ownerName: "" - -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior -# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options -meshConfig: - enablePrometheusMerge: true - # Config for the default ProxyConfig. - # Initially using directly the proxy metadata - can also be activated using annotations - # on the pod. This is an unsupported low-level API, pending review and decisions on - # enabling the feature. Enabling the DNS listener is safe - and allows further testing - # and gradual adoption by setting capture only on specific workloads. It also allows - # VMs to use other DNS options, like dnsmasq or unbound. - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - - rootNamespace: - - # The trust domain corresponds to the trust root of a system - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # TODO: the intent is to eventually have this enabled by default when security is used. - # It is not clear if user should normally need to configure - the metadata is typically - # used as an escape and to control testing and rollout, but it is not intended as a long-term - # stable API. - - # What we may configure in mesh config is the ".global" - and use of other suffixes. - # No hurry to do this in 1.6, we're trying to prove the code. - -global: - # Used to locate istiod. - istioNamespace: istio-system - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.11.5 - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 30 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 1 - - # The period between readiness probes. - readinessPeriodSeconds: 2 - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - - # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready - holdApplicationUntilProxyStarts: false - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 10m - memory: 10Mi - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # Configuration for each of the supported tracers - tracer: - # Configuration for envoy to send trace data to LightStep. - # Disabled by default. - # address: the : of the satellite pool - # accessToken: required for sending data to the pool - # - datadog: - # Host:Port for submitting traces to the Datadog agent. - address: "$(HOST_IP):8126" - lightstep: - address: "" # example: lightstep-satellite:443 - accessToken: "" # example: abcdefg1234567 - stackdriver: - # enables trace output to stdout. - debug: false - # The global default max number of message events per span. - maxNumberOfMessageEvents: 200 - # The global default max number of annotation events per span. - maxNumberOfAnnotations: 200 - # The global default max number of attributes per span. - maxNumberOfAttributes: 200 - zipkin: - # Host:Port for reporting trace data in zipkin format. If not specified, will default to - # zipkin service (port 9411) in the same namespace as the other istio components. - address: "" - - # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. - useMCP: false - - # Determines whether this istiod performs resource validation. - configValidation: true - -base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true diff --git a/charts/kubezero-istio/dashboards.yaml b/charts/kubezero-istio/dashboards.yaml index 4c0a715..b04bff9 100644 --- a/charts/kubezero-istio/dashboards.yaml +++ b/charts/kubezero-istio/dashboards.yaml @@ -1,21 +1,22 @@ +# Revision 115 = 1.13.3 configmap: grafana-dashboards gzip: true folder: Istio -condition: 'index .Values "istio-discovery" "telemetry" "enabled"' +condition: '.Values.istiod.telemetry.enabled' dashboards: - name: istio-control-plane - url: https://grafana.com/api/dashboards/7645/revisions/82/download + url: https://grafana.com/api/dashboards/7645/revisions/115/download tags: - Istio - name: istio-mesh - url: https://grafana.com/api/dashboards/7639/revisions/82/download + url: https://grafana.com/api/dashboards/7639/revisions/115/download tags: - Istio - name: istio-service - url: https://grafana.com/api/dashboards/7636/revisions/82/download + url: https://grafana.com/api/dashboards/7636/revisions/115/download tags: - Istio - name: istio-workload - url: https://grafana.com/api/dashboards/7630/revisions/82/download + url: https://grafana.com/api/dashboards/7630/revisions/115/download tags: - Istio diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index 1e63b28..eff48c9 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml @@ -1,4 +1,4 @@ -{{- if index .Values "istio-discovery" "telemetry" "enabled" }} +{{- if .Values.istiod.telemetry.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -11,11 +11,11 @@ metadata: k8s-sidecar-target-directory: Istio binaryData: istio-control-plane.json.gz: - H4sIAAAAAAAC/+1dW1PcOBZ+z69Q+WELtoDq5pZkquaBAMlQS2YoSDJbuZRLbYtuLW7LkWToHpb97Xsk2e17X91gGL8kbclI56ZzPh1dfP8KIcu2qR+EUli/oG/wjNC9/hdqfDwkUGqdXNkXl398PP302+nnK2srrvZwj3iq/oKzIZEDEoqk0iXC4TSQlPnqlaRCjgPdqIslFizkDknqAi/sU//MVfVBSaOm/veIrFS3+oUH+PfHlmGJk58h5aSEqbj/PsfX2MdJ49QtLY6F8CFfcUu4iLg73Nnf2YuI2CrvLsA+CKvYWTAo7SpdnOpoeh9lIqWVwvSLYizr8mCns9NZgjeJex4p9vYpW1zkbaJE7PtMYmVASoumU8ujQk50mpACNb2QevJMtdTdSkpTIilnFd4hvqbpFyR5SFLlA+qWlFKH+cfMY1w1yPs9vNHZQrvdLvxzcLCFupvppmOujxJe0D/QkUe4zJCQaFAMegxz14rqHvT/P15Fws8PqzMBv9Ax8yVnHrrwQBHoJG4DRcJF3Z1uF3SoGyAulRG719gTmjOr7xOpR93rw/0DU6JM8BNjnqRBLFIQvn+jR5RRkFZ7yQhzmOfhQBA33Yeu6XPqXrBEnUbMOZXdwfPufqpgBAWd1PNYPcfyyVrdYSfxFRPqfiS+h0rPeDQSeGxMXPTFiEgU/RNnd+VWjz2KhbYAzUhCQQ/rkizLSqPnxO9LzWYnU07KXp9hr9Y19by0xKqFerCoULvlQj04TFw+6RPfzXaFb/t5NpQRhJwTX5bUDPGorJT6JaViwO6KQ1DCWPJK3r7FXpjItMAMmK+uTbemC++oKzNWmLN0M5RDz7tg1JcfmXYLuiAVmgjozJe4Two6DdRfcezSUKS1YsqLJgBicwkn2r9ce0wmfQjCKRF/wLAGlZMcfSLADimzNCGxc1PoRUgSBMQ9B/YLdRLzPkkBgqynVU5kFGjyRDjcoMoF2cr7uvcOGwbMBzH8+t0KKND+3XrYRL0x2gDBpB2jsmPGh1jqSEGHxDa8ZV8B8RAOSn2PHan9bTdTbYzx/aSd+3sE3aCHh2wrnFwbRHFkTYofol8p1zAAtDBgnltwGUPyHoYhlCqFZ8ovST+KTrk/uBrQa1n8i8j5XCjJlHmeibu9T48AzLUnzY0BwbjMDWFt/nbsv6jv0lvqhjBSCiMhhYHSQGOERzTnR3qhc2NMIc2LGq/RKFDslkS83Nvl43gyXr/9KJA4xiMyxQIT64GmucxqPAamWSJUBeu/w4IULMm4pMLrxicVilPMJAa11Vg6086wzPLHRa1DiOuXuWNdfk5uJ1RnUEo+UD4GDjiswAG78+GAS2KCLfoslOd+gSDgdU6ihzME+roCA7QQoIUAZRAAZpYOEcK+pVxCrLGHZMj42O6NJRH3OAgACWiE4AIUWAIAAOVlFlQGDnangoMvhj70UdNXgRDOsuVKQKrhmV4+LwyAEqAdX9YtjYU4voyImM7ybyuy3GeKSVCTFPaA4MAWY1ETv6Xz78XloKhCQNUcqHBRXrHnMaeB3Gq6Kvg9WY7fOlldkKWjKdy8r9t8qR8KUq9KV/ZdvymdUn8bKKsQw2mNYtDBolY5LMjulSJgOr8fVuTXYRCnIe7x2EPfMX5D/T6QLyOmJ6/8+r/vlkuFwyDojr9bWyhgrioz8tje+ed/9a9tPeGFx6e0lJOYTrQxoX+zQobvHlmGkZQ4G61LigvmC65A6A7mc4jquCGZg1wkbzMGS2UMtG22GYMGZgxezKz6cL5ZdZtYb2fV1Yl1jiVJYpPtBKEdqjQVxD4odYWt1ZUKsgvjlG/d4Y/NteflFwElC8zGjHziKbeSTlYuOdSqeW0CMIsorsYaq8GyZU1nYXi2pPHUJdH50dtMoPuUkO744nOL59oVoEeks4VzC8O57u58eO51i+daPDc9V3Itokicz5CsP8m0LGRZe/5oikyamjRq+BYT0N1NCyvWliayrCcGFWCDdIg9UdZOwoHPfLIoA530los2gfRkiOPNfIhj/6kRR764hRwNgRx9ZvcZZ6FUkn3sJbzfw2GPcMSu0YcJDZUhs8Gz8xLq22ha9yT9yaPp33iK/hh7NLv7FXsK38y3SdPsl74IxQCd+UZX6vhLfZs1M0GndlCQO7JzBQoXCN5BKkmrXKSevaAg1O0vgSXe5BTyZpY+Dqo2ze6+rPxFVlOroQmEBfqLcJZCFRUxvfloI2PvNa9XaWO2R66wjUHfq9EJ0MNxxaMtOB17IXDF59jMsbUqW+QR2Tr13chQVt7ZN5sx7xEZOwdcSnzCa9iiOZsx/oiMXQJ4rAS+p3VyJSq5ikkuAVr51BZxOKm0rnd1kuvXQK46Bq6PsorKvaFNOu91kYvv06cRhfj4ouYRaXWZGD8pWWGKwYK17uqyOla7qev55eRy8PsYBzKEoY8wusXg4OU4geCAphhfCwR/My8Er3cFUe21OB0Gclx+ucFXhWcLNe2y44vaRpaEYIDgNif/IY7MpwM3EeNoA/cESGjOP9jO3nRR996fGbhKE0VcdHxypW6/uKZ9UQ/aT5gni0qLNF5apzOldbKstPii0uKNl9blTGkdLSstb1FpeY2X1vlMaS04gcjNH+44lYB2gR+YU5Xu7Vz7bO5PRQL6ZEiYZ9KxGJc6ampeNV0+PBhAUhO3dan8LKIOnWbhUv5c6epyMBbfNP6NlSNj+ep6pUugvZ45fsmc2Va7YchINtMWdFL+2FA43R7+9dxHv2Z1xuD/0KiMQ04f7cJlu7u43V28/mU9Hb+QsltEJZL4hkA50+t7CCPHRI8wcNXqH5RjpHc3riPr0D2ce+Vvv925XF8KYfcFpRAGEGYZ+PGh/TPEvqQe2ejsHGyhXJDWNqywClAO9uOYYG0b924CtL4HziPrj9TBQQetPmMrZfxtsxl/21l97lXOd9MZf7t6+qeC8cZzvvN2jmTOk6JRJS80wc8tIF0RkLZgtAWjS288z2PGzNG2st1iu3sVO88P2qWqOnFmyQazv+V9gjrEqlmSRx1pU7/HQt+1vWiL0CPeyTUrC6oJQ7P2Li2AvHKss1BmebcHUga2OpJnR+PIlk7QGIn8EdGbiARtKIqRohhFFCOguIa7H2aKCrp5XpIC+uYW1PE6BaVU9rwkpSjebDgGPo400KZj23Rsu8+r4RC4cN1DJQZuL3xod16Vxl1QfZQtUhdjqxh5S53iOcy154fia6+vIgJWh14JZ0/G1Axm3i25Lae4tUZl8QLmrv/ACvP9aItWfMYD3d9Dz5XfMjltCK45OrlCH5lPgUvq91tw04Kb9pjsksdk9yo+v3W4P98x2VP/lo3XdEL2KdbSXSIx9QTCMAOUyHCnll7A2SLq66X2Ibi5xzgxu7dbgf86Lf5r8d/0I3BEGa7tmCOpdhgIyQke2s4ovoMzqlHBBtAH4JDtPg+cp9/b92+zo9c3uxxFnadpq2XimA7taxj6z0U06D0Qq84U1XR81XdAGiKWkkLZKvcLGBW6AAOUNgmYM3isM8fK7V6ajucB3E8JRg2xJyZutFh0NSy65tOUNSHRJ6KyTbLVfSKyEmJ1W4jVQqyqWFkNJCC80VsyBUJsrvsONAUSjjQVc8GoBt+CNoOTNsC2yZ52L9f6DxYI+pe+L0wNR05+ggVKgbDvwoMIYECu5/awwiGCyki9u7YNYWV10Y6wNsC/2AAPqtyYkS7gI3Nn+HPIpVxGoxS9UxSjj2CoKx/Cz57JeLnCOgKrTH+ge+kFvzlsSq5ZTEtJQ3v7mZZztITlzGE4jZfIdPNoytcbU3QLdAXBvEXQqyHod22KqoEpquq10gz2zYyR+lZR9ztVR1wP51tG/ZP0BozdiEaunmaEVsD4quCDgoIGUXfWcBpkv7hIDWHfJf6V8et56iPZv22nBvNNDWbMA1ggo8iTEp+ykPPJlKLQ+9/y2PLkyGYfex4Z26Ah6updEXaABTin1e4e/TJpTqCNq9CZ9kHHoyVuPilSrRZE66MabURrlpsNX9Izl+2E3FCdMNBCpzb52CYf68MSuaSj9aggo7DffjmUsdepHWW0SKJFEnFMFubLfzb1o4vfbGECv0mLrBaaz+JG14MnirRfm/hfN+3PBFbEH4+ekN7iiRZPvAw88SpqVg06NZ4U13sdk86whDMgQ/yFcGECvfnMIDjKsRkXLubmu6HgH/uJ4q0zdSbGmjQtyTDwAIf7/QnJljpRnLKU+7IQm1GKIJ4+81KwSN3BSKvLJdc49HIK0wabri3Tf7wakR6a1He80CVHXlnkLTcDawgd0JLXoxGWhlSp2iS6Jm4JqaS7+pyuOpZdXPeNq7/E3KVrEl12M6V9Msq/Km5o8Jl7V2PfKfs8Y+RzUmRnzEe5gAejY6oZjLR7bfyv5bO77W7srMBXRmVW5s8CCu6KJ38cUW/HISXtUayDVKat20k97KUfusPk90Hqdzf9sNdJ16Rc6m7qd9c1HP+IeVCrEil9zewl3fBhuuF0L7v76Qc3+f3aTdMb05IR319M4xWrx9mdiD5jlIQuPRT1nauceejCwz5BJwD3ewxz07YVajxs7W1vfzz/8vVrNKJvk1HfffXwf2l43t/7owAA + H4sIAAAAAAAC/+1dW1PcOBZ+z69Q+WELtoDq5pZkquaBAMlQS2YoSDJbuZRLbYtuLW7LkWToHpb97Xsk2e17X91gGL8kbclI56ZzPh1dfP8KIcu2qR+EUli/oG/wjNC9/hdqfDwkUGqdXNkXl398PP302+nnK2srrvZwj3iq/oKzIZEDEoqk0iXC4TSQlPnqlaRCjgPdqIslFizkDknqAi/sU//MVfVBSaOm/veIrFS3+oUH+PfHlmGJk58h5aSEqbj/PsfX2MdJ49QtLY6F8CFfcUu4iLg73Nnf2YuI2CrvLsA+CKvYWTAo7SpdnOpoeh9lIqWVwvSLYizr8mCns9NZgjeJex4p9vYpW1zkbaJE7PtMYmVASoumU8ujQk50mpACNb2QevJMtdTdSkpTIilnFd4hvqbpFyR5SFLlA+qWlFKH+cfMY1w1yPs9vNHZQrvdLvxzcLCFupvppmOujxJe0D/QkUe4zJCQaFAMegxz14rqHvT/P15Fws8PqzMBv9Ax8yVnHrrwQBHoJG4DRcJF3Z3uHtinboC4VEbsXmNPaM6svk+kHnWvD/cPTIkywU+MeZIGsUhB+P6NHlFGQVrtJSPMYZ6HA0HcdB+6ps+pe8ESdRox51R2B8+7+6mCERR0Us9j9RzLJ2t1h53EV0yo+5H4Hio949FI4LExcdEXIyJR9E+c3ZVbPfYoFtoCNCMJBT2sS7IsK42eE78vNZudTDkpe32GvVrX1PPSEqsW6sGiQu2WC/XgMHH5pE98N9sVvu3n2VBGEHJOfFlSM8SjslLql5SKAbsrDkEJY8krefsWe2Ei0wIzYL66Nt2aLryjrsxYYc7SzVAOPe+CUV9+ZNot6IJUaCKgM1/iPinoNFB/xbFLQ5HWiikvmgCIzSWcaP9y7TGZ9CEIp0T8AcMaVE5y9IkAO6TM0oTEzk2hFyFJEBD3HNgv1EnM+yQFCLKeVjmRUaDJE+FwgyoXZCvv6947bBgwH8Tw63croED7d+thE/XGaAMEk3aMyo4ZH2KpIwUdEtvwln0FxEM4KPU9dqT2t91MtTHG95N27u8RdIMeHrKtcHJtEMWRNSl+iH6lXMMA0MKAeW7BZQzJexiGUKoUnim/JP0oOuX+4GpAr2XxLyLnc6EkU+Z5Ju72Pj0CMNeeNDcGBOMyN4S1+dux/6K+S2+pG8JIKYyEFAZKA40RHtGcH+mFzo0xhTQvarxGo0CxWxLxcm+Xj+PJeP32o0DiGI/IFAtMrAea5jKr8RiYZolQFaz/DgtSsCTjkgqvG59UKE4xkxjUVmPpTDvDMssfF7UOIa5f5o51+Tm5nVCdQSn5QPkYOOCwAgfszocDLokJtuizUJ77BYKA1zmJHs4Q6OsKDNBCgBYClEEAmFk6RAj7lnIJscYekiHjY7s3lkTc4yAAJKARggtQYAkAAJSXWVAZONidCg6+GPrQR01fBUI4y5YrAamGZ3r5vDAASoB2fFm3NBbi+DIiYjrLv63Icp8pJkFNUtgDggNbjEVN/JbOvxeXg6IKAVVzoMJFecWex5wGcqvpquD3ZDl+62R1QZaOpnDzvm7zpX4oSL0qXdl3/aZ0Sv1toKxCDKc1ikEHi1rlsCC7V4qA6fx+WJFfh0GchrjHYw99x/gN9ftAvoyYnrzy6/++Wy4VDoOgO/5ubaGAuarMyGN755//1b+29YQXHp/SUk5iOtHGhP7NChm+e2QZRlLibLQuKS6YL7gCoTuYzyGq44ZkDnKRvM0YLJUx0LbZZgwamDF4MbPqw/lm1W1ivZ1VVyfWOZYkiU22E4R2qNJUEPug1BW2VlcqyC6MU751hz82156XXwSULDAbM/KJp9xKOlm55FCr5rUJwCyiuBprrAbLljWdheHZksZTl0TnR28zge5TQrrji88tnmtXgB6RzhbOLQznurvz4bnXLZ5r8dz0XMm1iCJxPkOy/iTTspBl7fmjKTJpatKo4VtMQHc3LaxYW5rIsp4YVIAN0iH2RFk7CQc+88miDHTSWy7aBNKTIY438yGO/adGHPniFnI0BHL0md1nnIVSSfaxl/B+D4c9whG7Rh8mNFSGzAbPzkuob6Np3ZP0J4+mf+Mp+mPs0ezuV+wpfDPfJk2zX/oiFAN05htdqeMv9W3WzASd2kFB7sjOFShcIHgHqSStcpF69oKCULe/BJZ4k1PIm1n6OKjaNLv7svIXWU2thiYQFugvwlkKVVTE9OajjYy917xepY3ZHrnCNgZ9r0YnQA/HFY+24HTshcAVn2Mzx9aqbJFHZOvUdyNDWXln32zGvEdk7BxwKfEJr2GL5mzG+CMydgngsRL4ntbJlajkKia5BGjlU1vE4aTSut7VSa5fA7nqGLg+yioq94Y26bzXRS6+T59GFOLji5pHpNVlYvykZIUpBgvWuqvL6ljtpq7nl5PLwe9jHMgQhj7C6BaDg5fjBIIDmmJ8LRD8zbwQvN4VRLXX4nQYyHH55QZfFZ4t1LTLji9qG1kSggGC25z8hzgynw7cRIyjDdwTIKE5/2A7e9NF3Xt/ZuAqTRRx0fHJlbr94pr2RT1oP2GeLCot0nhpnc6U1smy0uKLSos3XlqXM6V1tKy0vEWl5TVeWuczpbXgBCI3f7jjVALaBX5gTlW6t3Pts7k/FQnokyFhnknHYlzqqKl51XT58GAASU3c1qXys4g6dJqFS/lzpavLwVh80/g3Vo6M5avrlS6B9nrm+CVzZlvthiEj2Uxb0En5Y0PhdHv413Mf/ZrVGYP/Q6MyDjl9tAuX7e7idnfx+pf1dPxCym4RlUjiGwLlTK/vIYwcEz3CwFWrf1COkd7duI6sQ/dw7pW//Xbncn0phN0XlEIYQJhl4MeH9s8Q+5J6ZKOzc7CFckFa27DCKkA52I9jgrVt3LsJ0PoeOI+sP1IHBx20+oytlPG3zWb8bWf1uVc5301n/O3q6Z8KxhvP+c7bOZI5T4pGlbzQBD+3gHRFQNqC0RaMLr3xPI8ZM0fbynaL7e5V7Dw/aJeq6sSZJRvM/pb3CeoQq2ZJHnWkTf0eC33X9qItQo94J9esLKgmDM3au7QA8sqxzkKZ5d0eSBnY6kieHY0jWzpBYyTyR0RvIhK0oShGimIUUYyA4hrufpgpKujmeUkK6JtbUMfrFJRS2fOSlKJ4s+EY+DjSQJuObdOx7T6vhkPgwnUPlRi4vfCh3XlVGndB9VG2SF2MrWLkLXWK5zDXnh+Kr72+ighYHXolnD0ZUzOYebfktpzi1hqVxQuYu/4DK8z3oy1a8RkPdH8PPVd+y+S0Ibjm6OQKfWQ+BS6p32/BTQtu2mOySx6T3av4/Nbh/nzHZE/9WzZe0wnZp1hLd4nE1BMIwwxQIsOdWnoBZ4uor5fah+DmHuPE7N5uBf7rtPivxX/Tj8ARZbi2Y46k2mEgJCd4aDuj+A7OqEYFG0AfgEO2+zxwnn5v37/Njl7f7HIUdZ6mrZaJYzq0r2HoPxfRoPdArDpTVNPxVd8BaYhYSgplq9wvYFToAgxQ2iRgzuCxzhwrt3tpOp4HcD8lGDXEnpi40WLR1bDomk9T1oREn4jKNslW94nISojVbSFWC7GqYmU1kIDwRm/JFAixue470BRIONJUzAWjGnwL2gxO2gDbJnvavVzrP1gg6F/6vjA1HDn5CRYoBcK+Cw8igAG5ntvDCocIKiP17to2hJXVRTvC2gD/YgM8qHJjRrqAj8yd4c8hl3IZjVL0TlGMPoKhrnwIP3sm4+UK6wisMv2B7qUX/OawKblmMS0lDe3tZ1rO0RKWM4fhNF4i082jKV9vTNEt0BUE8xZBr4ag37UpqgamqKrXSjPYNzNG6ltF3e9UHXE9nG8Z9U/SGzB2Ixq5epoRWgHjq4IPCgoaRN1Zw2mQ/eIiNYR9l/hXxq/nqY9k/7adGsw3NZgxD2CBjCJPSnzKQs4nU4pC73/LY8uTI5t97HlkbIOGqKt3RdgBFuCcVrt79MukOYE2rkJn2gcdj5a4+aRItVoQrY9qtBGtWW42fEnPXLYTckN1wkALndrkY5t8rA9L5JKO1qOCjMJ+++VQxl6ndpTRIokWScQxWZgv/9nUjy5+s4UJ/CYtslpoPosbXQ+eKNJ+beJ/3bQ/E1gRfzx6QnqLJ1o88TLwxKuoWTXo1HhSXO91TDrDEs6ADPEXwoUJ9OYzg+Aox2ZcuJib74aCf+wnirfO1JkYa9K0JMPAAxzu9yckW+pEccpS7stCbEYpgnj6zEvBInUHI60ul1zj0MspTBtsurZM//FqRHpoUt/xQpcceWWRt9wMrCF0QEtej0ZYGlKlapPomrglpJLu6nO66lh2cd03rv4Sc5euSXTZzZT2ySj/qrihwWfuXY19p+zzjJHPSZGdMR/lAh6MjqlmMNLutfG/ls/utruxswJfGZVZmT8LKLgrnvxxRL0dh5S0R7EOUpm2bif1sJd+6A6T3wep3930w14nXZNyqbup313XcPwj5kGtSqT0NbOXdMOH6YbTvezupx/c5PdrN01vTEtGfH8xjVesHmd3IvqMURK69FDUd65y5qELD/sEnQDc7zHMTdtWqPGwtbe9/fH8y9ev0Yi+TUZ999XD/wEwC4Jp+6MAAA== istio-mesh.json.gz: - H4sIAAAAAAAC/+1de1PbuBb/v59C1/sYugMhTggl7GtK6bbdKV2msL1zb+lkFFtJtPi1khxgGe5nv0eyHcux8iDQlqbqTEOiI+txnj89LF0/Qsjp9WiUpII7++g9/EboWn0CJcIhgVTn8KR3/PaPo+enL5//eeJsFuQA90kg6ccsDokYkZSXRJ9wj9FE0DiSWUqCuEpUoT4WmMcp80hJS4J0SKNXvqQnhkIz+pu8WVq1KsMNfH7YzLrEyN8pZcTQqaL+IcMDHOGycOobkwsmvJgmjAnjee92GzuNdt6ITXN1CY6AWfXKkpGxKj1Zq2h+HSaW0pnMjOpsNFXZaTQbzRX6JnA/IPXaTqvJ9b5NhIijKBZYKpCUYlapE1AuJjItmwKUfkoD8UqW5G6WqRpLzF2FPCRSbdpHgqVESx9R35BKvTh6FgcxkwWyYR9vNDdRy3Xho9PZRO5jveii10/LvqDv0dOAMFFpQilBPurHmPlOTrtRfz88ypk/bVavOHxDR4SP0GHxKMp5ityG64Lo1HPEpyLv5QAHXHXIGUZEKGN7stvuZilS807jOBA0gfSmSlTyjNIgUL8CGp0rs8qkpGRvMDPgkiCRlJXzk0/Hv5xFCMkviIurgPx85iQxp7Ib+wj3eRykgvyI+rEQcQj1njnqAXgEoxEjA8g/EiLh+9vbVHa5QeMzBwnMhkQArdcPcHQOKUXhA6h9i9N/yD5qN5PLH5Egl2LLJ17McFZpFEdQoScFuY9oNCKMCqj1JxoOEWeeocLtAAvCxTbkyNK2+kFKgngYb0VxH3vnQxankb+VRgMGYvcbfDzUmjQidDgS+6gD7YGKkBLdT9s448z27Xn0I2JZifBN66/bUeVn7Mv0g3KEIwMrh1SM0n7Di8OsQ9mnibG/xAmJUAIcGMQslK1GYoQFAr8yBiuB8lEaUUlDF/gKiXiO4Lb92OPboB8eSQTf5sRLgfdX28Z6FZXICjcXKcRUuQL89YB6WyE47SEJQRfNNcADEfGEqgLY5KNb1hP3OWFj3KfBzE6EcURFzBTbQuqxWD5BPcIbeV19lsvrDSE+GpEg+XVeA6D4LRqN42BMfHONv8c0AgmRXAFAwiHIR1zJJjR0hcv+lv54yKh/HJcON3OE8LOteasL+N3a0RIuC1+R/76SvwsPNik7swAVU8AGpuKF2y5xRcXDqKQwVq4YWBFqgUaZSbWpE0OQud29RDi1Zggq1FM6JmE44glmmcPSHf7EM0sHYo6CHvZG5JSGJE6F5ihzLwj+5WDiG3TvW9LfYfAjZhLXYh3Kw01rB8JMZyf732x0KwEny9F+AoGo1d1EO02ZZc+QpwMU90kLsnRUKU8eF5wqub4weDrS4rESaZxoyUOcDqcEE+LLop9uU9eVkEYFQU/mo/himidSHGATQAr81xJ88nk5jjA7J4qDUqA1NVha03cXKHq7VrRS6Faz/A2hEFxEMK0dBkWPkyrgKVXhKDeBsWKW1gYVswsq6DDWiX+l4AAGVxNyKmKdHDMKOo8LODGC3/+ABeGgoi/ETz3yh6FlSvsDr6ql+diAizexeAPddTTKh0392QElgc8rppiBQtnFiWwnlBtdymCOlU7VhBDiJKHR8DSzX9eUXm13pVsFcFNNkfFM2X+9lbJoUwONhYGXGS4orFUWVjNHMKFDsMhj8O1qtKbZkSP1ShEKpuRhjfhOJc+prHlKDQFliAG9rLrEPPE30IaT3J12mt9pdIhNtWdU2sxHVPePcDKH7QPwMfI52b4qg0TWcOfN9tMpQjx5YA7vpHc/B3ubDhc0CKpgvg1A3nX34GOvKx2ju1fxnQNZT21MIAvWi8lKaUkX221Xns/dmtEjKYAOxaTh9JBZxfc5bCOXSVa1DDIbPA03KOBcsqEQgxoLA3DlPQFjkOCakSRm4JAAL2TO/cy5ee+GHx4/lv1tNisjGM17/YY9oXroVsgg82zAPiUXLogcQuzMEcrEVfOp/hYR+kUAwDpAb7MOoHeSN6Q+lcDBngPIgIU2sJQGpavinq6KijpfFWPZeufnJbWwsN+FiqgyFjMYeDy0mGI2pkgIZIuERK53xhZ7Hwtc6DHqHtDF7pLowrXowqILiy4suvh06ELiilvBik0E3jIBsyY9DxTnX/87czqNHyZwA22jWxeZP1oVUhkxBITMHifgd/jnATFdiHzdrvzf6MwGNCep5xHO0VvoOtqI4mirc3k5YRZ/bCGOnTZZt2kTt7UksmlZZGORjUU2Ftl8WmRD7wJtfgZos6NBmweLTwyYZOfyklvAYQHH2gGOvSUBR9sCDgs4LOCwgOMLAxydLxRwdCzguG/A8U2r2/V2dm+LML7xd3ZwG98NUciddF/p1o9dM6JwXQspLKSwkGI9IcW013komAJUZCOhQSx653u85w2GPTIGA+fXMsICknhHmUhxcJLtPZWIQtGBgn0fgMRjtIU2Vi/EJwERRJUTMyTLSRP0A2p+VGyyEgwJyW+ZqlUsQaafjOhA1Ak5bsn7jvLOrxOG8VKmNr9aHPNV4JjdZXHMjsUxFsdYHGNxzAPCMYcQYGmk7P1tGqwKZOaUsv5IRus8kr23UMZCmXXZVjITy3QslrFYxmIZi2UeEJZ5gQW5wFcrYhjD0+uPXfJOW8hiIcu6bEyZCVl2LWSxkMVCFgtZHhBk+XcMXIix/zwSbFXgMrOM9YcvRdeR7Du1My8Wxqz9ZpgnFsVYFGNRjEUxDwjF5Hs47gJiZhWx/hgm77mFMBbCfBX7YLr2KDeLYCyCsQjmISGYY0LY0xS8eCSop8x+RRwzv6D1RzP1/qPjOKCeRTYW2az9tpiuPUfOQhsLbSy0eUjQJj/v9V7QzcKy1h/gGFlgMY7FOF/JPpquPVHOYhyLcSzGeUgYR0ZjaePK4lUsXnUdakFJ649vKgz4+nCN0tKp4LUMYij7DO7ruyWugGq5t70Dqlu/A4r6CoT9MSaMZffrVfGUithP5l4GleAhyZteUQhGEoKFOfWQMvDBeXAda1dIeSyuHRSlXMNLgn3CapSYiRokgISOfucg4d4sx6KurJqjTjigmOv7xKr6o+MPvZezoKiGPeecRrgsQi3zzT6VsI4tQBfBwgrn8h/4t3V0tHV4iF6+3A/DfT7lZHzi0RArRNmqEKQm1B1+TjhVfvlAXn82O8/kXsNyF1554WIt+59MXW66Pcmy7ffzi/8u8se3JrRfx5htSXQB4c0jP3973et5JAh67X2GL26+l9TioZLYUsRqzQkW4GSVmvrlW5q9C6M6QJiXV8mV7K13nOOIisxY6sSKL35fFVvhNcFifRJV61U3cuwrO2HCWYi6JkptldkgZukOnc8qlnyCgFvxGMSjxsTom6e3F1GUhn2IIEYRyWNYlxfQcaeJXkPXIu/Kymi2jA7uV0a3klDXSmgJCT37nBLqWgktltDh55OQfivKbBE5Ejo5X7eQns8TUrXVjW5nuiPIbTSbs5u9jFj1m9mWF7Ad08wY01RPKa4PV77NBgz3O1qZNR75fu5Q5lajlR4Udc/+5JbQNt+qbDXuk2pcfr/5lMLlqaVGuctrFDfJcRll4oLRaGiHrx8tJBntfuI+Pu7Atj65vOz0fCBXLXt/xTTauOu1dkBpNZvlrXb9K7RhYsomms+qKj1X+Meb6Gyma5VNOXMa2R9TptmUstozZ/ZCgFwFqRJHhjnbfG2ACxwJk2tZsGwQkCGJ/FIrr6+NjLq5acyglH1BN1PexLgksbm0amyMQCfiIcNh7+8UekcDstFsSIMzK03PT1nWtpAGAeXEiyOf9/qpd07EnOsMlc4ExKwhi/RGXaToNptNtcCzcos/VWOtQt+LQh/co0J3vziF7lqFfngKje6m0c/uU6O7X5xGd61Gr5tGH66m0fd+z/KqiPQuNzSvXuk6qV991PggFPP53DHUzI04+X6bl6enx9sv3h4/Q8WEnr7ZhuGIS37WuTkZ4mXJn3k3S2X36FK7WdrNFbezuM3u6vtZ7M4Vu3PlY08F240rC3T64EoQjk7kJjyr1avtkai2+m7LTwe32j2RCe8t8QgdE+uWPt0GituJyQrmQW4Os+H8IS3afoJIvdqirV1nW+N1NrvKblfZ723LxsdYtBVe0mM5wOv1Jd77eBNUdp120dTUva7BGiTNYRxmpfxApXxwp7nF02fHH2FWUQWqZ0XIuS4ntfqY1V5dd6Q/fU2ioVDThM1KOjFlXzg7SdVEnbt4UrJ72znJnb1Zpy6XtWUirVYGHBlGT/mp4ln9LVp5p309tXgPsU4J8aUplUaGVEaHI3Fi1Fz9nVz9FXNp5IbcxrfTb/SpVsKnp0Fl4gX1M9nOm5WtvcddeRO62AGLh/U530Q+xbBPU67Pr2bpdf0BlvqEqQlbZxDE2sup2Tu4xdzyVPuUuzCpKVi+V5tKhFSSJMR/nb14XaUtHYClL87ccD+lgZ95Vy8OkzgCXmwiYMe9v1VscEiTGsELgVZfy3qXCzvz30Z+/2Gpt5HfkmF+/sLUA/NfU34lGYeeFW3nknnvCONyar/MPQGH17pVYEb8ul3kU/rNaZPoFS6RRj4dUz/FQf1UhiKPOrSibMAlvqRTjilbbuY1GO+EuWWI6iRFccrCVG6zbU9s+P2HWhOv8OW8FYdStzKIWVUbiSBMI48gHh5gTmp6lrmwWvbMh9WS64cHzAY1D6CdU8d31Mzgqi51FSFMoUGmvybjSasf6YXKT1WstD9pWrLb7WZm8g73RiTEhdIXa3DZ0pIai2B2nuUEiy4ln5mOMylakDAJAI9Ew0mTwYNzoanKtSlqVaTCSZCdymHASMX7+z4Z4DSYcUDIhGo8FiWHZrpt0sgLUp88NZ9bYdQDJ4QKqCF7cZCJBj70w2QmJ8To4zXn75SwK/X6Rh2kFOTiCCCneu5MIUu3kjokl9NZ+TlNYMx6chV5pjOBcqejNbuiPtIH3GQypmF5Qkh5Gkl8seUW3qo4cAQ0vPJYQsFfsfLhvPW9ItDoLsXpaDjNbWo/2voPNyy/d7Tvrv6j3dQpmk9tad9dP+vxh6IPMixq8lpYi17wrl6wXktrR/+hnTzzxNfbW7Slwr5/YgURnD6LL3g+qJ+OYkfAT3RYmbVwUgU8nRd7F6/Z76/+mxvyeGLsnUc3/wfxZH2NcLQAAA== + H4sIAAAAAAAC/+1de1PbuBb/v59C1/sYugMhTggl7GtK6bbdKV2msL1zb+lkFFtJtPi1khxgGe5nv0eyHcux8iDQlqbqTEOiI+txnj89LF0/Qsjp9WiUpII7++g9/EboWn0CJcIhgVTn8KR3/PaPo+enL5//eeJsFuQA90kg6ccsDokYkZSXRJ9wj9FE0DiSWUqCuEpUoT4WmMcp80hJS4J0SKNXvqQnhkIz+pu8WVq1KsMNfH7YzLrEyN8pZcTQqaL+IcMDHOGycOobkwsmvJgmjAnjee92GzuNdt6ITXN1CY6AWfXKkpGxKj1Zq2h+HSaW0pnMjOpsNFXZaTQbzRX6JnA/IPXaTqvJ9b5NhIijKBZYKpCUYlapE1AuJjItmwKUfkoD8UqW5G6WqRpLzF2FPCRSbdpHgqVESx9R35BKvTh6FgcxkwWyYR9vNDdRy3Xho9PZRO5jveii10/LvqDv0dOAMFFpQilBPurHmPlOTrtRfz88ypk/bVavOHxDR4SP0GHxKMp5ityG2wa1VM8Rn4q8lwMccNUhZxgRoYztyW67m6VIzTuN40DQBNKbKlHJM0qDQP0KaHSuzCqTkpK9wcyAS4JEUlbOTz4d/3IWISS/IC6uAvLzmZPEnMpu7CPc53GQCvIj6sdCxCHUe+aoB+ARjEaMDCD/SIiE729vU9nlBo3PHCQwGxIBtF4/wNE5pBSFD6D2LU7/Ifuo3Uwuf0SCXIotn3gxw1mlURxBhZ4U5D6i0YgwKqDWn2g4RJx5hgq3AywIF9uQI0vb6gcpCeJhvBXFfeydD1mcRv5WGg0YiN1v8PFQa9KI0OFI7KMOtAcqQkp0P23jjDPbt+fRj4hlJcI3rb9uR5WfsS/TD8oRjgysHFIxSvsNLw6zDmWfJsb+EickQglwYBCzULYaiREWCPzKGKwEykdpRCUNXeArJOI5gtv2Y49vg354JBF8mxMvBd5fbRvrVVQiK9xcpBBT5Qrw1wPqbYXgtIckBF001wAPRMQTqgpgk49uWU/c54SNcZ8GMzsRxhEVMVNsC6nHYvkE9Qhv5HX1WS6vN4T4aESC5Nd5DYDit2g0joMx8c01/h7TCCREcgUACYcgH3Elm9DQFS77W/rjIaP+cVw63MwRws+25q0u4HdrR0u4LHxF/vtK/i482KTszAJUTAEbmIoXbrvEFRUPo5LCWLliYEWoBRplJtWmTgxB5nb3EuHUmiGoUE/pmIThiCeYZQ5Ld/gTzywdiDkKetgbkVMakjgVmqPMvSD4l4OJb9C9b0l/h8GPmElci3UoDzetHQgznZ3sf7PRrQScLEf7CQSiVncT7TRllj1Dng5Q3CctyNJRpTx5XHCq5PrC4OlIi8dKpHGiJQ9xOpwSTIgvi366TV1XQhoVBD2Zj+KLaZ5IcYBNACnwX0vwyeflOMLsnCgOSoHW1GBpTd9doOjtWtFKoVvN8jeEQnARwbR2GBQ9TqqAp1SFo9wExopZWhtUzC6ooMNYJ/6VggMYXE3IqYh1cswo6Dwu4MQIfv8DFoSDir4QP/XIH4aWKe0PvKqW5mMDLt7E4g1019EoHzb1ZweUBD6vmGIGCmUXJ7KdUG50KYM5VjpVE0KIk4RGw9PMfl1TerXdlW4VwE01RcYzZf/1VsqiTQ00FgZeZrigsFZZWM0cwYQOwSKPwber0ZpmR47UK0UomJKHNeI7lTynsuYpNQSUIQb0suoS88TfQBtOcnfaaX6n0SE21Z5RaTMfUd0/wskctg/Ax8jnZPuqDBJZw50320+nCPHkgTm8k979HOxtOlzQIKiC+TYAedfdg4+9rnSM7l7Fdw5kPbUxgSxYLyYrpSVdbLddeT53a0aPpAA6FJOG00NmFd/nsI1cJlnVMshs8DTcoIBzyYZCDGosDMCV9wSMQYJrRpKYgUMCvJA59zPn5r0bfnj8WPa32ayMYDTv9Rv2hOqhWyGDzLMB+5RcuCByCLEzRygTV82n+ltE6BcBAOsAvc06gN5J3pD6VAIHew4gAxbawFIalK6Ke7oqKup8VYxl652fl9TCwn4XKqLKWMxg4PHQYorZmCIhkC0SErneGVvsfSxwoceoe0AXu0uiC9eiC4suLLqw6OLToQuJK24FKzYReMsEzJr0PFCcf/3vzOk0fpjADbSNbl1k/mhVSGXEEBAye5yA3+GfB8R0IfJ1u/J/ozMb0Jyknkc4R2+h62gjiqOtzuXlhFn8sYU4dtpk3aZN3NaSyKZlkY1FNhbZWGTzaZENvQu0+RmgzY4GbR4sPjFgkp3LS24BhwUcawc49pYEHG0LOCzgsIDDAo4vDHB0vlDA0bGA474Bxzetbtfb2b0twvjG39nBbXw3RCF30n2lWz92zYjCdS2ksJDCQor1hBTTXuehYApQkY2EBrHone/xnjcY9sgYDJxfywgLSOIdZSLFwUm291QiCkUHCvZ9ABKP0RbaWL0QnwREEFVOzJAsJ03QD6j5UbHJSjAkJL9lqlaxBJl+MqIDUSfkuCXvO8o7v04YxkuZ2vxqccxXgWN2l8UxOxbHWBxjcYzFMQ8IxxxCgKWRsve3abAqkJlTyvojGa3zSPbeQhkLZdZlW8lMLNOxWMZiGYtlLJZ5QFjmBRbkAl+tiGEMT68/dsk7bSGLhSzrsjFlJmTZtZDFQhYLWSxkeUCQ5d8xcCHG/vNIsFWBy8wy1h++FF1Hsu/UzrxYGLP2m2GeWBRjUYxFMRbFPCAUk+/huAuImVXE+mOYvOcWwlgI81Xsg+nao9wsgrEIxiKYh4RgjglhT1Pw4pGgnjL7FXHM/ILWH83U+4+O44B6FtlYZLP222K69hw5C20stLHQ5iFBm/y813tBNwvLWn+AY2SBxTgW43wl+2i69kQ5i3EsxrEY5yFhHBmNpY0ri1exeNV1qAUlrT++qTDg68M1SkungtcyiKHsM7iv75a4Aqrl3vYOqG79DijqKxD2x5gwlt2vV8VTKmI/mXsZVIKHJG96RSEYSQgW5tRDysAH58F1rF0h5bG4dlCUcg0vCfYJq1FiJmqQABI6+p2DhHuzHIu6smqOOuGAYq7vE6vqj44/9F7OgqIa9pxzGuGyCLXMN/tUwjq2AF0ECyucy3/g39bR0dbhIXr5cj8M9/mUk/GJR0OsEGWrQpCaUHf4OeFU+eUDef3Z7DyTew3LXXjlhYu17H8ydbnp9iTLtt/PL/67yB/fmtB+HWO2JdEFhDeP/Pztda/nkSDotfcZvrj5XlKLh0piSxGrNSdYgJNVauqXb2n2LozqAGFeXiVXsrfecY4jKjJjqRMrvvh9VWyF1wSL9UlUrVfdyLGv7IQJZyHqmii1VWaDmKU7dD6rWPIJAm7FYxCPGhOjb57eXkRRGvYhghhFJI9hXV5Ax50meg1di7wrK6PZMjq4XxndSkJdK6ElJPTsc0qoayW0WEKHn09C+q0os0XkSOjkfN1Cej5PSNVWN7qd6Y4gt9Fszm72MmLVb2ZbXsB2TDNjTFM9pbg+XPk2GzDc72hl1njk+7lDmVuNVnpQ1D37k1tC23yrstW4T6px+f3mUwqXp5Ya5S6vUdwkx2WUiQtGo6Edvn60kGS0+4n7+LgD2/rk8rLT84Fctez9FdNo467X2gGl1WyWt9r1r9CGiSmbaD6rqvRc4R9vorOZrlU25cxpZH9MmWZTymrPnNkLAXIVpEocGeZs87UBLnAkTK5lwbJBQIYk8kutvL42MurmpjGDUvYF3Ux5E+OSxObSqrExAp2IhwyHvb9T6B0NyEazIQ3OrDQ9P2VZ20IaBJQTL4583uun3jkRc64zVDoTELOGLNIbdZGi22w21QLPyi3+VI21Cn0vCn1wjwrd/eIUumsV+uEpNLqbRj+7T43ufnEa3bUavW4afbiaRt/7PcurItK73NC8eqXrpH71UeODUMznc8dQMzfi5PttXp6eHm+/eHv8DBUTevpmG4YjLvlZ5+ZkiJclf+bdLJXdo0vtZmk3V9zO4ja7q+9nsTtX7M6Vjz0VbDeuLNDpgytBODqRm/CsVq+2R6La6rstPx3cavdEJry3xCN0TKxb+nQbKG4nJiuYB7k5zIbzh7Ro+wki9WqLtnadbY3X2ewqu11lv7ctGx9j0VZ4SY/lAK/Xl3jv401Q2XXaRVNT97oGa5A0h3GYlfIDlfLBneYWT58df4RZRRWonhUh57qc1OpjVnt13ZH+9DWJhkJNEzYr6cSUfeHsJFUTde7iScnubeckd/Zmnbpc1paJtFoZcGQYPeWnimf1t2jlnfb11OI9xDolxJemVBoZUhkdjsSJUXP1d3L1V8ylkRtyG99Ov9GnWgmfngaViRfUz2Q7b1a29h535U3oYgcsHtbnfBP5FMM+Tbk+v5ql1/UHWOoTpiZsnUEQay+nZu/gFnPLU+1T7sKkpmD5Xm0qEVJJkhD/dfbidZW2dACWvjhzw/2UBn7mXb04TOIIeLGJgB33/laxwSFNagQvBFp9LetdLuzMfxv5/Yel3kZ+S4b5+QtTD8x/TfmVZBx6VrSdS+a9I4zLqf0y9wQcXutWgRnx63aRT+k3p02iV7hEGvl0TP0UB/VTGYo86tCKsgGX+JJOOaZsuZnXYLwT5pYhqpMUxSkLU7nNtj2x4fcfak28wpfzVhxK3cogZlVtJIIwjTyCeHiAOanpWebCatkzH1ZLrh8eMBvUPIB2Th3fUTODq7rUVYQwhQaZ/pqMJ61+pBcqP1Wx0v6kaclut5uZyTvcG5EQF0pfrMFlS0tqLILZeZYTLLqUfGY6zqRoQcIkADwSDSdNBg/OhaYq16aoVZEKJ0F2KocBIxXv7/tkgNNgxgEhE6rxWJQcmum2SSMvSH3y1HxuhVEPnBAqoIbsxUEmGvjQD5OZnBCjj9ecv1PCrtTrG3WQUpCLI4Cc6rkzhSzdSuqQXE5n5ec0gTHryVXkmc4Eyp2O1uyK+kgfcJPJmIblCSHlaSTxxZZbeKviwBHQ8MpjCQV/xcqH89b3ikCjuxSno+E0t6n9aOs/3LD83tG+u/qPdlOnaD61pX13/azHH4o+yLCoyWthLXrBu3rBei2tHf2HdvLME19vb9GWCvv+iRVEcPosvuD5oH46ih0BP9FhZdbCSRXwdF7sXbxmv7/6b27I44mxdx7d/B88fadhcLQAAA== istio-service.json.gz: - H4sIAAAAAAAC/+1da1PbSBb9zq9oa2a3IEWIZTBYU5lUgSGz2WESFjOZqhmyLiE1thZZcvQgEIr57dvdekstI78k2b4fQkAtS63ue2+fc8+1+mkLIaHf14yx69jCT+gv8jdCT+wnaTHkESZHhdNe/+Ly029nV/86+70n7AbNunyDddp+YZkj7Ayxa0eNKrYVSxs7mmnQU6IG53HMLqrKjmybrqXgqG2suwPN+KDS9jHnol77R79bsduyE57Jzy+73iNZ+KurWZjzUMH9B5Z8KxtydHFN5R4OBuGXdMM9tmz/6Q73Dvb2/U7s8m83lg0yWNmbjYfcW8UPx240+R68IdVyB9PIDiPvlu295l5zhmdz5BsdZ+92lTycfbZwEmXDMB2ZGhCdRe+mgq7ZTjinUVdIy42r6c4HeiVxNzoaGxL+o5JzsMH69BNyLBfHjg81lXNUU0yja+qmRS9oDW7k7eYuaoki+dFu7yJxJ37p4KmPo2dB/0THOracRBeiGbSHN6ZsqYLf9sz+/7LlD37arT7Y5DfUw9a9pmB0Gnwa+cOKxD1RJLPHPopVzfEf9FbWbfZMwsDADvO3o8P9Q+8INb4r09QdbUyON9lBzcGW7N9UbEvttiS2JPFIOmKtumbcMU/zJo6ZA8fzFFPX5bGN1dSgkltq6oUZzbI3+qmZ/Eb+bh3EDjwEvfP/fqR/B8OWNEaxeRjFkGTvklbEemk42KBGJrxVtXuk6LJt/3wdTc3rIZZVbCEHPzivFXIqtq6Fd9fGW5tc+l3v7PLzh+7ZT+hH25uVt2/YcdL+hlzuXWzWyc1uNayrXdO41QaJp/dD6K3s6o6daaG9dG3HHNGW50TT827yGiaxBDK6XiD8spVzIncGwlnYT10zPRO82QhnRMy9J5uZjpQ4lrSk8PDIZJ4oDJ2RnhxAc5wMEJVMY7qHuY/srV+fo5h3tBe4ZxQKNIf5qJA6bMkG6YHlPVMyJsUCCH2a6P6xuydtXFaG+EobYdOlVzNcXd9N+gCJbyeycjewTNdQ4xEjec5nWXdxfnPSzdhxFjFbByRStg+8f809aSc9nN5Z+0cknrakXXTQpKd1cs5rk1bxqEVOa7OrHe3EZyBpSQXWgxq55a1pjWRmw+Y41cWB7A5wtnMj+SGYE7GZ9scRsT2/Md1kD81vvHmkpjUkOGpo6uo5xXv2S2f9Jlt3mM08NdLZIs4BJ+IcFgw4B5MDjthKHqN+fy/rPC/ICUYTQg4x+d/8QHDPBjrVP7a2BmcQX5bTJ/yP2I92+xie4jpm+hTT0kgMCBZjYUj+/k5inaxnfAOrroI/5fSWRQFdyXqoD+1t56PpfCRDIqRav+ymr8O8xc6ELA/f0WEIbWaiT9DQlXjw3IkcyeOxZgyuvJgn5rVlny0zBAE+Y91EjslWg5ynSC1mmQfIvTiJ3IMCF28lL54bwoiLn5IodmES27Wzfi5QO2aNwWCSpdDAikNwV+a8K9ojjumPTdu51R6yy5Df8J5YXE/7zi7fbv4jdY6F+Z9lxyd+lA3VbwQkvjx1txYLtOwxsoPqeA8mfHxzzGk0ww8WHHO68t6ReMCJuLearif5wD7hAqLYIT8IuiELktjJrFu39N7ZZdwLOjh+Oe9qLbrESfuZ6/hhe2KkZaCfXNIdGRxYIVsD7BQYbvww9rpEAcG27Y62NcII8LZGGQij29h27L5DaI7+ZOGxaZHA+vPf18KPX8lf18IuWewczWBxq+9jKtbs/34tPP/VHn3Z2aEj1myKO9lpi1ZDh0AXehEN29nTgpD+XlYcNoxi5hRiiF6SgWMctoPHqWVkkmWE657NGdwAynV1GrPRpTdK6DOdDCxwAZxNgpdOTpKTkcKLEnHf6aR9h51RzHdM+oTCz1O6TRCopvIc9qEgY6O4FgOwtQeoHEg5D0LN4t05AaqKFW0kMzCWGZv6gdcxtijBcg3NWSiI7ZSBYtPAZQkw9nAGGHsAMBZgLMBYgLEAY2eBscsAsLtk7RiTIIX7CjHZBmlr770KcS16g5aImktCyzOBYomAH0mi//bakwFyz1UUbNvokowR2jZM43X74QEFw2rvbCBklu8HL8NlWddkuxsA2qek49zIFhfusFT4OTYGDpNampk2nPexlUqhaixEiZmDv1iyqnnZ9ObiIV0yzfgiphtqqoqNnuejvEH3xJKjJLDDA8y4T6qfxBoGxrF9lRb74qfcD3JaAorGb6WS6Nlo7DxOaP8TW2ZOM1nz81o0I6fF0gZD4sEcKTa9dKSBGA2qORfNxXPPaeiMbZ7cQhu+aaozzJhWDtrOoJnMeh+wJHnA56tFtKMxvQO1a5d2oZ1t4xsXmXAVW5gtjLe6mQqj3srxKeFuaVSh4LxAQsKycse9K020jLF67sGRbPvUa/r2kCyrJiEno/5XVzYcTcfbzT1K5XMW3r7qeqp2f0QCgmZjAjFVu3/jKnfYmXU5Ftlif/OItnXMVn0CbJs7yLTQ7N1bRs/mRgx8plQAT3hx6314t4t2UygOOnbnMQap3sYgrZwx+DUynBg7oy1Ik2zhZKG2INXbFiSwBWmCLXRnIiOppYs+z3uPgWeSB7TtEg/8tBPng72hduvwP8nP+5/605aiMWGt1VMa2shWplgqaCPzzBHAGa7pB8RIM1TtXlNdeUJJSqwcMlZz6OFY+UHjwGDP1nip51gdDB2fNMv3E0mcT+WDuBCoTYD4j/JDkSRZZMUc2w1qWbOdo43m4ES2MddoPUjL/ZiHablN/ITHyxEt9gxDagE1eQ5OVjTXHR/5VsVISx5boW3n+D58si3ejWqoJf3QkiTl4HBW7egH9eBA3pfXr5rpBKqZeDmDzvQ6UAd0INCBQAcCHQh0oIXoQI4yJixLwdo9Vvs3jw6eJM6gotyqNpRKWLi4kyPoXHUvCO3xxhGd0HEE7QZq8aEWf7Nq8TuTwat0BOAVwCuAVwCvAF6XX4t/LcTg6oYX5NNvTGMLCvKhIB8K8qEgv1BB/ktYtgNYFrAsYFnAsoBll1mQPzWKXVhV/qz4ecVL832oDKX5UJq/xqX5nTlL8yUJSvOhNB9K80suzZ9hTS6zPn/u7kGRfk3NQlpNs9jocv0SrEICq1iLwv2UPgCF+1C4D4X7ULgPhftQ+lS0cP8FvSidXQfBCAQjEIxAMALBaI7KfZsEJKjan69qv0e/sQwV+7HPfIn2rgkG6hdsYCu20oWjYxE34O6VUsLmF2Le5hcHZW1+0T3/cPbxCv3x6fLX80/Hp70N3/uiNRkCHrTruffFNLO4cltfgB77kh7bXJAee8hxnYz2muc67Tn12Fa7mB67ALGVg51mEVNXWS1Fso2+U20ZVNNFqqaF6vt9UuUrC66lOY/9salryiOJ+CPXcWW97+h2wVKpLFz24lf/m0l4hymr3ics5ZuebetToskGLzjLsKNKKypTpD6wi3KvsIsSdVulfAshjbufntL9Q8/Pe9mjUa9JOyJB5inZeXp0+9pVO/sq+amKzdHVeW9HmOVbEK2ZFLU5DamRtqSXKRSdPg71mmRMaJWsadEUb4GmNlGQLWhXddTkPhiKSZbPQaDK2YSloh4bHnRsqOSwNw6oS1emKZU67oq8cVJdNj/lyCkivUA1L/096iXrYAKnVAHkvPLkPGBeZVXCFmZe3FLYuanXYZXUawllrlDHCoxs9m0jUHGChmb9Mkt1wHrGbS0WOyjVPf2K84dKSelizaYBzrQo5g7eNJM3rT3vfukrgBEfhzrZautk897vsAhqKhBIKArAsYFjF30ziq1Y2jgoE9xYAt4pqHyK4rz8u1a7RJVD0ePfRAUKDxS+2l2iashuxZlEs1J3sFqrUasRlUn1lBGZ3N4/P6OLdrPaxEAJW3dtlodK4KHr5aHSlB56Uo6HtsFDZ/XQNnjoenloezoP7ZbjoRJ46KweKoGHrpeHStN56GkpHloWD20AEd2QYVttJjrBIc/WinY2gHeCQ64A8ZzgkO/XimU2gGaCQ64Az5zgkL+sFalsAKsEh1wBWjnBIf+1Tt+/Ct+KCHVfG/l+RKj1glovG8q5YuVcnaWUc3VqXs4F9VpQr7XEeq2pU73e+99AgoFCo5lMSwLTWn3Tqr5EZur8G9gW1HbMY1oSmNY6hK2KqxJKRVuQmlxfNb1UbAWGtL4qcKlACgxpfdXLUmETGBKobstR3ejr9UFxq4vipmLlJrNXAghvILyB8Fai8CYeLkN5OwTlDZQ3UN6K5IL896hBohGkt4Wnh8C2QHtbWsoIjAvEt2VlkcC2QH1bmvq2AOOCHCXIb2BJoL/VCUyBJYEAB5YEClyNFLhwXzFQ3kB5A+UNlDfYQiwmvXFfYX40p/LWaS51CzHYBAx0sTl0Mf5uuo4yJsBVwdo9Vn3gulL7X80CW9dhH9167s28KGtqbJY5lWQx67rV0wk1NHTp2x26JXdCYQHiVfcCdUNDA/pTLf05gc2TF8x8ss8BxAeIz3R7J8/PfFrAfID5rB7zscm4JnDqFASHC2kBpq4vsZnCWBpgLUBqFkFqesTmkGMCnQE6A3SmNDqzlbpd5JVdnWJz9IcfiKLZD83fIo+xFZuAoHeCYuq6PLYzfsgF9kIKQDJA3zqIHUipGAzHB2EtnHsPnYvNEJ4LY9nAetLGE5SNrGmOB8SFt8TnkaLLtk1WM0q8bkzZUl8PsUxAIXLwg/Oa4lJsXQvvro23JB4b73pnl58/dM/QH58ufz3/dHzae/uGHSftb8jl3tWTjE2kVvscahWfiYma0n7uPb3vaklFOEIQCofOKEUNTLZBMafjZU5juoe5j1yEqYSeljpsyQbpgc8RM7QrcD76NAKkJeZOSzTroMcezpmUkJYrxy7hW46rnLNAso2+0+2xIXex/NyF/66P6bMWLzPOkKiSxSI6OfXRBB1VbYfRUd4JKUpKTvUoaTukpLxPJZkxr+4wrLVUiAlWxVV5nfQJ6+T+k5MQiUNPycdA9Ux9FLa1mUTbXHNDL9obWmGDW0IBweKtcV1TK+mX09i0PPY0GqOQ3qFjQ0VhIW2XrnZTJly4q/zGZVzSpuKhmcTRBSZlTEjKQHUtsLm6icxz0zmxSjpHm/+k9AYUalCoF87yXsDc+SB5oQW5CfzXIG3tvVd1Q+J0c7p6jFa9hmVtmEilDHgJltUAR1z2cIEnLsMT157991xFwbaNLokBo23DNF63Hx7CJIi9k5cVgKKLaosufLTpGtriCbJAgKkoANMHpl+M6ZMoqlgaU+GzovWGv96W+x3b1rxZgIOav912CYkCePktJBL+mmev+0k7IRXb636lqLQ4p9ZHX2pD2I3YbDZ3kGmh2ccUhrN+7wiaLz1R+SuIt6feogo8fDYPl8DDN9LDq34P9PbUe4eBh8/o4W3w8I308Irfxr099aZu4OEzergEHr6RHl7xK9FrwMMbQMQX6uIN8PG6MfES30xfA9rdAN4NDr3exLvEDQJqwLIbQLPBodebZ5e4T0MNSHUDWDU49HrT6o3ZsP7Ut2O2dYZnXVABWJMKQPh+H1T9wff7Kivs6yylsK8N29ZD5R5sW184t83fZQ40K6gsW/7mq2CB62iB1Zc+TZ0+BBOE0pyqdnsFC1zTIFhx7Uj5SBDyrJtc2lA+7gN722TlvXyQB/a2ycJw+ZAO7A10y6p0y572HYNmWT/NUsUKiysgXYJ0CdJlVdKleLgU7fIQtEvQLkG7LJCx8l9sCFlTEC+rSmKBCYJ6WbV6CTYI8mXF8iWYIOiXVeuXi7JBSLiCgFkq9gODAwWzVKAHBgcSZqmwDgwONMySNMxwh0XQLkG7BO0StEvQLrnbKnI3VOjMq122lrqtImyMCMriHMoif0tyRxkTpKtg7R6rPtJd5a3/5sO567UZedU7AJZgcA2wuNKNal03szuhtogufdNEt+ROKCwJvepeoG5ohkCiqiVRJ7At/YL5U/Y5gD4BfZpuV/r5+dM+8CfgT6vHn2wyrgkoOwVDyke9gGTnRLI13yB9IfbUAIOqkUGtNzXqEbNEjgmkCEgRkKLSSNFW6naRV6al3Wj6Q/u3yHNsBZdhl6ARicYR2rrf9D4i2MoQj+QI/LUOvcPOo3cnVbbuvDMJfoyMUvhAlywhvLSDR2OdhEcjIkUEsNpOzIqj8YmB9ackHtRJPOFGCHKDB19EZQwr6djMqeKtPGIZJGhjIYYEFEV3VXysc+B8juWRNZdEN87pfjSI08hYq8l2N0+HYeGriy1KoIQxj256zZ+Dp4u3RHMpJo4O8EP6VPtOG/9u6b1HQ+F0O7CXWLe3UmMXmzlZ14PupIYlNqfxQS9AqumsaYbG2f195ikLHESYYt7s7EdemjR2u74X0rc5GGtnKTOWXSqpb7Jpsf8TdE1ItmaegR7jn+zbg/eQsQbXxlfeheLUdmYjmd7xw+HNdf7oDG4AqMgWL31YzjPG5OOGtviVQPmZDTGgAUu1vtZqW195ZpGa4dAqujpN0oUrOPoYkIkpzMS2FMOexk7YL7S8kVzX45/xV7Zk5DhK6agp5lHIOIN89uieN5A8Tkf3wYhuySW7hW/891R3nsYR3uy9iijttbD913+vhS+vdvZevQEXqdhFpnOMb3qFjpHKreSapnci9eI8M16e28zXrSl9KswozedS++BS87lUmjjOtOywLN8SvatQ+pKzAryQVJzGk6bPoBbrAyxF6+E303nLHGsRWpC7FMj25+Ty8+16yR61qF5u9FLF/qep5mcvT6cxo/QzdLeebiAY5rfXYpAsFxzTPyYkPjbWlDum5Pof9keyH0gt8Yy10B5FGUkx/sd+M94SJeiFVux3UfUI/JegR1TqibnNi3eJX/gwfuH4XVoH8T8ilxaO1Hh/g74kBuO7aUQpudh7BKkjhF+8OZXt4Y0pW97lBJdVOgjn/+67/z6+H/lp1fsw9SpuPf8f+1Wz9pSxAQA= + H4sIAAAAAAAC/+1da1PbSBb9zq9oa2a3IEWIZTBYU5lUgSGz2WESFjOZqhmyLiE1thZZcvQgEIr57dvdekstI78k2b4fQkAtS63ue2+fc8+1+mkLIaHf14yx69jCT+gv8jdCT+wnaTHkESZHhdNe/+Ly029nV/86+70n7AbNunyDddp+YZkj7Ayxa0eNKrYVSxs7mmnQU6IG53HMLqrKjmybrqXgqG2suwPN+KDS9jHnol77R79bsduyE57Jzy+73iNZ+KurWZjzUMH9B5Z8KxtydHFN5R4OBuGXdMM9tmz/6Q73Dvb2/U7s8m83lg0yWNmbjYfcW8UPx240+R68IdVyB9PIDiPvlu295l5zhmdz5BsdZ+92lTycfbZwEmXDMB2ZGhCdRe+mgq7ZTjinUVdIy42r6c4HeiVxNzoaGxL+o5JzsMH69BNyLBfHjg81lXNUU0yja+qmRS9oDW7k7eYuaoki+dFu7yJxJ37p4KmPo2dB/0THOracRBeiGbSHN6ZsqYLf9sz+/7LlD37arT7Y5DfUw9a9pmB0Gnwa+cOKxD1xn1gm+yhWNcd/0FtZt9kzCQMDO8zfjg73D70j1PiuTFN3tDE53mQHNQdbsn9TsS2125LYksQj6Yi16ppxxzzNmzhmDhzPU0xdl8c2VlODSm6pqRdmNMve6Kdm8hv5u3UQO/AQ9M7/+5H+HQxb0hjF5mEUQ5K9S1oR66XhYIMamfBW1e6Rosu2/fN1NDWvh1hWsYUc/OC8Vsip2LoW3l0bb21y6Xe9s8vPH7pnP6EfbW9W3r5hx0n7G3K5d7FZJze71bCudk3jVhsknt4Pobeyqzt2poX20rUdc0RbnhNNz7vJa5jEEsjoeoHwy1bOidwZCGdhP3XN9EzwZiOcETH3nmxmOlLiWNKSwsMjk3miMHRGenIAzXEyQFQyjeke5j6yt359jmLe0Z5IgmviHEdzmI8KqcOWbJAeWN4zJWNSLIDQp4nuH7t70sZlZYivtBE2XXo1w9X13aQPkPh2Iit3A8t0DTUeMZLnfJZ1F+c3J92MHWcRs3VAImX7wPvX3JN20sPpnbV/ROJpS9pFB016WifnvDZpFY9a5LQ2u9rRTnwGkpZUYD2okVvemtZIZjZsjlNdHMjuAGc7N5IfgjkRm2l/HBHb8xvTTfbQ/MabR2paQ4KjhqaunlO8Z7901m+ydYfZzFMjnS3iHHAizmHBgHMwOeCIreQx6vf3ss7zgpxgNCHkEJP/zQ8E92ygU/1ja2twBvFlOX3C/4j9aLeP4SmuY6ZPMS2NxIBgMRaG5O/vJNbJesY3sOoq+FNOb1kU0JWsh/rQ3nY+ms5HMiRCqvXLbvo6zFvsTMjy8B0dhtBmJvoEDV2JB8+dyJE8HmvG4MqLeWJeW/bZMkMQ4DPWTeSYbDXIeYrUYpZ5gNyLk8g9KHDxVvLiuSGMuPgpiWIXJrFdO+vnArVj1hgMJlkKDaw4BHdlzruiPeKY/ti0nVvtIbsM+Q3vicX1tO/s8u3mP1LnWJj/WXZ84kfZUP1GQOLLU3drsUDLHiM7qI73YMLHN8ecRjP8YMExpyvvHYkHnIh7q+l6kg/sEy4gih3yg6AbsiCJncy6dUvvnV3GvaCD45fzrtaiS5y0n7mOH7YnRloG+skl3ZHBgRWyNcBOgeHGD2OvSxQQbNvuaFsjjABva5SBMLqNbcfuO4Tm6E8WHpsWCaw//30t/PiV/HUt7JLFztEMFrf6PqZizf7v18LzX+3Rl50dOmLNpriTnbZoNXQIdKEX0bCdPS0I6e9lxWHDKGZOIYboJRk4xmE7eJxaRiZZRrju2ZzBDaBcV6cxG116o4Q+08nAAhfA2SR46eQkORkpvCgR951O2nfYGcV8x6RPKPw8pdsEgWoqz2EfCjI2imsxAFt7gMqBlPMg1CzenROgqljRRjIDY5mxqR94HWOLEizX0JyFgthOGSg2DVyWAGMPZ4CxBwBjAcYCjAUYCzB2Fhi7DAC7S9aOMQlSuK8Qk22QtvbeqxDXojdoiai5JLQ8EyiWCPiRJPpvrz0ZIPdcRcG2jS7JGKFtwzRetx8eUDCs9s4GQmb5fvAyXJZ1Tba7AaB9SjrOjWxx4Q5LhZ9jY+AwqaWZacN5H1upFKrGQpSYOfiLJaual01vLh7SJdOML2K6oaaq2Oh5PsobdE8sOUoCOzzAjPuk+kmsYWAc21dpsS9+yv0gpyWgaPxWKomejcbO44T2P7Fl5jSTNT+vRTNyWixtMCQezJFi00tHGojRoJpz0Vw895yGztjmyS204ZumOsOMaeWg7Qyayaz3AUuSB3y+WkQ7GtM7ULt2aRfa2Ta+cZEJV7GF2cJ4q5upMOqtHJ8S7pZGFQrOCyQkLCt33LvSRMsYq+ceHMm2T72mbw/JsmoScjLqf3Vlw9F0vN3co1Q+Z+Htq66navdHJCBoNiYQU7X7N65yh51Zl2ORLfY3j2hbx2zVJ8C2uYNMC83evWX0bG7EwGdKBfCEF7feh3e7aDeF4qBjdx5jkOptDNLKGYNfI8OJsTPagjTJFk4WagtSvW1BAluQJthCdyYyklq66PO89xh4JnlA2y7xwE87cT7YG2q3Dv+T/Lz/qT9tKRoT1lo9paGNbGWKpYI2Ms8cAZzhmn5AjDRD1e411ZUnlKTEyiFjNYcejpUfNA4M9myNl3qO1cHQ8UmzfD+RxPlUPogLgdoEiP8oPxRJkkVWzLHdoJY12znaaA5OZBtzjdaDtNyPeZiW28RPeLwc0WLPMKQWUJPn4GRFc93xkW9VjLTksRXado7vwyfb4t2ohlrSDy1JUg4OZ9WOflAPDuR9ef2qmU6gmomXM+hMrwN1QAcCHQh0INCBQAdaiA7kKGPCshSs3WO1f/Po4EniDCrKrWpDqYSFizs5gs5V94LQHm8c0QkdR9BuoBYfavE3qxa/Mxm8SkcAXgG8AngF8Argdfm1+NdCDK5ueEE+/cY0tqAgHwryoSAfCvILFeS/hGU7gGUBywKWBSwLWHaZBflTo9iFVeXPip9XvDTfh8pQmg+l+Wtcmt+ZszRfkqA0H0rzoTS/5NL8GdbkMuvz5+4eFOnX1Cyk1TSLjS7XL8EqJLCKtSjcT+kDULgPhftQuA+F+1C4D6VPRQv3X9CL0tl1EIxAMALBCAQjEIzmqNy3SUCCqv35qvZ79BvLULEf+8yXaO+aYKB+wQa2YitdODoWcQPuXiklbH4h5m1+cVDW5hfd8w9nH6/QH58ufz3/dHza2/C9L1qTIeBBu557X0wziyu39QXosS/psc0F6bGHHNfJaK95rtOeU49ttYvpsQsQWznYaRYxdZXVUiTb6DvVlkE1XaRqWqi+3ydVvrLgWprz2B+buqY8kog/ch1X1vuObhcslcrCZS9+9b+ZhHeYsup9wlK+6dm2PiWabPCCsww7qrSiMkXqA7so9wq7KFG3Vcq3ENK4++kp3T/0/LyXPRr1mrQjEmSekp2nR7evXbWzr5KfqtgcXZ33doRZvgXRmklRm9OQGmlLeplC0enjUK9JxoRWyZoWTfEWaGoTBdmCdlVHTe6DoZhk+RwEqpxNWCrqseFBx4ZKDnvjgLp0ZZpSqeOuyBsn1WXzU46cItILVPPS36Nesg4mcEoVQM4rT84D5lVWJWxh5sUthZ2beh1WSb2WUOYKdazAyGbfNgIVJ2ho1i+zVAesZ9zWYrGDUt3Trzh/qJSULtZsGuBMi2Lu4E0zedPa8+6XvgIY8XGok622Tjbv/Q6LoKYCgYSiABwbOHbRN6PYiqWNgzLBjSXgnYLKpyjOy79rtUtUORQ9/k1UoPBA4avdJaqG7FacSTQrdQertRq1GlGZVE8Zkcnt/fMzumg3q00MlLB112Z5qAQeul4eKk3poSfleGgbPHRWD22Dh66Xh7an89BuOR4qgYfO6qESeOh6eag0nYeeluKhZfHQBhDRDRm21WaiExzybK1oZwN4JzjkChDPCQ75fq1YZgNoJjjkCvDMCQ75y1qRygawSnDIFaCVExzyX+v0/avwrYhQ97WR70eEWi+o9bKhnCtWztVZSjlXp+blXFCvBfVaS6zXmjrV673/DSQYKDSaybQkMK3VN63qS2Smzr+BbUFtxzymJYFprUPYqrgqoVS0BanJ9VXTS8VWYEjrqwKXCqTAkNZXvSwVNoEhgeq2HNWNvl4fFLe6KG4qVm4yeyWA8AbCGwhvJQpv4uEylLdDUN5AeQPlrUguyH+PGiQaQXpbeHoIbAu0t6WljMC4QHxbVhYJbAvUt6WpbwswLshRgvwGlgT6W53AFFgSCHBgSaDA1UiBC/cVA+UNlDdQ3kB5gy3EYtIb9xXmR3Mqb53mUrcQg03AQBebQxfj76brKGMCXBWs3WPVB64rtf/VLLB1HfbRrefezIuypsZmmVNJFrOuWz2dUENDl77doVtyJxQWIF51L1A3NDSgP9XSnxPYPHnBzCf7HEB8gPhMt3fy/MynBcwHmM/qMR+bjGsCp05BcLiQFmDq+hKbKYylAdYCpGYRpKZHbA45JtAZoDNAZ0qjM1up20Ve2dUpNkd/+IEomv3Q/C3yGFuxCQh6JyimrstjO+OHXGAvpAAkA/Stg9iBlIrBcHwQ1sK599C52AzhuTCWDawnbTxB2cia5nhAXHhLfB4pumzbZDWjxOvGlC319RDLBBQiBz84rykuxda18O7aeEvisfGud3b5+UP3DP3x6fLX80/Hp723b9hx0v6GXO5dPcnYRGq1z6FW8ZmYqCnt597T+66WVIQjBKFw6IxS1MBkGxRzOl7mNKZ7mPvIRZhK6Gmpw5ZskB74HDFDuwLno08jQFpi7rREsw567OGcSQlpuXLsEr7luMo5CyTb6DvdHhtyF8vPXfjv+pg+a/Ey4wyJKlksopNTH03QUdV2GB3lnZCipORUj5K2Q0rK+1SSGfPqDsNaS4WYYFVclddJn7BO7j85CZE49JR8DFTP1EdhW5tJtM01N/SivaEVNrglFBAs3hrXNbWSfjmNTctjT6MxCukdOjZUFBbSdulqN2XChbvKb1zGJW0qHppJHF1gUsaEpAxU1wKbq5vIPDedE6ukc7T5T0pvQKEGhXrhLO8FzJ0PkhdakJvAfw3S1t57VTckTjenq8do1WtY1oaJVMqAl2BZDXDEZQ8XeOIyPHHt2X/PVRRs2+iSGDDaNkzjdfvhIUyC2Dt5WQEouqi26MJHm66hLZ4gCwSYigIwfWD6xZg+iaKKpTEVPitab/jrbbnfsW3NmwU4qPnbbZeQKICX30Ii4a959rqftBNSsb3uV4pKi3NqffSlNoTdiM1mcweZFpp9TGE46/eOoPnSE5W/gnh76i2qwMNn83AJPHwjPbzq90BvT713GHj4jB7eBg/fSA+v+G3c21Nv6gYePqOHS+DhG+nhFb8SvQY8vAFEfKEu3gAfrxsTL/HN9DWg3Q3g3eDQ6028S9wgoAYsuwE0Gxx6vXl2ifs01IBUN4BVg0OvN63emA3rT307ZltneNYFFYA1qQCE7/dB1R98v6+ywr7OUgr72rBtPVTuwbb1hXPb/F3mQLOCyrLlb74KFriOFlh96dPU6UMwQSjNqWq3V7DANQ2CFdeOlI8EIc+6yaUN5eM+sLdNVt7LB3lgb5ssDJcP6cDeQLesSrfsad8xaJb10yxVrLC4AtIlSJcgXVYlXYqHS9EuD0G7BO0StMsCGSv/xYaQNQXxsqokFpggqJdVq5dggyBfVixfggmCflm1frkoG4SEKwiYpWI/MDhQMEsFemBwIGGWCuvA4EDDLEnDDHdYBO0StEvQLkG7BO2Su60id0OFzrzaZWup2yrCxoigLM6hLPK3JHeUMUG6Ctbuseoj3VXe+m8+nLtem5FXvQNgCQbXAIsr3ajWdTO7E2qL6NI3TXRL7oTCktCr7gXqhmYIJKpaEnUC29IvmD9lnwPoE9Cn6Xaln58/7QN/Av60evzJJuOagLJTMKR81AtIdk4kW/MN0hdiTw0wqBoZ1HpTox4xS+SYQIqAFAEpKo0UbaVuF3llWtqNpj+0f4s8x1ZwGXYJGpFoHKGt+03vI4KtDPFIjsBf69A77Dx6d1Jl6847k+DHyCiFD3TJEsJLO3g01kl4NCJSRACr7cSsOBqfGFh/SuJBncQTboQgN3jwRVTGsJKOzZwq3sojlkGCNhZiSEBRdFfFxzoHzudYHllzSXTjnO5HgziNjLWabHfzdBgWvrrYogRKGPPoptf8OXi6eEs0l2Li6AA/pE+177Tx75beezQUTrcDe4l1eys1drGZk3U96E5qWGJzGh/0AqSazppmaJzd32eessBBhCnmzc5+5KVJY7freyF9m4OxdpYyY9mlkvommxb7P0HXhGRr5hnoMf7Jvj14DxlrcG185V0oTm1nNpLpHT8c3lznj87gBoCKbPHSh+U8Y0w+bmiLXwmUn9kQAxqwVOtrrbb1lWcWqRkOraKr0yRduIKjjwGZmMJMbEsx7GnshP1CyxvJdT3+GX9lS0aOo5SOmmIehYwzyGeP7nkDyeN0dB+M6JZcslv4xn9PdedpHOHN3quI0l4L23/991r48mpn79UbcJGKXWQ6x/imV+gYqdxKrml6J1IvzjPj5bnNfN2a0qfCjNJ8LrUPLjWfS6WJ40zLDsvyLdG7CqUvOSvAC0nFaTxp+gxqsT7AUrQefjOdt8yxFqEFuUuBbH9OLj/frpfsUYvq5UYvVex/mmp+9vJ0GjNKP0N36+kGgmF+ey0GyXLBMf1jQuJjY025Y0qu/2F/JPuB1BLPWAvtUZSRFON/7DfjLVGCXmjFfhdVj8B/CXpEpZ6Y27x4l/iFD+MXjt+ldRD/I3Jp4UiN9zfoS2IwvptGlJKLvUeQOkL4xZtT2R7emLLlXU5wWaWDcP7vvvvv4/uRn1a9D1Ov4tbz/wEY8UjylLEBAA== istio-workload.json.gz: - H4sIAAAAAAAC/+1dbXPbNhL+7l8B83o3cs5xRL3YVifNTGwnbebS2Gc56UzrnIYmIYlnimT44tjx+H77AeA7CcqiXkhK2g91IwIEQWB38Ty7S+BxByFhMFB103Vs4Wf0F/mN0CP7S0p0aYLJVeGsP7i4PP/93dVv7z73hf2gWJNusEbLLyxjgp0xdu2oUMG2bKmmoxo6rRIVOA8ma1SRHMk2XEvGUZmpuSNV/6DQcpPTqFf+ye9W7LGswhP5+3XfeyULf3NVC3NeKnj+yJKGki5FjasK93IwCL+mC+6wZftvd3jQOWj7ndjnP86UdDJY2YeZY+6j4pdjD5r+DN6QqrmDqWeHkffI7kHzoDnHuznSjYazT7tKXs6+WziJkq4bjkQFiM6i91BBU20nnNOoK6TkxlU15wNtSdyPrsaGhP+qpA7WWZ9+Ro7l4tj1sapwrqqyoZ8ammHRBq3RjdRo7qOWKJI/3e4+EvfiTQdv/TZ6F/QP9FbDlpPoQjSD9vjGkCxF8Mue2P+/7viDn1arDzb5F/rDsG41Q1LQWXA78scViQeiSKaP3YsV1fHfdChpNnspYaRjhync0WG76V2h0ndlGJqjmuS6d1F1sCX5TxW7bbHd6XYOxc5hl5Vqqn7LVM2bOSYPHNWTDU2TTBsrqVElj1SVCyOaZm/4U1P5nfxudWIX7oPe+b8f6O9g3JLS2OtGNiTZuaQUsU7qDtapkAmvFfUOyZpk279cR1PzcowlBVvIwffOS5lUxda18OZaf22Tpt/8cX75r4/nb89+Rj9996fl4CcqBqRUxq9fsUqk8ivS9puYCJAnD1WsKaeGPlRHiZHw7elQcjXHzpTQLru2Y0xoyVOi6Gk/2YZBpIKMtGcVv+7kVOTORjgj7VSb6VnhzUw4O2LuM9ksHfcS15JSFV6eGEwthbEz0ZIDaJhJa1H9nKa7m/v+3sr2JbKGRweB3kZGQnWY8gqpy5akkx5Y3gsmrVXMtNBXi54fe3pS+iV5jK/UCTZc2pruatp+UjuI5TuR5NuRZbi6EjclyTpfJM3F+cVJBWTXmS1tdYgN7Xa8/5oHvb30cHq12kfE0rZ6+6jTpNWOc+p1Sal41CLVuqy1o734DCTFaoaVokY6OjSsicQE2jBTXRxJ7ghnOzeR7oM5EZtp5ZwQ2fML00X22PjOm0cqWmOCsMaGpnykSNB+rtbvknWL2cxTIZ3P/HQ45ud4RuvTmW59xFbyGjUCd5LG04IcyzTF/hCR/903BHdsoFP9Y4tuUIPospSu8F8iP+rwIaziOka6imGpxAYEq7QwJr9/EMMnaRndwIor4/Oc3jIroMlZDfVBv+18MpxPZEiEVOnX/XQ7TFvsjMnykB8dhlBmpuoENV2JF8+dyIlkmqo+uvJsnphXln23zBAEyI11EzkGWxpy3iK1smVeILdxYrlHMzTeSjaea8KIip8RK3ZhENm1s3ouUDlmhcFgknVRx7JDAFmm3hXtEUf0TcN2hup9dhnyC94TieurP1jz3ebfU3UszL+XXZ96Kxuq3wl6fH7qhhYztOw1soPqeC8mfHr1llNohDfOOOZ05b0l9oBjcYeqpiWZQpuwBFE8Jn8I1CELknicWbeG9NnZZdwzOjjenNdaiy5xvXamHd9sT7W0jA2QJt2JzoEVkjXCzgzDje9Nr0sUEDRsd9JQCVXADZVyE0bEse3YA4cQIO3RwqZhEcP6y/+uhZ++kV/Xwj5Z7BxVZ3ZrEOCrQQivWM3wV051Vin4cS08/dWdfN3bo0PcbIp72XmOlk+HYJ2BjYnptLPVgjXgvSQ7bNzFTBUiuZ6/giNNtoPN1LozTZTChdLmzEaA/T7oskFW6xG69AYWfaHzhwUu5rNJRY1UkpLGxTMscXU7TqsbqzGbuhn0HYVfCmpaYNsKKRu7KXD/yK7FMG/tMS0HhS4CarMQeUFMq2BZnUgMv2XGpn5418QWJWiurjpLxb3HZQDfNNZZAfI9ngP5dgD5AvIF5AvIF5DvPMi3Fph3nyw2JrFqeCATGd8lhd2DFyEURq9QnZB5SYh8LuDdI/Cq16P/HXSfA+F9V5axbaNLMqyooRv6y+79PQpmwt7bQlgu3Y2eh+SSpkr2aQCaH5PKeSNZXEjF3PUfsT5yWGiomSnDebetlWdXZWZQzFz81ZIU1XPyN5cPG8XDQrhxrCoK1vuelvIG3QvoHCXBIx5hxq9S/STSMNLf2lfp4GS8yt0opySggfxSGsN9NzGdhynlf2LLyCkmuCKvRNVzSix1NCYazIkdp5enNNijdjin0VzM+JSG59jmRYFowXdVccYZ0cpB9BnElMEUAROTRnxOPEtIy6RPoHLt0i50s2V84SITrmALs8V3qBkpM+qtHecJdUsjFxnnGRJiluVb7lOpO8fEykcP8mTLC+OGxpisxAYhQJPBN1fSHVXDjeYBdRfkrNUDxfWi8IMJMQiqjQmMVezBjSvfYmfmFTwNHFCxZf7pL5EhipsH1NAwgxYEbjf3kGGh+V+oHu+yMC7hM74ZUItnG9+HT7voNoXZoc3+IgLX2zSB622BwPnJSZy1Yk55602Tt5Olyltv0+StB/JWXN56U+TtdC7qllrm6fu89zwiGWcOLbvEI98NyLmxP1aHDv9OnwQGAZgzf4ZTXC9MoHtM4z/JymTABWVEJDjJCwz8DQL2qOqKeqcqrjQlnSiW5BrLJPXAvnSvcriCJ5a8GEAsh4kOTNrd4nv0OHflI90QzU7hQQ/S/Szeykh8OUIbZChnO0cLjdGJZGOutHq4n3ubB/y5RXzP0/PmMvYOYyoBNXkPjns6Vw8f+FLFmF0epaNlH/Fd+GY7vAfVMKj3t1avJ3cO5w3i/U3pdKS2tHmZaCdbn4mWTCGbkop2/EwiLATkICAHATkIyEFAbikBOUc2CbHRncHNg4OnBbwKsit+/UzIy6Ng/0S8bllYxuodVqrsWm1IobD0YF5OAO/q9AL1Se+wha4saThUZYjUAc4GnL3OODtzcRag3QWgDUAbgDYAbQDa5QJtb+GdCcimqq4IXi+7Q9sJqk81uh4BqE7e8zXa/SQYrF+xjq3YMh2OjkV0mLvbRgm7J4g5uye0y9o94cOnk/PPn85Q8MV9f9s3TGhPx6+dbj13TCg0j2u3SQJkrz6XvdpcUvbq4SJBFvFwwfTVVne29NUl5KZysN88uafrnFyKJBv9oKm4kGS6zCTTmT7L9kmhn6fkWqrzMDANTZUfiM2fuI4raQNHs1fkht5HsyByVmZb8nftebhOqul29PELzX5K3TClhX2U+JSmlM/I06D98THdP/T0dJC9GvWalCNimh6TnadXG9euctxWyF9FbE6uPvb3hHk+Y2/NlQK4oPjtgvwtLn/LZpRLFM6pOaczSmIdkwPT2zTY6OQB9dnwoLe6Qi5744BO6QpYMHOQu/JvXepg1o/nSCnOvsTswvQ2WyvOyxM42diQXlheeiFQvLI+UDxcKL63OMc7rJLjreDzQ/i+EKjf/PsSoIqZIH8Tg+qw+JwbJ1Q9jNWN15qTlEq58nIFbRcUdo3GETR2Po3deAfCc1vMRI4F+ACx2g8Q83YmXAbHFgi0FQVwFoCzYNY9PfnH72ybJ2HWveFbrUX9CLXa6qgcV0N8pyNwRYArotqtjhbl3AvutLEcBC/OFS8sdRumLR/nGtGlVE8ZWcrt/dMTuug2q3VwlLD/FFiBcvbGAiuwtlagV9AKnJRjBbpgBcqzAl2wAttuBbrFrMBpOVagB1agPCvQAyuw7VagV8wKnJViBcryC+yCGSjHMbALdqDunoEpSv9uo9wAoPQl+QFA6WvvCJii9O83ivWD0pdE+0Hpa8/7pyj9rxtF8kHpS2L5oPS1p/lTlP63TfrQMjyOAfIit/JgBsiFhFxIG9IdY+mOxytJdzyueboj5DNCPuMK8xkLO9K9/SchiAZpdctPqyvs4AVh3FhhrD69q7DnEaQRsoxWlWVU2CMGwrjJprHibJdSUSM4ZSHnoiKMCKIHkf+KACGIHsSfK4J/IHoQBa1LFJQeoQIR0LpEQBUsM8MCgVAIhEIgtKpAqHi4ikjoIURCIRIKkdBZfFr+TpHgYoVQaA1CoSCNEAutUSwUxBGCofUJhoI0QjS0RtHQJYgjeGchHFoVTgTZg3hoVaAQZA8ColVBQJA9iIhWFBEND9iESChEQiESCpFQOEszFgrlHoFxvGAk9Li50qM04TBMiFMuEKfkH0TvyCaBujJW77DiQ90NP9VxHqC7CUfQV32442rlbxcEcLoAliRjm3oc4QkVTXTpSyoakiehMOn06vQCnYaiCRSrWop1YgK7Wi67yr4HkCsgV7nkKnNxOeyqBewK2NX6sSubjGsC2RYgUVwQDMAWyNNc4rUL8gXEqRri1CdSihwDKBNQJqBMpVGmndTj4t/L3tAVBf3hW6Jo+kP5t8h77MRmIOieIBuaJpl2RhG57EFIoVTGGlqd2IVUOMYjCzupyfcoQC9sSDAlHWtJGU/QQrIKOh7YF14TnUeyJtk2Wf8oubsxJEt5OcYSAZ7IwffOS4p9sXUtvLnWXxN7rL85/3x1cv750xnqv7v88uH0Xf/1K3adlL8izb2pJ+GbSt/aHPoWn4ipsTGxk/tQ7yPA3ixEJLCFY2eS4h+G6fiLTKrnZc5juoe5rzwLHQpVLXXZknTSA5+IZrhdoHz0bQTwfSzs+2jWIbAsHi3o+jhabWB5Bd/PrrNnBEk2+oEtAzwkJXhI/H1nAvIa55KmpeqyakoaZYG2qQ6H+ODF83Tx2czIOC0NCTB5AquaJrRkeO9Uv2WF9PNOpky0GzJRTl3aqp87KhOxqoqBcnpGWCgiVuMx2UFUT+fGLJKxu+WSsYKsgiJis6k+i3PXGRmx3YRsmj97Fg0MekuoU5hge0rXjoIODO6auXUejLSEeNggcXWJTg4DnByQdQvkqG6B4cXZkVglO6LFf1K2AGFlCCsvnTQ9A4q5ILVAfHl5eDkBDSks73qIfEHETE93XJsxWPhl14AHVEoUlysJu6AOqx2ELdCHjWfAfVeWsW2jSyJwqKEb+svu/X3oCLD3UswYAvnVBvJ9wOXq6vJJokCwmSgA2wW2OxvbJRZTtlQW2M3GQbd8K17u96ftRYlwq+Y78a6AK8NGvcClZ+TSjcKnTyn+UeqDCTEIKkHOhq5kt4JZDu98LmN21gxcPs4Wp4el6DYuhFqIzWZzDxkWmn+kNnyQ1oChV74FcaPwUVugZ4VHCvSscj2rem/lRuFzxUDPCo8U6Fn1elbxrtGNwoeogZ4VHinQs+r1rOLtsKvlZ7tA0DZilNaDoZW403e1dGwX+BioVWmErMRNzKtlX7tAv0CtSuNfJe7PXi3Z2gW2BWpVGt3a1K3n05/PoDNf7iBZqFbJQvA5DCQIwecwleUAHa8kB6gNp3FDkg+cxj2zY5R/vBOEHbYmXaWwzw8kZssTLwq7s0BitjyFoLCnBiRmy4PhpeIYcOitXVS3VNQC8rF24clSMQrIx9rF2UpFJCAfEDAqFDAKziyGYBEcXAwxI4gZQcwo2EHtcCVBow4EjSBoBEGjGZwt/rZO4J+DqNGs/hcQGQgbFXTJgMhA3KiglwZEphYis1aRoyXIDLj2Njl0BAICsaNVAxUQkE0OHoGAQPRoxdGj8CAeiBpB1AiiRhA1goN30mEj7nbDvUWjRocrPXcHTs6BmM4CMR3+oZKObBJQKmP1Dis+KPWOzSjgFePC11JPzZgKSWt23mgNTxadQwh2QQrgmJQs9TihwoP6xFAjQ0dhGtvV6QU6DWUJOEi1HOQEzv1cMv3IvgewD2AfxY79XJx+HAP9APqxfvTDJuOaQJ1rdYAlUI/9qgVgFyQAaAehHZc+hUVD8iQgH0A+gHyURj52Uo9LfMt2Q00/6ntmKJr+UP4t8h47QTOsCWqXqDWhpe2md4tgy2M8kSKQ1Tr0LjsP3pMUybr1ahKcFgml8IGuNELYtIMnpkYsox6RDwIMbScmxdH4xEDxYxJ3acSecC0EecC9H+tjTCap2Eyp4qU8AhfEwWMmhhgUWXMV/FbjwOYcySOrIrFunOq+NYjTtVipwY6oTBtj4ZuLrQd2piqP1nnFX4K3i5dEcykmro7wfbqqfauany2t/6DLnG4H8hLr9k5q7GIzJ2la0J3UsMTmND7oM5BXOmuqrnKO8Jx7yoRPARwRCsyczrvpuYlj/6A5KKRxD4lxDszOQpksjGK77UYN8EDcTM3sFRCTVwcvYjjuWmj89Z9r4euLvYMXr2aXoOzSTW0FExP738EwCcnSzHjSa/zKvnx6Ax4rcG185TUUp7TrLLR/+JNZRGa/c+4pJLK5Mvs4Xc7SqP8pXzhTkp16zMy8wn9Cqv4ea70xXXFW9i7chy38RgVVOORZiymwuN4KXBxJ5CRwxdBEVIOLKCqyE5c+lefZieTrhmbiG6H/RUwEe9bAIyuNwHWwtxIA4ktfC5aP2cQiNcOhVHzQPUoQrCJoKgbKkRPbknV76fAncj5RA0hlMe0FipmwXE/RvPa0EMSqTVcLrgHLQnGghktWw2LK911bW+V7zkPMTEsu5qmPZi72HtVAtzZo7WJaG8vmD3xqBRTXi1usUHOnpH/N/13KU36ApYg2lt23ghrGizUtpmydeigb+z8NIjx5HliVyaLvex16cSFBN76/FIMwiOAY/jUhcZupyrcsFu7f7A/qIIiSxWMRQncS+ZrF+I92M14ShV6EVuzfouIxqa9Bj2iULqYszz4l3vBhvOH4U1qd+I9oCRaOlHh/g74kBuOHoUfO1sjjzvzdEbY+k+zxjSFZXnuCy5JFhM83dv/PqzPV95jfhV51cefp//LI6F4GjgEA + H4sIAAAAAAAC/+1dbXPbNhL+7l8B83o3cs5xRL3YVifNTGwnbebS2Gc56UzrnIYmIYlnimT44tjx+H77AeA7CcqiXkhK2g91IwIEQWB38Ty7S+BxByFhMFB103Vs4Wf0F/mN0CP7S0p0aYLJVeGsP7i4PP/93dVv7z73hf2gWJNusEbLLyxjgp0xdu2oUMG2bKmmoxo6rRIVOA8ma1SRHMk2XEvGUZmpuSNV/6DQcpPTqFf+ye9W7LGswhP5+3XfeyULf3NVC3NeKnj+yJKGki5FjasK93IwCL+mC+6wZftvd3jQOWj7ndjnP86UdDJY2YeZY+6j4pdjD5r+DN6QqrmDqWeHkffI7kHzoDnHuznSjYazT7tKXs6+WziJkq4bjkQFiM6i91BBU20nnNOoK6TkxlU15wNtSdyPrsaGhP+qpA7WWZ9+Ro7l4tj1sapwrqqyoZ8ammHRBq3RjdRo7qOWKJI/3e4+EvfiTQdv/TZ6F/QP9FbDlpPoQjSD9vjGkCxF8Mue2P+/7viDn1arDzb5F/rDsG41Q1LQWXA78scViQdim4gmuxcrquO/6VDSbPZSwkjHDlO4o8N207tCpe/KMDRHNcl176LqYEvynyp222K70+0cip3DLivVVP2WqZo3c0weOKonG5ommTZWUqNKHqkqF0Y0zd7wp6byO/nd6sQu3Ae9838/0N/BuCWlsdeNbEiyc0kpYp3UHaxTIRNeK+odkjXJtn+5jqbm5RhLCraQg++dlzKpiq1r4c21/tomTb/54/zyXx/P3579jH767k/LwU9UDEipjF+/YpVI5Vek7TcxESBPHqpYU04NfaiOEiPh29Oh5GqOnSmhXXZtx5jQkqdE0dN+sg2DSAUZac8qft3JqcidjXBG2qk207PCm5lwdsTcZ7JZOu4lriWlKrw8MZhaCmNnoiUH0DCT1qL6OU13N/f9vZXtS2QNjw5EYnYTdRzVYcorpC5bkk56YHkvmLRWMdNCXy16fuzpSemX5DG+UifYcGlruqtp+0ntIJbvRJJvR5bh6krclCTrfJE0F+cXJxWQXWe2tNUhNrTb8f5rHvT20sPp1WofEUvb6u2jTpNWO86p1yWl4lGLVOuy1o724jOQFKsZVooa6ejQsCYSE2jDTHVxJLkjnO3cRLoP5kRsppVzQmTPL0wX2WPjO28eqWiNCcIaG5rykSJB+7lav0vWLWYzT4V0PvPT4Zif4xmtT2e69RFbyWvUCNxJGk8LcizTFPtDRP533xDcsYFO9Y8tukENostSusJ/ifyow4ewiusY6SqGpRIbEKzSwpj8/kEMn6RldAMrrozPc3rLrIAmZzXUB/2288lwPpEhEVKlX/fT7TBtsTMmy0N+dBhCmZmqE9R0JV48dyInkmmq+ujKs3liXln23TJDECA31k3kGGxpyHmL1MqWeYHcxonlHs3QeCvZeK4JIyp+RqzYhUFk187quUDlmBUGg0nWRR3LDgFkmXpXtEcc0TcN2xmq99llyC94TySur/5gzXebf0/VsTD/XnZ96q1sqH4n6PH5qRtazNCy18gOquO9mPDp1VtOoRHeOOOY05X3ltgDjsUdqpqWZAptwhJE8Zj8IVCHLEjicWbdGtJnZ5dxz+jgeHNeay26xPXamXZ8sz3V0jI2QJp0JzoHVkjWCDszDDe+N70uUUDQsN1JQyVUATdUyk0YEce2Yw8cQoC0RwubhkUM6y//uxZ++kZ+XQv7ZLFzVJ3ZrUGArwYhvGI1w1851Vml4Me18PRXd/J1b48OcbMp7mXnOVo+HYJ1BjYmptPOVgvWgPeS7LBxFzNViOR6/gqONNkONlPrzjRRChdKmzMbAfb7oMsGWa1H6NIbWPSFzh8WuJjPJhU1UklKGhfPsMTV7TitbqzGbOpm0HcUfimoaYFtK6Rs7KbA/SO7FsO8tce0HBS6CKjNQuQFMa2CZXUiMfyWGZv64V0TW5SgubrqLBX3HpcBfNNYZwXI93gO5NsB5AvIF5AvIF9AvvMg31pg3n2y2JjEquGBTGR8lxR2D16EUBi9QnVC5iUh8rmAd4/Aq16P/nfQfQ6E911ZxraNLsmwooZu6C+79/comAl7bwthuXQ3eh6SS5oq2acBaH5MKueNZHEhFXPXf8T6yGGhoWamDOfdtlaeXZWZQTFz8VdLUlTPyd9cPmwUDwvhxrGqKFjve1rKG3QvoHOUBI94hBm/SvWTSMNIf2tfpYOT8Sp3o5ySgAbyS2kM993EdB6mlP+JLSOnmOCKvBJVzymx1NGYaDAndpxentJgj9rhnEZzMeNTGp5jmxcFogXfVcUZZ0QrB9FnEFMGUwRMTBrxOfEsIS2TPoHKtUu70M2W8YWLTLiCLcwW36FmpMyot3acJ9QtjVxknGdIiFmWb7lPpe4cEysfPciTLS+MGxpjshIbhABNBt9cSXdUDTeaB9RdkLNWDxTXi8IPJsQgqDYmMFaxBzeufIudmVfwNHBAxZb5p79EhihuHlBDwwxaELjd3EOGheZ/oXq8y8K4hM/4ZkAtnm18Hz7totsUZoc2+4sIXG/TBK63BQLnJydx1oo55a03Td5OlipvvU2Ttx7IW3F5602Rt9O5qFtqmafv897ziGScObTsEo98NyDnxv5YHTr8O30SGARgzvwZTnG9MIHuMY3/JCuTAReUEZHgJC8w8DcI2KOqK+qdqrjSlHSiWJJrLJPUA/vSvcrhCp5Y8mIAsRwmOjBpd4vv0ePclY90QzQ7hQc9SPezeCsj8eUIbZChnO0cLTRGJ5KNudLq4X7ubR7w5xbxPU/Pm8vYO4ypBNTkPTju6Vw9fOBLFWN2eZSOln3Ed+Gb7fAeVMOg3t9avZ7cOZw3iPc3pdOR2tLmZaKdbH0mWjKFbEoq2vEzibAQkIOAHATkICAHAbmlBOQc2STERncGNw8OnhbwKsiu+PUzIS+Pgv0T8bplYRmrd1ipsmu1IYXC0oN5OQG8q9ML1Ce9wxa6sqThUJUhUgc4G3D2OuPszMVZgHYXgDYAbQDaALQBaJcLtL2FdyYgm6q6Ini97A5tJ6g+1eh6BKA6ec/XaPeTYLB+xTq2Yst0ODoW0WHubhsl7J4g5uye0C5r94QPn07OP386Q8EX9/1t3zChPR2/drr13DGh0Dyu3SYJkL36XPZqc0nZq4eLBFnEwwXTV1vd2dJXl5CbysF+8+SernNyKZJs9IOm4kKS6TKTTGf6LNsnhX6ekmupzsPANDRVfiA2f+I6rqQNHM1ekRt6H82CyFmZbcnftefhOqmm29HHLzT7KXXDlBb2UeJTmlI+I0+D9sfHdP/Q09NB9mrUa1KOiGl6THaeXm1cu8pxWyF/FbE5ufrY3xPm+Yy9NVcK4ILitwvyt7j8LZtRLlE4p+acziiJdUwOTG/TYKOTB9Rnw4Pe6gq57I0DOqUrYMHMQe7Kv3Wpg1k/niOlOPsSswvT22ytOC9P4GRjQ3pheemFQPHK+kDxcKH43uIc77BKjreCzw/h+0KgfvPvS4AqZoL8TQyqw+JzbpxQ9TBWN15rTlIq5crLFbRdUNg1GkfQ2Pk0duMdCM9tMRM5FuADxGo/QMzbmXAZHFsg0FYUwFkAzoJZ9/TkH7+zbZ6EWfeGb7UW9SPUaqujclwN8Z2OwBUBrohqtzpalHMvuNPGchC8OFe8sNRtmLZ8nGtEl1I9ZWQpt/dPT+ii26zWwVHC/lNgBcrZGwuswNpagV5BK3BSjhXoghUozwp0wQpsuxXoFrMCp+VYgR5YgfKsQA+swLZbgV4xK3BWihUoyy+wC2agHMfALtiBunsGpij9u41yA4DSl+QHAKWvvSNgitK/3yjWD0pfEu0Hpa8975+i9L9uFMkHpS+J5YPS157mT1H63zbpQ8vwOAbIi9zKgxkgFxJyIW1Id4ylOx6vJN3xuObpjpDPCPmMK8xnLOxI9/afhCAapNUtP62usIMXhHFjhbH69K7CnkeQRsgyWlWWUWGPGAjjJpvGirNdSkWN4JSFnIuKMCKIHkT+KwKEIHoQf64I/oHoQRS0LlFQeoQKREDrEgFVsMwMCwRCIRAKgdCqAqHi4SoioYcQCYVIKERCZ/Fp+TtFgosVQqE1CIWCNEIstEaxUBBHCIbWJxgK0gjR0BpFQ5cgjuCdhXBoVTgRZA/ioVWBQpA9CIhWBQFB9iAiWlFENDxgEyKhEAmFSChEQuEszVgolHsExvGCkdDj5kqP0oTDMCFOuUCckn8QvSObBOrKWL3Dig91N/xUx3mA7iYcQV/14Y6rlb9dEMDpAliSjG3qcYQnVDTRpS+paEiehMKk06vTC3QaiiZQrGop1okJ7Gq57Cr7HkCugFzlkqvMxeWwqxawK2BX68eubDKuCWRbgERxQTAAWyBPc4nXLsgXEKdqiFOfSClyDKBMQJmAMpVGmXZSj4t/L3tDVxT0h2+JoukP5d8i77ETm4Gge4JsaJpk2hlF5LIHIYVSGWtodWIXUuEYjyzspCbfowC9sCHBlHSsJWU8QQvJKuh4YF94TXQeyZpk22T9o+TuxpAs5eUYSwR4IgffOy8p9sXWtfDmWn9N7LH+5vzz1cn5509nqP/u8suH03f916/YdVL+ijT3pp6Ebyp9a3PoW3wipsbGxE7uQ72PAHuzEJHAFo6dSYp/GKbjLzKpnpc5j+ke5r7yLHQoVLXUZUvSSQ98IprhdoHy0bcRwPexsO+jWYfAsni0oOvjaLWB5RV8P7vOnhEk2egHtgzwkJTgIfH3nQnIa5xLmpaqy6opaZQF2qY6HOKDF8/TxWczI+O0NCTA5AmsaprQkuG9U/2WFdLPO5ky0W7IRDl1aat+7qhMxKoqBsrpGWGhiFiNx2QHUT2dG7NIxu6WS8YKsgqKiM2m+izOXWdkxHYTsmn+7Fk0MOgtoU5hgu0pXTsKOjC4a+bWeTDSEuJhg8TVJTo5DHByQNYtkKO6BYYXZ0dileyIFv9J2QKElSGsvHTS9Awo5oLUAvHl5eHlBDSksLzrIfIFETM93XFtxmDhl10DHlApUVyuJOyCOqx2ELZAHzaeAfddWca2jS6JwKGGbugvu/f3oSPA3ksxYwjkVxvI9wGXq6vLJ4kCwWaiAGwX2O5sbJdYTNlSWWA3Gwfd8q14ud+fthclwq2a78S7Aq4MG/UCl56RSzcKnz6l+EepDybEIKgEORu6kt0KZjm887mM2VkzcPk4W5welqLbuBBqITabzT1kWGj+kdrwQVoDhl75FsSNwkdtgZ4VHinQs8r1rOq9lRuFzxUDPSs8UqBn1etZxbtGNwofogZ6VnikQM+q17OKt8Oulp/tAkHbiFFaD4ZW4k7f1dKxXeBjoFalEbISNzGvln3tAv0CtSqNf5W4P3u1ZGsX2BaoVWl0a1O3nk9/PoPOfLmDZKFaJQvB5zCQIASfw1SWA3S8khygNpzGDUk+cBr3zI5R/vFOEHbYmnSVwj4/kJgtT7wo7M4CidnyFILCnhqQmC0PhpeKY8Cht3ZR3VJRC8jH2oUnS8UoIB9rF2crFZGAfEDAqFDAKDizGIJFcHAxxIwgZgQxo2AHtcOVBI06EDSCoBEEjWZwtvjbOoF/DqJGs/pfQGQgbFTQJQMiA3Gjgl4aEJlaiMxaRY6WIDPg2tvk0BEICMSOVg1UQEA2OXgEAgLRoxVHj8KDeCBqBFEjiBpB1AgO3kmHjbjbDfcWjRodrvTcHTg5B2I6C8R0+IdKOrJJQKmM1Tus+KDUOzajgFeMC19LPTVjKiSt2XmjNTxZdA4h2AUpgGNSstTjhAoP6hNDjQwdhWlsV6cX6DSUJeAg1XKQEzj3c8n0I/sewD6AfRQ79nNx+nEM9APox/rRD5uMawJ1rtUBlkA99qsWgF2QAKAdhHZc+hQWDcmTgHwA+QDyURr52Ek9LvEt2w01/ajvmaFo+kP5t8h77ATNsCaoXaLWhJa2m94tgi2P8USKQFbr0LvsPHhPUiTr1qtJcFoklMIHutIIYdMOnpgasYx6RD4IMLSdmBRH4xMDxY9J3KURe8K1EOQB936sjzGZpGIzpYqX8ghcEAePmRhiUGTNVfBbjQObcySPrIrEunGq+9YgTtdipQY7ojJtjIVvLrYe2JmqPFrnFX8J3i5eEs2lmLg6wvfpqvatan62tP6DLnO6HchLrNs7qbGLzZykaUF3UsMSm9P4oM9AXumsqbrKOcJz7ikTPgVwRCgwczrvpucmjv2D5qCQxj0kxjkwOwtlsjCK7bYbNcADcTM1s1dATF4dvIjhuGuh8dd/roWvL/YOXryaXYKySze1FUxM7H8HwyQkSzPjSa/xK/vy6Q14rMC18ZXXUJzSrrPQ/uFPZhGZ/c65p5DI5srs43Q5S6P+p3zhTEl26jEz8wr/Can6e6z1xnTFWdm7cB+28BsVVOGQZy2mwOJ6K3BxJJGTwBVDE1ENLqKoyE5c+lSeZyeSrxuaiW+E/hcxEexZA4+sNALXwd5KAIgvfS1YPmYTi9QMh1LxQfcoQbCKoKkYKEdObEvW7aXDn8j5RA0glcW0FyhmwnI9RfPa00IQqzZdLbgGLAvFgRouWQ2LKd93bW2V7zkPMTMtuZinPpq52HtUA93aoLWLaW0smz/wqRVQXC9usULNnZL+Nf93KU/5AZYi2lh23wpqGC/WtJiydeqhbOz/NIjw5HlgVSaLvu916MWFBN34/lIMwiCCY/jXhMRtpirfsli4f7M/qIMgShaPRQjdSeRrFuM/2s14SRR6EVqxf4uKx6S+Bj2iUbqYsjz7lHjDh/GG409pdeI/oiVYOFLi/Q36khiMH4YeOVsjjzvzd0fY+kyyxzeGZHntCS5LFhE+39j9P6/OVN9jfhd61cWdp/8DEuNcxwaOAQA= {{- end }} diff --git a/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml b/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml index d38922b..0c22937 100644 --- a/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml +++ b/charts/kubezero-istio/templates/ratelimit/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if and (index .Values "istio-discovery" "telemetry" "enabled") .Values.rateLimiting.enabled }} +{{- if and .Values.istiod.telemetry.enabled .Values.rateLimiting.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/kubezero-istio/templates/servicemonitor.yaml b/charts/kubezero-istio/templates/servicemonitor.yaml index 54a7ac2..ade8d15 100644 --- a/charts/kubezero-istio/templates/servicemonitor.yaml +++ b/charts/kubezero-istio/templates/servicemonitor.yaml @@ -1,4 +1,4 @@ -{{- if index .Values "istio-discovery" "telemetry" "enabled" }} +{{- if .Values.istiod.telemetry.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 4647539..7461be9 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh @@ -1,41 +1,10 @@ #!/bin/bash set -ex -### TODO -# - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/ - export ISTIO_VERSION=$(yq eval '.dependencies[] | select(.name=="base") | .version' Chart.yaml) export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") | .version' Chart.yaml) -rm -rf istio -curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz -mv istio-${ISTIO_VERSION} istio - -# remove unused old telemetry filters -rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml -rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml - -# Patch -#exit 0 -#diff -tubr istio istio.zdt/ -patch -p0 -i zdt.patch --no-backup-if-mismatch - -### Create kubezero istio charts - -# remove previous charts -rm -rf charts/base charts/istio-* - -# create istio main chart -cp -r istio/manifests/charts/base charts/ -cp -r istio/manifests/charts/istio-control/istio-discovery charts/ - -# Create ingress charts -rm -rf ../kubezero-istio-ingress/charts/istio-* -cp -r istio/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/ -cp -r istio/manifests/charts/gateways/istio-ingress ../kubezero-istio-ingress/charts/istio-private-ingress - -# Rename private chart -sed -i -e 's/name: istio-ingress/name: istio-private-ingress/' ../kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +helm dep update # Get matching istioctl [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index 71f678b..54b0d91 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,6 +1,6 @@ global: # hub: docker.io/istio - tag: 1.11.5-distroless + tag: 1.13.3-distroless logAsJson: true @@ -9,15 +9,13 @@ global: priorityClassName: "system-cluster-critical" -istio-discovery: +istiod: pilot: autoscaleEnabled: false replicaCount: 1 nodeSelector: node-role.kubernetes.io/control-plane: "" - - # Not implemented, monkey patched in the chart itself tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master diff --git a/charts/kubezero-istio/zdt.patch b/charts/kubezero-istio/zdt.patch deleted file mode 100644 index 03169f1..0000000 --- a/charts/kubezero-istio/zdt.patch +++ /dev/null @@ -1,80 +0,0 @@ -diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl ---- istio/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-07-15 07:32:30.000000000 +0200 -+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl 2021-08-10 15:49:57.298616463 +0200 -@@ -21,11 +21,16 @@ - {{- end }} - {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} - {{- range $key, $val := $nodeSelector }} -+ {{- if eq $val "Exists" }} -+ - key: {{ $key }} -+ operator: Exists -+ {{- else }} - - key: {{ $key }} - operator: In - values: - - {{ $val | quote }} - {{- end }} -+ {{- end }} - {{- end }} - - {{- define "nodeAffinityPreferredDuringScheduling" }} -diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml ---- istio/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200 -+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200 -@@ -16,6 +16,8 @@ - {{- if $gateway.replicaCount }} - replicas: {{ $gateway.replicaCount }} - {{- end }} -+ # Give the LB 120s to detect and take into service, should only be 40s by we are on AWS so ?? -+ minReadySeconds: 120 - {{- end }} - selector: - matchLabels: -@@ -65,6 +67,7 @@ - {{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" - {{- end }} -+ terminationGracePeriodSeconds: 120 - {{- if .Values.global.proxy.enableCoreDump }} - initContainers: - - name: enable-core-dump -@@ -136,6 +139,11 @@ - privileged: false - readOnlyRootFilesystem: true - {{- end }} -+ #This needs kube-proxy support coming with 1.22 hopefully, cilium ? -+ #lifecycle: -+ # preStop: -+ # exec: -+ # command: ["/bin/sh","-c","sleep 30"] - readinessProbe: - failureThreshold: 30 - httpGet: -diff -tubr istio/manifests/charts/gateways/istio-ingress/templates/service.yaml istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml ---- istio/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-07-15 07:32:30.000000000 +0200 -+++ istio.zdt/manifests/charts/gateways/istio-ingress/templates/service.yaml 2021-08-10 19:58:01.037876557 +0200 -@@ -34,9 +34,11 @@ - {{- range $key, $val := $gateway.ports }} - - - {{- range $pkey, $pval := $val }} -+ {{- if has $pkey (list "name" "nodePort" "port" "targetPort") }} - {{ $pkey}}: {{ $pval }} - {{- end }} - {{- end }} -+ {{- end }} - - {{ range $app := $gateway.ingressPorts }} - - -diff -tubr istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml ---- istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-07-15 07:32:30.000000000 +0200 -+++ istio.zdt/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 2021-08-10 15:46:23.216421660 +0200 -@@ -60,6 +60,9 @@ - {{- end }} - securityContext: - fsGroup: 1337 -+ tolerations: -+ - effect: NoSchedule -+ key: node-role.kubernetes.io/master - containers: - - name: discovery - {{- if contains "/" .Values.pilot.image }} diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index 85ebe89..4aae27f 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.7.19 +version: 0.7.20 appVersion: 1.6.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 452bcb4..92b7403 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.7.17](https://img.shields.io/badge/Version-0.7.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.7.20](https://img.shields.io/badge/Version-0.7.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack @@ -19,8 +19,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| | | eck-operator | 1.6.0 | -| | fluent-bit | 0.19.18 | -| | fluentd | 0.3.5 | +| | fluent-bit | 0.19.23 | +| | fluentd | 0.3.7 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.3 | ## Changes from upstream @@ -81,16 +81,10 @@ Kubernetes: `>= 1.18.0` | fluent-bit.config.service | string | `"[SERVICE]\n Flush {{ .Values.config.flushInterval }}\n Daemon Off\n Log_Level {{ .Values.config.logLevel }}\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port {{ .Values.service.port }}\n Health_Check On\n"` | | | fluent-bit.daemonSetVolumeMounts[0].mountPath | string | `"/var/log"` | | | fluent-bit.daemonSetVolumeMounts[0].name | string | `"varlog"` | | -| fluent-bit.daemonSetVolumeMounts[1].mountPath | string | `"/etc/machine-id"` | | -| fluent-bit.daemonSetVolumeMounts[1].name | string | `"etcmachineid"` | | -| fluent-bit.daemonSetVolumeMounts[1].readOnly | bool | `true` | | | fluent-bit.daemonSetVolumes[0].hostPath.path | string | `"/var/log"` | | | fluent-bit.daemonSetVolumes[0].name | string | `"varlog"` | | -| fluent-bit.daemonSetVolumes[1].hostPath.path | string | `"/etc/machine-id"` | | -| fluent-bit.daemonSetVolumes[1].hostPath.type | string | `"File"` | | -| fluent-bit.daemonSetVolumes[1].name | string | `"etcmachineid"` | | | fluent-bit.enabled | bool | `false` | | -| fluent-bit.image | string | `nil` | | +| fluent-bit.image.tag | string | `"1.9.2"` | | | fluent-bit.luaScripts."kubezero.lua" | string | `"function nest_k8s_ns(tag, timestamp, record)\n if not record['kubernetes']['namespace_name'] then\n return 0, 0, 0\n end\n new_record = {}\n for key, val in pairs(record) do\n if key == 'kube' then\n new_record[key] = {}\n new_record[key][record['kubernetes']['namespace_name']] = record[key]\n else\n new_record[key] = record[key]\n end\n end\n return 1, timestamp, new_record\nend\n"` | | | fluent-bit.resources.limits.memory | string | `"64Mi"` | | | fluent-bit.resources.requests.cpu | string | `"20m"` | | diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 5f49014..4ed060e 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -244,7 +244,7 @@ fluent-bit: image: #repository: public.ecr.aws/zero-downtime/fluent-bit - #tag: 1.8.9 + tag: 1.9.2 serviceMonitor: enabled: false diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index dd2551e..68e7f5d 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md @@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. @@ -10,7 +10,7 @@ KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,10 +18,10 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | kube-prometheus-stack | 30.2.0 | -| | prometheus-pushgateway | 1.14.0 | +| | kube-prometheus-stack | 34.9.0 | +| | prometheus-pushgateway | 1.16.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | -| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 3.0.1 | +| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 3.2.0 | ## Values @@ -76,11 +76,26 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.alertmanager.alertmanagerSpec.volumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | | | kube-prometheus-stack.alertmanager.alertmanagerSpec.volumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | | | kube-prometheus-stack.alertmanager.config.global.resolve_timeout | string | `"5m"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[0].equal[0] | string | `"namespace"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[0].equal[1] | string | `"alertname"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[0].source_matchers[0] | string | `"severity = critical"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[0].target_matchers[0] | string | `"severity =~ warning|info"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[1].equal[0] | string | `"namespace"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[1].equal[1] | string | `"alertname"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[1].source_matchers[0] | string | `"severity = warning"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[1].target_matchers[0] | string | `"severity = info"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[2].equal[0] | string | `"namespace"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[2].source_matchers[0] | string | `"alertname = InfoInhibitor"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[2].target_matchers[0] | string | `"severity = info"` | | | kube-prometheus-stack.alertmanager.config.route.group_by[0] | string | `"severity"` | | | kube-prometheus-stack.alertmanager.config.route.group_by[1] | string | `"clusterName"` | | | kube-prometheus-stack.alertmanager.config.route.group_interval | string | `"5m"` | | | kube-prometheus-stack.alertmanager.config.route.group_wait | string | `"30s"` | | | kube-prometheus-stack.alertmanager.config.route.repeat_interval | string | `"6h"` | | +| kube-prometheus-stack.alertmanager.config.route.routes[0].matchers[0] | string | `"alertname = Watchdog"` | | +| kube-prometheus-stack.alertmanager.config.route.routes[0].receiver | string | `"null"` | | +| kube-prometheus-stack.alertmanager.config.route.routes[1].matchers[0] | string | `"alertname = InfoInhibitor"` | | +| kube-prometheus-stack.alertmanager.config.route.routes[1].receiver | string | `"null"` | | | kube-prometheus-stack.alertmanager.enabled | bool | `false` | | | kube-prometheus-stack.coreDns.enabled | bool | `true` | | | kube-prometheus-stack.defaultRules.create | bool | `false` | | @@ -132,12 +147,13 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.kubelet.enabled | bool | `true` | | | kube-prometheus-stack.kubelet.serviceMonitor.cAdvisor | bool | `true` | | | kube-prometheus-stack.nodeExporter.enabled | bool | `true` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].action | string | `"replace"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].regex | string | `"^(.*)$"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].replacement | string | `"$1"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].separator | string | `";"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | -| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | | +| kube-prometheus-stack.prometheus-node-exporter.hostRootFsMount.enabled | bool | `false` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].action | string | `"replace"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].regex | string | `"^(.*)$"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].replacement | string | `"$1"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].separator | string | `";"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | +| kube-prometheus-stack.prometheus-node-exporter.prometheus.monitor.relabelings[0].targetLabel | string | `"node"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.cpu | string | `"20m"` | | | kube-prometheus-stack.prometheus-node-exporter.resources.requests.memory | string | `"16Mi"` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | | diff --git a/charts/kubezero-network/README.md b/charts/kubezero-network/README.md index 7d39260..5cd4afe 100644 --- a/charts/kubezero-network/README.md +++ b/charts/kubezero-network/README.md @@ -1,6 +1,6 @@ # kubezero-network -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things network @@ -10,7 +10,7 @@ KubeZero umbrella chart for all things network | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,19 +18,27 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| +| | calico | 0.2.2 | +| https://helm.cilium.io/ | cilium | 1.11.3 | | https://metallb.github.io/metallb | metallb | 0.10.2 | -# MetalLB - ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| +| calico.enabled | bool | `false` | | +| cilium.cni.exclusive | bool | `true` | | | cilium.enabled | bool | `false` | | +| cilium.hubble.enabled | bool | `false` | | +| cilium.operator.replicas | int | `1` | | +| cilium.prometheus.enabled | bool | `false` | | +| cilium.prometheus.port | int | `9091` | | +| cilium.tunnel | string | `"geneve"` | | | metallb.configInline | object | `{}` | | -| metallb.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | +| metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | | | metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | metallb.enabled | bool | `false` | | | metallb.psp.create | bool | `false` | | | multus.enabled | bool | `false` | | +| multus.tag | string | `"v3.8.1"` | | diff --git a/charts/kubezero-network/README.md.gotmpl b/charts/kubezero-network/README.md.gotmpl index bdfbcce..c5fe000 100644 --- a/charts/kubezero-network/README.md.gotmpl +++ b/charts/kubezero-network/README.md.gotmpl @@ -13,6 +13,4 @@ {{ template "chart.requirementsSection" . }} -# MetalLB - {{ template "chart.valuesSection" . }} diff --git a/charts/kubezero-storage/README.md b/charts/kubezero-storage/README.md index f029094..2436d20 100644 --- a/charts/kubezero-storage/README.md +++ b/charts/kubezero-storage/README.md @@ -1,6 +1,6 @@ # kubezero-storage -![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, gemini @@ -10,7 +10,7 @@ KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, g | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements @@ -18,10 +18,10 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | aws-ebs-csi-driver | 2.6.3 | +| | aws-ebs-csi-driver | 2.6.5 | | | aws-efs-csi-driver | 2.2.3 | -| | gemini | 0.0.8 | -| | lvm-localpv | 0.8.6 | +| | gemini | 1.0.0 | +| | lvm-localpv | 0.9.0 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | ## Values diff --git a/charts/kubezero/Chart.yaml b/charts/kubezero/Chart.yaml index 98e1238..351e2a3 100644 --- a/charts/kubezero/Chart.yaml +++ b/charts/kubezero/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero description: KubeZero - Root App of Apps chart type: application -version: 1.22.8-1 +version: 1.22.8-2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index ac2563d..6febbfd 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md @@ -1,6 +1,6 @@ # kubezero -![Version: 1.22.8-1](https://img.shields.io/badge/Version-1.22.8--1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 1.22.8-2](https://img.shields.io/badge/Version-1.22.8--2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero - Root App of Apps chart @@ -10,11 +10,11 @@ KubeZero - Root App of Apps chart | Name | Email | Url | | ---- | ------ | --- | -| Stefan Reimer | stefan@zero-downtime.net | | +| Stefan Reimer | | | ## Requirements -Kubernetes: `>= 1.22.0` +Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| @@ -26,39 +26,44 @@ Kubernetes: `>= 1.22.0` |-----|------|---------|-------------| | HighAvailableControlplane | bool | `false` | | | addons.enabled | bool | `false` | | -| addons.targetRevision | string | `"0.4.1"` | | +| addons.targetRevision | string | `"0.5.0"` | | | argocd.enabled | bool | `false` | | | argocd.istio.enabled | bool | `false` | | | argocd.namespace | string | `"argocd"` | | -| argocd.targetRevision | string | `"0.9.6"` | | +| argocd.targetRevision | string | `"0.10.1"` | | | cert-manager.enabled | bool | `false` | | | cert-manager.namespace | string | `"cert-manager"` | | -| cert-manager.targetRevision | string | `"0.8.2"` | | +| cert-manager.targetRevision | string | `"0.9.0"` | | +| istio-ingress.chart | string | `"kubezero-istio-gateway"` | | | istio-ingress.enabled | bool | `false` | | | istio-ingress.namespace | string | `"istio-ingress"` | | -| istio-ingress.targetRevision | string | `"0.7.6"` | | +| istio-ingress.targetRevision | string | `"0.8.0"` | | +| istio-private-ingress.chart | string | `"kubezero-istio-gateway"` | | +| istio-private-ingress.enabled | bool | `false` | | +| istio-private-ingress.namespace | string | `"istio-ingress"` | | +| istio-private-ingress.targetRevision | string | `"0.8.0"` | | | istio.enabled | bool | `false` | | | istio.namespace | string | `"istio-system"` | | -| istio.targetRevision | string | `"0.7.6"` | | +| istio.targetRevision | string | `"0.8.0"` | | | kubezero.defaultTargetRevision | string | `"*"` | | | kubezero.gitSync | object | `{}` | | | kubezero.repoURL | string | `"https://cdn.zero-downtime.net/charts"` | | | kubezero.server | string | `"https://kubernetes.default.svc"` | | | logging.enabled | bool | `false` | | | logging.namespace | string | `"logging"` | | -| logging.targetRevision | string | `"0.7.19"` | | +| logging.targetRevision | string | `"0.7.20"` | | | metrics.enabled | bool | `false` | | | metrics.istio.grafana | object | `{}` | | | metrics.istio.prometheus | object | `{}` | | | metrics.namespace | string | `"monitoring"` | | -| metrics.targetRevision | string | `"0.7.4"` | | +| metrics.targetRevision | string | `"0.8.0"` | | | network.enabled | bool | `false` | | | network.retain | bool | `true` | | -| network.targetRevision | string | `"0.1.7"` | | +| network.targetRevision | string | `"0.2.1"` | | | storage.aws-ebs-csi-driver.enabled | bool | `false` | | | storage.aws-efs-csi-driver.enabled | bool | `false` | | | storage.enabled | bool | `false` | | -| storage.targetRevision | string | `"0.5.7"` | | +| storage.targetRevision | string | `"0.6.0"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.8.1](https://github.com/norwoodj/helm-docs/releases/v1.8.1) diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index fb71fbf..87f4dfc 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -93,7 +93,7 @@ function _helm() { local action=$1 local module=$2 - local chart="kubezero-${module}" + local chart="$(yq eval '.spec.source.chart' $TMPDIR/kubezero/templates/${module}.yaml)" local namespace="$(yq eval '.spec.destination.namespace' $TMPDIR/kubezero/templates/${module}.yaml)" targetRevision="" @@ -123,7 +123,7 @@ function _helm() { apply # Delete dedicated namespace if not kube-system - delete_ns $namespace + [ -n "$DELETE_NS" ] && delete_ns $namespace fi return 0 diff --git a/charts/kubezero/templates/_app.tpl b/charts/kubezero/templates/_app.tpl index ba0a0be..8f43474 100644 --- a/charts/kubezero/templates/_app.tpl +++ b/charts/kubezero/templates/_app.tpl @@ -17,7 +17,11 @@ spec: project: kubezero source: + {{- if index .Values $name "chart" }} + chart: {{ index .Values $name "chart" }} + {{- else }} chart: kubezero-{{ $name }} + {{- end }} repoURL: {{ .Values.kubezero.repoURL }} targetRevision: {{ default .Values.kubezero.targetRevision ( index .Values $name "targetRevision" ) | quote }} helm: diff --git a/charts/kubezero/templates/argocd.yaml b/charts/kubezero/templates/argocd.yaml index c46356c..797f33d 100644 --- a/charts/kubezero/templates/argocd.yaml +++ b/charts/kubezero/templates/argocd.yaml @@ -61,11 +61,6 @@ istio: {{- end }} {{- end }} -{{- with index .Values "argocd" "argocd-applicationset" }} -argocd-applicationset: - {{ toYaml . | nindent 2 }} -{{- end }} - {{- end }} {{- define "argocd-argo" }} diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml index 691403c..d26f8ef 100644 --- a/charts/kubezero/templates/istio-ingress.yaml +++ b/charts/kubezero/templates/istio-ingress.yaml @@ -1,46 +1,75 @@ -{{- define "_ingress" }} -enabled: {{ .enabled }} -{{- with .gateway }} -gateways: - istio-ingressgateway: - {{- toYaml . | nindent 6 }} -{{- end }} +{{- define "istio-ingress-values" }} + +gateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + + # Only nodes who are fronted with matching private NLB + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/ingress.public + operator: Exists + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - istio-ingressgateway + topologyKey: "kubernetes.io/hostname" + + service: + ports: + - name: status-port + port: 15021 + nodePort: 30021 + noGateway: true + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 30080 + gatewayProtocol: HTTP2 + tls: + httpsRedirect: true + - name: https + port: 443 + targetPort: 8443 + nodePort: 30443 + gatewayProtocol: HTTPS + tls: + mode: SIMPLE + + # custom hardened bootstrap config + env: + ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json + volumes: + - name: custom-bootstrap-volume + configMap: + name: ingressgateway-bootstrap-config + volumeMounts: + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + readOnly: true + + {{- with index .Values "istio-ingress" "gateway" }} + {{- toYaml . | nindent 2 }} + {{- end }} + +telemetry: + enabled: {{ $.Values.metrics.enabled }} certificates: -{{- with .dnsNames }} -# Legacy to be removed with 1.21 !! -- name: ingress-cert - dnsNames: - {{- toYaml . | nindent 4 }} -{{- end }} -{{- range $cert := .certificates }} +{{- range $cert := index .Values "istio-ingress" "certificates" }} - name: {{ $cert.name }} dnsNames: {{- toYaml $cert.dnsNames | nindent 4 }} {{- end }} -proxyProtocol: {{ default true .proxyProtocol }} -{{- end }} - - -{{- define "istio-ingress-values" }} - -{{- with index .Values "istio-ingress" "global" }} -global: - {{- toYaml . | nindent 2 }} -{{- end }} - -{{- with index .Values "istio-ingress" "public" }} -istio-ingress: - telemetry: - enabled: {{ $.Values.metrics.enabled }} -{{- include "_ingress" . | nindent 2 }} -{{- end }} - -{{- with index .Values "istio-ingress" "private" }} -istio-private-ingress: - telemetry: - enabled: {{ $.Values.metrics.enabled }} -{{- include "_ingress" . | nindent 2 }} -{{- end }} +proxyProtocol: {{ default true (index .Values "istio-ingress" "proxyProtocol") }} {{- end }} diff --git a/charts/kubezero/templates/istio-private-ingress.yaml b/charts/kubezero/templates/istio-private-ingress.yaml new file mode 100644 index 0000000..bd6433e --- /dev/null +++ b/charts/kubezero/templates/istio-private-ingress.yaml @@ -0,0 +1,83 @@ +{{- define "istio-private-ingress-values" }} + +gateway: + name: istio-private-ingressgateway + labels: + app: istio-private-ingressgateway + istio: private-ingressgateway + + {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} + replicaCount: {{ . }} + {{- end }} + + # Only nodes who are fronted with matching private NLB + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/ingress.private + operator: Exists + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - istio-private-ingressgateway + topologyKey: "kubernetes.io/hostname" + + service: + ports: + - name: status-port + port: 15021 + nodePort: 31021 + noGateway: true + - name: http2 + port: 80 + targetPort: 8080 + nodePort: 31080 + gatewayProtocol: HTTP2 + tls: + httpsRedirect: true + - name: https + port: 443 + targetPort: 8443 + nodePort: 31443 + gatewayProtocol: HTTPS + tls: + mode: SIMPLE + {{- with index .Values "istio-private-ingress" "gateway" "service" "ports" }} + {{- toYaml . | nindent 4 }} + {{- end }} + + # custom hardened bootstrap config + env: + ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json + volumes: + - name: custom-bootstrap-volume + configMap: + name: private-ingressgateway-bootstrap-config + volumeMounts: + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + readOnly: true + +telemetry: + enabled: {{ $.Values.metrics.enabled }} +certificates: +{{- range $cert := index .Values "istio-private-ingress" "certificates" }} +- name: {{ $cert.name }} + dnsNames: + {{- toYaml $cert.dnsNames | nindent 4 }} +{{- end }} +proxyProtocol: {{ default true (index .Values "istio-private-ingress" "proxyProtocol") }} + +{{- end }} + + +{{- define "istio-private-ingress-argo" }} +{{- end }} + +{{ include "kubezero-app.app" . }} diff --git a/charts/kubezero/templates/istio.yaml b/charts/kubezero/templates/istio.yaml index f23d0f8..6f556c8 100644 --- a/charts/kubezero/templates/istio.yaml +++ b/charts/kubezero/templates/istio.yaml @@ -1,7 +1,7 @@ {{- define "istio-values" }} -istio-discovery: +istiod: telemetry: - enabled: {{ .Values.metrics.enabled }} + enabled: {{ $.Values.metrics.enabled }} {{- if .Values.HighAvailableControlplane }} pilot: replicaCount: 2 diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 5239819..d7e8695 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -31,12 +31,19 @@ storage: istio: enabled: false namespace: istio-system - targetRevision: 0.7.6 + targetRevision: 0.8.0 istio-ingress: enabled: false + chart: kubezero-istio-gateway namespace: istio-ingress - targetRevision: 0.7.6 + targetRevision: 0.8.0 + +istio-private-ingress: + enabled: false + chart: kubezero-istio-gateway + namespace: istio-ingress + targetRevision: 0.8.0 metrics: enabled: false @@ -49,11 +56,11 @@ metrics: logging: enabled: false namespace: logging - targetRevision: 0.7.19 + targetRevision: 0.7.20 argocd: enabled: false namespace: argocd - targetRevision: 0.9.6 + targetRevision: 0.10.1 istio: enabled: false diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md index 5242c75..5b9f050 100644 --- a/charts/uptime-kuma/README.md +++ b/charts/uptime-kuma/README.md @@ -1,6 +1,6 @@ # uptime-kuma -![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.0](https://img.shields.io/badge/AppVersion-1.8.0-informational?style=flat-square) +![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square) Chart for deploying uptime-kuma @@ -18,7 +18,7 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.4 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | ## Values @@ -32,7 +32,6 @@ Kubernetes: `>= 1.18.0` | nameOverride | string | `""` | override the name of the uptime-kuma chart | | service.port | int | `3001` | The port to be used by the uptime-kuma service | | serviceMonitor.enabled | bool | `false` | | -| version | string | `"1.8.0-alpine"` | | ## Resources