Skip to content

C
charts
Unverified Commit c3454a55 by Guangbo Committed by GitHub
Options

bump istio to v1.0.5 (#120)

* bump istio chart to v1.0.5 * backup istio v1.0.1 chart
parent a20b5c2d
Showing with 2289 additions and 177 deletions
proposed/istio/latest/Chart.yaml
apiVersion: v1
name: istio
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
home: https://istio.io/
......
proposed/istio/latest/README.md
......@@ -20,6 +20,7 @@ Helm charts expose configuration options which are currently in alpha. The curr
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
......@@ -36,13 +37,16 @@ Helm charts expose configuration options which are currently in alpha. The curr
| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" |
| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
## Custom Installation
## Installing the Chart
1. If a service account has not already been installed for Tiller, install one:
```
......
proposed/istio/latest/app-readme.md
......@@ -9,18 +9,17 @@ This chart bootstraps all istio [components](https://istio.io/docs/concepts/what
## Chart Details
This chart can install multiple istio components as subcharts:
- ingress
- ingressgateway
- egressgateway
- gateways
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali
- grafana
- prometheus
To enable or disable each component, change the corresponding `enabled` flag.
Notes: You will need to apply `kubectl label namespace $your-namesapce istio-injection=enabled` to enabled automatic sidecar injection of your desired kubernetes namespaces.
proposed/istio/latest/charts/certmanager/Chart.yaml
apiVersion: v1
description: A Helm chart for Kubernetes
name: certmanager
version: 1.0.1
version: 1.0.5
appVersion: 0.3.1
tillerVersion: ">=2.7.2"
proposed/istio/latest/charts/galley/Chart.yaml
apiVersion: v1
name: galley
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for galley deployment
keywords:
......
proposed/istio/latest/charts/galley/templates/validatingwehookconfiguration.yaml.tpl
......@@ -60,8 +60,7 @@ webhooks:
- destinationrules
- envoyfilters
- gateways
# disabled per @costinm's request
# - serviceentries
- serviceentries
- virtualservices
failurePolicy: Fail
- name: mixer.validation.istio.io
......
proposed/istio/latest/charts/gateways/Chart.yaml
apiVersion: v1
name: gateways
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
......
proposed/istio/latest/charts/gateways/templates/deployment.yaml
......@@ -29,14 +29,40 @@ spec:
{{- if $.Values.global.priorityClassName }}
priorityClassName: "{{ $.Values.global.priorityClassName }}"
{{- end }}
{{- if $.Values.global.proxy.enableCoreDump }}
initContainers:
- name: enable-core-dump
{{- if contains "/" $.Values.global.proxy_init.image }}
image: "{{ $.Values.global.proxy_init.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}"
{{- end }}
imagePullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -c
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
securityContext:
privileged: true
{{- end }}
containers:
- name: istio-proxy
image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}"
{{- if contains "/" $.Values.global.proxy.image }}
image: "{{ $.Values.global.proxy.image }}"
{{- else }}
image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
{{- range $key, $val := $spec.ports }}
- containerPort: {{ $val.port }}
{{- end }}
{{ if ne $.Values.global.proxy.stats.prometheusPort 0. }}
- containerPort: {{ $.Values.global.proxy.stats.prometheusPort }}
protocol: TCP
name: http-envoy-prom
{{ end }}
args:
- proxy
- router
......
proposed/istio/latest/charts/gateways/templates/service.yaml
......@@ -22,6 +22,9 @@ spec:
loadBalancerIP: "{{ $spec.loadBalancerIP }}"
{{- end }}
type: {{ .type }}
{{- if $spec.externalTrafficPolicy }}
externalTrafficPolicy: {{ $spec.externalTrafficPolicy }}
{{- end }}
selector:
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
......@@ -33,6 +36,15 @@ spec:
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
# add expansion ports
{{ if $.Values.global.meshExpansion }}
{{- range $key, $val := $spec.expansionPorts }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
{{ end }}
---
{{- end }}
{{- end }}
......
