Unverified Commit 8f7fa34d by GC Committed by GitHub

added v1.0 Istio chart and fix typo (#31)

* added v1.0 istio chart and fix typo of longhorn
* update readme
parent b3c3e263
apiVersion: v1
name: istio
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
home: https://istio.io/
keywords:
- istio
- security
- sidecarInjectorWebhook
- mixer
- pilot
- galley
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
maintainers:
- name: istio
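Review bot: `sources` points at `http://github.com/istio/istio`; use `https://` so chart metadata links to upstream over TLS, and the `maintainers` entry carries only `name: istio` with no `email` or `url`, so anyone wanting to report a chart problem has no contact. Also `tillerVersion: ">=2.7.2-0"` here differs from the `">=2.7.2"` used by the subcharts in this commit; pick one constraint.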
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2018 Istio Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
## Prerequisites
- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.
## Resources Required
The chart deploys pods that consume minimum resources as specified in the resources configuration parameter.
## Configuration
The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
## Custom Installation
1. If a service account has not already been installed for Tiller, install one:
```
$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
```
2. Install Tiller on your cluster with the service account:
```
$ helm init --service-account tiller
```
3. Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
```
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
```
**Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver:
```
$ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
```
4. To install the chart with the release name `istio` in namespace `istio-system`:
- With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
```
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
```
- Without the sidecar injection webhook:
```
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false
```
## Uninstalling the Chart
To uninstall/delete the `istio` release:
```
$ helm delete istio
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
To uninstall/delete the `istio` release completely and make its name free for later use:
```
$ helm delete istio --purge
```
# Istio
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details
This chart can install multiple istio components as subcharts:
- ingress
- ingressgateway
- egressgateway
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali
To enable or disable each component, change the corresponding `enabled` flag.
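Review bot: the `sidecarInjectorWebhook.enabled` row of the configuration table has only three cells (`| \`sidecarInjectorWebhook.enabled\` | Specifies whether automatic sidecar-injector should be installed | \`true\` |`), so it renders misaligned; add a `true/false` Values cell. The documented default for `global.tag` is `0.8.latest`, which conflicts with the chart's `appVersion: 1.0.1`. Finally, both `global.controlPlaneSecurityEnabled` and `global.mtls.enabled` default to `false`, meaning control-plane and service-to-service traffic are plaintext out of the box; a sentence telling operators to set both to `true` for production would help. The `# Istio` title and `## Introduction` also appear after `## Uninstalling the Chart`; they belong at the top of the README.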
apiVersion: v1
description: A Helm chart for Kubernetes
name: certmanager
version: 1.0.1
appVersion: 0.3.1
tillerVersion: ">=2.7.2"
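Review bot: `description: A Helm chart for Kubernetes` is the `helm create` placeholder; say what the subchart deploys (the cert-manager controller, `appVersion: 0.3.1`) so the component shows up meaningfully in `helm search`/`helm inspect`.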
certmanager has been deployed successfully!
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
\ No newline at end of file
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "certmanager.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "certmanager.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- $fullname := printf "%s-%s" $name .Release.Name -}}
{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "certmanager.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
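Review bot: `certmanager.fullname` builds `<name>-<release>` (`printf "%s-%s" $name .Release.Name`) while the galley helper in this same commit builds `<release>-<name>`; Helm's convention is release first, so align the two. Note also that none of the certmanager templates use `certmanager.fullname` or `certmanager.chart`; either use them for the resource names (which are currently hard-coded to `certmanager`) or drop the dead helpers.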
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: certmanager
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "certmanager.name" . }}
spec:
replicas: 1
selector:
matchLabels:
app: certmanager
template:
metadata:
labels:
app: certmanager
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: certmanager
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: certmanager
image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=$(POD_NAMESPACE)
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 10 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.podDnsPolicy }}
dnsPolicy: {{ .Values.podDnsPolicy }}
{{- end }}
{{- if .Values.podDnsConfig }}
dnsConfig:
{{ toYaml .Values.podDnsConfig | indent 8 }}
{{- end }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: {{ .Release.Namespace }}
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ .Values.email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt
namespace: {{ .Release.Namespace }}
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.email }}
privateKeySecretRef:
name: letsencrypt
http01: {}
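Review bot: `ClusterIssuer` is cluster-scoped (the CRD above sets `scope: Cluster`), so the `namespace: {{ .Release.Namespace }}` on both `letsencrypt-staging` and `letsencrypt` is meaningless and should be removed. The production `letsencrypt` issuer is rendered unconditionally, so merely enabling the subchart registers an ACME account for `.Values.email` with the production Let's Encrypt endpoint; gate it behind a value so operators opt in. The container also has no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities), and the Deployment's `metadata.labels.app` uses `template "certmanager.name"` while the pod labels and `matchLabels` use the literal `certmanager`, so a `nameOverride` would make the two diverge.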
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: certmanager
labels:
app: certmanager
rules:
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates", "issuers", "clusterissuers"]
verbs: ["*"]
- apiGroups: [""]
# TODO: remove endpoints once 0.4 is released. We include it here in case
# users use the 'master' version of the Helm chart with a 0.2.x release of
# certManager that still performs leader election with Endpoint resources.
# We advise users don't do this, but some will anyway and this will reduce
# friction.
resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: certmanager
labels:
app: certmanager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: certmanager
subjects:
- name: certmanager
namespace: {{ .Release.Namespace }}
kind: ServiceAccount
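Review bot: the ClusterRole grants `verbs: ["*"]` on `secrets`, `configmaps`, `pods`, `services`, `events` and `endpoints` across every namespace, which is far more than a certificate controller needs and makes this service account a cluster-wide secrets reader/writer. Enumerate the verbs actually used (the controller must read and write TLS `secrets`; `pods`/`services` are only needed for the HTTP01 solver; `events` needs only `create`/`patch`), and since the TODO says `endpoints` is only for 0.2.x leader election while this subchart ships `appVersion: 0.3.1`, drop `endpoints` now rather than later.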
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: certmanager
namespace: {{ .Release.Namespace }}
labels:
app: certmanager
apiVersion: v1
name: galley
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for galley deployment
keywords:
- istio
- galley
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
approvers:
- cmluciano
- geeknoid
- ozevren
- ayj
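Review bot: `approvers` is not a field Helm reads from Chart.yaml; if these are the chart owners, list them under `maintainers` (with contact details) so the metadata is actually surfaced by Helm. `home` is also missing here while the parent chart sets it.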
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "galley.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "galley.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-galley-{{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["*"]
- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["deployments"]
resourceNames: ["istio-galley"]
verbs: ["get"]
- apiGroups: ["*"]
resources: ["endpoints"]
resourceNames: ["istio-galley"]
verbs: ["get"]
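Review bot: the `validatingwebhookconfigurations` rule uses `verbs: ["*"]`; galley needs to create and patch its own webhook configuration, so spell out `get`, `list`, `watch`, `create`, `update`, `patch`, `delete` instead of a wildcard. The `deployments`/`endpoints` rules scoped with `resourceNames: ["istio-galley"]` and `verbs: ["get"]` are the right pattern, but `apiGroups: ["*"]` can be narrowed to `["apps", "extensions"]` and `[""]` respectively.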
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-galley-admin-role-binding-{{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-galley-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-galley-service-account
namespace: {{ .Release.Namespace }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-galley-configuration
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
data:
validatingwebhookconfiguration.yaml: |-
{{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}}
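Review bot: the ConfigMap is labelled `istio: mixer`, which looks copied from the mixer chart; the galley Deployment and Service in this commit use `istio: galley`, so the label should match or any selector/monitoring rule keyed on `istio: galley` will miss it.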
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "galley.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: galley
spec:
replicas: {{ .Values.replicaCount }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
istio: galley
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-galley-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: validator
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 443
- containerPort: 9093
command:
- /usr/local/bin/galley
- validator
- --deployment-namespace={{ .Release.Namespace }}
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --healthCheckInterval=1s
- --healthCheckFile=/health
- --webhook-config-file
- /etc/istio/config/validatingwebhookconfiguration.yaml
volumeMounts:
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: config
mountPath: /etc/istio/config
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/health
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/health
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumes:
- name: certs
secret:
secretName: istio.istio-galley-service-account
- name: config
configMap:
name: istio-galley-configuration
affinity:
{{- include "nodeaffinity" . | indent 6 }}
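Review bot: the validator container listens on `containerPort: 443` and the Service below exposes `port: 443` with no `targetPort`, so the process must bind a privileged port, which requires root or `CAP_NET_BIND_SERVICE`, and no `securityContext` is set on the pod or container. Serve on a high port, map it with the Service's `targetPort`, and add `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities.drop: ["ALL"]`. The `readinessProbe` is a byte-for-byte copy of the `livenessProbe`, so a pod that merely is not ready yet is also restarted; give liveness a larger `initialDelaySeconds`/`failureThreshold`. The `extensions/v1beta1` Deployment also has no `spec.selector`, relying on API defaulting from the template labels.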
apiVersion: v1
kind: Service
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
istio: galley
spec:
ports:
- port: 443
name: https-validation
- port: 9093
name: http-monitoring
selector:
istio: galley
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-galley-service-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{ define "validatingwebhookconfiguration.yaml.tpl" }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
webhooks:
{{- if .Values.global.configValidation }}
- name: pilot.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: {{ .Release.Namespace }}
path: "/admitpilot"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- httpapispecs
- httpapispecbindings
- quotaspecs
- quotaspecbindings
- operations:
- CREATE
- UPDATE
apiGroups:
- rbac.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- authentication.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- networking.istio.io
apiVersions:
- "*"
resources:
- destinationrules
- envoyfilters
- gateways
# disabled per @costinm's request
# - serviceentries
- virtualservices
failurePolicy: Fail
- name: mixer.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: {{ .Release.Namespace }}
path: "/admitmixer"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- rules
- attributemanifests
- circonuses
- deniers
- fluentds
- kubernetesenvs
- listcheckers
- memquotas
- noops
- opas
- prometheuses
- rbacs
- servicecontrols
- solarwindses
- stackdrivers
- statsds
- stdios
- apikeys
- authorizations
- checknothings
# - kuberneteses
- listentries
- logentries
- metrics
- quotas
- reportnothings
- servicecontrolreports
- tracespans
failurePolicy: Fail
{{- end }}
{{- end }}
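Review bot: `ValidatingWebhookConfiguration` is cluster-scoped, so `namespace: {{ .Release.Namespace }}` under `metadata` is dropped by the apiserver and should be removed. Both webhooks ship `caBundle: ""`, so the apiserver cannot verify galley's serving certificate until galley patches the bundle in at runtime from the `--caCertFile` root cert; that dependency (and the `*` RBAC on `validatingwebhookconfigurations` it needs) deserves a comment here. `failurePolicy: Fail` is the right fail-closed choice, but it means any galley outage blocks every Istio config `CREATE`/`UPDATE`; document that trade-off in the README. The `# - serviceentries` line means `ServiceEntry` objects bypass server-side validation entirely; the comment records who asked but not why, so record the reason and when it can be re-enabled.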
apiVersion: v1
name: gateways
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- egressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if and $spec.enabled $spec.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: {{ $key }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
---
{{- end }}
{{- end }}
{{- end }}
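Review bot: `range $key, $spec := .Values` treats every top-level value except `global` and `enabled` as a gateway, so any other key added to `values.yaml` (a scalar, for instance) makes `$spec.enabled` fail at render time; iterate an explicit map such as `.Values.gateways` instead. Within the loop, `$spec.cpu.targetAverageUtilization` is dereferenced whenever `autoscaleMin` is set, so a gateway with `autoscaleMin` but no `cpu` block produces a nil-pointer template error; guard it with `{{- if $spec.cpu }}` or give it a default.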
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "istio.name" $ }}
chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
name: {{ $key }}-{{ $.Release.Namespace }}
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
{{- end }}
{{- end }}
{{- end }}
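Review bot: this ClusterRole is ineffective and unnecessary. `virtualservices`, `destinationrules` and `gateways` live in the `networking.istio.io` API group (the galley webhook rules in this very commit list them there), not `extensions`, and `thirdpartyresources` no longer exists on the Kubernetes 1.9+ clusters the README requires, so the rule grants nothing usable. More to the point, the gateway pod is an Envoy proxy that receives its configuration from Pilot over the `--discoveryAddress` xDS connection and never talks to the Kubernetes API, so the least-privilege fix is to delete the ClusterRole and its ClusterRoleBinding rather than correct the group.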
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $key }}-{{ $.Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ $key }}-service-account
namespace: {{ $.Release.Namespace }}
---
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels:
chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
release: {{ $.Release.Name }}
heritage: {{ $.Release.Service }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
replicas: {{ $spec.replicaCount }}
template:
metadata:
labels:
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: {{ $key }}-service-account
{{- if $.Values.global.priorityClassName }}
priorityClassName: "{{ $.Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
{{- range $key, $val := $spec.ports }}
- containerPort: {{ $val.port }}
{{- end }}
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- {{ $key }}
- --zipkinAddress
{{- if $.Values.global.istioNamespace }}
- zipkin.{{ $.Values.global.istioNamespace }}:9411
{{- else }}
- zipkin:9411
{{- end }}
{{- if $.Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }}
{{- end }}
- --proxyAdminPort
- "15000"
{{- if $.Values.global.controlPlaneSecurityEnabled }}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --discoveryAddress
{{- if $.Values.global.istioNamespace }}
- istio-pilot.{{ $.Values.global.istioNamespace }}:15005
{{- else }}
- istio-pilot:15005
{{- end }}
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
{{- if $.Values.global.istioNamespace }}
- istio-pilot.{{ $.Values.global.istioNamespace }}:8080
{{- else }}
- istio-pilot:8080
{{- end }}
{{- end }}
resources:
{{- if $spec.resources }}
{{ toYaml $spec.resources | indent 12 }}
{{- else }}
{{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- range $spec.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- if $spec.additionalContainers }}
{{ toYaml $spec.additionalContainers | indent 8 }}
{{- end }}
volumes:
- name: istio-certs
secret:
secretName: istio.{{ $key }}-service-account
optional: true
{{- range $spec.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $spec.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" $ | indent 6 }}
---
{{- end }}
{{- end }}
{{- end }}
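Review bot: `optional: true` on the `istio-certs` volume lets the gateway pod start even when the `istio.{{ $key }}-service-account` secret is missing; with `controlPlaneSecurityEnabled` set, the proxy is then launched with `--controlPlaneAuthPolicy` `MUTUAL_TLS` and no client certificate, and the failure only surfaces later as a discovery connection error. Consider making the volume required when control-plane security is enabled so a missing Citadel-issued secret fails at scheduling time and is visible. Minor: the Deployment is `extensions/v1beta1` with no `spec.selector`, while the HPA above targets `apps/v1beta1`; `apps/v1` requires an explicit selector, so adding one now eases the migration.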
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
annotations:
{{- range $key, $val := $spec.serviceAnnotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
release: {{ $.Release.Name }}
heritage: {{ $.Release.Service }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
{{- if $spec.loadBalancerIP }}
loadBalancerIP: "{{ $spec.loadBalancerIP }}"
{{- end }}
type: {{ .type }}
selector:
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
ports:
{{- range $key, $val := $spec.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
---
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: v1
kind: ServiceAccount
{{- if $.Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range $.Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $key }}-service-account
namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
---
{{- end }}
{{- end }}
{{- end }}
apiVersion: v1
description: A Helm chart for Kubernetes
name: grafana
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "grafana.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "grafana.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-grafana-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: grafana
data:
custom-resources.yaml: |-
{{- include "grafana-default.yaml.tpl" . | indent 4}}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-grafana-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-grafana-post-install-{{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-grafana-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-grafana-post-install-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-grafana-post-install
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
name: istio-grafana-post-install
labels:
app: istio-grafana
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-grafana-post-install-account
containers:
- name: hyperkube
image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/grafana"
name: tmp-configmap-grafana
volumes:
- name: tmp-configmap-grafana
configMap:
name: istio-grafana-custom-resources
restartPolicy: OnFailure
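Review bot: the post-install ClusterRole grants `resources: ["*"]` with `verbs: ["*"]` on `authentication.istio.io` cluster-wide, but the Job only needs to create a single `Policy` in `{{ .Release.Namespace }}` (the `grafana-default.yaml.tpl` rendered into the ConfigMap); a namespaced Role with `create` and `get` on `policies` is sufficient. Also, `"helm.sh/hook-delete-policy": hook-succeeded` removes only the Job, while the ServiceAccount, ClusterRole and ClusterRoleBinding carry no hook annotations and persist, so the broad grant outlives the one-shot task it was created for.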
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: grafana
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
path: /login
port: {{ .Values.service.internalPort }}
env:
- name: GRAFANA_PORT
value: {{ .Values.service.internalPort | quote }}
{{- if .Values.security.enabled }}
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
name: grafana
key: username
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: grafana
key: password
- name: GF_AUTH_BASIC_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "false"
- name: GF_AUTH_DISABLE_LOGIN_FORM
value: "false"
{{- else }}
- name: GF_AUTH_BASIC_ENABLED
value: "false"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Admin
{{- end }}
- name: GF_PATHS_DATA
value: /data/grafana
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /data/grafana
affinity:
{{- include "nodeaffinity" . | indent 6 }}
volumes:
- name: data
emptyDir: {}
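Review bot: the `{{- else }}` branch sets `GF_AUTH_ANONYMOUS_ENABLED` to `"true"` and `GF_AUTH_ANONYMOUS_ORG_ROLE` to `Admin`, so whenever `security.enabled` is false every unauthenticated caller that reaches the service is a Grafana administrator and can edit data sources and dashboards. If anonymous access stays the default, set the org role to `Viewer` and keep `Admin` behind the secret-backed login; note the Service below takes its type from `.Values.service.type`, so a `LoadBalancer` value would expose this directly.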
{{ define "grafana-default.yaml.tpl" }}
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: grafana-ports-mtls-disabled
namespace: {{ .Release.Namespace }}
spec:
targets:
- name: grafana
ports:
- number: {{ .Values.service.externalPort }}
{{- end }}
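Review bot: the `Policy` `grafana-ports-mtls-disabled` targets `grafana` on `{{ .Values.service.externalPort }}` with no `peers:` section, which disables peer authentication on that port; this is what lets the sidecar-less Grafana pod (`sidecar.istio.io/inject: "false"` in the Deployment above) be reached from mesh workloads, but it also means this is the one port where in-mesh callers present no verified identity. Add a comment in the template saying the exemption is intentional so it is not mistaken for a leftover when auditing mTLS coverage.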
{{- if .Values.security.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: grafana
labels:
app: grafana
type: Opaque
data:
username: {{ .Values.security.adminUser | b64enc | quote }}
password: {{ .Values.security.adminPassword | b64enc | quote }}
{{- end -}}
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: grafana
apiVersion: v1
name: ingress
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for ingress deployment
keywords:
- istio
- ingress
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{- if .Values.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: istio-ingress
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
{{ end }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-ingress-{{ .Release.Namespace }}
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "ingresses"]
verbs: ["get", "watch", "list", "update"]
- apiGroups: [""]
resources: ["configmaps", "pods", "endpoints", "services"]
verbs: ["get", "watch", "list"]
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-ingress-{{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-ingress-service-account
namespace: {{ .Release.Namespace }}
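Review bot: `roleRef.name: istio-pilot-{{ .Release.Namespace }}` in the ClusterRoleBinding does not reference the `istio-ingress-{{ .Release.Namespace }}` ClusterRole defined immediately above, so the ingress role is never bound and `istio-ingress-service-account` instead receives whatever the pilot role grants; change the roleRef to `istio-ingress-{{ .Release.Namespace }}` so the ingress proxy runs with its own, narrower permissions.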
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: ingress
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-ingress-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: {{ template "istio.name" . }}
image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- ingress
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- istio-ingress
- --zipkinAddress
- zipkin:9411
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
{{- end }}
- --proxyAdminPort
- "15000"
{{- if .Values.global.controlPlaneSecurityEnabled }}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --discoveryAddress
- istio-pilot:15005
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingress-certs
mountPath: /etc/istio/ingress-certs
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.istio-ingress-service-account
optional: true
- name: ingress-certs
secret:
secretName: istio-ingress-certs
optional: true
affinity:
{{- include "nodeaffinity" . | indent 6 }}
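Review bot: `--discoveryAddress` and `--zipkinAddress` are hardcoded to `istio-pilot:15005` / `istio-pilot:8080` and `zipkin:9411`, while the gateway template above switches on `$.Values.global.istioNamespace` to qualify these names; an ingress installed outside the control-plane namespace will resolve the wrong service or none at all. Apply the same `istioNamespace` conditional here for consistency.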
apiVersion: v1
kind: Service
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
{{- end }}
type: {{ .Values.service.type }}
selector:
istio: ingress
ports:
{{- range $key, $val := .Values.service.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-ingress-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
apiVersion: v1
description: Kiali is an open source project for service mesh observability, refer to https://github.com/kiali/kiali for detail.
name: kiali
version: 1.0.1
appVersion: 0.6.0
tillerVersion: ">=2.7.2"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kiali
labels:
app: kiali
version: master
rules:
- apiGroups: ["","apps", "autoscaling"]
resources:
- configmaps
- namespaces
- nodes
- pods
- projects
- services
- endpoints
- deployments
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups: ["config.istio.io"]
resources:
- rules
- circonuses
- deniers
- fluentds
- kubernetesenvs
- listcheckers
- memquotas
- opas
- prometheuses
- rbacs
- servicecontrols
- solarwindses
- stackdrivers
- statsds
- stdios
- apikeys
- authorizations
- checknothings
- kuberneteses
- listentries
- logentries
- metrics
- quotas
- reportnothings
- servicecontrolreports
- quotaspecs
- quotaspecbindings
verbs:
- get
- list
- watch
- apiGroups: ["networking.istio.io"]
resources:
- virtualservices
- destinationrules
- serviceentries
- gateways
verbs:
- get
- list
- watch
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-kiali-admin-role-binding-{{ .Release.Namespace }}
labels:
app: kiali
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kiali
subjects:
- kind: ServiceAccount
name: kiali-service-account
namespace: {{ .Release.Namespace }}
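Review bot: the ClusterRole `name: kiali` carries no release or namespace suffix while the ClusterRoleBinding is named `istio-kiali-admin-role-binding-{{ .Release.Namespace }}`, so two releases in different namespaces will contend for one cluster-scoped role and the second install overwrites the first; suffix the role the same way as the binding. The `version: master` label is also inconsistent with `appVersion: 0.6.0` in the chart metadata.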
apiVersion: v1
kind: ConfigMap
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: kiali
data:
config.yaml: |
server:
port: 20001
static_content_root_directory: /opt/kiali/console
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: kiali
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: kiali
template:
metadata:
name: kiali
labels:
app: kiali
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: kiali-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
name: kiali
command:
- "/opt/kiali/kiali"
- "-config"
- "/kiali-configuration/config.yaml"
- "-v"
- "4"
env:
- name: ACTIVE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SERVER_CREDENTIALS_USERNAME
valueFrom:
secretKeyRef:
name: kiali
key: username
- name: SERVER_CREDENTIALS_PASSWORD
valueFrom:
secretKeyRef:
name: kiali
key: passphrase
- name: PROMETHEUS_SERVICE_URL
value: http://prometheus:9090
{{- if .Values.dashboard.grafanaURL }}
- name: GRAFANA_URL
value: {{ .Values.dashboard.grafanaURL }}
{{- end }}
- name: GRAFANA_DASHBOARD
value: istio-service-dashboard
- name: GRAFANA_VAR_SERVICE_SOURCE
value: var-service
- name: GRAFANA_VAR_SERVICE_DEST
value: var-service
{{- if .Values.dashboard.jaegerURL }}
- name: JAEGER_URL
value: {{ .Values.dashboard.jaegerURL }}
{{- end }}
volumeMounts:
- name: kiali-configuration
mountPath: "/kiali-configuration"
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
volumes:
- name: kiali-configuration
configMap:
name: kiali
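Review bot: `PROMETHEUS_SERVICE_URL` is fixed to `http://prometheus:9090`, unlike `GRAFANA_URL` and `JAEGER_URL`, which are read from `.Values.dashboard`; expose it as a value so a deployment with Prometheus in another namespace or behind TLS does not silently query a non-existent endpoint. `"-v"` `"4"` is also a high log verbosity for a shipped default and belongs behind a values switch.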
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: kiali
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: /
backend:
serviceName: kiali
servicePort: 20001
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
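Review bot: the Ingress forwards `/` to `kiali` on port `20001` and only emits `tls:` when `.Values.ingress.tls` is set, so the default is plaintext; because the Deployment above feeds `SERVER_CREDENTIALS_USERNAME` and `SERVER_CREDENTIALS_PASSWORD` into Kiali's login, enabling the ingress without `tls` sends those credentials in the clear. Either require `tls` when `ingress.enabled` is true or document the requirement alongside the value.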
apiVersion: v1
kind: Secret
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: kiali
type: Opaque
data:
username: {{ .Values.dashboard.username | b64enc | quote }}
passphrase: {{ .Values.dashboard.passphrase | b64enc | quote }}
apiVersion: v1
kind: Service
metadata:
name: kiali
namespace: {{ .Release.Namespace }}
labels:
app: kiali
spec:
type: {{ .Values.service.type }}
ports:
- name: tcp
protocol: TCP
port: 20001
name: http-kiali
selector:
app: kiali
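Review bot: the single port entry has two `name` keys (`name: tcp` and `name: http-kiali`), which is a duplicate key within one YAML mapping; strict parsers reject it and lenient ones keep only the last. Drop `name: tcp` and keep `http-kiali`, since the `http-` prefix is what Istio uses for protocol selection on the port.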
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: kiali-service-account
namespace: {{ .Release.Namespace }}
labels:
app: kiali
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
apiVersion: v1
name: mixer
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for mixer deployment
keywords:
- istio
- mixer
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "mixer.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "mixer.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- range $key, $spec := .Values }}
{{- if or (eq $key "istio-policy") (eq $key "istio-telemetry") }}
{{- if and $spec.autoscaleEnabled $spec.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $key }}
namespace: {{ $.Release.Namespace }}
spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: {{ $key }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
---
{{- end }}
{{- end }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-mixer-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["config.istio.io"] # istio CRD watcher
resources: ["*"]
verbs: ["create", "get", "list", "watch", "patch"]
- apiGroups: ["rbac.istio.io"] # istio RBAC watcher
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
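Review bot: the core-group rule `resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]` with `get`, `list`, `watch` gives the mixer service account read access to every Secret in the cluster; if mixer only needs secrets from its own namespace, move that entry into a namespaced Role, and if it needs none, remove it. The `config.istio.io` rule with `create` and `patch` on `*` also lets mixer write any Istio config resource, which is broader than the "CRD watcher" the comment describes; confirm those verbs are actually required.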
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
labels:
app: {{ template "mixer.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-mixer-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-mixer-service-account
namespace: {{ .Release.Namespace }}
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: istioproxy
namespace: {{ .Release.Namespace }}
spec:
attributes:
origin.ip:
valueType: IP_ADDRESS
origin.uid:
valueType: STRING
origin.user:
valueType: STRING
request.headers:
valueType: STRING_MAP
request.id:
valueType: STRING
request.host:
valueType: STRING
request.method:
valueType: STRING
request.path:
valueType: STRING
request.reason:
valueType: STRING
request.referer:
valueType: STRING
request.scheme:
valueType: STRING
request.total_size:
valueType: INT64
request.size:
valueType: INT64
request.time:
valueType: TIMESTAMP
request.useragent:
valueType: STRING
response.code:
valueType: INT64
response.duration:
valueType: DURATION
response.headers:
valueType: STRING_MAP
response.total_size:
valueType: INT64
response.size:
valueType: INT64
response.time:
valueType: TIMESTAMP
source.uid:
valueType: STRING
source.user: # DEPRECATED
valueType: STRING
source.principal:
valueType: STRING
destination.uid:
valueType: STRING
destination.principal:
valueType: STRING
destination.port:
valueType: INT64
connection.event:
valueType: STRING
connection.id:
valueType: STRING
connection.received.bytes:
valueType: INT64
connection.received.bytes_total:
valueType: INT64
connection.sent.bytes:
valueType: INT64
connection.sent.bytes_total:
valueType: INT64
connection.duration:
valueType: DURATION
connection.mtls:
valueType: BOOL
connection.requested_server_name:
valueType: STRING
context.protocol:
valueType: STRING
context.timestamp:
valueType: TIMESTAMP
context.time:
valueType: TIMESTAMP
# Deprecated, kept for compatibility
context.reporter.local:
valueType: BOOL
context.reporter.kind:
valueType: STRING
context.reporter.uid:
valueType: STRING
api.service:
valueType: STRING
api.version:
valueType: STRING
api.operation:
valueType: STRING
api.protocol:
valueType: STRING
request.auth.principal:
valueType: STRING
request.auth.audiences:
valueType: STRING
request.auth.presenter:
valueType: STRING
request.auth.claims:
valueType: STRING_MAP
request.auth.raw_claims:
valueType: STRING
request.api_key:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
name: kubernetes
namespace: {{ .Release.Namespace }}
spec:
attributes:
source.ip:
valueType: IP_ADDRESS
source.labels:
valueType: STRING_MAP
source.metadata:
valueType: STRING_MAP
source.name:
valueType: STRING
source.namespace:
valueType: STRING
source.owner:
valueType: STRING
source.service: # DEPRECATED
valueType: STRING
source.serviceAccount:
valueType: STRING
source.services:
valueType: STRING
source.workload.uid:
valueType: STRING
source.workload.name:
valueType: STRING
source.workload.namespace:
valueType: STRING
destination.ip:
valueType: IP_ADDRESS
destination.labels:
valueType: STRING_MAP
destination.metadata:
valueType: STRING_MAP
destination.owner:
valueType: STRING
destination.name:
valueType: STRING
destination.container.name:
valueType: STRING
destination.namespace:
valueType: STRING
destination.service: # DEPRECATED
valueType: STRING
destination.service.uid:
valueType: STRING
destination.service.name:
valueType: STRING
destination.service.namespace:
valueType: STRING
destination.service.host:
valueType: STRING
destination.serviceAccount:
valueType: STRING
destination.workload.uid:
valueType: STRING
destination.workload.name:
valueType: STRING
destination.workload.namespace:
valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: handler
namespace: {{ .Release.Namespace }}
spec:
outputAsJson: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: accesslog
namespace: {{ .Release.Namespace }}
spec:
severity: '"Info"'
timestamp: request.time
variables:
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
apiClaims: request.auth.raw_claims | ""
apiKey: request.api_key | request.headers["x-api-key"] | ""
protocol: request.scheme | context.protocol | "http"
method: request.method | ""
url: request.path | ""
responseCode: response.code | 0
responseSize: response.size | 0
requestSize: request.size | 0
requestId: request.headers["x-request-id"] | ""
clientTraceId: request.headers["x-client-trace-id"] | ""
latency: response.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
userAgent: request.useragent | ""
responseTimestamp: response.time
receivedBytes: request.total_size | 0
sentBytes: response.total_size | 0
referer: request.referer | ""
httpAuthority: request.headers[":authority"] | request.host | ""
xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
monitored_resource_type: '"global"'
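Review bot: `apiClaims: request.auth.raw_claims | ""` and `apiKey: request.api_key | request.headers["x-api-key"] | ""` write the caller's raw JWT claim set and API key into the stdio access log at `"Info"` severity, so any log collector attached to the telemetry pod receives live credentials. Remove `apiKey` from the variables or reduce it to a presence flag, and log only the claim fields needed (for example `request.auth.principal`, which the attribute manifest above already declares).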
---
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: tcpaccesslog
namespace: {{ .Release.Namespace }}
spec:
severity: '"Info"'
timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
variables:
connectionEvent: connection.event | ""
sourceIp: source.ip | ip("0.0.0.0")
sourceApp: source.labels["app"] | ""
sourcePrincipal: source.principal | ""
sourceName: source.name | ""
sourceWorkload: source.workload.name | ""
sourceNamespace: source.namespace | ""
sourceOwner: source.owner | ""
destinationApp: destination.labels["app"] | ""
destinationIp: destination.ip | ip("0.0.0.0")
destinationServiceHost: destination.service.host | ""
destinationWorkload: destination.workload.name | ""
destinationName: destination.name | ""
destinationNamespace: destination.namespace | ""
destinationOwner: destination.owner | ""
destinationPrincipal: destination.principal | ""
protocol: context.protocol | "tcp"
connectionDuration: connection.duration | "0ms"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
requestedServerName: connection.requested_server_name | ""
receivedBytes: connection.received.bytes | 0
sentBytes: connection.sent.bytes | 0
totalReceivedBytes: connection.received.bytes_total | 0
totalSentBytes: connection.sent.bytes_total | 0
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
monitored_resource_type: '"global"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdio
namespace: {{ .Release.Namespace }}
spec:
match: context.protocol == "http" || context.protocol == "grpc"
actions:
- handler: handler.stdio
instances:
- accesslog.logentry
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: stdiotcp
namespace: {{ .Release.Namespace }}
spec:
match: context.protocol == "tcp"
actions:
- handler: handler.stdio
instances:
- tcpaccesslog.logentry
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestcount
namespace: {{ .Release.Namespace }}
spec:
value: "1"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
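Review bot: `response_code: response.code | 200` defaults a missing response code to `200`, so a request that was aborted or never answered is counted as a success in `requestcount`; the same default appears in `requestduration` below. Default to `0` instead so error-rate alerts built on this metric do not under-report failures.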
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestduration
namespace: {{ .Release.Namespace }}
spec:
value: response.duration | "0ms"
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: requestsize
namespace: {{ .Release.Namespace }}
spec:
value: request.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: responsesize
namespace: {{ .Release.Namespace }}
spec:
value: response.size | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.host | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
request_protocol: api.protocol | context.protocol | "unknown"
response_code: response.code | 200
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytesent
namespace: {{ .Release.Namespace }}
spec:
value: connection.sent.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: metric
metadata:
name: tcpbytereceived
namespace: {{ .Release.Namespace }}
spec:
value: connection.received.bytes | 0
dimensions:
reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
source_workload: source.workload.name | "unknown"
source_workload_namespace: source.workload.namespace | "unknown"
source_principal: source.principal | "unknown"
source_app: source.labels["app"] | "unknown"
source_version: source.labels["version"] | "unknown"
destination_workload: destination.workload.name | "unknown"
destination_workload_namespace: destination.workload.namespace | "unknown"
destination_principal: destination.principal | "unknown"
destination_app: destination.labels["app"] | "unknown"
destination_version: destination.labels["version"] | "unknown"
destination_service: destination.service.name | "unknown"
destination_service_name: destination.service.name | "unknown"
destination_service_namespace: destination.service.namespace | "unknown"
connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: prometheus
metadata:
name: handler
namespace: {{ .Release.Namespace }}
spec:
metrics:
- name: requests_total
instance_name: requestcount.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- request_protocol
- response_code
- connection_security_policy
- name: request_duration_seconds
instance_name: requestduration.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- request_protocol
- response_code
- connection_security_policy
buckets:
explicit_buckets:
bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
- name: request_bytes
instance_name: requestsize.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- request_protocol
- response_code
- connection_security_policy
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: response_bytes
instance_name: responsesize.metric.{{ .Release.Namespace }}
kind: DISTRIBUTION
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- request_protocol
- response_code
- connection_security_policy
buckets:
exponentialBuckets:
numFiniteBuckets: 8
scale: 1
growthFactor: 10
- name: tcp_sent_bytes_total
instance_name: tcpbytesent.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- connection_security_policy
- name: tcp_received_bytes_total
instance_name: tcpbytereceived.metric.{{ .Release.Namespace }}
kind: COUNTER
label_names:
- reporter
- source_app
- source_principal
- source_workload
- source_workload_namespace
- source_version
- destination_app
- destination_principal
- destination_workload
- destination_workload_namespace
- destination_version
- destination_service
- destination_service_name
- destination_service_namespace
- connection_security_policy
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promhttp
namespace: {{ .Release.Namespace }}
spec:
match: context.protocol == "http" || context.protocol == "grpc"
actions:
- handler: handler.prometheus
instances:
- requestcount.metric
- requestduration.metric
- requestsize.metric
- responsesize.metric
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: promtcp
namespace: {{ .Release.Namespace }}
spec:
match: context.protocol == "tcp"
actions:
- handler: handler.prometheus
instances:
- tcpbytesent.metric
- tcpbytereceived.metric
---
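The `reporter`, `source_principal` and `connection_security_policy` dimensions above are the labels a detection engineer will query (the Prometheus adapter publishes `requests_total` as `istio_requests_total`), so it is worth being precise about how Mixer's `x | y` operator resolves them. The Python below is an added example, not part of the chart: it re-implements the three expressions over constructed attribute bags to show that an absent `connection.mtls` attribute is indistinguishable from a real plaintext connection (both yield `"none"`), and that a source-reported request always yields `"unknown"`. `Attr` and the sample bags are assumptions made for the example.

```python
"""Resolve the Mixer dimension expressions from the metric instances above
against attribute bags (added example; not chart code).

In Mixer's expression language `a | b` means "a if the attribute is present,
otherwise b".  The defaults chosen above therefore decide what a missing
attribute looks like in the metrics: connection.mtls -> false -> "none",
context.reporter.kind -> "inbound" -> reporter "destination".
"""


class Attr(str):
    """Marker type: this operand is an attribute reference, not a literal."""


def first_present(bag, *alternatives):
    """Mimic `x | y | literal`: return the first attribute found in `bag`,
    or the first literal operand reached."""
    for alt in alternatives:
        if isinstance(alt, Attr):
            if alt in bag:
                return bag[alt]
            continue
        return alt
    raise KeyError("no operand of the expression was present")


def reporter(bag):
    # conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    kind = first_present(bag, Attr("context.reporter.kind"), "inbound")
    return "source" if kind == "outbound" else "destination"


def connection_security_policy(bag):
    # conditional((context.reporter.kind | "inbound") == "outbound", "unknown",
    #             conditional(connection.mtls | false, "mutual_tls", "none"))
    kind = first_present(bag, Attr("context.reporter.kind"), "inbound")
    if kind == "outbound":
        return "unknown"
    mtls = first_present(bag, Attr("connection.mtls"), False)
    return "mutual_tls" if mtls else "none"


def source_principal(bag):
    # source.principal | "unknown"
    return first_present(bag, Attr("source.principal"), "unknown")


def requestcount_labels(bag):
    """The security-relevant subset of the `requestcount` dimensions."""
    return {
        "reporter": reporter(bag),
        "source_principal": source_principal(bag),
        "destination_principal": first_present(bag, Attr("destination.principal"), "unknown"),
        "connection_security_policy": connection_security_policy(bag),
        "response_code": first_present(bag, Attr("response.code"), 200),
    }


def not_verified_mtls(bags):
    """Destination-reported requests whose policy is anything but mutual_tls.
    "none" covers both real plaintext and a sidecar that never populated
    connection.mtls, so treat the result as 'unverified', not 'proven plaintext'."""
    return [
        b for b in bags
        if reporter(b) == "destination" and connection_security_policy(b) != "mutual_tls"
    ]


# Constructed attribute bags for the example (not captured from a real mesh).
INBOUND_MTLS = {
    "context.reporter.kind": "inbound",
    "connection.mtls": True,
    "source.principal": "cluster.local/ns/default/sa/productpage",
    "destination.principal": "cluster.local/ns/default/sa/reviews",
    "response.code": 200,
}
INBOUND_PLAINTEXT = {"context.reporter.kind": "inbound", "connection.mtls": False, "response.code": 403}
INBOUND_NO_ATTRS = {"context.reporter.kind": "inbound"}  # attribute never set by the sidecar
OUTBOUND = {"context.reporter.kind": "outbound", "connection.mtls": True}

if __name__ == "__main__":
    for name, bag in [("mtls", INBOUND_MTLS), ("plaintext", INBOUND_PLAINTEXT),
                      ("no-attrs", INBOUND_NO_ATTRS), ("outbound", OUTBOUND)]:
        print(name, requestcount_labels(bag))
```

In PromQL terms, `sum by (destination_workload) (rate(istio_requests_total{reporter="destination", connection_security_policy="none"}[5m]))` surfaces workloads still accepting traffic that was not verified as mTLS; filter on `reporter="destination"`, because the `"unknown"` value from the source side is not evidence either way.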
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetesenv
metadata:
  name: handler
  namespace: {{ .Release.Namespace }}
spec:
  # when running from mixer root, use the following config after adding a
  # symbolic link to a kubernetes config file via:
  #
  # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
  #
  # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: {{ .Release.Namespace }}
spec:
  actions:
  - handler: handler.kubernetesenv
    instances:
    - attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: {{ .Release.Namespace }}
spec:
  match: context.protocol == "tcp"
  actions:
  - handler: handler.kubernetesenv
    instances:
    - attributes.kubernetes
---
apiVersion: "config.istio.io/v1alpha2"
kind: kubernetes
metadata:
  name: attributes
  namespace: {{ .Release.Namespace }}
spec:
  # Pass the required attribute data to the adapter
  source_uid: source.uid | ""
  source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
  destination_uid: destination.uid | ""
  destination_port: destination.port | 0
  attribute_bindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: {{ .Release.Namespace }}
spec:
  host: istio-policy.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
{{- if .Values.global.controlPlaneSecurityEnabled }}
    # Sidecars reach Mixer's mTLS port 15004 only when control-plane security is on;
    # otherwise they use the plaintext port 9091 and no TLS setting is emitted here.
    portLevelSettings:
    - port:
        number: 15004
      tls:
        mode: ISTIO_MUTUAL
{{- end}}
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: {{ .Release.Namespace }}
spec:
  host: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
{{- if .Values.global.controlPlaneSecurityEnabled }}
    portLevelSettings:
    - port:
        number: 15004
      tls:
        mode: ISTIO_MUTUAL
{{- end}}
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-statsd-prom-bridge
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-statsd-prom-bridge
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    istio: mixer
data:
  mapping.conf: |-
---
{{- define "policy_container" }}
    spec:
      serviceAccountName: istio-mixer-service-account
{{- if $.Values.global.priorityClassName }}
      priorityClassName: "{{ $.Values.global.priorityClassName }}"
{{- end }}
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-mixer-service-account
          optional: true
      - name: uds-socket
        emptyDir: {}
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
      containers:
      - name: mixer
{{- if contains "/" .Values.image }}
        image: "{{ .Values.image }}"
{{- else }}
        image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
{{- end }}
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        - containerPort: 9093
        - containerPort: 42422
        args:
          - --address
          - unix:///sock/mixer.socket
          - --configStoreURL=k8s://
          - --configDefaultNamespace={{ $.Release.Namespace }}
          - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: uds-socket
          mountPath: /sock
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
      # Mixer itself only listens on a Unix socket; this proxy fronts it on 9091/15004.
      - name: istio-proxy
        image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        - containerPort: 9091
        - containerPort: 15004
        args:
        - proxy
        - --serviceCluster
        - istio-policy
        - --templateFile
        - /etc/istio/proxy/envoy_policy.yaml.tmpl
{{- if $.Values.global.controlPlaneSecurityEnabled }}
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
{{- else }}
        - --controlPlaneAuthPolicy
        - NONE
{{- end }}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        - name: uds-socket
          mountPath: /sock
{{- end }}
{{- define "telemetry_container" }}
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.istio-mixer-service-account
          optional: true
      - name: uds-socket
        emptyDir: {}
{{- if $.Values.nodeSelector }}
      nodeSelector:
{{ toYaml $.Values.nodeSelector | indent 8 }}
{{- end }}
      containers:
      - name: mixer
{{- if contains "/" .Values.image }}
        image: "{{ .Values.image }}"
{{- else }}
        image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}"
{{- end }}
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        - containerPort: 9093
        - containerPort: 42422
        args:
          - --address
          - unix:///sock/mixer.socket
          - --configStoreURL=k8s://
          - --configDefaultNamespace={{ $.Release.Namespace }}
          - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: uds-socket
          mountPath: /sock
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
      - name: istio-proxy
        image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}"
        imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
        ports:
        - containerPort: 9091
        - containerPort: 15004
        args:
        - proxy
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
{{- if $.Values.global.controlPlaneSecurityEnabled }}
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
{{- else }}
        - --controlPlaneAuthPolicy
        - NONE
{{- end }}
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        resources:
{{- if $.Values.global.proxy.resources }}
{{ toYaml $.Values.global.proxy.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
        - name: uds-socket
          mountPath: /sock
{{- end }}
{{- $mixers := list "policy" "telemetry" }}
{{- range $idx, $mname := $mixers }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-{{ $mname }}
  namespace: {{ $.Release.Namespace }}
  labels:
    chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
    release: {{ $.Release.Name }}
    istio: mixer
spec:
  replicas: {{ $.Values.replicaCount }}
  template:
    metadata:
      labels:
        app: {{ $mname }}
        istio: mixer
        istio-mixer-type: {{ $mname }}
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
{{- if eq $mname "policy"}}
{{- template "policy_container" $ }}
{{- else }}
{{- template "telemetry_container" $ }}
{{- end }}
---
{{- end }} {{/* range */}}
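`global.controlPlaneSecurityEnabled` is the single switch that decides whether the istio-proxy containers in the deployments above talk to the control plane with `--controlPlaneAuthPolicy MUTUAL_TLS` or `NONE`, and whether the istio-policy / istio-telemetry DestinationRules get an `ISTIO_MUTUAL` setting on port 15004. The Python below is an added example, not part of the chart: it scans rendered manifests (the text `helm template` would produce) for exactly those two artefacts, so a CI step can fail a release that was rendered with the switch off. The `INSECURE_RENDER` and `SECURE_RENDER` strings are constructed excerpts shaped like the templates' output, not real `helm template` output; the function names are assumptions.

```python
"""Check rendered Istio manifests for the control-plane mTLS switch
(added example, not chart code).  Feed it `helm template ... | python audit.py`.
The scanner is deliberately line-based so it has no YAML dependency; it only
relies on the two layouts the mixer templates emit."""

import sys


def _stripped(text):
    return [ln.strip() for ln in text.splitlines()]


def _item(line):
    """'- NONE' -> 'NONE' for a YAML list entry; other lines unchanged."""
    return line[2:] if line.startswith("- ") else line


def proxy_auth_policies(rendered):
    """Map each istio-proxy `--serviceCluster` name to its `--controlPlaneAuthPolicy`."""
    lines = _stripped(rendered)
    result, cluster = {}, None
    for i, ln in enumerate(lines[:-1]):
        if ln == "- --serviceCluster":
            cluster = _item(lines[i + 1])
        elif ln == "- --controlPlaneAuthPolicy":
            result[cluster] = _item(lines[i + 1])
    return result


def destination_rule_tls(rendered):
    """Map each DestinationRule host to its declared TLS mode (None if absent)."""
    result = {}
    for doc in rendered.split("\n---"):
        lines = _stripped(doc)
        if "kind: DestinationRule" not in lines:
            continue
        host = next((ln[len("host: "):] for ln in lines if ln.startswith("host: ")), None)
        mode = next((ln[len("mode: "):] for ln in lines if ln.startswith("mode: ")), None)
        result[host] = mode
    return result


def audit(rendered):
    """Return one finding per proxy or DestinationRule left in plaintext mode."""
    findings = []
    for cluster, policy in proxy_auth_policies(rendered).items():
        if policy != "MUTUAL_TLS":
            findings.append(f"{cluster}: istio-proxy uses --controlPlaneAuthPolicy {policy}")
    for host, mode in destination_rule_tls(rendered).items():
        if mode != "ISTIO_MUTUAL":
            findings.append(f"{host}: DestinationRule has no ISTIO_MUTUAL port-level TLS")
    return findings


# Constructed excerpt in the shape of the templates above rendered with
# controlPlaneSecurityEnabled=false (not real helm output).
INSECURE_RENDER = """\
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    connectionPool:
      http:
        http2MaxRequests: 10000
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-policy
spec:
  template:
    spec:
      containers:
      - name: istio-proxy
        args:
        - proxy
        - --serviceCluster
        - istio-policy
        - --controlPlaneAuthPolicy
        - NONE
"""

# The same excerpt as it would render with controlPlaneSecurityEnabled=true.
SECURE_RENDER = INSECURE_RENDER.replace("- NONE", "- MUTUAL_TLS").replace(
    "  trafficPolicy:\n",
    "  trafficPolicy:\n    portLevelSettings:\n    - port:\n        number: 15004\n"
    "      tls:\n        mode: ISTIO_MUTUAL\n",
)

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else INSECURE_RENDER
    for finding in audit(text):
        print(finding)
    sys.exit(1 if audit(text) else 0)
```

Note that `NONE` is the chart's default path: nothing in these templates fails closed, so a release rendered without `--set global.controlPlaneSecurityEnabled=true` silently runs sidecar-to-Mixer and sidecar-to-Pilot traffic in cleartext on 9091 and 15010.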
{{ $mixers := list "policy" "telemetry" }}
{{- range $idx, $mname := $mixers }}
apiVersion: v1
kind: Service
metadata:
  name: istio-{{ $mname }}
  namespace: {{ $.Release.Namespace }}
  labels:
    chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
    release: {{ $.Release.Name }}
    istio: mixer
spec:
  ports:
  - name: grpc-mixer
    port: 9091
  - name: grpc-mixer-mtls
    port: 15004
  - name: http-monitoring
    port: 9093
{{- if eq $mname "telemetry" }}
  - name: prometheus
    port: 42422
{{- end }}
  selector:
    istio: mixer
    istio-mixer-type: {{ $mname }}
---
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-mixer-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "mixer.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
{{- $statsdname := "statsd-prom-bridge" }}
apiVersion: v1
kind: Service
metadata:
  name: istio-{{ $statsdname }}
  namespace: {{ .Release.Namespace }}
  labels:
    chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
    release: {{ $.Release.Name }}
    istio: {{ $statsdname }}
spec:
  ports:
  - name: statsd-prom
    port: 9102
  - name: statsd-udp
    port: 9125
    protocol: UDP
  selector:
    istio: {{ $statsdname }}
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-{{ $statsdname }}
  namespace: {{ .Release.Namespace }}
  labels:
    chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
    release: {{ $.Release.Name }}
    istio: mixer
spec:
  template:
    metadata:
      labels:
        istio: {{ $statsdname }}
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: config-volume
        configMap:
          name: istio-statsd-prom-bridge
{{- if $.Values.nodeSelector }}
      nodeSelector:
{{ toYaml $.Values.nodeSelector | indent 8 }}
{{- end }}
      containers:
      - name: {{ $statsdname }}
        image: "{{ $.Values.prometheusStatsdExporter.hub }}/statsd-exporter:{{ $.Values.prometheusStatsdExporter.tag }}"
        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
        ports:
        - containerPort: 9102
        - containerPort: 9125
          protocol: UDP
        args:
          - '-statsd.mapping-config=/etc/statsd/mapping.conf'
        resources:
{{- if .Values.prometheusStatsdExporter.resources }}
{{ toYaml .Values.prometheusStatsdExporter.resources | indent 10 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 10 }}
{{- end }}
        volumeMounts:
        - name: config-volume
          mountPath: /etc/statsd
---
apiVersion: v1
name: pilot
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for pilot deployment
keywords:
  - istio
  - pilot
sources:
  - http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
---
{{- if .Values.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
spec:
  maxReplicas: {{ .Values.autoscaleMax }}
  minReplicas: {{ .Values.autoscaleMin }}
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-pilot
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }}
---
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-pilot-{{ .Release.Namespace }}
  labels:
    app: istio-pilot
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
# Cluster-wide: full verbs on every Istio config group and CRDs, plus
# read access to all Secrets in every namespace.
rules:
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["endpoints", "pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces", "nodes", "secrets"]
  verbs: ["get", "list", "watch"]
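Kubernetes RBAC is purely additive and `"*"` matches any group, resource or verb, so the question a reviewer asks of the ClusterRole above is "what does a compromised istio-pilot pod get to do cluster-wide?". The Python below is an added example, not chart code: the rule list is transcribed from the template, and the helper functions answer that question offline so the check can run in CI against the rendered chart. `can`, `wildcard_grants` and `writable_resources` are names chosen for the example.

```python
"""Least-privilege review of the istio-pilot ClusterRole above
(added example; PILOT_RULES is transcribed from the template, the
helpers are not part of the chart).

A request is allowed if ANY rule matches its apiGroup, resource and verb;
"*" matches everything.  Sub-resources ("ingresses/status") are matched
by their full name, as the API server does."""

PILOT_RULES = [
    {"apiGroups": ["config.istio.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["rbac.istio.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["networking.istio.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["authentication.istio.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["*"]},
    {"apiGroups": ["extensions"],
     "resources": ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"],
     "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create", "get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["endpoints", "pods", "services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "secrets"], "verbs": ["get", "list", "watch"]},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def can(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource` in `api_group` ("" = core group)."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def wildcard_grants(rules):
    """Rules using "*" for resources or verbs: each one is a candidate for tightening."""
    return [r for r in rules if "*" in r["resources"] or "*" in r["verbs"]]


def writable_resources(rules):
    """Sorted (apiGroup, resource) pairs on which the role holds at least one write verb."""
    out = set()
    for r in rules:
        if "*" in r["verbs"] or WRITE_VERBS & set(r["verbs"]):
            for group in r["apiGroups"]:
                for resource in r["resources"]:
                    out.add((group, resource))
    return sorted(out)


def report(rules):
    """Human-readable summary of the review, one line per finding."""
    lines = [f"{len(wildcard_grants(rules))} of {len(rules)} rules use a wildcard"]
    if can(rules, "", "secrets", "list"):
        lines.append("can list Secrets in every namespace (cluster-scoped binding)")
    for group, resource in writable_resources(rules):
        lines.append(f"write access: {group or 'core'}/{resource}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PILOT_RULES)))
```

The two findings that matter most for blast radius are the cluster-wide read on `secrets` (the binding below is a ClusterRoleBinding, so this is every namespace, including the `istio.*` certificate secrets Citadel issues) and the `"*"` verbs on `customresourcedefinitions`, which let the pod replace any CRD schema in the cluster, not just Istio's.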
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-{{ .Release.Namespace }}
  labels:
    app: istio-pilot
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-{{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: {{ .Release.Namespace }}
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: {{ .Release.Namespace }}
  # TODO: default template doesn't have this, which one is right ?
  labels:
    app: istio-pilot
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    istio: pilot
  annotations:
    checksum/config-volume: {{ template "istio.configmap.checksum" . }}
spec:
  replicas: {{ .Values.replicaCount }}
  template:
    metadata:
      labels:
        istio: pilot
        app: pilot
      annotations:
        sidecar.istio.io/inject: "false"
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: istio-pilot-service-account
{{- if .Values.global.priorityClassName }}
      priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
      containers:
        - name: discovery
{{- if contains "/" .Values.image }}
          image: "{{ .Values.image }}"
{{- else }}
          image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          args:
          - "discovery"
{{- if .Values.global.oneNamespace }}
          - "-a"
          - {{ .Release.Namespace }}
{{- end }}
{{- if not .Values.sidecar }}
          # Without the sidecar, discovery terminates mTLS for xDS itself on 15011.
          - --secureGrpcAddr
          - ":15011"
{{- end }}
          ports:
          - containerPort: 8080
          - containerPort: 15010
{{- if not .Values.sidecar }}
          - containerPort: 15011
{{- end }}
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 5
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: PILOT_CACHE_SQUASH
            value: "5"
{{- if .Values.env }}
{{- range $key, $val := .Values.env }}
          - name: {{ $key }}
            value: "{{ $val }}"
{{- end }}
{{- end }}
{{- if .Values.traceSampling }}
          - name: PILOT_TRACE_SAMPLING
            value: "{{ .Values.traceSampling }}"
{{- end }}
          resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          volumeMounts:
          - name: config-volume
            mountPath: /etc/istio/config
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
{{- if .Values.sidecar }}
        - name: istio-proxy
          image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}"
          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
          ports:
          - containerPort: 15003
          - containerPort: 15005
          - containerPort: 15007
          - containerPort: 15011
          args:
          - proxy
          - --serviceCluster
          - istio-pilot
          - --templateFile
          - /etc/istio/proxy/envoy_pilot.yaml.tmpl
{{- if $.Values.global.controlPlaneSecurityEnabled}}
          - --controlPlaneAuthPolicy
          - MUTUAL_TLS
{{- else }}
          - --controlPlaneAuthPolicy
          - NONE
{{- end }}
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          resources:
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
          volumeMounts:
          - name: istio-certs
            mountPath: /etc/certs
            readOnly: true
{{- end }}
      volumes:
      - name: config-volume
        configMap:
          name: istio
      - name: istio-certs
        secret:
          secretName: istio.istio-pilot-service-account
          optional: true
      affinity:
      {{- include "nodeaffinity" . | indent 6 }}
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-autogenerated-k8s-ingress
  namespace: istio-system
spec:
  selector:
    istio: {{ .Values.global.k8sIngressSelector }}
  servers:
  - port:
      number: 80
      protocol: HTTP2
      name: http
    hosts:
    - "*"
{{ if .Values.global.k8sIngressHttps }}
  - port:
      number: 443
      protocol: HTTPS
      name: https-default
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingress-certs/tls.crt
      privateKey: /etc/istio/ingress-certs/tls.key
    hosts:
    - "*"
{{ end }}
---
{{- if .Values.global.meshExpansion }}
# Mesh expansion exposes Pilot (15011) and Citadel (8060) through the ingress
# gateway to any host; the TCP servers do no authentication themselves, so the
# backends must enforce mTLS (controlPlaneSecurityEnabled) for this to be safe.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: meshexpansion-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15011
      protocol: TCP
      name: tcp-pilot
    hosts:
    - "*"
  - port:
      number: 8060
      protocol: TCP
      name: tcp-citadel
    hosts:
    - "*"
---
{{- end }}
{{- if .Values.global.meshExpansionILB }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: meshexpansion-ilb-gateway
spec:
  selector:
    istio: ilbgateway
  servers:
  - port:
      number: 15011
      protocol: TCP
      name: tcp-pilot
    hosts:
    - "*"
  - port:
      number: 8060
      protocol: TCP
      name: tcp-citadel
    hosts:
    - "*"
---
{{- end }}
{{- if .Values.global.meshExpansion }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: meshexpansion-pilot
spec:
  hosts:
  - "pilot.istio-system"
  gateways:
  - meshexpansion-gateway
  tcp:
  - match:
    - port: 15011
    route:
    - destination:
        host: istio-pilot.istio-system.svc.cluster.local
        port:
          number: 15011
{{- end }}
{{- if .Values.global.meshExpansionILB }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ilb-meshexpansion-pilot
spec:
  hosts:
  - "meshexpansionilb.istio-system"
  gateways:
  - meshexpansion-ilb-gateway
  tcp:
  - match:
    - port: 15011
    route:
    - destination:
        host: istio-pilot.istio-system.svc.cluster.local
        port:
          number: 15011
  - match:
    - port: 15010
    route:
    - destination:
        host: istio-pilot.istio-system.svc.cluster.local
        port:
          number: 15010
  - match:
    - port: 5353
    route:
    - destination:
        host: kube-dns.kube-system.svc.cluster.local
        port:
          number: 53
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-pilot
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  ports:
  - port: 15010
    name: grpc-xds # direct
  - port: 15011
    name: https-xds # mTLS
  - port: 8080
    name: http-legacy-discovery # direct
  - port: 9093
    name: http-monitoring
  selector:
    istio: pilot
---
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end }}
metadata:
  name: istio-pilot-service-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-pilot
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
apiVersion: v1
description: A Helm chart for Kubernetes
name: prometheus
version: 1.0.1
appVersion: 2.3.1
tillerVersion: ">=2.7.2"
---
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "prometheus.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "prometheus.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: prometheus-{{ .Release.Namespace }}
rules:
- apiGroups: [""]
  resources:
  - nodes
  - services
  - endpoints
  - pods
  - nodes/proxy
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
  - configmaps
  verbs: ["get"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: prometheus-{{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: {{ .Release.Namespace }}
  labels:
    app: prometheus
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:
    - job_name: 'istio-mesh'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - {{ .Release.Namespace }}
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-telemetry;prometheus
    - job_name: 'envoy'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - {{ .Release.Namespace }}
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-statsd-prom-bridge;statsd-prom
    - job_name: 'istio-policy'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - {{ .Release.Namespace }}
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-policy;http-monitoring
    - job_name: 'istio-telemetry'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - {{ .Release.Namespace }}
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-telemetry;http-monitoring
    - job_name: 'pilot'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - {{ .Release.Namespace }}
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-pilot;http-monitoring
    - job_name: 'galley'
      # Override the global default and scrape targets from this job every 5 seconds.
      scrape_interval: 5s
      # metrics_path defaults to '/metrics'
      # scheme defaults to 'http'.
      kubernetes_sd_configs:
      - role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: istio-galley;http-monitoring
# scrape config for API servers
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- default
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: kubernetes;https
# scrape config for nodes (kubelet)
- job_name: 'kubernetes-nodes'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor.
#
# This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
# (those whose names begin with 'container_') have been removed from the
# Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
# retrieve those metrics.
#
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
# the --cadvisor-port=0 Kubelet flag).
#
# This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice.
- job_name: 'kubernetes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# scrape config for service endpoints.
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
# Example scrape config for pods
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
# TODO: the original template has service account, roles, etc
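Review bot: the closing comment `# TODO: the original template has service account, roles, etc` is stale in this copy, because the chart already ships the `prometheus` ServiceAccount, ClusterRole and ClusterRoleBinding; delete it or say what is still missing. Two smaller points in the scrape config: the `kubernetes-apiservers` job discovers endpoints only in the `default` namespace, which is where the `kubernetes` Service lives, so it is correct but worth a comment; and the Istio component jobs (`istio-mesh`, `envoy`, `istio-policy`, `istio-telemetry`, `pilot`, `galley`) rely on the `scheme` default of `http`, which is consistent with this Prometheus running without a sidecar (`sidecar.istio.io/inject: "false"` on the Deployment) but means every scrape of control-plane metrics is plaintext inside the cluster.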
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
labels:
app: prometheus
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: prometheus
template:
metadata:
labels:
app: prometheus
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: prometheus
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: prometheus
image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- '--storage.tsdb.retention=6h'
- '--config.file=/etc/prometheus/prometheus.yml'
ports:
- containerPort: 9090
name: http
livenessProbe:
httpGet:
path: /-/healthy
port: 9090
readinessProbe:
httpGet:
path: /-/ready
port: 9090
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: config-volume
mountPath: /etc/prometheus
volumes:
- name: config-volume
configMap:
name: prometheus
affinity:
{{- include "nodeaffinity" . | indent 6 }}
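Review bot: the Prometheus pod spec has no `securityContext`; the process only needs to read its mounted config and write its TSDB, so `runAsNonRoot: true` and `readOnlyRootFilesystem: true` on the container, with an emptyDir for the data directory, would be a cheap hardening. Related, the TSDB lives in the container filesystem: `--storage.tsdb.retention=6h` with no data volume means all metrics are lost on every restart, which should be documented as intended for an add-on. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is the legacy form of what the `priorityClassName` block just below already provides.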
apiVersion: v1
kind: Service
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
annotations:
prometheus.io/scrape: 'true'
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
name: prometheus
spec:
selector:
app: prometheus
ports:
- name: http-prometheus
protocol: TCP
port: 9090
{{- if .Values.service.nodePort.enabled }}
# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs.
---
apiVersion: v1
kind: Service
metadata:
name: prometheus-nodeport
namespace: {{ .Release.Namespace }}
labels:
name: prometheus
spec:
type: NodePort
ports:
- port: 9090
nodePort: {{ .Values.service.nodePort.port }}
name: http-prometheus
selector:
app: prometheus
{{- end }}
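Review bot: the optional `prometheus-nodeport` Service (`type: NodePort`, `nodePort: {{ .Values.service.nodePort.port }}`) exposes the Prometheus UI and HTTP API on every node, and Prometheus 2.3 has no authentication or TLS of its own, so anyone who can reach a node port can run arbitrary PromQL over the mesh telemetry. Keep `service.nodePort.enabled` defaulting to false and state in the README that it is for test clusters only; real exposure belongs behind the gateway with an authenticating proxy. The comment `# Using separate ingress for nodeport, ...` also calls the object an ingress when it is a Service.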
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
apiVersion: v1
name: security
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for istio authentication
keywords:
- istio
- security
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "security.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "security.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
# The reason for creating a ServiceAccount and ClusterRole specifically for this
# post-delete hooked job is because the citadel ServiceAccount is being deleted
# before this hook is launched. On the other hand, running this hook before the
# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
# will be re-created immediately by the to-be-deleted citadel.
#
# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
# will be ready before running the hooked Job therefore the hook weights.
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-cleanup-secrets-service-account
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-cleanup-secrets-{{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-cleanup-secrets-{{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded
"helm.sh/hook-weight": "2"
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-cleanup-secrets-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-cleanup-secrets-service-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-cleanup-secrets
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-delete-policy": hook-succeeded
"helm.sh/hook-weight": "3"
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
name: istio-cleanup-secrets
labels:
app: {{ template "security.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-cleanup-secrets-service-account
containers:
- name: hyperkube
image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
command:
- /bin/bash
- -c
- >
kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
ns=$(echo $entry | awk '{print $1}');
name=$(echo $entry | awk '{print $2}');
kubectl delete secret $name -n $ns;
done
restartPolicy: OnFailure
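Review bot: the cleanup command in the `istio-cleanup-secrets` Job filters with `grep "istio.io/key-and-cert"` over the human-readable `kubectl get secret --all-namespaces` table and then splits columns with `awk`; that matches the string anywhere on the line and breaks if the column layout changes. Select by Secret type instead, e.g. `kubectl get secret --all-namespaces --field-selector type=istio.io/key-and-cert -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}'`, and quote `"$name"` and `"$ns"` in the delete. The hook's ClusterRole (`resources: ["secrets"]`, `verbs: ["list", "delete"]`) is cluster-wide, which the design note at the top justifies, but because the objects are removed only on `hook-succeeded`, a failing run leaves a ServiceAccount with cluster-wide Secret deletion rights behind; add `backoffLimit` and `activeDeadlineSeconds` to the Job and include `hook-failed` in the delete policy.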
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-citadel-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "watch", "list", "update", "delete"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list"]
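Review bot: `istio-citadel-{{ .Release.Namespace }}` grants `create`, `get`, `watch`, `list`, `update` and `delete` on `secrets` across the whole cluster. That is inherent to Citadel writing a key-and-cert Secret into every namespace (the injector chart below consumes `istio.istio-sidecar-injector-service-account`), but it also means the Citadel ServiceAccount can read every Secret in the cluster, so the README should name this as the trust boundary of the CA, and the `# istio CA watching all namespaces` comment from the Deployment should be repeated on this rule.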
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-citadel-{{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-citadel-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-citadel-service-account
namespace: {{ .Release.Namespace }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-security-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: security
data:
custom-resources.yaml: |-
{{- if .Values.global.mtls.enabled }}
{{- include "security-default.yaml.tpl" . | indent 4}}
{{- end }}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
{{- if .Values.global.mtls.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-security-post-install-{{ .Release.Namespace }}
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.istio.io"] # needed to create security destination rules
resources: ["*"]
verbs: ["*"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get"]
- apiGroups: ["extensions"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-security-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-security-post-install-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-security-post-install
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
name: istio-security-post-install
labels:
app: istio-security
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-security-post-install-account
containers:
- name: hyperkube
image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/security"
name: tmp-configmap-security
volumes:
- name: tmp-configmap-security
configMap:
name: istio-security-custom-resources
restartPolicy: OnFailure
{{- end }}
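Review bot: the rule comments in `istio-security-post-install-{{ .Release.Namespace }}` say `# needed to create default authn policy` and `# needed to create security destination rules`, but the rules grant `resources: ["*"]` / `verbs: ["*"]` on both `authentication.istio.io` and `networking.istio.io`, i.e. full control of every Istio auth and networking object in the cluster for a one-shot hook. Narrow them to what the rendered `custom-resources.yaml` contains (`meshpolicies` and `destinationrules`) with `create`, `get`, `update` and `patch`, and add a comment on why `get` on `validatingwebhookconfigurations` and `list`/`watch` on `deployments`/`replicasets` are needed, since `run.sh` is defined outside this file and the reason is not visible here.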
# istio CA watching all namespaces
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-citadel
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: citadel
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: citadel
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-citadel-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: citadel
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --append-dns-names=true
- --grpc-port=8060
- --grpc-hostname=citadel
- --citadel-storage-namespace={{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingress.{{ .Release.Namespace }}
{{- if .Values.selfSigned }}
- --self-signed-ca=true
{{- else }}
- --self-signed-ca=false
- --signing-cert=/etc/cacerts/ca-cert.pem
- --signing-key=/etc/cacerts/ca-key.pem
- --root-cert=/etc/cacerts/root-cert.pem
- --cert-chain=/etc/cacerts/cert-chain.pem
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
{{- if not .Values.selfSigned }}
volumeMounts:
- name: cacerts
mountPath: /etc/cacerts
readOnly: true
volumes:
- name: cacerts
secret:
secretName: cacerts
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
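Review bot: when `selfSigned` is false, the `cacerts` volume is declared with `optional: true`, so a cluster where the operator forgot to create the `cacerts` Secret still schedules the pod and Citadel only fails later when `--signing-cert=/etc/cacerts/ca-cert.pem` and the other files are absent. Plugging in an external CA is exactly the case where a silent fallback is unwanted; drop `optional: true` in that branch so the failure surfaces as a clear pod error before the container starts. The `readOnly: true` mount of the signing key is right.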
{{ define "security-default.yaml.tpl" }}
# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
# they are added to Istio installation yaml for backward compatible. In future, they should be in
# a separated yaml file so that customer can enable mTLS independent from installation.
# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
peers:
- mtls: {}
---
# Corresponding destination rule to configure client side to use mutual TLS when talking to
# any service (host) in the mesh.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "default"
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
---
# Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar.
# Customer should add similar destination rules for other services that dont' have sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: "api-server"
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
host: "kubernetes.default.svc.cluster.local"
trafficPolicy:
tls:
mode: DISABLE
{{- end }}
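Review bot: the comments in `security-default.yaml.tpl` have typos and grammar slips worth fixing before this ships: `dislabe` should be `disable`, `dont'` should be `don't`, `for backward compatible` should be `for backward compatibility`, and `a separated yaml file` should be `a separate yaml file`. On substance, `peers: - mtls: {}` is strict mutual TLS with no permissive fallback, so every sidecar-less endpoint that mesh clients call needs its own `mode: DISABLE` DestinationRule like the `api-server` one; the Prometheus and Grafana rules in the telemetry-gateway chart are further examples, and the README should state that requirement next to `global.mtls.enabled`.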
{{- if .Values.global.meshExpansion }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-citadel
spec:
hosts:
- "istio-citadel.istio-system"
gateways:
- meshexpansion-gateway
tcp:
- match:
- port: 8060
route:
- destination:
host: istio-citadel.istio-system.svc.cluster.local
port:
number: 8060
{{- end }}
---
{{- if .Values.global.meshExpansionILB }}
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: meshexpansion-ilb-citadel
spec:
hosts:
- "istio-citadel.istio-system"
gateways:
- meshexpansion-ilb-gateway
tcp:
- match:
- port: 8060
route:
- destination:
host: istio-citadel.istio-system.svc.cluster.local
port:
number: 8060
{{- end }}
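Review bot: both mesh-expansion VirtualServices hardcode the namespace (`- "istio-citadel.istio-system"` and `host: istio-citadel.istio-system.svc.cluster.local`) while every other object in the chart uses `{{ .Release.Namespace }}`, so a release installed elsewhere routes certificate requests from expansion VMs to a Citadel that does not exist. Template the namespace. Also, the `---` between the two `if` blocks is emitted even when neither option is enabled, which produces an empty document; move it inside the second block as the telemetry-gateway template does.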
apiVersion: v1
kind: Service
metadata:
# we use the normal name here (e.g. 'prometheus')
# as grafana is configured to use this as a data source
name: istio-citadel
namespace: {{ .Release.Namespace }}
labels:
app: istio-citadel
spec:
ports:
- name: grpc-citadel
port: 8060
targetPort: 8060
protocol: TCP
- name: http-monitoring
port: 9093
selector:
istio: citadel
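Review bot: the comment `# we use the normal name here (e.g. 'prometheus')` / `# as grafana is configured to use this as a data source` was copied from the Prometheus Service and does not describe `istio-citadel`; replace it with the real reason the name is fixed (the mesh-expansion VirtualServices route to `istio-citadel` on port 8060) or remove it.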
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-citadel-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "security.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: A Helm chart for Kubernetes
name: servicegraph
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "servicegraph.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get svc -w {{ template "servicegraph.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "servicegraph.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "servicegraph.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
{{- end }}
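Review bot: in the LoadBalancer branch of the servicegraph NOTES.txt, `You can watch the status of by running ...` is missing a word and should read `the status of it by running`. The ClusterIP branch hardcodes local port `8080` in both the `echo` and the `kubectl port-forward` line; if a user overrides `service.internalPort` the instructions still work, but a short note that the local port is arbitrary would avoid confusion.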
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "servicegraph.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "servicegraph.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: servicegraph
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "servicegraph.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: servicegraph
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: servicegraph
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
args:
- --prometheusAddr=http://prometheus:9090
livenessProbe:
httpGet:
path: /graph
port: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
path: /graph
port: {{ .Values.service.internalPort }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "servicegraph.fullname" . -}}
{{- $servicePort := .Values.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "servicegraph.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "servicegraph.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: /
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: Service
metadata:
name: servicegraph
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: servicegraph
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: servicegraph
apiVersion: v1
name: sidecarInjectorWebhook
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for sidecar injector webhook deployment
keywords:
- istio
- sidecarInjectorWebhook
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "sidecar-injector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "sidecar-injector.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-sidecar-injector-{{ .Release.Namespace }}
labels:
app: istio-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "patch"]
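Review bot: two over-grants in `istio-sidecar-injector-{{ .Release.Namespace }}`. `apiGroups: ["*"]` for `configmaps` should be `[""]`; ConfigMaps exist only in the core group, and the wildcard would silently cover any other API group that adds a resource of that name. More importantly, `verbs: ["get", "list", "watch", "patch"]` on `mutatingwebhookconfigurations` with no `resourceNames` lets the injector ServiceAccount rewrite every mutating webhook in the cluster, when it only needs to patch its own `caBundle` into `istio-sidecar-injector`. Split the rule: `get` and `patch` restricted with `resourceNames: ["istio-sidecar-injector"]`, and `list`/`watch` (which cannot be name-restricted) only if the injector actually watches the collection.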
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
labels:
app: istio-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-sidecar-injector-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "sidecar-injector.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: sidecar-injector
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: sidecar-injector
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-sidecar-injector-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: sidecar-injector-webhook
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --healthCheckInterval=2s
- --healthCheckFile=/health
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
readOnly: true
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: inject-config
mountPath: /etc/istio/inject
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
readinessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumes:
- name: config-volume
configMap:
name: istio
- name: certs
secret:
secretName: istio.istio-sidecar-injector-service-account
- name: inject-config
configMap:
name: istio-sidecar-injector
items:
- key: config
path: config
affinity:
{{- include "nodeaffinity" . | indent 6 }}
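Review bot: the `certs` volume mounts `secretName: istio.istio-sidecar-injector-service-account`, the key-and-cert Secret that Citadel issues for the injector's ServiceAccount, so this Deployment cannot start until the security chart's Citadel has run and will stay pending if Citadel is disabled. A comment on the volume and a dependency line in the README would save debugging time. The `config-volume` likewise hardcodes ConfigMap `istio`, which is created by a different subchart; name that dependency in the same place.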
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: istio-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
webhooks:
- name: sidecar-injector.istio.io
clientConfig:
service:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
path: "/inject"
caBundle: ""
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
namespaceSelector:
{{- if .Values.enableNamespacesByDefault }}
matchExpressions:
- key: istio-injection
operator: NotIn
values:
- disabled
{{- else }}
matchLabels:
istio-injection: enabled
{{- end }}
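Review bot: `namespace: {{ .Release.Namespace }}` under `metadata` of the MutatingWebhookConfiguration is silently cleared by the apiserver because the resource is cluster-scoped; remove it so the template does not suggest the webhook is namespaced. `failurePolicy: Fail` is the right choice for a security-relevant admission hook (a pod cannot be created uninjected while the injector is down), but it makes pod creation in every selected namespace depend on the injector being up, so the README should say so. Note also that with `enableNamespacesByDefault` the selector `istio-injection NotIn [disabled]` includes the control-plane namespace itself; the chart's own pods opt out only through their `sidecar.istio.io/inject: "false"` annotations, so document that operators who run other pods in the release namespace must label it `istio-injection=disabled`.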
apiVersion: v1
kind: Service
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
istio: sidecar-injector
spec:
ports:
- port: 443
selector:
istio: sidecar-injector
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-sidecar-injector-service-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-sidecar-injector
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
apiVersion: v1
name: telemetry-gateway
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for configuring a gateway for Istio telemetry addons
icon: https://istio.io/favicons/android-192x192.png
{{- if (.Values.prometheusEnabled) or (.Values.grafanaEnabled) }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-telemetry-gateway
namespace: {{ .Release.Namespace }}
spec:
selector:
istio: {{ .Values.gatewayName }}
servers:
{{- if .Values.prometheusEnabled }}
- port:
number: 15030
name: http2-prometheus
protocol: HTTP2
hosts:
- "*"
{{- end }}
{{- if .Values.grafanaEnabled }}
- port:
number: 15031
name: http2-grafana
protocol: HTTP2
hosts:
- "*"
{{- end }}
{{- if .Values.grafanaEnabled }}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
spec:
host: grafana.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
{{- end }}
{{- if .Values.prometheusEnabled }}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: prometheus
namespace: {{ .Release.Namespace }}
spec:
host: prometheus.{{ .Release.Namespace }}.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE
{{- end }}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: telemetry-virtual-service
namespace: {{ .Release.Namespace }}
spec:
hosts:
- "*"
gateways:
- istio-telemetry-gateway
http:
{{- if .Values.prometheusEnabled }}
- match:
- port: 15030
route:
- destination:
host: prometheus.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 9090
{{- end }}
{{- if .Values.grafanaEnabled }}
- match:
- port: 15031
route:
- destination:
host: grafana.{{ .Release.Namespace }}.svc.cluster.local
port:
number: 3000
{{- end }}
---
{{- end }}
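Review bot: `{{- if (.Values.prometheusEnabled) or (.Values.grafanaEnabled) }}` on the first line is not valid Go template syntax; `or` is a prefix function in text/template, so the parenthesised first argument receives extra arguments and rendering fails with a "can't give argument to non-function" error. Write `{{- if or .Values.prometheusEnabled .Values.grafanaEnabled }}`. On the security side, both the Gateway servers and the VirtualService use `hosts: - "*"` with plain `HTTP2` and no `tls:` block, so enabling either flag publishes the Prometheus and Grafana UIs through the ingress gateway to any client that can reach it, unauthenticated and in cleartext; restrict `hosts` to an operator-controlled name, terminate TLS on the gateway, and put an authentication layer in front before recommending this outside a lab. The `---` before the closing `{{- end }}` also emits a trailing empty document; harmless, but move it inside the last conditional block.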
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
apiVersion: v1
description: A Helm chart for Kubernetes
name: tracing
version: 1.0.1
appVersion: 1.5.1
tillerVersion: ">=2.7.2"
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.hosts }}
http://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services zipkin)
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get services -w zipkin'
export SERVICE_IP=$(kubectl get services --namespace {{ .Release.Namespace }} zipkin -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "zipkin.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
{{- end }}
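Review bot: the `ClusterIP` branch selects pods with `-l "app={{ template "zipkin.name" . }},release={{ .Release.Name }}"`, but the tracing Deployment labels its pod `app: jaeger` and sets no `release` label, so `POD_NAME` comes back empty and the `kubectl port-forward` line fails; select on `app=jaeger` and pass `--namespace {{ .Release.Namespace }}` to `port-forward` as the other commands do. The LoadBalancer text "You can watch the status of by running" is missing its object ("the status of it"). Also, questions.yaml offers `tracing.service.type` only as ClusterIP or NodePort, so the `LoadBalancer` branch is unreachable from the Rancher UI; fine to keep for direct Helm users, but worth a comment.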
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "zipkin.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "zipkin.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-tracing
namespace: {{ .Release.Namespace }}
labels:
app: istio-tracing
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: jaeger
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: jaeger
image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.jaeger.ui.port }}
- containerPort: 5775
protocol: UDP
- containerPort: 6831
protocol: UDP
- containerPort: 6832
protocol: UDP
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: COLLECTOR_ZIPKIN_HTTP_PORT
value: "{{ .Values.service.internalPort }}"
- name: MEMORY_MAX_TRACES
value: "{{ .Values.jaeger.memory.max_traces }}"
livenessProbe:
httpGet:
path: /
port: {{ .Values.jaeger.ui.port }}
readinessProbe:
httpGet:
path: /
port: {{ .Values.jaeger.ui.port }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
affinity:
{{- include "nodeaffinity" . | indent 6 }}
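Review bot: the image reference `{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}` is fed by a floating tag (questions.yaml defaults `tracing.jaeger.tag` to `1.5` while this Chart.yaml says `appVersion: 1.5.1`), so what gets pulled can change between installs without any chart change; pin the default to the exact version the chart was tested with. The pod also opts out of the mesh with `sidecar.istio.io/inject: "false"`, which is expected for the tracing backend but means the collector ports (5775/6831/6832 UDP and the Zipkin HTTP collector on `service.internalPort`) accept spans from anything in the cluster without mTLS; a comment stating that, and that trace payloads are untrusted input held in memory up to `MEMORY_MAX_TRACES`, would help operators judge the exposure.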
{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }}
{{- $servicePort := .Values.jaeger.ui.port -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: jaeger-query
namespace: {{ .Release.Namespace }}
labels:
app: jaeger
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.jaeger.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.jaeger.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: /
backend:
serviceName: jaeger-query
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.jaeger.ingress.tls }}
tls:
{{ toYaml .Values.jaeger.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
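Review bot: `{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }}` on the first line fails at render time because text/template only accepts `and` as a prefix function; write `{{ if and .Values.jaeger.ingress.enabled (eq .Values.provider "jaeger") }}`. The Ingress also publishes the Jaeger query UI, which has no authentication of its own, over plain HTTP unless `jaeger.ingress.tls` is set, and the Rancher question for it only asks for a hostname; consider requiring TLS or documenting that the UI must sit behind an authenticating proxy.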
{{- if .Values.ingress.enabled -}}
{{- $serviceName := "zipkin" -}}
{{- $servicePort := .Values.service.externalPort -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "zipkin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "zipkin.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
- path: /
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
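Review bot: this Ingress routes to the `zipkin` Service on `service.externalPort`, and that Service targets `service.internalPort`, which the tracing Deployment exports as `COLLECTOR_ZIPKIN_HTTP_PORT`; in other words `ingress.enabled` exposes the Zipkin span ingestion endpoint, not a UI, to everything that can reach the ingress, so any external client can write arbitrary spans into the in-memory trace store. If the intent is to show traces, route to the `tracing` Service (port 80 to the Jaeger UI) instead; if the collector really must be reachable externally, say so explicitly and require `ingress.tls` plus an authenticating front end.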
{{ if eq .Values.provider "jaeger" }}
apiVersion: v1
kind: List
items:
- apiVersion: v1
kind: Service
metadata:
name: jaeger-query
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: jaeger
jaeger-infra: jaeger-service
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- name: query-http
port: {{ .Values.jaeger.ui.port }}
protocol: TCP
targetPort: {{ .Values.jaeger.ui.port }}
selector:
app: jaeger
- apiVersion: v1
kind: Service
metadata:
name: jaeger-collector
namespace: {{ .Release.Namespace }}
labels:
app: jaeger
jaeger-infra: collector-service
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- name: jaeger-collector-tchannel
port: 14267
protocol: TCP
targetPort: 14267
- name: jaeger-collector-http
port: 14268
targetPort: 14268
protocol: TCP
selector:
app: jaeger
type: ClusterIP
- apiVersion: v1
kind: Service
metadata:
name: jaeger-agent
namespace: {{ .Release.Namespace }}
labels:
app: jaeger
jaeger-infra: agent-service
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- name: agent-zipkin-thrift
port: 5775
protocol: UDP
targetPort: 5775
- name: agent-compact
port: 6831
protocol: UDP
targetPort: 6831
- name: agent-binary
port: 6832
protocol: UDP
targetPort: 6832
clusterIP: None
selector:
app: jaeger
{{ end }}
apiVersion: v1
kind: List
items:
- apiVersion: v1
kind: Service
metadata:
name: zipkin
namespace: {{ .Release.Namespace }}
labels:
app: jaeger
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: jaeger
- apiVersion: v1
kind: Service
metadata:
name: tracing
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: jaeger
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- name: http-query
port: 80
protocol: TCP
targetPort: {{ .Values.jaeger.ui.port }}
selector:
app: jaeger
categories:
- Microservice
- Service mesh
namespace: istio-system
questions:
- variable: defaultImage
default: "true"
description: "Use default Docker image"
label: Use Default Image
type: boolean
show_subquestion_if: false
group: "Container Images"
subquestions:
- variable: global.hub
default: "gcr.io/istio-release"
description: "Default hub for Istio images"
type: string
label: Global Hub For Istio Images
- variable: global.tag
default: "release-1.0-latest-daily"
description: "The image tag of istio image"
type: string
label: Global Tag For Istio Images
- variable: global.proxy.image
default: "proxyv2"
description: "The image name of istio proxy"
type: string
label: Image Name of Istio Proxy
- variable: global.proxy_init.image
default: "proxy_init"
description: "The image name of istio proxy_init"
type: string
label: Image Name of Istio Proxy_init
- variable: sidecarInjectorWebhook.image
default: "sidecar_injector"
description: "Image name of the sidecar-injector webhook"
type: string
label: Sidecar-Injector Webhook Image Name
- variable: galley.image
default: "galley"
description: "Image name of the galley"
type: string
label: Galley Image Name
- variable: mixer.image
default: "mixer"
description: "Image name of the mixer"
type: string
label: Mixer Image Name
- variable: pilot.image
default: "pilot"
description: "Image name of the pilot"
type: string
label: Pilot Image Name
- variable: security.image
default: "citadel"
description: "Image name of the isito security"
type: string
label: Istio Security Image Name
- variable: grafana.image
default: "grafana"
description: "Image name of the grafana"
type: string
label: Grafana Image Name
- variable: servicegraph.image
default: "servicegraph"
description: "Image name of the servicegraph"
type: string
label: Servicegraph Image Name
- variable: mixer.prometheusStatsdExporter.hub
default: "docker.io/prom"
description: "PrometheusStats Exporter image repository"
type: string
label: PrometheusStats Exporter Image Repository
- variable: mixer.prometheusStatsdExporter.tag
default: "v0.6.0"
description: "PrometheusStats Exporter image tag"
type: string
label: PrometheusStats Exporter Image Tag
- variable: tracing.jaeger.hub
default: "docker.io/jaegertracing"
description: "The jaeger image repository"
type: string
label: Jaeger Image Repository
- variable: tracing.jaeger.tag
default: "1.5"
description: "The jaeger image tag"
type: string
label: Jaeger Image Tag
- variable: prometheus.hub
default: "docker.io/prom"
description: "The prometheuscomponent image repository"
type: string
label: Prometheus Image Repository
- variable: prometheus.tag
default: "v2.3.1"
description: "The prometheus image tag"
type: string
label: Prometheus Image Tag
- variable: global.hyperkube.hub
default: "quay.io/coreos"
description: "The hyperkube image of istio"
type: string
label: Initial Image Repository of Istio Proxy
- variable: global.hyperkube.tag
default: "v1.7.6_coreos.0"
description: "The hyperkube image tag"
type: string
label: Istio Hyperkube Image Tag
- variable: kiali.hub
default: "docker.io/kiali"
description: "The kiali image repository"
type: string
label: Kiali Image Repository
- variable: kiali.tag
default: "istio-release-1.0"
description: "The kiali image tag"
type: string
label: Kiali Image Tag
- variable: certmanager.hub
default: "quay.io/jetstack"
description: "The jetstack image repository"
type: string
label: Jetstack Image Repository
- variable: certmanager.tag
default: "v0.3.1"
description: "The jetstack image tag"
type: string
label: Jetstack Image Tag
# ingress settings
- variable: ingress.enabled
default: false
description: "Enabled istio ingress"
group: "Istio Ingress Settings"
type: boolean
label: Enabled Istio Ingress
show_subquestion_if: "true"
subquestions:
- variable: ingress.service.type
default: "NodePort"
description: "Ingress service type"
type: enum
label: Ingress service type
options:
- "ClusterIP"
- "NodePort"
- "LoadBalancer"
# grafana and prometheus settings
- variable: grafana.enabled
default: false
description: "Enabled the grafana component of istio"
type: boolean
required: true
label: Enabled the Grafana Component
show_subquestion_if: true
group: "Grafana Settings"
subquestions:
- variable: grafana.service.type
default: "NodePort"
description: "Grafana service type"
show_if: "grafana.ingress.enabled=false"
type: enum
label: Grafana Service Type
group: "Grafana Settings"
options:
- "ClusterIP"
- "NodePort"
- variable: prometheus.enabled
default: true
description: "Enabled prometheus server"
type: boolean
required: true
label: Enable the prometheus Server
show_subquestion_if: true
group: "Prometheus Settings"
- variable: sidecarInjectorWebhook.enabled
default: true
description: "Specifies whether automatic sidecar-injector should be installed"
type: boolean
required: true
label: Enabled Auto Sidecar Injector
show_subquestion_if: true
group: "Sidecar Injector Settings"
subquestions:
# tracing settings
- variable: tracing.enabled
default: true
description: "Enabled the jaeger component of istio"
type: boolean
required: true
label: Enabled the Jaeger Component
group: "Tracing Component Settings"
- variable: tracing.service.type
default: "NodePort"
description: "Jaeger service type"
type: enum
label: Tracing Service Type
show_if: "tracing.enabled=true"
group: "Tracing Component Settings"
options:
- "ClusterIP"
- "NodePort"
- variable: tracing.ingress.enabled
default: false
description: "Expose tracing using Layer 7 Load Balancer - ingress"
type: boolean
label: Expose Tracing using Layer 7 Load Balancer
group: "Tracing Component Settings"
show_if: "tracing.enabled=true"
show_subquestion_if: "true"
subquestions:
- variable: tracing.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access tracing"
type: hostname
label: Hostname to Access Tracing
# servicegraph settings
- variable: servicegraph.enabled
default: false
description: "Enabled the servicegraph component of istio"
type: boolean
required: true
label: Enabled the Servicegraph Component
show_subquestion_if: true
group: "Servicegraph Settings"
- variable: servicegraph.ingress.enabled
default: false
description: "Expose servicegraph using layer 7 Load Balancer - ingress"
type: boolean
label: Expose servicegraph using Layer 7 Load Balancer
show_if: "servicegraph.enabled=true"
group: "Servicegraph Settings"
show_subquestion_if: "true"
subquestions:
- variable: servicegraph.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access servicegraph, it is a json array"
type: hostname
label: Hostname to Access Servicegraph
- variable: servicegraph.service.typ
default: "NodePort"
description: "Servicegraph service type"
type: enum
label: Servicegraph Service Type
show_if: "servicegraph.enabled=true"
group: "Servicegraph Settings"
options:
- "ClusterIP"
- "NodePort"
# kiali settings
- variable: kiali.enabled
default: false
description: "Enabled Kiali server"
type: boolean
required: true
label: Enable the Kiali Server
show_subquestion_if: true
group: "Kiali Settings"
- variable: kiali.service.type
default: "NodePort"
description: "Kiali service type"
type: enum
label: Kiali Service Type
group: "Kiali Settings"
show_if: "kiali.enabled=true"
options:
- "ClusterIP"
- "NodePort"
- variable: kiali.ingress.enabled
default: false
description: "Expose kiali using Layer 7 Load Balancer - ingress"
type: boolean
label: Expose Kiali using Layer 7 Load Balancer
show_if: "kiali.enabled=true"
show_subquestion_if: true
group: "Kiali Settings"
subquestions:
- variable: kiali.ingress.hosts[0]
default: "xip.io"
description: "The hostname to access kiali server"
type: hostname
label: Hostname to Access Kiali Server
show_if: "kiali.enabled=true&&kiali.ingress.enabled=true"
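Review bot: `variable: servicegraph.service.typ` is a typo for `servicegraph.service.type`; as written the answer lands in an unused value and the servicegraph Service keeps its chart default. `description: "Image name of the isito security"` should read `istio`. From a supply-chain angle, `global.tag` defaults to `release-1.0-latest-daily`, a mutable daily-build tag, while this chart is versioned `1.0.1`; installs on different days pull different control-plane images, so default to the pinned `1.0.1` tag and let users opt into daily builds deliberately. Minor: `defaultImage` has `default: "true"` as a string and `show_subquestion_if: false` as a boolean, unlike the other boolean questions, and the `servicegraph.ingress.hosts[0]` description says "it is a json array" although the field type is a single `hostname`.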
dependencies:
- name: sidecarInjectorWebhook
version: 1.0.1
condition: sidecarInjectorWebhook.enabled
repository: "file://../charts/sidecarInjectorWebhook"
- name: security
version: 1.0.1
condition: security.enabled
repository: "file://../charts/security"
- name: ingress
version: 1.0.1
condition: ingress.enabled
repository: "file://../charts/ingress"
- name: gateways
version: 1.0.1
condition: gateways.enabled
repository: "file://../charts/gateways"
- name: mixer
version: 1.0.1
condition: mixer.enabled
repository: "file://../charts/mixer"
- name: pilot
version: 1.0.1
condition: pilot.enabled
repository: "file://../charts/pilot"
- name: grafana
version: 1.0.1
condition: grafana.enabled
repository: "file://../charts/grafana"
- name: prometheus
version: 1.0.1
condition: prometheus.enabled
repository: "file://../charts/prometheus"
- name: servicegraph
version: 1.0.1
condition: servicegraph.enabled
repository: "file://../charts/servicegraph"
- name: tracing
version: 1.0.1
condition: tracing.enabled
repository: "file://../charts/tracing"
- name: galley
version: 1.0.1
condition: galley.enabled
repository: "file://../charts/galley"
- name: kiali
version: 1.0.1
condition: kiali.enabled
repository: "file://../charts/kiali"
- name: certmanager
version: 1.0.1
condition: certmanager.enabled
repository: "file://../charts/certmanager"
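Review bot: the `telemetry-gateway` chart added in this commit (Chart.yaml `name: telemetry-gateway`) is not listed in these dependencies, so its Gateway, DestinationRule and VirtualService templates are never rendered; either add an entry with a `telemetry-gateway.enabled` condition (default false, given that its templates expose Prometheus and Grafana on `hosts: "*"`) or drop the subchart. Every entry pins `version: 1.0.1`, which is good, but nothing pins the image tags to match, so the chart version and the images it pulls can drift apart.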
Thank you for installing {{ .Chart.Name }}.
Your release is named {{ .Release.Name }}.
To get started running application with Istio, execute the following steps:
{{- if index .Values "sidecarInjectorWebhook" "enabled" }}
1. Label namespace that application object will be deployed to by the following command (take default namespace as an example)
$ kubectl label namespace default istio-injection=enabled
$ kubectl get namespace -L istio-injection
2. Deploy your applications
$ kubectl apply -f <your-application>.yaml
{{- else }}
1. Download the latest release package to get sidecar injection tool
$ curl -L https://git.io/getLatestIstio | sh -
$ mv istio-* istio-latest
$ export PATH="$PATH:$PWD/istio-latest/bin"
2. Deploy your application by manually injecting envoy sidecar with `istioctl kube-inject`
$ kubectl apply -f <(istioctl kube-inject -f <your-application>.yaml)
{{- end }}
For more information on running Istio, visit:
https://istio.io/
\ No newline at end of file
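Review bot: the manual-injection branch tells users to run `curl -L https://git.io/getLatestIstio | sh -`, which pipes an unverified script fetched through a URL shortener into a shell and takes whatever "latest" is at that moment, while this chart installs control plane `1.0.1`; an `istioctl kube-inject` from a newer release can emit a sidecar spec the 1.0.1 control plane does not understand. Point users at the 1.0.1 release archive, have them verify its checksum, and run `istioctl` from that. The auto-injection branch is fine; it could add that `istio-injection=enabled` only affects pods created after the label is applied, so existing workloads need a restart.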
{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
{{- define "nodeaffinity" }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityRequiredDuringScheduling" . }}
preferredDuringSchedulingIgnoredDuringExecution:
{{- include "nodeAffinityPreferredDuringScheduling" . }}
{{- end }}
{{- define "nodeAffinityRequiredDuringScheduling" }}
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
{{- range $key, $val := .Values.global.arch }}
{{- if gt ($val | int) 0 }}
- {{ $key }}
{{- end }}
{{- end }}
{{- end }}
{{- define "nodeAffinityPreferredDuringScheduling" }}
{{- range $key, $val := .Values.global.arch }}
{{- if gt ($val | int) 0 }}
- weight: {{ $val | int }}
preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- {{ $key }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "istio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "istio.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a fully qualified configmap name.
*/}}
{{- define "istio.configmap.fullname" -}}
{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Configmap checksum.
*/}}
{{- define "istio.configmap.checksum" -}}
{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
{{- end -}}
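Review bot: `istio.configmap.checksum` hashes the string `$.Template.BasePath` joined with `/configmap.yaml`, not the rendered ConfigMap, so its value is constant across upgrades and any Deployment that carries it as a checksum annotation will not roll when the mesh config changes. Hash the rendered content instead, for example `{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, or drop the helper if nothing references it.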
{{- if .Values.pilot.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
mesh: |-
# Set the following variable to true to disable policy checks by the Mixer.
# Note that metrics will still be reported to the Mixer.
disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
# Set enableTracing to false to disable request tracing.
enableTracing: {{ .Values.global.enableTracing }}
# Set accessLogFile to empty string to disable access log.
accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
#
# Deprecated: mixer is using EDS
{{- if .Values.mixer.enabled }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004
{{- else }}
mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
{{- end }}
{{- end }}
{{- if .Values.ingress.enabled }}
# This is the k8s ingress service name, update if you used a different name
ingressService: istio-{{ .Values.global.k8sIngressSelector }}
{{- end }}
# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
sdsUdsPath: ""
# How frequently should Envoy fetch key/cert from NodeAgent.
sdsRefreshDelay: 15s
#
defaultConfig:
#
# TCP connection timeout between Envoy & the application, and between Envoys.
connectTimeout: 10s
#
### ADVANCED SETTINGS #############
# Where should envoy's configuration be stored in the istio-proxy container
configPath: "/etc/istio/proxy"
binaryPath: "/usr/local/bin/envoy"
# The pseudo service name used for Envoy.
serviceCluster: istio-proxy
# These settings that determine how long an old Envoy
# process should be kept alive after an occasional reload.
drainDuration: 45s
parentShutdownDuration: 1m0s
#
# The mode used to redirect inbound connections to Envoy. This setting
# has no effect on outbound traffic: iptables REDIRECT is always used for
# outbound connections.
# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
# The "REDIRECT" mode loses source addresses during redirection.
# If "TPROXY", use iptables TPROXY to redirect to Envoy.
# The "TPROXY" mode preserves both the source and destination IP
# addresses and ports, so that they can be used for advanced filtering
# and manipulation.
# The "TPROXY" mode also configures the sidecar to run with the
# CAP_NET_ADMIN capability, which is required to use TPROXY.
#interceptionMode: REDIRECT
#
# Port where Envoy listens (on local host) for admin commands
# You can exec into the istio-proxy container in a pod and
# curl the admin port (curl http://localhost:15000/) to obtain
# diagnostic information from Envoy. See
# https://lyft.github.io/envoy/docs/operations/admin.html
# for more details
proxyAdminPort: 15000
#
# Zipkin trace collector
zipkinAddress: zipkin.{{ .Release.Namespace }}:9411
{{- if .Values.global.proxy.envoyStatsd.enabled }}
#
# Statsd metrics collector converts statsd metrics into Prometheus metrics.
statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }}
{{- end }}
{{- if .Values.global.controlPlaneSecurityEnabled }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: MUTUAL_TLS
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005
{{- else }}
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: NONE
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007
{{- end }}
{{- end }}
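Review bot: `zipkinAddress: zipkin.{{ .Release.Namespace }}:9411` hard-codes the port while the `zipkin` Service in the tracing chart listens on `{{ .Values.service.externalPort }}`; if that value is changed, tracing silently stops. Reference one shared value in both places. The `controlPlaneSecurityEnabled` switch is the important security default in this file: when it is false the sidecars reach Pilot on plaintext port 15007 with `controlPlaneAuthPolicy: NONE` and Mixer on 9091, so questions.yaml should surface that option instead of leaving it at the chart default. Style: the comment `# These settings that determine how long an old Envoy` is missing its verb ("These settings determine ...").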
# {{ if or .Values.global.crds (semverCompare ">=2.10.0-0" .Capabilities.TillerVersion.SemVer) }}
# these CRDs only make sense when pilot is enabled
# {{- if .Values.pilot.enabled }}
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: virtualservices.networking.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: VirtualService
listKind: VirtualServiceList
plural: virtualservices
singular: virtualservice
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: destinationrules.networking.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
singular: destinationrule
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: serviceentries.networking.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: ServiceEntry
listKind: ServiceEntryList
plural: serviceentries
singular: serviceentry
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: gateways.networking.istio.io
annotations:
"helm.sh/hook": crd-install
"helm.sh/hook-weight": "-5"
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: Gateway
plural: gateways
singular: gateway
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: envoyfilters.networking.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: istio-pilot
spec:
group: networking.istio.io
names:
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
categories:
- istio-io
- networking-istio-io
scope: Namespaced
version: v1alpha3
---
# {{- end }}
# these CRDs only make sense when security is enabled
# {{- if .Values.security.enabled }}
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: policies.authentication.istio.io
spec:
group: authentication.istio.io
names:
kind: Policy
plural: policies
singular: policy
categories:
- istio-io
- authentication-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: meshpolicies.authentication.istio.io
spec:
group: authentication.istio.io
names:
kind: MeshPolicy
listKind: MeshPolicyList
plural: meshpolicies
singular: meshpolicy
categories:
- istio-io
- authentication-istio-io
scope: Cluster
version: v1alpha1
---
# {{- end }}
# {{- if .Values.mixer.enabled }}
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: httpapispecbindings.config.istio.io
spec:
group: config.istio.io
names:
kind: HTTPAPISpecBinding
plural: httpapispecbindings
singular: httpapispecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: httpapispecs.config.istio.io
spec:
group: config.istio.io
names:
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: quotaspecbindings.config.istio.io
spec:
group: config.istio.io
names:
kind: QuotaSpecBinding
plural: quotaspecbindings
singular: quotaspecbinding
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
annotations:
"helm.sh/hook": crd-install
name: quotaspecs.config.istio.io
spec:
group: config.istio.io
names:
kind: QuotaSpec
plural: quotaspecs
singular: quotaspec
categories:
- istio-io
- apim-istio-io
scope: Namespaced
version: v1alpha2
---
# Mixer CRDs
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rules.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: rule
plural: rules
singular: rule
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: attributemanifests.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: core
spec:
group: config.istio.io
names:
kind: attributemanifest
plural: attributemanifests
singular: attributemanifest
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: bypasses.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: bypass
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: bypass
plural: bypasses
singular: bypass
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: circonuses.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: circonus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: circonus
plural: circonuses
singular: circonus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: deniers.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: denier
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: denier
plural: deniers
singular: denier
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: fluentds.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: fluentd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: fluentd
plural: fluentds
singular: fluentd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kubernetesenvs.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: kubernetesenv
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: kubernetesenv
plural: kubernetesenvs
singular: kubernetesenv
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listcheckers.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: listchecker
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: listchecker
plural: listcheckers
singular: listchecker
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: memquotas.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: memquota
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: memquota
plural: memquotas
singular: memquota
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: noops.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: noop
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: noop
plural: noops
singular: noop
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: opas.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: opa
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: opa
plural: opas
singular: opa
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: prometheuses.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: prometheus
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: prometheus
plural: prometheuses
singular: prometheus
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacs.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: rbac
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: rbac
plural: rbacs
singular: rbac
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: redisquotas.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
package: redisquota
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: redisquota
plural: redisquotas
singular: redisquota
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrols.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: servicecontrol
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: servicecontrol
plural: servicecontrols
singular: servicecontrol
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: signalfxs.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: signalfx
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: signalfx
plural: signalfxs
singular: signalfx
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: solarwindses.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: solarwinds
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: solarwinds
plural: solarwindses
singular: solarwinds
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stackdrivers.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: stackdriver
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stackdriver
plural: stackdrivers
singular: stackdriver
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: statsds.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: statsd
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: statsd
plural: statsds
singular: statsd
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: stdios.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: stdio
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: stdio
plural: stdios
singular: stdio
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: apikeys.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: apikey
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: apikey
plural: apikeys
singular: apikey
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: authorizations.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: authorization
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: authorization
plural: authorizations
singular: authorization
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: checknothings.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: checknothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: checknothing
plural: checknothings
singular: checknothing
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: kuberneteses.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: adapter.template.kubernetes
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: kubernetes
plural: kuberneteses
singular: kubernetes
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: listentries.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: listentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: listentry
plural: listentries
singular: listentry
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: logentries.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: logentry
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: logentry
plural: logentries
singular: logentry
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: edges.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: edge
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: edge
plural: edges
singular: edge
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: metrics.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: metric
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: metric
plural: metrics
singular: metric
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: quotas.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: quota
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: quota
plural: quotas
singular: quota
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: reportnothings.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: reportnothing
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: reportnothing
plural: reportnothings
singular: reportnothing
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicecontrolreports.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: servicecontrolreport
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: servicecontrolreport
plural: servicecontrolreports
singular: servicecontrolreport
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: tracespans.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: tracespan
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: tracespan
plural: tracespans
singular: tracespan
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: rbacconfigs.rbac.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
group: rbac.istio.io
names:
kind: RbacConfig
plural: rbacconfigs
singular: rbacconfig
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: serviceroles.rbac.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
group: rbac.istio.io
names:
kind: ServiceRole
plural: serviceroles
singular: servicerole
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: servicerolebindings.rbac.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: istio.io.mixer
istio: rbac
spec:
group: rbac.istio.io
names:
kind: ServiceRoleBinding
plural: servicerolebindings
singular: servicerolebinding
categories:
- istio-io
- rbac-istio-io
scope: Namespaced
version: v1alpha1
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: adapters.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: adapter
istio: mixer-adapter
spec:
group: config.istio.io
names:
kind: adapter
plural: adapters
singular: adapter
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: instances.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: instance
istio: mixer-instance
spec:
group: config.istio.io
names:
kind: instance
plural: instances
singular: instance
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: templates.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: template
istio: mixer-template
spec:
group: config.istio.io
names:
kind: template
plural: templates
singular: template
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
name: handlers.config.istio.io
annotations:
"helm.sh/hook": crd-install
labels:
app: mixer
package: handler
istio: mixer-handler
spec:
group: config.istio.io
names:
kind: handler
plural: handlers
singular: handler
categories:
- istio-io
- policy-istio-io
scope: Namespaced
version: v1alpha2
---
# {{- end }}
# {{ end }}
{{ define "install-custom-resources.sh.tpl" }}
#!/bin/sh
set -x
if [ "$#" -ne "1" ]; then
    echo "first argument should be path to custom resource yaml"
    exit 1
fi
pathToResourceYAML=${1}
/kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
if [ "$?" -eq 0 ]; then
    echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
    while true; do
        /kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null
        if [ "$?" -eq 0 ]; then
            break
        fi
        sleep 1
    done
    /kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley
    if [ "$?" -ne 0 ]; then
        echo "istio-galley deployment rollout status check failed"
        exit 1
    fi
    echo "istio-galley deployment ready for configuration validation"
fi
sleep 5
/kubectl apply -f ${pathToResourceYAML}
{{ end }}
{{- if not .Values.global.omitSidecarInjectorConfigMap }}
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: sidecar-injector
data:
config: |-
policy: {{ .Values.global.proxy.autoInject }}
template: |-
initContainers:
- name: istio-init
{{- if contains "/" .Values.global.proxy_init.image }}
image: "{{ .Values.global.proxy_init.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
{{- end }}
args:
- "-p"
- {{ "[[ .MeshConfig.ProxyListenPort ]]" }}
- "-u"
- 1337
- "-m"
- {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
- "-i"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.includeIPRanges }}"
{{ "[[ end -]]" }}
- "-x"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.excludeIPRanges }}"
{{ "[[ end -]]" }}
- "-b"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }}
{{ "[[ else -]]" }}
- {{ "[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]" }}
- "-d"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.excludeInboundPorts }}"
{{ "[[ end -]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
securityContext:
capabilities:
add:
- NET_ADMIN
{{ if .Values.global.proxy.privileged }}
privileged: true
{{ end -}}
restartPolicy: Always
{{ if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
- -c
- sysctl -w kernel.core_pattern=/etc/istio/proxy/core.%e.%p.%t && ulimit -c unlimited
command:
- /bin/sh
image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }}
imagePullPolicy: IfNotPresent
resources: {}
securityContext:
privileged: true
{{ end }}
containers:
- name: istio-proxy
image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }}
{{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"" }}
{{ "[[ else -]]" }}
{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
{{ "[[ end -]]" }}
args:
- proxy
- sidecar
- --configPath
- {{ "[[ .ProxyConfig.ConfigPath ]]" }}
- --binaryPath
- {{ "[[ .ProxyConfig.BinaryPath ]]" }}
- --serviceCluster
{{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }}
- {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }}
{{ "[[ else -]]" }}
- "istio-proxy"
{{ "[[ end -]]" }}
- --drainDuration
- {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }}
- --parentShutdownDuration
- {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }}
- --discoveryAddress
- {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }}
- --discoveryRefreshDelay
- {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }}
- --zipkinAddress
- {{ "[[ .ProxyConfig.ZipkinAddress ]]" }}
- --connectTimeout
- {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }}
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }}
{{- end }}
- --proxyAdminPort
- {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }}
- --controlPlaneAuthPolicy
- {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_INTERCEPTION_MODE
value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
securityContext:
{{ if .Values.global.proxy.privileged }}
privileged: true
{{ end -}}
readOnlyRootFilesystem: true
{{ "[[ if eq (or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\" -]]" }}
capabilities:
add:
- NET_ADMIN
runAsGroup: 1337
{{ "[[ else -]]" }}
runAsUser: 1337
{{ "[[ end -]]" }}
restartPolicy: Always
resources:
{{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\") -]]" }}
requests:
cpu: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\" ]]\"" }}
memory: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\" ]]\"" }}
{{ "[[ else -]]" }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 10 }}
{{- end }}
{{ "[[ end -]]" }}
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
volumes:
- emptyDir:
medium: Memory
name: istio-envoy
- name: istio-certs
secret:
optional: true
{{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }}
secretName: istio.default
{{ "[[ else -]]" }}
secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }}
{{ "[[ end -]]" }}
{{- end }}
# This is used to generate istio.yaml
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
istiotesting:
oneNameSpace: false
prometheus:
enabled: true
galley:
enabled: true
# This is used to generate istio-auth-multicluster.yaml, used for CI/CD.
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
global:
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
ingress:
# Ingress is used for migration, for alpha3 we expect ingressgateway
enabled: false
prometheus:
enabled: true
sidecarInjectorWebhook:
enabled: true
enableNamespacesByDefault: false
grafana:
enabled: true
tracing:
enabled: true
servicegraph:
enabled: true
galley:
enabled: true
# This is used to generate istio.yaml for minimal, demo mode.
# It is shipped with the release, used for bookinfo or quick installation of istio.
# Includes components used in the demo, defaults to alpha3 rules.
# If running in minikube you may add:
# --set global.nodePort=true
# --set ingressgateway.service.type=NodePort
global:
nodePort: false
ingress:
# Ingress is used for migration, for alpha3 we expect ingressgateway
enabled: false
prometheus:
enabled: true
sidecarInjectorWebhook:
enabled: true
enableNamespacesByDefault: false
grafana:
enabled: true
tracing:
enabled: true
servicegraph:
enabled: true
galley:
enabled: true
# This is used to generate istio.yaml
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
istiotesting:
oneNameSpace: false
prometheus:
enabled: true
galley:
enabled: true
# Common settings.
global:
# Include the crd definition when generating the template.
# For 'helm template' and helm install > 2.10 it should be true.
# For helm < 2.9, crds must be installed ahead of time with
# 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml'
# and this option must be set off.
crds: false
# Omit the istio-sidecar-injector configmap when generating a
# standalone gateway. Gateways may be created in namespaces other
# than `istio-system` and we don't want to re-create the injector
# configmap in those.
omitSidecarInjectorConfigMap: true
# Istio control plane namespace: This specifies where the Istio control
# plane was installed earlier. Modify this if you installed the control
# plane in a different namespace than istio-system.
istioNamespace: istio-system
proxy:
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Can also be disabled (e.g. when Mixer is not installed).
envoyStatsd:
enabled: true
host: istio-statsd-prom-bridge.istio-system
port: 9125
#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable a specific gateway by setting its `enabled` to false.
#
gateways:
enabled: true
custom-gateway:
enabled: true
labels:
app: custom-gateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
#requests:
# cpu: 1800m
# memory: 256Mi
loadBalancerIP: ""
serviceAnnotations: {}
type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
ports:
## You can add custom gateway ports
- port: 80
targetPort: 80
name: http2
# nodePort: 31380
- port: 443
name: https
# nodePort: 31390
- port: 31400
name: tcp
# nodePort: 31400
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
# Telemetry-related ports are enabled in gateway - but will only redirect if
# the gateway configuration for the various components is enabled.
- port: 15030
targetPort: 15030
name: http2-prometheus
- port: 15031
targetPort: 15031
name: http2-grafana
secretVolumes:
- name: customgateway-certs
secretName: istio-customgateway-certs
mountPath: /etc/istio/customgateway-certs
- name: customgateway-ca-certs
secretName: istio-customgateway-ca-certs
mountPath: /etc/istio/customgateway-ca-certs
# all other components are disabled except the gateways
ingress:
enabled: false
security:
enabled: false
sidecarInjectorWebhook:
enabled: false
galley:
enabled: false
mixer:
enabled: false
pilot:
enabled: false
grafana:
enabled: false
prometheus:
enabled: false
servicegraph:
enabled: false
tracing:
enabled: false
kiali:
enabled: false
certmanager:
enabled: false
# This is used to generate istio-multicluster.yaml, used for CI/CD.
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
prometheus:
enabled: true
# In a multiple cluster environment, citadel uses the same root certificate in all the clusters
security:
selfSigned: false
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: true
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: true
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
istiotesting:
oneNameSpace: true
# This is used to generate istio.yaml used for deprecated CI/CD testing.
global:
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
istiotesting:
oneNameSpace: true
# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1
# or v2/alpha3 with 'gradual migration' (using env variable at inject time).
global:
## imagePullSecrets for all ServiceAccounts. Must be set for any cluster configured with a private docker registry.
# imagePullSecrets:
# - name: "private-registry-key"
# Default is 10 seconds
refreshInterval: 1s
# Common settings.
global:
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
hub: gcr.io/istio-release
# Default tag for Istio images.
tag: release-1.0-latest-daily
# Gateway used for legacy k8s Ingress resources. By default it is
# using 'istio:ingress', to match 0.8 config. It requires that
# ingress.enabled is set to true. You can also set it
# to ingressgateway, or any other gateway you define in the 'gateway'
# section.
k8sIngressSelector: ingress
# k8sIngressHttps will add port 443 on the ingress and ingressgateway.
# It REQUIRES that the certificates are installed in the
# expected secrets - enabling this option without certificates
# will result in LDS rejection and the ingress will not work.
k8sIngressHttps: false
proxy:
image: proxyv2
# Resources for the sidecar.
resources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Configures the access log for each sidecar. Setting it to an empty string will
# disable access log for sidecar.
accessLogFile: "/dev/stdout"
# If set to true, istio-proxy container will have privileged securityContext
privileged: false
# If set, newly injected sidecars will have core dumps enabled.
enableCoreDump: false
# istio egress capture whitelist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
# istio ingress capture whitelist
# examples:
# Redirect no inbound traffic to Envoy: --includeInboundPorts=""
# Redirect all inbound traffic to Envoy: --includeInboundPorts="*"
# Redirect only selected ports: --includeInboundPorts="80,8080"
includeInboundPorts: "*"
excludeInboundPorts: ""
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Can also be disabled (e.g. when Mixer is not installed).
envoyStatsd:
enabled: true
host: istio-statsd-prom-bridge
port: 9125
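As an added example (not part of the chart), a small Python audit of the global.proxy and global.mtls values above, interpreting "*", "" and comma-separated lists the way the comments define them and flagging the settings that widen what injected istio-proxy and istio-init containers may do. SAMPLE_VALUES, lookup, audit_values and harden are constructed names for this illustration; the sample dict is hand-copied from the defaults on this page rather than parsed from the file (a real run would yaml.safe_load values.yaml first).

```python
import copy
import ipaddress

# Constructed sample: the global.* defaults from this chart's common values.yaml,
# copied by hand into a dict (not parsed from the file).
SAMPLE_VALUES = {
    "global": {
        "controlPlaneSecurityEnabled": False,
        "mtls": {"enabled": False},
        "proxy": {
            "privileged": False,
            "enableCoreDump": False,
            "includeIPRanges": "*",
            "excludeIPRanges": "",
            "includeInboundPorts": "*",
            "excludeInboundPorts": "",
            "autoInject": "enabled",
        },
    }
}


def lookup(values, dotted, default=None):
    """Walk a nested dict by a dotted path such as 'global.proxy.privileged'."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def parse_ip_ranges(spec):
    """includeIPRanges/excludeIPRanges: '*' means every range, otherwise a
    comma-separated CIDR list ('' is an empty list). ValueError on a bad CIDR."""
    spec = (spec or "").strip()
    if spec == "*":
        return "*"
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]


def parse_ports(spec):
    """includeInboundPorts/excludeInboundPorts: '*', '' (nothing) or '80,8080'."""
    spec = (spec or "").strip()
    if spec == "*":
        return "*"
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)  # ValueError on a non-numeric entry
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def audit_values(values):
    """Return (severity, key, message) findings for the settings that decide
    what the injected sidecar and its init containers are allowed to do."""
    findings = []
    if lookup(values, "global.proxy.privileged") is True:
        findings.append(("high", "global.proxy.privileged",
                         "istio-proxy and istio-init are injected with privileged: true"))
    if lookup(values, "global.proxy.enableCoreDump") is True:
        findings.append(("medium", "global.proxy.enableCoreDump",
                         "adds a privileged enable-core-dump init container that rewrites kernel.core_pattern"))
    if lookup(values, "global.mtls.enabled") is not True:
        findings.append(("medium", "global.mtls.enabled",
                         "service-to-service mTLS is off unless a destination rule or annotation enables it"))
    if lookup(values, "global.controlPlaneSecurityEnabled") is not True:
        findings.append(("medium", "global.controlPlaneSecurityEnabled",
                         "control plane connections are not mTLS protected"))
    if lookup(values, "global.proxy.autoInject") not in ("enabled", "disabled"):
        findings.append(("high", "global.proxy.autoInject",
                         "sidecar injector policy must be 'enabled' or 'disabled'"))
    for key, parser in (("includeIPRanges", parse_ip_ranges),
                        ("excludeIPRanges", parse_ip_ranges),
                        ("includeInboundPorts", parse_ports),
                        ("excludeInboundPorts", parse_ports)):
        raw = lookup(values, f"global.proxy.{key}", "")
        try:
            parsed = parser(raw)
        except ValueError as exc:
            findings.append(("high", f"global.proxy.{key}", f"unparseable value {raw!r}: {exc}"))
            continue
        # Per the chart comments, includeInboundPorts="" redirects no inbound traffic to Envoy.
        if key == "includeInboundPorts" and parsed == []:
            findings.append(("info", f"global.proxy.{key}",
                             "empty include list: inbound traffic bypasses the sidecar entirely"))
    return findings


def harden(values):
    """Deep-copy the values with the flagged settings set as the *-auth
    profiles on this page set them (mTLS on, nothing privileged)."""
    fixed = copy.deepcopy(values)
    g = fixed.setdefault("global", {})
    g["controlPlaneSecurityEnabled"] = True
    g.setdefault("mtls", {})["enabled"] = True
    p = g.setdefault("proxy", {})
    p["privileged"] = False
    p["enableCoreDump"] = False
    p.setdefault("autoInject", "enabled")
    return fixed
```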
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxy_init
# imagePullPolicy is applied to istio control plane components.
# local tests require IfNotPresent, to avoid uploading to dockerhub.
# TODO: Switch to Always as default, and override in the local tests.
imagePullPolicy: IfNotPresent
# controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
# propagated, not recommended for tests.
controlPlaneSecurityEnabled: false
# disablePolicyChecks disables mixer policy checks.
# Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
disablePolicyChecks: false
# EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
enableTracing: true
# Default mtls policy. If true, mtls between services will be enabled by default.
mtls:
# Default setting for service-to-service mtls. Can be set explicitly using
# destination rules or service annotations.
enabled: false
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# Must be set for any clustser configured with privte docker registry.
imagePullSecrets:
# - private-registry-key
# Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
# 0 - Never scheduled
# 1 - Least preferred
# 2 - No preference
# 3 - Most preferred
arch:
amd64: 2
s390x: 2
ppc64le: 2
# Whether to restrict the applications namespace the controller manages;
# If not set, controller watches all namespaces
oneNamespace: false
# Whether to perform server-side validation of configuration.
configValidation: true
# If set to true, the pilot and citadel mtls will be exposed on the
# ingress gateway
meshExpansion: false
# If set to true, the pilot and citadel mtls and the plain text pilot ports
# will be exposed on an internal gateway
meshExpansionILB: false
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Not recommended for user to configure this. Hyperkube image to use when creating custom resources
hyperkube:
hub: quay.io/coreos
tag: v1.7.6_coreos.0
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low prioroty class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
# Include the crd definition when generating the template.
# For 'helm template' and helm install > 2.10 it should be true.
# For helm < 2.9, crds must be installed ahead of time with
# 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
# and this options must be set off.
crds: true
#
# ingress configuration
#
ingress:
enabled: false
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
service:
annotations: {}
loadBalancerIP: ""
type: NodePort # change to NodePort, ClusterIP or LoadBalancer if need be
ports:
- port: 80
name: http
nodePort: 32000
- port: 443
name: https
selector:
istio: ingress
#
# Gateways Configuration
# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
# You can add more gateways in addition to the defaults but make sure those are uniquely named
# and that NodePorts are not conflicting.
# Disable specifc gateway by setting the `enabled` to false.
#
gateways:
enabled: true
istio-ingressgateway:
enabled: true
labels:
app: istio-ingressgateway
istio: ingressgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 1800m
# memory: 256Mi
cpu:
targetAverageUtilization: 80
loadBalancerIP: ""
serviceAnnotations: {}
type: NodePort # change to NodePort, ClusterIP or LoadBalancer if need be
ports:
## You can add custom gateway ports
- port: 80
targetPort: 80
name: http2
nodePort: 31380
- port: 443
name: https
nodePort: 31390
- port: 31400
name: tcp
nodePort: 31400
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
- port: 853
targetPort: 853
name: tcp-dns-tls
- port: 15030
targetPort: 15030
name: http2-prometheus
- port: 15031
targetPort: 15031
name: http2-grafana
secretVolumes:
- name: ingressgateway-certs
secretName: istio-ingressgateway-certs
mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
secretName: istio-ingressgateway-ca-certs
mountPath: /etc/istio/ingressgateway-ca-certs
istio-egressgateway:
enabled: true
labels:
app: istio-egressgateway
istio: egressgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
serviceAnnotations: {}
type: ClusterIP # change to NodePort or LoadBalancer if need be
ports:
- port: 80
name: http2
- port: 443
name: https
secretVolumes:
- name: egressgateway-certs
secretName: istio-egressgateway-certs
mountPath: /etc/istio/egressgateway-certs
- name: egressgateway-ca-certs
secretName: istio-egressgateway-ca-certs
mountPath: /etc/istio/egressgateway-ca-certs
# Mesh ILB gateway creates a gateway of type InternalLoadBalancer,
# for mesh expansion. It exposes the mtls ports for Pilot,CA as well
# as non-mtls ports to support upgrades and gradual transition.
istio-ilbgateway:
enabled: false
labels:
app: istio-ilbgateway
istio: ilbgateway
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
resources:
requests:
cpu: 800m
memory: 512Mi
# limits:
# cpu: 1800m
# memory: 256Mi
cpu:
targetAverageUtilization: 80
loadBalancerIP: ""
serviceAnnotations:
cloud.google.com/load-balancer-type: "internal"
type: LoadBalancer
ports:
## You can add custom gateway ports - google ILB default quota is 5 ports,
- port: 15011
name: grpc-pilot-mtls
# Insecure port - only for migration from 0.8. Will be removed in 1.1
- port: 15010
name: grpc-pilot
- port: 8060
targetPort: 8060
name: tcp-citadel-grpc-tls
# Port 853 is reserved for the kube-dns gateway
- port: 853
name: tcp-dns
secretVolumes:
- name: ilbgateway-certs
secretName: istio-ilbgateway-certs
mountPath: /etc/istio/ilbgateway-certs
- name: ilbgateway-ca-certs
secretName: istio-ilbgateway-ca-certs
mountPath: /etc/istio/ilbgateway-ca-certs
#
# sidecar-injector webhook configuration
#
sidecarInjectorWebhook:
enabled: true
replicaCount: 1
image: sidecar_injector
enableNamespacesByDefault: false
#
# galley configuration
#
galley:
enabled: true
replicaCount: 1
image: galley
#
# mixer configuration
#
mixer:
enabled: true
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
image: mixer
istio-policy:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
istio-telemetry:
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
cpu:
targetAverageUtilization: 80
prometheusStatsdExporter:
hub: docker.io/prom
tag: v0.6.0
#
# pilot configuration
#
pilot:
enabled: true
replicaCount: 1
autoscaleMin: 1
autoscaleMax: 5
image: pilot
sidecar: true
traceSampling: 100.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
env:
PILOT_PUSH_THROTTLE_COUNT: 100
GODEBUG: gctrace=2
cpu:
targetAverageUtilization: 80
#
# security configuration
#
security:
replicaCount: 1
image: citadel
selfSigned: true # indicate if self-signed CA is used.
#
# addons configuration
#
telemetry-gateway:
gatewayName: ingressgateway
grafanaEnabled: false
prometheusEnabled: false
grafana:
enabled: false
replicaCount: 1
image: grafana
security:
enabled: false
adminUser: admin
adminPassword: admin
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 3000
internalPort: 3000
prometheus:
enabled: true
replicaCount: 1
hub: docker.io/prom
tag: v2.3.1
service:
annotations: {}
nodePort:
enabled: false
port: 32090
servicegraph:
enabled: false
replicaCount: 1
image: servicegraph
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 8088
internalPort: 8088
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- servicegraph.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: servicegraph-tls
# hosts:
# - servicegraph.local
# prometheus addres
prometheusAddr: http://prometheus:9090
tracing:
enabled: false
provider: jaeger
jaeger:
hub: docker.io/jaegertracing
tag: 1.5
memory:
max_traces: 50000
ui:
port: 16686
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- jaeger.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: jaeger-tls
# hosts:
# - jaeger.local
replicaCount: 1
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 9411
internalPort: 9411
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- tracing.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: tracing-tls
# hosts:
# - tracing.local
kiali:
enabled: false
replicaCount: 1
hub: docker.io/kiali
tag: istio-release-1.0
service:
type: NodePort
ingress:
enabled: false
## Used to create an Ingress record.
# hosts:
# - kiali.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: kiali-tls
# hosts:
# - kiali.local
dashboard:
username: admin
# Default admin passphrase for kiali. Must be set during setup, and
# changed by overriding the secret
passphrase: admin
# Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs
# grafanaURL:
# Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs
# jaegerURL:
# Certmanager uses ACME to sign certificates. Since Istio gateways are
# mounting the TLS secrets the Certificate CRDs must be created in the
# istio-system namespace. Once the certificate has been created, the
# gateway must be updated by adding 'secretVolumes'. After the gateway
# restart, DestinationRules can be created using the ACME-signed certificates.
certmanager:
enabled: false
hub: quay.io/jetstack
tag: v0.3.1
resources: {}
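Review bot: the comment on `accessLogFile` reads "disable access log for sidecar" but the value `"/dev/stdout"` enables it; reword the comment (logs go to stdout, set to "" to disable) or change the default so the two agree. Two addons carry hard-coded default credentials, `grafana.security.adminPassword: admin` and `kiali.dashboard.passphrase: admin`; both addons are off by default and the kiali comment already says the passphrase must be changed, but a chart used as an install base should not ship a reusable password, so leave the value empty and document it as required (or fail the render when the addon is enabled with the placeholder still set). The default posture is plaintext, `mtls.enabled: false` and `controlPlaneSecurityEnabled: false`; that is fine for tests, but the comments should say explicitly that both need to be flipped for production. The ingress gateway Service exposes 15011 (tcp-pilot-grpc-tls) and 8060 (tcp-citadel-grpc-tls) on the NodePort Service even though the comment says they only route to pilot/citadel when `global.meshExpansion` is set; gate those port entries on the same setting so the node ports are not opened for nothing. The ILB gateway keeps the insecure pilot port 15010 with a note that it exists only for 0.8 migration; an `enabled` toggle on that entry would let users drop it now. `pilot.env.GODEBUG: gctrace=2` prints a GC trace on every collection, which is debug output rather than a production default. Typos in comments: "clustser", "privte", "prioroty", "specifc", "usefull" (twice), "addres".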
#Istio
# Istio
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes, Mesos, etc.
......
apiVersion: v1
name: longhorn
version: 0.3.0
appVersion: v0.3.0
kubeVersion: ^1.8.x
description: Longhorn is a distributed block storage system for Kubernetes powered by Rancher Labs.
keywords:
......@@ -18,6 +19,6 @@ sources:
- https://github.com/rancher/longhorn-ui
- https://github.com/rancher/longhorn-tests
maintainers:
- name: Rancher Labs
- name: rancher
email: charts@rancher.com
icon: https://s3.us-east-2.amazonaws.com/longhorn-assets/longhorn-logo.svg
......@@ -80,4 +80,3 @@ ingress:
# - name: longhorn.local-tls
# key:
# certificate:
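Review bot: the commented-out TLS example under `ingress:` shows inline `key:` / `certificate:` fields for the `longhorn.local-tls` entry, which invites users to paste private key material straight into values.yaml (and from there into version control and `helm get values`). Suggest the example reference a pre-created Secret by name instead, the way the Istio addon examples on this page do (`# - secretName: servicegraph-tls`), with a comment that the Secret must be created in the namespace ahead of time. The same example appears in the 0.1.0 values hunk below and should be changed there too.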
......@@ -3,3 +3,8 @@ description: Longhorn is a distributed block storage system for Kubernetes power
name: longhorn
version: 0.1.0
icon: https://s3.us-east-2.amazonaws.com/longhorn-assets/longhorn-logo.svg
appVersion: v0.1.0
maintainers:
- name: rancher
email: charts@rancher.com
home: https://github.com/rancher/longhorn
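Review bot: this hunk gives the 0.1.0 chart `appVersion`, `maintainers` and `home`, but unlike the 0.3.0 Chart.yaml above it still has no `kubeVersion` constraint (only two lines precede `description:` in this file). If the older chart has the same minimum (`^1.8.x`), add it here as well so `helm install` rejects unsupported clusters consistently across the two chart versions.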
......@@ -77,4 +77,3 @@ ingress:
# - name: longhorn.local-tls
# key:
# certificate: