Commit 510b197f by Fyery Committed by GC

[Istio]Commit the istio catalog (#6)

* commit the istio catalog
* update istio chart questions and fix templates
* move istio to the proposed folder and fixed gke ingress setting
parent 9f00495c
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
name: istio
version: 1.0.0
appVersion: 0.7.1
description: Helm chart for all istio components
keywords:
- istio
- security
- sidecar-injector
- mixer
- pilot
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
approvers:
- prydonius
- tompizmor
- sameersbn
- carrodher
reviewers:
- prydonius
- tompizmor
- sameersbn
- carrodher
## Primary Components
The address below is the link of some primary components of Istio, if you have any questions about them, you can visit,
[Mixer](https://istio.io/docs/concepts/policy-and-control/mixer.html)
[Pilot](https://istio.io/docs/concepts/traffic-management/pilot.html)
[Istio-ingress](https://istio.io/docs/tasks/traffic-management/ingress.html)
[Security](https://istio.io/docs/concepts/security/)
## Manage your own applications using Istio
Once you have deployed the Istio catalog, then you can deploy your own applications or one of the sample applications provided with the installation like [Bookinfo](https://istio.io/docs/guides/bookinfo.html). Note: the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because HTTP/1.0 is not supported.
Because the deployment does not have the Istio-sidecar-injector installed, so you must use [istioctr kube-inject](https://istio.io/docs/reference/commands/istioctl.html#istioctl%20kube-inject) to manually inject Envoy containers in your application pods before deploying them:
```console
$ kubectl create -f <(istioctl kube-inject -f <your-app-spec>.yaml)
```
[Here](https://istio.io/docs/setup/kubernetes/sidecar-injection.html#manual-sidecar-injection) is the detailed description about how to install the Istio Sidecar.
## Configuration
The following tables lists the configurable parameters of the Istio chart and their default values.
Parameter | Description | Default
--------- | ----------- | -------
global.proxy.image | The image of Istio proxy| `istio/proxy` |
global.proxy.initImage | The initial image of Istio proxy| `istio/proxy_init` |
global.tag | The image tag of Istio proxy| `0.7.1` |
mixer.enabled | Enabled the mixer component of Istio| `true` |
mixer.replicaCount | The number of mixer pods| `1` |
mixer.image.repository | The mixer image repository| `istio/mixer` |
mixer.image.tag | The mixer image tag| `0.7.1` |
mixer.prometheusStatsdExporter.repository | The promutheus stas exporter image repository | `prom/statsd-exporter`
mixer.prometheusStatsdExporter.tag | The prometheus stas exporter image tag | `latest`
pilot.enabled | Enabled the pilot component of istio | `true`
pilot.replicaCount | The number of pilot pods | `1`
pilot.image.repository | The pilot image repository | `istio/pilot`
pilot.image.tag| The pilot image tag | `0.7.1`
grafana.enabled | Enabled the grafana component of istio | `false`
grafana.replicaCount | The number of grafana pods | `1`
grafana.image.repository | The grafana image repository | `istio/grafana`
grafana.image.tag | The grafana image tag| `0.7.1`
grafana.ingress.enabled | Expose grafana using layer 7 load balancer | `false`
grafana.ingress.hosts | The hostname to access the grafana | `grafana.local`
grafana.service.type | Grafana service type | `NodePort`
servicegraph.enabled | Enabled the servicegraph component of istio | `false`
servicegraph.replicaCount | The number of servicegraph pods | `1`
servicegraph.image.repository | The servicegraph image repository | `istio/servicegraph`
servicegraph.image.tag | The servicegraph image tag | `0.7.1`
servicegraph.ingress.enabled | Expose servicegraph using layer 7 load balancer | `false`
servicegraph.ingress.hosts | The hostname to access the servicegraph | `servicegraph.local`
servicegraph.service.type | Servicegraph service type | `NodePort`
zipkin.enabled | Enabled the zipkin component of istio | `false`
zipkin.replicaCount | The number of zipkin pods | `1`
zipkin.image.repository | The zipkin image repository | `openzipkin/zipkin`
zipkin.image.tag | The zipkin image tag | `latest`
zipkin.ingress.enabled | Expose zipkin using layer 7 load balancer | `false`
zipkin.ingress.hosts | The hostname to access the zipkin | `zipkin.local`
zipkin.service.type | zipkin service type | `NodePort`
prometheus.enabled | Enabled the prometheus component of istio | `false`
prometheus.replicaCount | The number of prometheus pods | `1`
prometheus.image.repository | The prometheus image repository | `prom/prometheus`
prometheus.image.tag | The prometheus image tag | `latest`
prometheus.ingress.enabled | Expose prometheus using layer 7 load balancer | `false`
prometheus.ingress.hosts | The hostname to access the prometheus | `prometheus.local`
prometheus.service.nodePort.enabled | Set the service type to `NodePort` | `true`
prometheus.service.nodePort.port | Specify the node port | `32090`
security.replicaCount | The number of security pods | `1`
security.image.repository | The security image repository | `istio/istio-ca`
security.image.tag | The security image tag | `0.7.1`
ingress.enabled | Expose istio using layer 7 load balancer | `true`
ingress.autoscaleMin | The autoscale minimum number of istio ingress | `2`
ingress.autoscaleMax | The autoscale maximum number of istio ingress | `8`
ingress.service.nodePort.enabled | Set the service type to `NodePort`, default `LoadBalancer` | `false`
ingress.service.nodePort.port | Specify the node port | `32000`
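Review bot: The defaults for `mixer.prometheusStatsdExporter.tag`, `zipkin.image.tag` and `prometheus.image.tag` are `latest`, so the chart deploys whatever those repositories publish at install time while the Istio images are pinned to `0.7.1`. Pin these three to specific versions so an install is reproducible and reviewable. The table also omits `global.rbacEnabled` and `global.controlPlaneSecurityEnabled`, which the ingress and mixer templates in this commit branch on, and the link text `istioctr kube-inject` should read `istioctl kube-inject`.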
#Istio
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes, Mesos, etc.
This chart bootstraps a [Istio](https://github.com/istio/istio/tree/master/install/kubernetes/helm/istio) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. The chart has the following components,
- grafana
- ingress
- mixer
- pilot
- prometheus
- security
- servicegraph
- zipkin
apiVersion: v1
description: A Helm chart for Kubernetes
name: grafana
version: 0.1.0
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "grafana.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "grafana.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
{{- end }}
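Review bot: The NodePort and LoadBalancer branches look the service up as `{{ template "grafana.fullname" . }}`, which renders as release name plus chart name, but the Service template in this commit hard-codes `name: grafana`, so the printed `kubectl get` commands will not find it. Use the same name in both places. The ClusterIP branch has the same kind of mismatch: it selects pods with `app=...,release=...` while the Deployment's pod template only carries `app: grafana`, and the `kubectl port-forward $POD_NAME` line omits `--namespace {{ .Release.Namespace }}`.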
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "grafana.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "grafana.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: grafana
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: grafana
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
path: /login
port: {{ .Values.service.internalPort }}
env:
- name: GRAFANA_PORT
value: {{ .Values.service.internalPort | quote }}
- name: GF_AUTH_BASIC_ENABLED
value: "false"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Admin
- name: GF_PATHS_DATA
value: /data/grafana
resources:
{{ toYaml .Values.resources | indent 12 }}
volumeMounts:
- name: data
mountPath: /data/grafana
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
volumes:
- name: data
emptyDir: {}
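Review bot: The env block sets `GF_AUTH_ANONYMOUS_ENABLED` to "true" with `GF_AUTH_ANONYMOUS_ORG_ROLE: Admin` and disables basic auth, so anyone who can reach the Grafana port is an organization admin without logging in, and the README lists `grafana.service.type` defaulting to `NodePort`. Default the anonymous role to `Viewer` or turn anonymous access off, and expose these settings as chart values so operators can choose. Separately, `metadata.name` and the pod label are hard-coded to `grafana` rather than derived from `grafana.fullname`, so two releases in one namespace will collide.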
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "grafana.name" . -}}
{{- $servicePort := .Values.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "grafana.fullname" . }}
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path:
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
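Review bot: `$serviceName` is taken from `include "grafana.name" .`, which honours `nameOverride`, while the Service in this commit is always named `grafana`; setting `nameOverride` leaves the Ingress backend pointing at a service that does not exist. Derive both names from the same helper. Since the Deployment grants anonymous users the Admin role, it is also worth documenting that `ingress.tls` and an authenticating annotation should be set before `ingress.enabled` is turned on.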
apiVersion: v1
kind: Service
metadata:
name: grafana
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: grafana
apiVersion: v1
name: ingress
version: 0.5.0
description: Helm chart for ingress deployment
keywords:
- istio
- ingress
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{- if .Values.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-ingress
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: istio-ingress
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
{{ end }}
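Review bot: The guard tests only `.Values.autoscaleMin`, but `maxReplicas` is rendered from `.Values.autoscaleMax`; with the minimum set and the maximum unset this produces an empty `maxReplicas` and the manifest is rejected. Guard on both values. The target Deployment in this commit also sets `replicas: {{ .Values.replicaCount }}`, which will reset the autoscaler's replica count on every upgrade; drop `replicas` from the Deployment when the autoscaler is rendered.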
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-ingress-{{ .Release.Namespace }}
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "ingresses"]
verbs: ["get", "watch", "list", "update"]
- apiGroups: [""]
resources: ["configmaps", "pods", "endpoints", "services"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-ingress-admin-role-binding-{{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-ingress-service-account
namespace: {{ .Release.Namespace }}
{{- end }}
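Review bot: `roleRef.name` is `istio-pilot-{{ .Release.Namespace }}`, not the `istio-ingress-{{ .Release.Namespace }}` ClusterRole defined just above, so the ingress service account receives whatever the pilot role grants and the ingress ClusterRole is never bound to anything. If that is intentional, say so in a comment and remove the unused role; otherwise point `roleRef.name` at `istio-ingress-{{ .Release.Namespace }}` so the ingress runs with only the `get`/`watch`/`list`/`update` rules written for it. The binding also lacks the `app`/`chart`/`release` labels the other RBAC objects carry.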
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-ingress
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: ingress
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-ingress-service-account
containers:
- name: {{ template "istio.name" . }}
image: "{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 80
containerPort: 443
args:
- proxy
- ingress
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- istio-ingress
- --zipkinAddress
- istio-zipkin:9411
- --statsdUdpAddress
- istio-mixer:9125
- --proxyAdminPort
- "15000"
{{- if .Values.global.controlPlaneSecurityEnabled }}
- --discoveryAddress
- istio-pilot:15005
- --controlPlaneAuthPolicy
- MUTUAL_TLS
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
{{- end }}
resources:
{{ toYaml .Values.resources | indent 12 }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingress-certs
mountPath: /etc/istio/ingress-certs
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: "istio.default"
optional: true
- name: ingress-certs
secret:
secretName: istio-ingress-certs
optional: true
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
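Review bot: In the `ports` list, `containerPort: 443` has no leading `- `, so it is a second `containerPort` key in the same list item as port 80 rather than its own entry; write it as `- containerPort: 443`. In the args, the `else` branch sets `--controlPlaneAuthPolicy NONE` and `--discoveryAddress istio-pilot:8080`, so unless `global.controlPlaneSecurityEnabled` is set the proxy fetches its configuration from pilot without mutual TLS; that flag is not documented in the README and the secure branch would be the safer default. `secretName: "istio.default"` is also fixed to the `default` service account's certificate while the pod runs as `istio-ingress-service-account`.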
{{- if ne .Values.service.nodePort.enabled true }}
apiVersion: v1
kind: Service
metadata:
name: istio-ingress
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
spec:
type: LoadBalancer
ports:
- port: 80
name: http
- port: 443
name: https
selector:
istio: ingress
{{- end }}
---
{{- if .Values.service.nodePort.enabled }}
# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
apiVersion: v1
kind: Service
metadata:
name: istio-ingress-nodeport
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
spec:
type: NodePort
ports:
- port: 80
{{- if .Values.service.nodePort.port }}
nodePort: {{ .Values.service.nodePort.port }}
{{- end }}
name: http
- port: 443
name: https
selector:
istio: ingress
{{- end }}
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-ingress-service-account
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
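Review bot: This ServiceAccount is rendered only when `global.rbacEnabled` is set, but the ingress Deployment in this commit sets `serviceAccountName: istio-ingress-service-account` unconditionally. With RBAC disabled the pods reference a service account that is never created and will not be admitted. Either create the ServiceAccount unconditionally and keep only the ClusterRole and ClusterRoleBinding behind the flag, or wrap `serviceAccountName` in the same condition.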
apiVersion: v1
name: mixer
version: 0.5.0
description: Helm chart for mixer deployment
keywords:
- istio
- mixer
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "mixer.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "mixer.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Service account name.
*/}}
{{- define "mixer.serviceAccountName" -}}
{{- if .Values.global.rbacEnabled -}}
{{- template "mixer.fullname" . -}}-service-account
{{- else }}
{{- .Values.serviceAccountName | trunc 63 | trimSuffix "-" -}}-service-account
{{- end -}}
{{- end -}}
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-mixer-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
{{- end }}
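Review bot: The last rule grants `get`, `list` and `watch` on `secrets` in a ClusterRole, which lets the mixer service account read every secret in every namespace. If mixer needs secrets at all, move that resource into a namespaced Role (ideally with `resourceNames`) and leave only the non-sensitive resources cluster-wide. The first rule's `resources: ["*"]` with `create` on `config.istio.io` is similarly broad; listing the resource kinds mixer actually creates would make the grant auditable.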
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-mixer-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-mixer-service-account
namespace: {{ .Release.Namespace }}
{{- end }}
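Review bot: The subject name is hard-coded as `istio-mixer-service-account`, while the `mixer.serviceAccountName` helper added in this commit renders `{{ template "mixer.fullname" . }}-service-account` when `global.rbacEnabled` is set, i.e. a name that depends on the release name. If the ServiceAccount and Deployment use that helper, this binding only matches when the two names happen to coincide and otherwise binds the role to an account nothing runs as. Use `{{ template "mixer.serviceAccountName" . }}` for the subject name.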
{{ define "config.yaml.tpl" }}
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: istioproxy
namespace: {{ .Release.Namespace }}
spec:
attributes:
origin.ip:
valueType: IP_ADDRESS
origin.uid:
valueType: STRING
origin.user:
valueType: STRING
request.headers:
valueType: STRING_MAP
request.id:
valueType: STRING
request.host:
valueType: STRING
request.method:
valueType: STRING
request.path:
valueType: STRING
request.reason:
valueType: STRING
request.referer:
valueType: STRING
request.scheme:
valueType: STRING
request.size:
valueType: INT64
request.time:
valueType: TIMESTAMP
request.useragent:
valueType: STRING
response.code:
valueType: INT64
response.duration:
valueType: DURATION
response.headers:
valueType: STRING_MAP
response.size:
valueType: INT64
response.time:
valueType: TIMESTAMP
source.uid:
valueType: STRING
source.user:
valueType: STRING
destination.uid:
valueType: STRING
connection.id:
valueType: STRING
connection.received.bytes:
valueType: INT64
connection.received.bytes_total:
valueType: INT64
connection.sent.bytes:
valueType: INT64
connection.sent.bytes_total:
valueType: INT64
connection.duration:
valueType: DURATION
connection.mtls:
valueType: BOOL
context.protocol:
valueType: STRING
context.timestamp:
valueType: TIMESTAMP
context.time:
valueType: TIMESTAMP
api.service:
valueType: STRING
api.version:
valueType: STRING
api.operation:
valueType: STRING
api.protocol:
valueType: STRING
request.auth.principal:
valueType: STRING
request.auth.audiences:
valueType: STRING
request.auth.presenter:
valueType: STRING
request.api_key:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: kubernetes
namespace: {{ .Release.Namespace }}
spec:
attributes:
source.ip:
valueType: IP_ADDRESS
source.labels:
valueType: STRING_MAP
source.name:
valueType: STRING
source.namespace:
valueType: STRING
source.service:
valueType: STRING
source.serviceAccount:
valueType: STRING
destination.ip:
valueType: IP_ADDRESS
destination.labels:
valueType: STRING_MAP
destination.name:
valueType: STRING
destination.namespace:
valueType: STRING
destination.service:
valueType: STRING
destination.serviceAccount:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: handler
namespace: {{ .Release.Namespace }}
spec:
outputAsJson: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: accesslog
namespace: {{ .Release.Namespace }}
spec:
severity: '"Default"'
timestamp: request.time
variables:
sourceIp: source.ip | ip("0.0.0.0")
destinationIp: destination.ip | ip("0.0.0.0")
sourceUser: source.user | ""
method: request.method | ""
url: request.path | ""
protocol: request.scheme | "http"
responseCode: response.code | 0
responseSize: response.size | 0
requestSize: request.size | 0
latency: response.duration | "0ms"
connectionMtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdio
namespace: {{ .Release.Namespace }}
spec:
match: "true" # If omitted match is true.
actions:
- handler: handler.stdio
instances:
- accesslog.logentry
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestcount
namespace: {{ .Release.Namespace }}
spec:
value: "1"
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestduration
namespace: {{ .Release.Namespace }}
spec:
value: response.duration | "0ms"
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestsize
namespace: {{ .Release.Namespace }}
spec:
value: request.size | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: responsesize
namespace: {{ .Release.Namespace }}
spec:
value: response.size | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
response_code: response.code | 200
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytesent
namespace: {{ .Release.Namespace }}
labels:
istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
spec:
value: connection.sent.bytes | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytereceived
namespace: {{ .Release.Namespace }}
labels:
istio-protocol: tcp # needed so that mixer will only generate when context.protocol == tcp
spec:
value: connection.received.bytes | 0
dimensions:
source_service: source.service | "unknown"
source_version: source.labels["version"] | "unknown"
destination_service: destination.service | "unknown"
destination_version: destination.labels["version"] | "unknown"
connection_mtls: connection.mtls | false
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: prometheus
metadata:
name: handler
namespace: {{ .Release.Namespace }}
spec:
metrics:
- name: request_count
instance_name: requestcount.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
- name: request_duration
instance_name: requestduration.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
explicit_buckets:
bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- name: request_size
instance_name: requestsize.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: response_size
instance_name: responsesize.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- source_service
- source_version
- destination_service
- destination_version
- response_code
- connection_mtls
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: tcp_bytes_sent
instance_name: tcpbytesent.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- connection_mtls
- name: tcp_bytes_received
instance_name: tcpbytereceived.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- source_service
- source_version
- destination_service
- destination_version
- connection_mtls
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promhttp
namespace: {{ .Release.Namespace }}
labels:
istio-protocol: http
spec:
actions:
- handler: handler.prometheus
instances:
- requestcount.metric
- requestduration.metric
- requestsize.metric
- responsesize.metric
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promtcp
namespace: {{ .Release.Namespace }}
labels:
istio-protocol: tcp # needed so that mixer will only execute when context.protocol == TCP
spec:
actions:
- handler: handler.prometheus
instances:
- tcpbytesent.metric
- tcpbytereceived.metric
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetesenv
metadata:
name: handler
namespace: {{ .Release.Namespace }}
spec:
# when running from mixer root, use the following config after adding a
# symbolic link to a kubernetes config file via:
#
# $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
#
# kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: kubeattrgenrulerule
namespace: {{ .Release.Namespace }}
spec:
actions:
- handler: handler.kubernetesenv
instances:
- attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: tcpkubeattrgenrulerule
namespace: {{ .Release.Namespace }}
spec:
match: context.protocol == "tcp"
actions:
- handler: handler.kubernetesenv
instances:
- attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetes
metadata:
name: attributes
namespace: {{ .Release.Namespace }}
spec:
# Pass the required attribute data to the adapter
source_uid: source.uid | ""
source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
destination_uid: destination.uid | ""
origin_uid: '""'
origin_ip: ip("0.0.0.0") # default to unspecified ip addr
attribute_bindings:
# Fill the new attributes from the adapter produced output.
# $out refers to an instance of OutputTemplate message
source.ip: $out.source_pod_ip | ip("0.0.0.0")
source.labels: $out.source_labels | emptyStringMap()
source.namespace: $out.source_namespace | "default"
source.service: $out.source_service | "unknown"
source.serviceAccount: $out.source_service_account_name | "unknown"
destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
destination.labels: $out.destination_labels | emptyStringMap()
destination.namespace: $out.destination_namespace | "default"
destination.service: $out.destination_service | "unknown"
destination.serviceAccount: $out.destination_service_account_name | "unknown"
---
{{ end }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-mixer
labels:
app: istio-mixer
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
data:
mapping.conf: |-
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-mixer-custom-resources
labels:
app: istio-mixer
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
data:
custom-resources.yaml: |-
{{- include "config.yaml.tpl" . | indent 4}}
# Mixer CRDs
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: circonus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: circonus
plural: circonuses
singular: circonus
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: denier
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: denier
plural: deniers
singular: denier
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: fluentd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: fluentd
plural: fluentds
singular: fluentd
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: kubernetesenv
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: listchecker
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: listchecker
plural: listcheckers
singular: listchecker
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: memquota
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: memquota
plural: memquotas
singular: memquota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: noop
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: noop
plural: noops
singular: noop
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: opa
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: opa
plural: opas
singular: opa
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: prometheus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: prometheus
plural: prometheuses
singular: prometheus
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: rbac
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: rbac
plural: rbacs
singular: rbac
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrols.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: servicecontrol
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: servicecontrol
plural: servicecontrols
singular: servicecontrol
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: solarwinds
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: solarwinds
plural: solarwindses
singular: solarwinds
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: stackdriver
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: statsd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: statsd
plural: statsds
singular: statsd
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: stdio
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stdio
plural: stdios
singular: stdio
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: apikey
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: apikey
plural: apikeys
singular: apikey
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizations.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: authorization
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: authorization
plural: authorizations
singular: authorization
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: checknothings.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: checknothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: checknothing
plural: checknothings
singular: checknothing
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kuberneteses.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: adapter.template.kubernetes
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: kubernetes
plural: kuberneteses
singular: kubernetes
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listentries.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: listentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: listentry
plural: listentries
singular: listentry
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: logentries.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: logentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: logentry
plural: logentries
singular: logentry
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: metrics.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: metric
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: metric
plural: metrics
singular: metric
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotas.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: quota
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: quota
plural: quotas
singular: quota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: reportnothings.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: reportnothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: reportnothing
plural: reportnothings
singular: reportnothing
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrolreports.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: servicecontrolreport
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: servicecontrolreport
plural: servicecontrolreports
singular: servicecontrolreport
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: tracespans.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: tracespan
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: tracespan
plural: tracespans
singular: tracespan
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: serviceroles.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: istio.io.mixer
istio: rbac
spec:
group: config.istio.io
names:
kind: ServiceRole
plural: serviceroles
singular: servicerole
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicerolebindings.config.istio.io
labels:
app: {{ template "mixer.name" . }}
package: istio.io.mixer
istio: rbac
spec:
group: config.istio.io
names:
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
scope: Namespaced
version: v1alpha2
apiVersion: batch/v1
kind: Job
metadata:
name: istio-mixer-create-cr
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
name: istio-mixer-create-cr
labels:
app: {{ template "mixer.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-mixer-service-account
containers:
- name: hyperkube
image: "{{ .Values.global.hyperkube.repository }}:{{ .Values.global.hyperkube.tag }}"
command:
- ./kubectl
- apply
- -f
- /tmp/mixer/custom-resources.yaml
volumeMounts:
- mountPath: "/tmp/mixer"
name: tmp-configmap-mixer
volumes:
- name: tmp-configmap-mixer
configMap:
name: istio-mixer-custom-resources
restartPolicy: Never # CRD might take some time till they are available to comsume
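Review bot: The hook runs `./kubectl apply -f /tmp/mixer/custom-resources.yaml` with `restartPolicy: Never`, no `backoffLimit` and no wait, even though the trailing comment on that line acknowledges the CRDs may not be served yet. Either wait for the CRDs to be established before applying, or set an explicit `backoffLimit` so the retry behaviour is a decision rather than the Job default. With `"helm.sh/hook-delete-policy": hook-succeeded`, a failed Job is also left in the namespace under the fixed name `istio-mixer-create-cr`. The comment itself has a typo ("comsume").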
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-mixer
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
annotations:
checksum/config-volume: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: mixer
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-mixer-service-account
containers:
- name: statsd-to-prometheus
image: "{{ .Values.prometheusStatsdExporter.repository }}:{{ .Values.prometheusStatsdExporter.tag}}"
imagePullPolicy: {{ .Values.prometheusStatsdExporter.imagePullPolicy }}
ports:
- containerPort: 9102
- containerPort: 9125
protocol: UDP
args:
- '-statsd.mapping-config=/etc/statsd/mapping.conf'
resources:
{{ toYaml .Values.prometheusStatsdExporter.resources | indent 12 }}
volumeMounts:
- name: config-volume
mountPath: /etc/statsd
- name: {{ template "mixer.name" . }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: 9091
- containerPort: 9093
- containerPort: 9094
- containerPort: 42422
args:
- --configStoreURL=k8s://
- --configDefaultNamespace={{ .Release.Namespace }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
- --logtostderr
resources:
{{ toYaml .Values.resources | indent 12 }}
- name: {{ template "mixer.name" . }}-proxy
image: "{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 15004
args:
- proxy
- mixer
- --controlPlaneAuthPolicy
{{- if .Values.global.securityEnabled }}
- MUTUAL_TLS
- --customConfigFile
- /etc/istio/proxy/envoy_mixer_auth.json
{{- else }}
- NONE #--controlPlaneAuthPolicy
- --customConfigFile
- /etc/istio/proxy/envoy_mixer.json
{{- end }}
resources:
{{ toYaml .Values.global.proxy.resources | indent 12 }}
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.istio-mixer-service-account
optional: true
- name: config-volume
configMap:
name: istio-mixer
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
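Review bot: In the `{{ template "mixer.name" . }}-proxy` args, `--controlPlaneAuthPolicy` is switched on `.Values.global.securityEnabled`, while the Pilot proxy in this same commit switches on `.Values.global.controlPlaneSecurityEnabled`. With two keys, an operator can end up with Pilot on MUTUAL_TLS and Mixer on NONE (or the reverse) without noticing; use one key for both, or document why they differ. The `istio-certs` secret is also `optional: true`, so the MUTUAL_TLS branch can start with an empty `/etc/certs`.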
apiVersion: v1
kind: Service
metadata:
name: istio-mixer
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
spec:
ports:
- name: tcp-plain
port: 9091
- name: tcp-mtls
port: 15004
- name: http-health
port: 9093
- name: configapi
port: 9094
- name: statsd-prom
port: 9102
- name: statsd-udp
port: 9125
protocol: UDP
- name: prometheus
port: 42422
selector:
istio: mixer
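Review bot: `tcp-plain` on 9091 is published unconditionally, so when the Deployment selects MUTUAL_TLS on 15004 the plaintext Mixer port is still reachable through this Service. Wrap the 9091 entry in the same condition as the proxy's auth policy, or add a comment saying which clients still need it. The Pilot Service has the same shape with 8080, 15003 and 15007.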
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-mixer-service-account
{{- end }}
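Review bot: This ServiceAccount is rendered only when `.Values.global.rbacEnabled` is true, but the Mixer Deployment and the `istio-mixer-create-cr` Job both set `serviceAccountName: istio-mixer-service-account` unconditionally. With `rbacEnabled: false` those pods reference an account the chart never creates. Either create the ServiceAccount unconditionally or guard `serviceAccountName` the way the prometheus Deployment does. The same pattern applies to `istio-pilot-service-account` and `istio-ca-service-account`.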
apiVersion: v1
name: pilot
version: 0.5.0
description: Helm chart for pilot deployment
keywords:
- istio
- pilot
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-pilot-{{ .Release.Namespace }}
labels:
app: istio-pilot
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["config.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["authentication.istio.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["endpoints", "pods", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["namespaces", "nodes", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["externaladmissionhookconfigurations"]
verbs: ["create", "update", "delete"]
{{- end }}
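Review bot: The rule for `["namespaces", "nodes", "secrets"]` gives Pilot get/list/watch on every Secret in the cluster, and the `customresourcedefinitions` rule uses `verbs: ["*"]` although the CRDs are shipped as chart templates. Split `secrets` into its own rule with a comment saying what consumes it, and replace the wildcard verbs with the ones Pilot actually needs. The `resources: ["*"]` / `verbs: ["*"]` rules on the three Istio API groups deserve the same treatment.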
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-pilot
labels:
app: istio-pilot
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-pilot-service-account
namespace: {{ .Release.Namespace }}
{{- end }}
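Review bot: `metadata.name: istio-pilot` is not namespace-qualified, while the ClusterRole it references is `istio-pilot-{{ .Release.Namespace }}`. ClusterRoleBindings are cluster-scoped, so a second release in another namespace collides on this name. Name it `istio-pilot-{{ .Release.Namespace }}` to match, as the istio-ca binding does with `istio-ca-role-binding-{{ .Release.Namespace }}`.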
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationpolicies.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: DestinationPolicy
listKind: DestinationPolicyList
plural: destinationpolicies
singular: destinationpolicy
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: egressrules.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: EgressRule
listKind: EgressRuleList
plural: egressrules
singular: egressrule
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: routerules.config.istio.io
labels:
app: istio-pilot
spec:
group: config.istio.io
names:
kind: RouteRule
listKind: RouteRuleList
plural: routerules
singular: routerule
scope: Namespaced
version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: virtualservices.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
singular: virtualservice
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationrules.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
singular: destinationrule
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: externalservices.networking.istio.io
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: ExternalService
listKind: ExternalServiceList
plural: externalservices
singular: externalservice
scope: Namespaced
version: v1alpha3
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-pilot
# TODO: default tempate doesn't have this, which one is right ?
labels:
app: istio-pilot
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: pilot
annotations:
checksum/config-volume: {{ template "istio.configmap.checksum" . }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: pilot
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-pilot-service-account
containers:
- name: discovery
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- "discovery"
- "--admission-service"
- "istio-pilot"
ports:
- containerPort: 8080
- containerPort: 15010
- containerPort: 443
readinessProbe:
httpGet:
path: /v1/registration
port: 8080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: PILOT_THROTTLE
value: "200"
resources:
{{ toYaml .Values.resources | indent 12 }}
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
- name: istio-proxy
image: "{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 15003
- containerPort: 15005
- containerPort: 15007
args:
- proxy
- pilot
{{- if .Values.global.controlPlaneSecurityEnabled }}
- --discoveryAddress
- istio-pilot:15005
- --controlPlaneAuthPolicy
- MUTUAL_TLS
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- localhost:8080
{{- end }}
- --customConfigFile
- /etc/istio/proxy/envoy_pilot.json
resources:
{{ toYaml .Values.global.proxy.resources | indent 12 }}
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
volumes:
- name: config-volume
configMap:
name: istio
- name: istio-certs
secret:
secretName: "istio.istio-pilot-service-account"
optional: true
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: istio-pilot
labels:
app: istio-pilot
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- port: 15005
name: https-discovery
- port: 15007
name: http-discovery
targetPort: 15007
- port: 15003
name: http-old-discovery
- port: 15010
name: grpc-xds
- port: 8080
name: http-legacy-discovery
- port: 9093
name: http-monitoring
- port: 443
name: admission-webhook
selector:
istio: pilot
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-pilot-service-account
labels:
app: istio-pilot
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
apiVersion: v1
description: A Helm chart for Kubernetes
name: prometheus
version: 0.1.0
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if .Values.service.nodePort.enabled }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services prometheus)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app=prometheus" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:9090 to use your application"
kubectl port-forward $POD_NAME 9090:9090
{{- end }}
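Review bot: In the `service.nodePort.enabled` branch, NODE_PORT is read from `services prometheus`, but the NodePort in this commit is defined on the separate `prometheus-nodeport` Service, so `{.spec.ports[0].nodePort}` comes back empty. Query `prometheus-nodeport` instead. In the last branch, `kubectl port-forward $POD_NAME 9090:9090` omits `--namespace {{ .Release.Namespace }}` although the `kubectl get pods` line above passes it, and `--namespace` on `kubectl get nodes` has no effect because nodes are cluster-scoped.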
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "prometheus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "prometheus.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- if .Values.global.rbacEnabled }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
- nodes/proxy
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: {{ .Release.Namespace }}
---
{{ end }}
\ No newline at end of file
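Review bot: The ClusterRole and ClusterRoleBinding are both named plain `prometheus`; these are cluster-scoped names, so they collide with any other object of that name and with a second release of this chart in another namespace. Suffix them with `{{ .Release.Namespace }}` as the pilot and istio-ca roles do. `nodes/proxy` with `get` lets this account reach each kubelet through the API server proxy, so add a comment tying it to the `kubernetes-nodes` and `kubernetes-cadvisor` scrape jobs that need it. The file also ends with a dangling `---` before `{{ end }}` and has no trailing newline.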
{{- $namespace := .Release.Namespace }}
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus
labels:
app: prometheus
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
prometheus.yml: |-
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'istio-mesh'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: {{ .Release.Namespace }};istio-mixer;prometheus
- job_name: 'envoy'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: {{ .Release.Namespace }};istio-mixer;statsd-prom
- job_name: 'mixer'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: {{ .Release.Namespace }};istio-mixer;http-monitoring
- job_name: 'pilot'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: {{ .Release.Namespace }};istio-pilot;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: default;kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor.
#
# This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
# (those whose names begin with 'container_') have been removed from the
# Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
# retrieve those metrics.
#
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
# the --cadvisor-port=0 Kubelet flag).
#
# This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice.
- job_name: 'kubernetes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# scrape config for service endpoints.
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
# Example scrape config for pods
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
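Review bot: The `mixer` job keeps only targets matching `{{ .Release.Namespace }};istio-mixer;http-monitoring`, but the istio-mixer Service in this commit names its ports tcp-plain, tcp-mtls, http-health, configapi, statsd-prom, statsd-udp and prometheus, so this job never selects a target. Point the regex at an existing port name or rename the Service port. `$namespace` is assigned on the first line and never used. The `kubernetes-service-endpoints` and `kubernetes-pods` jobs scrape any annotated workload cluster-wide; say so in a comment or make them optional through values.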
# TODO: the original template has service account, roles, etc
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: prometheus
labels:
app: prometheus
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
annotations:
sidecar.istio.io/inject: "false"
spec:
{{- if .Values.global.rbacEnabled }}
serviceAccountName: prometheus
{{ end }}
containers:
- name: prometheus
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- '--storage.tsdb.retention=6h'
- '--config.file=/etc/prometheus/prometheus.yml'
ports:
- containerPort: 9090
name: http
livenessProbe:
httpGet:
path: /-/healthy
port: 9090
readinessProbe:
httpGet:
path: /-/ready
port: 9090
resources:
{{ toYaml .Values.resources | indent 12 }}
volumeMounts:
- name: config-volume
mountPath: /etc/prometheus
volumes:
- name: config-volume
configMap:
name: prometheus
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: prometheus
labels:
app: prometheus
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path:
backend:
serviceName: prometheus
servicePort: 9090
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
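Review bot: This Ingress publishes Prometheus on 9090 with `tls` optional, and the Deployment's `args` configure nothing that authenticates requests in front of it. Document in the values that `ingress.annotations` must carry the ingress controller's auth settings, or require `ingress.tls` whenever `ingress.enabled` is set. `- path:` is also left empty; give it an explicit value.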
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: 'true'
labels:
name: prometheus
name: prometheus
spec:
selector:
app: prometheus
ports:
- name: http-prometheus
protocol: TCP
port: 9090
{{- if .Values.service.nodePort.enabled }}
# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
---
apiVersion: v1
kind: Service
metadata:
name: prometheus-nodeport
labels:
name: prometheus
spec:
type: NodePort
ports:
- port: 9090
{{- if .Values.service.nodePort.port }}
nodePort: {{ .Values.service.nodePort.port }}
{{- end }}
name: http-prometheus
selector:
app: prometheus
{{- end }}
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
{{- end }}
apiVersion: v1
name: security
version: 0.5.0
description: Helm chart for istio authentication
keywords:
- istio
- security
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "security.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "security.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Service account name.
*/}}
{{- define "security.serviceAccountName" -}}
{{- if .Values.global.rbacEnabled -}}
{{- template "security.fullname" . -}}-service-account
{{- else }}
{{- .Values.serviceAccountName | trunc 63 | trimSuffix "-" -}}-service-account
{{- end -}}
{{- end -}}
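Review bot: `security.serviceAccountName` is defined here, but none of the security templates shown in this commit call it: the Deployment, the ClusterRoleBinding subject and the ServiceAccount all hard-code `istio-ca-service-account`. As written, the `rbacEnabled` branch would also yield `<release>-<chart>-service-account`, which matches none of them. Either use the helper in all three places or drop it.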
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-ca-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "watch", "list", "update", "delete"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if .Values.global.rbacEnabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-ca-role-binding-{{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-ca-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-ca-service-account
namespace: {{ .Release.Namespace }}
{{- end }}
# istio CA watching all namespaces
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-ca
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: istio-ca
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: istio-ca
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-ca-service-account
containers:
- name: istio-ca
image: "{{ .Values.image.repository}}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --grpc-port=8060
- --grpc-hostname=istio-ca
- --self-signed-ca=true
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
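Review bot: `--self-signed-ca=true` is hard-coded in `args`, so every install generates its own root and the chart offers no value for plugging in an existing CA certificate and key. Expose it as a chart value and document the default. The leading comment says this CA watches all namespaces, which pairs with a ClusterRole that can create, update and delete Secrets cluster-wide, so the trust root deserves to be an explicit choice.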
apiVersion: v1
kind: Service
metadata:
# we use the normal name here (e.g. 'prometheus')
# as grafana is configured to use this as a data source
name: istio-ca
labels:
app: istio-ca
spec:
ports:
- port: 8060
targetPort: 8060
protocol: TCP
name: grpc-istioca
selector:
istio: istio-ca
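Review bot: The comment under `metadata` ("we use the normal name here (e.g. 'prometheus') as grafana is configured to use this as a data source") is copied from another chart and does not describe istio-ca. If the intent is that the Service name must match `--grpc-hostname=istio-ca` in the Deployment, say that instead. The `app: istio-ca` label is also hard-coded while the other security templates use `{{ template "security.name" . }}`.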
{{- if .Values.global.rbacEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-ca-service-account
{{- end }}
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: A Helm chart for Kubernetes
name: servicegraph
version: 0.1.0
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "servicegraph.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "servicegraph.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "servicegraph.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "servicegraph.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
{{- end }}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "servicegraph.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "servicegraph.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: servicegraph
labels:
app: {{ template "servicegraph.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: servicegraph
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: servicegraph
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
args:
- --prometheusAddr=http://prometheus:9090
# livenessProbe:
# httpGet:
# path: /
# port: {{ .Values.service.internalPort }}
# readinessProbe:
# httpGet:
# path: /
# port: {{ .Values.service.internalPort }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
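Review bot: the container arg `--prometheusAddr=http://prometheus:9090` is hard-coded, while values.yaml defines `servicegraph.prometheusAddr` with the same URL, so overriding that value has no effect. Use `--prometheusAddr={{ .Values.prometheusAddr }}` here or drop the unused value. The liveness and readiness probes are also commented out without explanation; either restore them or leave a note on why they cannot be used.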
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "servicegraph.name" . -}}
{{- $servicePort := .Values.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "servicegraph.fullname" . }}
labels:
app: {{ template "servicegraph.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path:
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
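Review bot: the backend is built from `$serviceName := include "servicegraph.name" .`, but the Service template hard-codes `name: servicegraph`. The two agree only while nameOverride is unset; any override makes the Ingress point at a Service that does not exist. Use the same literal or the same helper in both places. The zipkin ingress template in this commit follows the same pattern and needs the same fix.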
apiVersion: v1
kind: Service
metadata:
name: servicegraph
labels:
app: servicegraph
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: servicegraph
name: sidecar-injector
version: 0.5.0
description: Helm chart for sidecar injector deployment
keywords:
- istio
- sidecar-injector
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "sidecar-injector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "sidecar-injector.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: sidecar-injector
data:
config: |-
policy: enabled
template: |-
initContainers:
- name: istio-init
image: {{ .Values.global.proxy.initImage }}:{{ .Values.global.tag }}
args:
- "-p"
- {{ "{{ .MeshConfig.ProxyListenPort }}" }}
- "-u"
- 1337
{{ if .Values.includeIPRanges -}}
- "-i"
- {{ .Values.includeIPRanges | quote }}
{{ end -}}
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
restartPolicy: Always
containers:
- name: istio-proxy
image: {{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
args:
- proxy
- sidecar
- --configPath
- {{ "{{ .ProxyConfig.ConfigPath }}" }}
- --binaryPath
- {{ "{{ .ProxyConfig.BinaryPath }}" }}
- --serviceCluster
{{ "{{ if ne \"\" (index .ObjectMeta.Labels \"app\") -}}" }}
- {{ "{{ index .ObjectMeta.Labels \"app\" }}" }}
{{ "{{ else -}}" }}
- "istio-proxy"
{{ "{{ end -}}" }}
- --drainDuration
- {{ "{{ formatDuration .ProxyConfig.DrainDuration }}" }}
- --parentShutdownDuration
- {{ "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" }}
- --discoveryAddress
- {{ "{{ .ProxyConfig.DiscoveryAddress }}" }}
- --discoveryRefreshDelay
- {{ "{{ formatDuration .ProxyConfig.DiscoveryRefreshDelay }}" }}
- --zipkinAddress
- {{ "{{ .ProxyConfig.ZipkinAddress }}" }}
- --connectTimeout
- {{ "{{ formatDuration .ProxyConfig.ConnectTimeout }}" }}
- --statsdUdpAddress
- {{ "{{ .ProxyConfig.StatsdUdpAddress }}" }}
- --proxyAdminPort
- {{ "{{ .ProxyConfig.ProxyAdminPort }}" }}
- --controlPlaneAuthPolicy
- {{ "{{ .ProxyConfig.ControlPlaneAuthPolicy }}" }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
imagePullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1337
restartPolicy: Always
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
{{ "{{ if eq .Spec.ServiceAccountName \"\" -}}" }}
secretName: istio.default
{{ "{{ else -}}" }}
secretName: {{ "{{ printf \"istio.%s\" .Spec.ServiceAccountName }}" }}
{{ "{{ end -}}" }}
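Review bot: the injected istio-init container sets `privileged: true` in addition to adding the NET_ADMIN capability. Privileged mode already grants every capability, so the `capabilities.add` entry is redundant and every injected pod gets an init container with far more access than the NET_ADMIN line suggests is intended. If NET_ADMIN is sufficient, drop `privileged: true`; if it is not, say why in a comment. Also note that values.yaml defaults `includeIPRanges` to `{}` (a map) while this template pipes it through `quote` as a string; an empty string default would match the documented "172.30.0.0/16,172.20.0.0/16" form.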
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-sidecar-injector
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: sidecar-injector
annotations:
checksum/config-volume: {{ template "istio.configmap.checksum" . }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: sidecar-injector
spec:
containers:
- name: sidecar-injector-webhook
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --tlsCertFile=/etc/istio/certs/cert.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=2s
- --healthCheckFile=/health
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=2s
initialDelaySeconds: 4
periodSeconds: 4
readinessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=2s
initialDelaySeconds: 4
periodSeconds: 4
resources:
{{ toYaml .Values.resources | indent 12 }}
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
secret:
secretName: sidecar-injector-certs
- name: inject-config
configMap:
name: istio-sidecar-injector
items:
- key: config
path: config
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
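Review bot: the `checksum/config-volume` annotation appears before `spec:`, that is, on the Deployment's own metadata rather than on the pod template, so a changed checksum would not roll the pods. Move it under `spec.template.metadata.annotations`. The pod spec also sets no `serviceAccountName`, although values.yaml carries one for this subchart, and it mounts the secret `sidecar-injector-certs`, which none of the sidecar-injector templates shown here create; document how that secret is expected to be provisioned before the chart is enabled.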
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1beta1" -}}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: {{ template "sidecar-injector.fullname" . }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: sidecar-injector
webhooks:
- name: sidecar-injector.istio.io
clientConfig:
service:
name: {{ .Release.Name }}-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ${CA_BUNDLE}
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
namespaceSelector:
matchLabels:
istio-injection: enabled
{{- end -}}
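Review bot: `caBundle: ${CA_BUNDLE}` is a shell-style placeholder that Helm will not substitute, so the literal string is sent to the API server as the CA bundle. Combined with `failurePolicy: Fail`, a webhook that cannot be verified means pod creation is rejected in every namespace labelled `istio-injection: enabled`. Feed the bundle from a value or a generated certificate instead. The `clientConfig.service.name` is also `{{ .Release.Name }}-sidecar-injector`, while the Service template is named `istio-sidecar-injector`; the two match only when the release happens to be called "istio".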
apiVersion: v1
kind: Service
metadata:
name: istio-sidecar-injector
labels:
istio: sidecar-injector
spec:
ports:
- port: 443
selector:
istio: sidecar-injector
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: A Helm chart for Kubernetes
name: zipkin
version: 0.1.0
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "zipkin.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "zipkin.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "zipkin.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "zipkin.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
{{- end }}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "zipkin.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "zipkin.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: zipkin
labels:
app: {{ template "zipkin.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: zipkin
annotations:
sidecar.istio.io/inject: "false"
spec:
containers:
- name: zipkin
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
livenessProbe:
httpGet:
path: /
port: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
path: /
port: {{ .Values.service.internalPort }}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "zipkin.name" . -}}
{{- $servicePort := .Values.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "zipkin.fullname" . }}
labels:
app: {{ template "zipkin.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path:
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: Service
metadata:
name: zipkin
labels:
app: {{ template "zipkin.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: zipkin
categories:
- Microservice
- Service mesh
namespace: istio-system
questions:
- variable: defaultImage
default: "true"
description: "Use default Docker image"
label: Use Default Image
type: boolean
show_subquestion_if: false
group: "Container Images"
subquestions:
- variable: security.image.repository
default: "istio/istio-ca"
description: "The security image repository"
type: string
label: Security Image Repository
- variable: security.image.tag
default: "0.7.1"
description: "The security image tag"
type: string
label: Security Image Tag
- variable: global.proxy.image
default: "istio/proxy"
description: "The image of istio proxy"
type: string
required: true
label: Image Repository of Istio Proxy
- variable: global.proxy.initImage
default: "istio/proxy_init"
description: "The initial image of istio proxy"
type: string
required: true
label: Initial Image Repository of Istio Proxy
- variable: global.tag
default: "0.7.1"
description: "The image tag of istio proxy"
type: string
required: true
label: Image tag of Istio Proxy
- variable: mixer.image.repository
default: "istio/mixer"
description: "The mixer component image repository"
type: string
label: Mixer Image Repository
- variable: mixer.image.tag
default: "0.7.1"
description: "The mixer image tag"
type: string
label: Mixer Image Tag
- variable: mixer.prometheusStatsdExporter.repository
default: "prom/statsd-exporter"
description: "The prometheus stas exporter image repository"
type: string
label: Prometheus Exporter Image Repository
- variable: mixer.prometheusStatsdExporter.tag
default: "latest"
description: "The prometheus stas exporter image tag"
type: string
label: Prometheus Exporter Image Tag
- variable: pilot.image.repository
default: "istio/pilot"
description: "The pilot component image repository"
type: string
label: Pilot Image Repository
- variable: pilot.image.tag
default: "0.7.1"
description: "The pilot image tag"
type: string
label: Pilot Image Tag
- variable: servicegraph.image.repository
default: "istio/servicegraph"
description: "The servicegraph component image repository"
type: string
label: Servicegraph Image Repository
- variable: servicegraph.image.tag
default: "0.7.1"
description: "The servicegraph image tag"
type: string
label: Servicegraph Image Tag
- variable: zipkin.image.repository
default: "openzipkin/zipkin"
description: "The zipkin component image repository"
type: string
label: Zipkin Image Repository
- variable: zipkin.image.tag
default: "latest"
description: "The zipkin image tag"
type: string
label: Zipkin Image Tag
- variable: grafana.image.repository
default: "istio/grafana"
description: "The grafana component image repository"
type: string
label: Grafana Image Repository
- variable: grafana.image.tag
default: "0.7.1"
description: "The grafana image tag"
type: string
label: Grafana Image Tag
- variable: prometheus.image.repository
default: "prom/prometheus"
description: "The prometheuscomponent image repository"
type: string
label: Prometheus Image Repository
- variable: prometheus.image.tag
default: "latest"
description: "The prometheus image tag"
type: string
label: Prometheus Image Tag
- variable: servicegraph.enabled
default: "true"
description: "Enabled the servicegraph component of istio"
type: boolean
required: true
label: Enabled the Servicegraph Component
show_subquestion_if: true
group: "Servicegraph Component Settings"
subquestions:
- variable: servicegraph.ingress.enabled
default: "true"
description: "Expose servicegraph using layer 7 Load Balancer - ingress"
type: boolean
label: Expose servicegraph using Layer 7 Load Balancer
show_if: "servicegraph.enabled=true"
group: "Servicegraph Component Settings"
show_subquestion_if: "true"
subquestions:
- variable: servicegraph.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access servicegraph, it is a json array"
type: hostname
label: Hostname to Access Servicegraph
- variable: servicegraph.service.type
default: "NodePort"
description: "Servicegraph service type"
type: enum
label: Servicegraph Service Type
show_if: "servicegraph.ingress.enabled=false"
options:
- "ClusterIP"
- "NodePort"
- variable: zipkin.enabled
default: "true"
description: "Enabled the zipkin component of istio"
type: boolean
required: true
label: Enabled the zipkin Component
group: "Zipkin Component Settings"
- variable: zipkin.ingress.enabled
default: "true"
description: "Expose zipkin using Layer 7 Load Balancer - ingress"
type: boolean
label: Expose zipkin using Layer 7 Load Balancer
group: "Zipkin Component Settings"
show_if: "zipkin.enabled=true"
show_subquestion_if: "true"
subquestions:
- variable: zipkin.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access zipkin, it is a json array type"
type: hostname
label: Hostname to Access Zipkin
- variable: zipkin.service.type
default: "NodePort"
description: "Zipkin service type"
type: enum
label: Zipkin Service Type
show_if: "zipkin.ingress.enabled=false"
options:
- "ClusterIP"
- "NodePort"
- variable: ingress.service.nodePort.enabled
default: "true"
description: "Enabled nodePort service type"
group: "Istio Ingress Settings"
type: boolean
label: Enabled NodePort Service Type
show_subquestion_if: "true"
subquestions:
- variable: ingress.service.nodePort.port
default: ""
description: "NodePort http(to set explicitly, choose port between 30000-32767)"
type: int
min: 32000
max: 32767
label: Ingress Envoy NodePort Http Port
- variable: grafana.enabled
default: false
description: "Enabled the grafana component of istio"
type: boolean
required: true
label: Enabled the Grafana Component
show_subquestion_if: true
group: "Grafana Component Settings"
subquestions:
- variable: grafana.ingress.enabled
default: true
description: "Expose grafana using Layer 7 Load Balancer - ingress"
type: boolean
show_if: "grafana.enabled=true"
label: Expose grafana using Layer 7 Load Balancer
show_subquestion_if: "true"
group: "Grafana Component Settings"
subquestions:
- variable: grafana.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access the grafana, it is a json array type"
type: hostname
label: Hostname to Access Grafana
show_if: "grafana.enabled=true&&grafana.ingress.enabled=true"
- variable: grafana.service.type
default: "NodePort"
description: "Grafana service type"
show_if: "grafana.ingress.enabled=false"
type: enum
label: Grafana Service Type
group: "Grafana Component Settings"
options:
- "ClusterIP"
- "NodePort"
- variable: prometheus.enabled
default: true
description: "Enabled the prometheus component of istio"
type: boolean
required: true
label: Enabled the prometheus Component
show_subquestion_if: true
group: "Prometheus Component Settings"
- variable: prometheus.ingress.enabled
default: true
description: "Expose prometheus using Layer 7 Load Balancer - ingress"
type: boolean
label: Expose prometheus using Layer 7 Load Balancer
show_if: "prometheus.enabled=true"
show_subquestion_if: true
group: "Prometheus Component Settings"
subquestions:
- variable: prometheus.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access prometheus server"
type: hostname
label: Hostname to Access Prometheus Server
show_if: "prometheus.enabled=true"
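Review bot: for `ingress.service.nodePort.port` the description says "choose port between 30000-32767" but the constraint is `min: 32000`, so ports 30000 to 31999 are rejected by the form; align the two. In the image subquestions, the defaults for the statsd exporter, zipkin and prometheus tags are "latest", which makes deployments non-reproducible and lets the running image change without a chart change; pin them to a version as is done for the istio images. The servicegraph, zipkin and prometheus ingress questions also default to enabled with an `xip.io` hostname; consider defaulting exposure of these dashboards to off. Minor: "stas exporter" and "prometheuscomponent" are typos in the descriptions.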
dependencies:
- name: sidecar-injector
version: 0.5.0
condition: sidecar-injector.enabled
- name: ingress
version: 0.5.0
condition: ingress.enabled
- name: mixer
version: 0.5.0
condition: mixer.enabled
- name: pilot
version: 0.5.0
condition: pilot.enabled
- name: security
version: 0.5.0
condition: global.securityEnabled
- name: grafana
version: 0.1.0
condition: grafana.enabled
- name: prometheus
version: 0.1.0
condition: prometheus.enabled
- name: servicegraph
version: 0.1.0
condition: servicegraph.enabled
- name: zipkin
version: 0.1.0
condition: zipkin.enabled
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "istio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "istio.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Service account name.
*/}}
{{- define "istio.serviceAccountName" -}}
{{- if .Values.global.rbacEnabled -}}
{{- template "istio.fullname" . -}}
{{- else }}
{{- .Values.serviceAccountName | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a fully qualified configmap name.
*/}}
{{- define "istio.configmap.fullname" -}}
{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Configmap checksum.
*/}}
{{- define "istio.configmap.checksum" -}}
{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
{{- end -}}
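Review bot: `istio.configmap.checksum` hashes the string produced by `print $.Template.BasePath "/configmap.yaml"`, which is the template's path, not its rendered content, so the checksum is constant across config changes and cannot trigger a rollout. Render the template before hashing, for example `include (print $.Template.BasePath "/configmap.yaml") . | sha256sum`.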
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
mesh: |-
{{- if .Values.global.mtls.enabed }}
# Mutual TLS between proxies
authPolicy: MUTUAL_TLS
mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
{{- end }}
#
# Edit this list to avoid using mTLS to connect to these services.
# Typically, these are control services (e.g kubernetes API server) that don't have istio sidecar
# to transparently terminate mTLS authentication.
# mtlsExcludedServices: ["kubernetes.default.svc.cluster.local"]
# Set the following variable to true to disable policy checks by the Mixer.
# Note that metrics will still be reported to the Mixer.
disablePolicyChecks: false
# Set enableTracing to false to disable request tracing.
enableTracing: true
#
# To disable the mixer completely (including metrics), comment out
# the following lines
mixerCheckServer: istio-mixer.{{ .Release.Namespace }}:15004
mixerReportServer: istio-mixer.{{ .Release.Namespace }}:15004
# This is the ingress service name, update if you used a different name
ingressService: istio-ingress
#
# Along with discoveryRefreshDelay, this setting determines how
# frequently should Envoy fetch and update its internal configuration
# from istio Pilot. Lower refresh delay results in higher CPU
# utilization and potential performance loss in exchange for faster
# convergence. Tweak this value according to your setup.
rdsRefreshDelay: {{ .Values.global.refreshInterval }}
#
defaultConfig:
# NOTE: If you change any values in this section, make sure to make
# the same changes in start up args in istio-ingress pods.
# See rdsRefreshDelay for explanation about this setting.
discoveryRefreshDelay: {{ .Values.global.refreshInterval }}
#
# TCP connection timeout between Envoy & the application, and between Envoys.
connectTimeout: 10s
#
### ADVANCED SETTINGS #############
# Where should envoy's configuration be stored in the istio-proxy container
configPath: "/etc/istio/proxy"
binaryPath: "/usr/local/bin/envoy"
# The pseudo service name used for Envoy.
serviceCluster: istio-proxy
# These settings that determine how long an old Envoy
# process should be kept alive after an occasional reload.
drainDuration: 45s
parentShutdownDuration: 1m0s
#
# Port where Envoy listens (on local host) for admin commands
# You can exec into the istio-proxy container in a pod and
# curl the admin port (curl http://localhost:15000/) to obtain
# diagnostic information from Envoy. See
# https://lyft.github.io/envoy/docs/operations/admin.html
# for more details
proxyAdminPort: 15000
#
# Zipkin trace collector
zipkinAddress: istio-zipkin.{{ .Release.Namespace }}:9411
#
# Statsd metrics collector. istio mixer exposes a UDP endpoint
# to collect and convert statsd metrics into Prometheus metrics.
statsdUdpAddress: istio-mixer.{{ .Release.Namespace }}:9125
{{- if .Values.global.controlPlaneSecurityEnabled }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: MUTUAL_TLS
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005
{{- else }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: NONE
#
# Address where istio Pilot service is running
# Port 15007 is captured by envoy, but is not yet tuned (max connections, etc)
discoveryAddress: istio-pilot.{{ .Release.Namespace }}:8080
{{- end }}
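Review bot: the condition `{{- if .Values.global.mtls.enabed }}` misspells the key; values.yaml defines `global.mtls.enabled`. As written the block never renders, so setting `mtls.enabled: true` silently leaves `authPolicy: MUTUAL_TLS` out of the mesh config and service-to-service traffic stays unauthenticated. Fix the key name. The `mtlsExcludedServices` list inside the block is also hard-coded, while values.yaml carries the same list under `global.mtls` with a TODO; template it from the value so the two cannot drift.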
# Use --set or additional values.yaml file to configure settings.
# This file no longer uses sed, updateVersions.sh or istio.VERSIONS
# TODO: evaluate if we need individual overrides for each component version, istio
# is not typically tested with a mix of versions. Only supported case is version upgrade.
# Common settings.
global:
# Default tag for Istio images.
hub: docker.io/istio
# Default tag for Istio images.
# Should track latest released version.
# Currently using nightly build, for testing
tag: 0.7.1
proxy:
image: istio/proxy
initImage: istio/proxy_init
# imagePullPolicy is applied to istio control plane components.
imagePullPolicy: IfNotPresent
# Not recommended for user to configure this. Hyperkube image to use when creating custom resources
hyperkube:
repository: quay.io/coreos/hyperkube
tag: v1.7.6_coreos.0
# Install istio CA.
securityEnabled: true
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
# Default mtls policy. If true, mtls between services will be enabled by default.
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
# List of fully qualified services to exclude from mtls
# TODO: add the templating.
mtlsExcludedServices:
- "kubernetes.default.svc.cluster.local"
# create RBAC resources. Must be set for any cluster configured with rbac.
rbacEnabled: true
# Default is 1 second
refreshInterval: 10s
#
# ingress configuration
#
ingress:
enabled: true
serviceAccountName: default
imagePullPolicy: IfNotPresent
autoscaleMin: 2
autoscaleMax: 8
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
service:
nodePort:
enabled: true
# port: 32000
#
# sidecar-injector configuration
#
sidecar-injector:
enabled: false
serviceAccountName: default # used only if RBAC is not enabled
replicaCount: 1
image:
repository: istio/sidecar_injector
tag: 0.7.1
pullPolicy: IfNotPresent
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
# istio egress capture whitelist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: {}
#
# mixer configuration
#
mixer:
enabled: true
serviceAccountName: default # used only if RBAC is not enabled
replicaCount: 1
image:
repository: istio/mixer
tag: 0.7.1
pullPolicy: IfNotPresent
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
prometheusStatsdExporter:
repository: prom/statsd-exporter
tag: latest
imagePullPolicy: IfNotPresent
resources: {}
#
# pilot configuration
#
pilot:
enabled: true
serviceAccountName: default # used only if RBAC is not enabled
replicaCount: 1
image:
repository: istio/pilot
tag: 0.7.1
pullPolicy: IfNotPresent
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
#
# security configuration
#
security:
serviceAccountName: default # used only if RBAC is not enabled
replicaCount: 1
image:
repository: istio/istio-ca
tag: 0.7.1
pullPolicy: IfNotPresent
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
#
# addons configuration
#
grafana:
enabled: false
replicaCount: 1
image:
repository: istio/grafana
tag: 0.7.1
pullPolicy: IfNotPresent
service:
name: http
type: NodePort
externalPort: 3000
internalPort: 3000
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- grafana.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: grafana-tls
# hosts:
# - grafana.local
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
prometheus:
enabled: false
replicaCount: 1
image:
repository: prom/prometheus
tag: latest
pullPolicy: IfNotPresent
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- prometheus.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: prometheus-tls
# hosts:
# - prometheus.local
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
service:
nodePort:
enabled: true
# port: 32090
servicegraph:
enabled: true
replicaCount: 1
image:
repository: istio/servicegraph
tag: 0.7.1
pullPolicy: IfNotPresent
service:
name: http
type: NodePort
externalPort: 8088
internalPort: 8088
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- servicegraph.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: servicegraph-tls
# hosts:
# - servicegraph.local
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
# prometheus addres
prometheusAddr: http://prometheus:9090
zipkin:
enabled: true
replicaCount: 1
image:
repository: openzipkin/zipkin
tag: latest
pullPolicy: IfNotPresent
service:
name: http
type: NodePort
externalPort: 9411
internalPort: 9411
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- zipkin.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: zipkin-tls
# hosts:
# - zipkin.local
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
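Review bot: three images are set to `tag: latest` (prom/statsd-exporter, prom/prometheus, openzipkin/zipkin) while every istio image is pinned to 0.7.1; pin these too so an install is reproducible and the image content cannot change underneath a fixed chart version. Other points in this file: the comment above `hub:` says "Default tag for Istio images" and should describe the hub; `controlPlaneSecurityEnabled: true` is the default although its own comment says "not recommended for tests", which deserves a sentence on the intended audience; `includeIPRanges: {}` should be an empty string to match its documented form; and `servicegraph.prometheusAddr` is defined but not consumed by the servicegraph Deployment.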