proposed/istio/latest/charts/grafana/Chart.yaml
apiVersion: v1
description: A Helm chart for Kubernetes
name: grafana
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
proposed/istio/latest/charts/grafana/dashboards/galley-dashboard.json 0 → 100644
{
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "Prometheus",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__requires": [
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "5.0.4"
},
{
"type": "panel",
"id": "graph",
"name": "Graph",
"version": "5.0.0"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "5.0.0"
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": "-- Grafana --",
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": false,
"gnetId": null,
"graphTooltip": 0,
"id": null,
"links": [],
"panels": [
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 6,
"w": 8,
"x": 0,
"y": 0
},
"id": 2,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "galley_validation_cert_key_updates{job=\"galley\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Key Updates",
"refId": "A"
},
{
"expr": "galley_validation_cert_key_update_errors{job=\"galley\"}",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Key Update Errors: {{ error }}",
"refId": "B"
}
],
"thresholds": [],
"timeFrom": null,
"timeShift": null,
"title": "Validation Webhook Certificate",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
]
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 6,
"w": 8,
"x": 8,
"y": 0
},
"id": 3,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}",
"refId": "A"
},
{
"expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})",
"refId": "B"
}
],
"thresholds": [],
"timeFrom": null,
"timeShift": null,
"title": "Resource Validation",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
]
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "Prometheus",
"fill": 1,
"gridPos": {
"h": 6,
"w": 8,
"x": 16,
"y": 0
},
"id": 4,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": true,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"links": [],
"nullPointMode": "null",
"percentage": false,
"pointradius": 5,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{ status }}",
"refId": "A"
}
],
"thresholds": [],
"timeFrom": null,
"timeShift": null,
"title": "Validation HTTP Errors",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": true
}
]
}
],
"schemaVersion": 16,
"style": "dark",
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
},
"timezone": "",
"title": "Istio Galley Dashboard",
"uid": "DMXUJ6dmz",
"version": 1
}
proposed/istio/latest/charts/grafana/fix_datasources.sh 0 → 100644
#!/bin/bash
set -e
THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
UX=$(uname)
for db in ${THIS_DIR}/dashboards/*.json; do
if [[ ${UX} == "Darwin" ]]; then
sed -i '' 's/${DS_PROMETHEUS}/Prometheus/g' $db
else
sed -i 's/${DS_PROMETHEUS}/Prometheus/g' $db
fi
done
proposed/istio/latest/charts/grafana/templates/configmap-custom-resources.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-grafana-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: grafana
data:
custom-resources.yaml: |-
{{- include "grafana-default.yaml.tpl" . | indent 4}}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
proposed/istio/latest/charts/grafana/templates/configmap-dashboards.yaml 0 → 100644
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-grafana-configuration-dashboards
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: grafana
data:
{{- $files := .Files }}
{{ range $path, $bytes := .Files.Glob "dashboards/*.json" }}
{{ base $path }}: '{{ $files.Get $path }}'
{{ end }}
proposed/istio/latest/charts/grafana/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-grafana-custom-resources
name: istio-grafana
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
......@@ -10,7 +10,16 @@ metadata:
heritage: {{ .Release.Service }}
istio: grafana
data:
custom-resources.yaml: |-
{{- include "grafana-default.yaml.tpl" . | indent 4}}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
{{- if .Values.datasources }}
{{- range $key, $value := .Values.datasources }}
{{ $key }}: |
{{ toYaml $value | indent 4 }}
{{- end -}}
{{- end -}}
{{- if .Values.dashboardProviders }}
{{- range $key, $value := .Values.dashboardProviders }}
{{ $key }}: |
{{ toYaml $value | indent 4 }}
{{- end -}}
{{- end -}}
proposed/istio/latest/charts/grafana/templates/deployment.yaml
......@@ -4,7 +4,7 @@ metadata:
name: grafana
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "grafana.name" . }}
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
......@@ -18,16 +18,15 @@ spec:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
securityContext:
runAsUser: 472
fsGroup: 472
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
......@@ -74,8 +73,27 @@ spec:
volumeMounts:
- name: data
mountPath: /data/grafana
- name: dashboards-istio
mountPath: "/var/lib/grafana/dashboards/istio"
- name: config
mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
subPath: datasources.yaml
- name: config
mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml"
subPath: dashboardproviders.yaml
affinity:
{{- include "nodeaffinity" . | indent 6 }}
volumes:
- name: config
configMap:
name: istio-grafana
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: istio-grafana-pvc
{{- else }}
emptyDir: {}
{{- end }}
- name: dashboards-istio
configMap:
name: istio-grafana-configuration-dashboards
proposed/istio/latest/charts/grafana/templates/pvc.yaml 0 → 100644
{{- if .Values.persistence.enabled }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: istio-grafana-pvc
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
storageClassName: {{ .Values.persistence.storageClass }}
accessModes:
- {{ .Values.persistence.accessMode }}
resources:
requests:
storage: {{ .Values.persistence.size }}
{{- end }}
proposed/istio/latest/charts/grafana/templates/secret.yaml
......@@ -4,6 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
labels:
app: grafana
type: Opaque
......
proposed/istio/latest/charts/grafana/templates/service.yaml
......@@ -8,7 +8,7 @@ metadata:
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: {{ template "grafana.name" . }}
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
......
proposed/istio/latest/charts/grafana/values.yaml 0 → 100644
datasources:
datasources.yaml:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
orgId: 1
url: http://prometheus:9090
access: proxy
isDefault: true
jsonData:
timeInterval: 5s
editable: true
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
providers:
- name: 'istio'
orgId: 1
folder: 'istio'
type: file
disableDeletion: false
options:
path: /var/lib/grafana/dashboards/istio
proposed/istio/latest/charts/ingress/Chart.yaml
apiVersion: v1
name: ingress
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for ingress deployment
keywords:
......
proposed/istio/latest/charts/ingress/templates/service.yaml
......@@ -17,6 +17,9 @@ spec:
loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
{{- end }}
type: {{ .Values.service.type }}
{{- if .Values.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
selector:
istio: ingress
ports:
......
proposed/istio/latest/charts/kiali/Chart.yaml
apiVersion: v1
description: Kiali is an open source project for service mesh observability, refer to https://github.com/kiali/kiali for detail.
name: kiali
version: 1.0.1
appVersion: 0.6.0
version: 1.0.5
appVersion: 0.10
tillerVersion: ">=2.7.2"
proposed/istio/latest/charts/kiali/templates/clusterrole.yaml
......@@ -6,7 +6,7 @@ metadata:
app: kiali
version: master
rules:
- apiGroups: ["","apps", "autoscaling"]
- apiGroups: ["", "apps", "autoscaling", "batch"]
resources:
- configmaps
- namespaces
......@@ -17,6 +17,11 @@ rules:
- endpoints
- deployments
- horizontalpodautoscalers
- replicasets
- statefulsets
- replicationcontrollers
- jobs
- cronjobs
verbs:
- get
- list
......
proposed/istio/latest/charts/kiali/templates/configmap.yaml
......@@ -9,4 +9,8 @@ data:
config.yaml: |
server:
port: 20001
static_content_root_directory: /opt/kiali/console
external_services:
jaeger:
url: {{ .Values.dashboard.jaegerURL }}
grafana:
url: {{ .Values.dashboard.grafanaURL }}
proposed/istio/latest/charts/kiali/templates/deployment.yaml
......@@ -52,20 +52,6 @@ spec:
key: passphrase
- name: PROMETHEUS_SERVICE_URL
value: http://prometheus:9090
{{- if .Values.dashboard.grafanaURL }}
- name: GRAFANA_URL
value: {{ .Values.dashboard.grafanaURL }}
{{- end }}
- name: GRAFANA_DASHBOARD
value: istio-service-dashboard
- name: GRAFANA_VAR_SERVICE_SOURCE
value: var-service
- name: GRAFANA_VAR_SERVICE_DEST
value: var-service
{{- if .Values.dashboard.jaegerURL }}
- name: JAEGER_URL
value: {{ .Values.dashboard.jaegerURL }}
{{- end }}
volumeMounts:
- name: kiali-configuration
mountPath: "/kiali-configuration"
......
proposed/istio/latest/charts/mixer/Chart.yaml
apiVersion: v1
name: mixer
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for mixer deployment
keywords:
......
proposed/istio/latest/charts/mixer/templates/clusterrole.yaml
......@@ -18,7 +18,7 @@ rules:
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets"]
resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["replicasets"]
......
proposed/istio/latest/charts/mixer/templates/deployment.yaml
......@@ -30,6 +30,14 @@
- --configStoreURL=k8s://
- --configDefaultNamespace={{ $.Release.Namespace }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
- --numCheckCacheEntries=0
{{- if .Values.env }}
env:
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
......@@ -51,6 +59,12 @@
ports:
- containerPort: 9091
- containerPort: 15004
{{ if ne .Values.global.proxy.stats.prometheusPort 0. }}
ports:
- containerPort: {{ .Values.global.proxy.stats.prometheusPort }}
protocol: TCP
name: http-envoy-prom
{{ end }}
args:
- proxy
- --serviceCluster
......@@ -125,6 +139,13 @@
- --configStoreURL=k8s://
- --configDefaultNamespace={{ $.Release.Namespace }}
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
{{- if .Values.env }}
env:
{{- range $key, $val := .Values.env }}
- name: {{ $key }}
value: "{{ $val }}"
{{- end }}
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 10 }}
......@@ -146,6 +167,12 @@
ports:
- containerPort: 9091
- containerPort: 15004
{{ if ne .Values.global.proxy.stats.prometheusPort 0. }}
ports:
- containerPort: {{ .Values.global.proxy.stats.prometheusPort }}
protocol: TCP
name: http-envoy-prom
{{ end }}
args:
- proxy
- --serviceCluster
......
proposed/istio/latest/charts/pilot/Chart.yaml
apiVersion: v1
name: pilot
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for pilot deployment
keywords:
......
proposed/istio/latest/charts/pilot/templates/autoscale.yaml
......@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-pilot
namespace: {{ $.Release.Namespace }}
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
......
proposed/istio/latest/charts/prometheus/Chart.yaml
apiVersion: v1
description: A Helm chart for Kubernetes
name: prometheus
version: 1.0.1
version: 1.0.5
appVersion: 2.3.1
tillerVersion: ">=2.7.2"
proposed/istio/latest/charts/prometheus/templates/configmap.yaml
......@@ -29,22 +29,63 @@ data:
action: keep
regex: istio-telemetry;prometheus
- job_name: 'envoy'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
{{ if ne .Values.global.proxy.stats.prometheusPort 0. }}
# Scrape config for envoy stats
- job_name: 'envoy-stats'
metrics_path: /stats/prometheus
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- {{ .Release.Namespace }}
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
- source_labels: [__meta_kubernetes_pod_container_port_name]
action: keep
regex: istio-statsd-prom-bridge;statsd-prom
regex: '.*-envoy-prom'
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:{{ .Values.global.proxy.stats.prometheusPort }}
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
metric_relabel_configs:
# Exclude some of the envoy metrics that have massive cardinality
# This list may need to be pruned further moving forward, as informed
# by performance and scalability testing.
- source_labels: [ cluster_name ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ tcp_prefix ]
regex: '(outbound|inbound|prometheus_stats).*'
action: drop
- source_labels: [ listener_address ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_listener_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ http_conn_manager_prefix ]
regex: '(.+)'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tls.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_tcp_downstream.*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_http_(stats|admin).*'
action: drop
- source_labels: [ __name__ ]
regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*'
action: drop
{{ end}}
- job_name: 'istio-policy'
# Override the global default and scrape targets from this job every 5 seconds.
......@@ -210,19 +251,62 @@ data:
action: replace
target_label: kubernetes_name
# Example scrape config for pods
- job_name: 'kubernetes-pods'
kubernetes_sd_configs:
- role: pod
relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job.
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status]
action: drop
regex: (.+)
- source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
action: drop
regex: (true)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
- job_name: 'kubernetes-pods-istio-secure'
scheme: https
tls_config:
ca_file: /etc/istio-certs/root-cert.pem
cert_file: /etc/istio-certs/cert-chain.pem
key_file: /etc/istio-certs/key.pem
insecure_skip_verify: true # prometheus does not support secure naming.
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
# sidecar status annotation is added by sidecar injector and
# istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
- source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
action: keep
regex: (([^;]+);([^;]*))|(([^;]*);(true))
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__] # Only keep address that is host:port
action: keep # otherwise an extra target with ':443' is added for https scheme
regex: ([^:]+):(\d+)
- source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
......@@ -235,4 +319,4 @@ data:
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod_name
target_label: pod_name
\ No newline at end of file
proposed/istio/latest/charts/prometheus/templates/deployment.yaml
......@@ -53,9 +53,16 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /etc/prometheus
- mountPath: /etc/istio-certs
name: istio-certs
volumes:
- name: config-volume
configMap:
name: prometheus
- name: istio-certs
secret:
defaultMode: 420
optional: true
secretName: istio.default
affinity:
{{- include "nodeaffinity" . | indent 6 }}
proposed/istio/latest/charts/prometheus/templates/service.yaml
......@@ -32,7 +32,9 @@ spec:
type: NodePort
ports:
- port: 9090
{{- if .Values.service.nodePort.port }}
nodePort: {{ .Values.service.nodePort.port }}
{{- end }}
name: http-prometheus
selector:
app: prometheus
......
proposed/istio/latest/charts/security/Chart.yaml
apiVersion: v1
name: security
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for istio authentication
keywords:
......
proposed/istio/latest/charts/security/templates/configmap.yaml
......@@ -13,6 +13,8 @@ data:
custom-resources.yaml: |-
{{- if .Values.global.mtls.enabled }}
{{- include "security-default.yaml.tpl" . | indent 4}}
{{- else }}
{{- include "security-permissive.yaml.tpl" . | indent 4}}
{{- end }}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
proposed/istio/latest/charts/security/templates/create-custom-resources-job.yaml
{{- if .Values.global.mtls.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
......@@ -86,4 +85,3 @@ spec:
configMap:
name: istio-security-custom-resources
restartPolicy: OnFailure
{{- end }}
proposed/istio/latest/charts/security/templates/deployment.yaml
......@@ -33,7 +33,7 @@ spec:
- --grpc-port=8060
- --grpc-hostname=citadel
- --citadel-storage-namespace={{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingress.{{ .Release.Namespace }}
- --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingressgateway.{{ .Release.Namespace }}
{{- if .Values.selfSigned }}
- --self-signed-ca=true
{{- else }}
......
proposed/istio/latest/charts/security/templates/enable-mesh-permissive.yaml 0 → 100644
{{ define "security-permissive.yaml.tpl" }}
# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
name: "default"
labels:
app: istio-security
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
peers:
- mtls:
mode: PERMISSIVE
{{- end }}
proposed/istio/latest/charts/sidecarInjectorWebhook/Chart.yaml
apiVersion: v1
name: sidecarInjectorWebhook
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for sidecar injector webhook deployment
keywords:
......
proposed/istio/latest/charts/telemetry-gateway/Chart.yaml
apiVersion: v1
name: telemetry-gateway
version: 1.0.1
appVersion: 1.0.1
version: 1.0.5
appVersion: 1.0.5
tillerVersion: ">=2.7.2"
description: Helm chart for configuring a gateway for Istio telemetry addons
icon: https://istio.io/favicons/android-192x192.png
proposed/istio/latest/charts/telemetry-gateway/templates/gateway.yaml
{{- if (.Values.prometheusEnabled) or (.Values.grafanaEnabled) }}
{{- if or (.Values.prometheusEnabled) (.Values.grafanaEnabled) }}
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
......
proposed/istio/latest/charts/tracing/Chart.yaml
apiVersion: v1
description: A Helm chart for Kubernetes
name: tracing
version: 1.0.1
version: 1.0.5
appVersion: 1.5.1
tillerVersion: ">=2.7.2"
proposed/istio/latest/requirements.yaml
dependencies:
- name: sidecarInjectorWebhook
version: 1.0.1
version: 1.0.5
condition: sidecarInjectorWebhook.enabled
repository: "file://../charts/sidecarInjectorWebhook"
- name: security
version: 1.0.1
version: 1.0.5
condition: security.enabled
repository: "file://../charts/security"
- name: ingress
version: 1.0.1
version: 1.0.5
condition: ingress.enabled
repository: "file://../charts/ingress"
- name: gateways
version: 1.0.1
version: 1.0.5
condition: gateways.enabled
repository: "file://../charts/gateways"
- name: mixer
version: 1.0.1
version: 1.0.5
condition: mixer.enabled
repository: "file://../charts/mixer"
- name: pilot
version: 1.0.1
version: 1.0.5
condition: pilot.enabled
repository: "file://../charts/pilot"
- name: grafana
version: 1.0.1
version: 1.0.5
condition: grafana.enabled
repository: "file://../charts/grafana"
- name: prometheus
version: 1.0.1
version: 1.0.5
condition: prometheus.enabled
repository: "file://../charts/prometheus"
- name: servicegraph
version: 1.0.1
condition: servicegraph.enabled
repository: "file://../charts/servicegraph"
- name: tracing
version: 1.0.1
version: 1.0.5
condition: tracing.enabled
repository: "file://../charts/tracing"
- name: galley
version: 1.0.1
version: 1.0.5
condition: galley.enabled
repository: "file://../charts/galley"
- name: kiali
version: 1.0.1
version: 1.0.5
condition: kiali.enabled
repository: "file://../charts/kiali"
- name: certmanager
version: 1.0.1
version: 1.0.5
condition: certmanager.enabled
repository: "file://../charts/certmanager"
proposed/istio/latest/templates/configmap.yaml
......@@ -30,6 +30,10 @@ data:
mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
{{- end }}
# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
{{- end }}
{{- if .Values.ingress.enabled }}
......@@ -82,6 +86,10 @@ data:
# for more details
proxyAdminPort: 15000
#
# Set concurrency to a specific number to control the number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core.
concurrency: {{ .Values.global.proxy.concurrency }}
#
# Zipkin trace collector
zipkinAddress: zipkin.{{ .Release.Namespace }}:9411
......
proposed/istio/latest/templates/sidecar-injector-configmap.yaml
......@@ -27,59 +27,48 @@ data:
- "-u"
- 1337
- "-m"
- {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }}
- "-i"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.includeIPRanges }}"
{{ "[[ end -]]" }}
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }}
- "-x"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.excludeIPRanges }}"
{{ "[[ end -]]" }}
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }}
- "-b"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }}
{{ "[[ else -]]" }}
- {{ "[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]" }}
- {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }}
- "-d"
{{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]" }}
{{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"" }}
{{ "[[ else -]]" }}
- "{{ .Values.global.proxy.excludeInboundPorts }}"
{{ "[[ end -]]" }}
- {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
securityContext:
capabilities:
add:
- NET_ADMIN
{{ if .Values.global.proxy.privileged }}
privileged: true
{{ end -}}
restartPolicy: Always
{{ if eq .Values.global.proxy.enableCoreDump true }}
- name: enable-core-dump
args:
{{- if .Values.global.proxy.enableCoreDump }}
- args:
- -c
- sysctl -w kernel.core_pattern=/etc/istio/proxy/core.%e.%p.%t && ulimit -c unlimited
- sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
command:
- /bin/sh
image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }}
imagePullPolicy: IfNotPresent
name: enable-core-dump
resources: {}
securityContext:
privileged: true
{{ end }}
containers:
- name: istio-proxy
image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }}
{{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"" }}
{{ "[[ else -]]" }}
{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}
{{ "[[ end -]]" }}
{{- if contains "/" .Values.global.proxy.image }}
image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }}
{{- else }}
image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }}
{{- end }}
{{ if ne .Values.global.proxy.stats.prometheusPort 0. }}
ports:
- containerPort: {{ .Values.global.proxy.stats.prometheusPort }}
protocol: TCP
name: http-envoy-prom
{{ end }}
args:
- proxy
- sidecar
......@@ -98,7 +87,7 @@ data:
- --parentShutdownDuration
- {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }}
- --discoveryAddress
- {{ "[[ .ProxyConfig.DiscoveryAddress ]]" }}
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }}
- --discoveryRefreshDelay
- {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }}
- --zipkinAddress
......@@ -111,8 +100,18 @@ data:
{{- end }}
- --proxyAdminPort
- {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }}
{{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }}
- --concurrency
- {{ "[[ .ProxyConfig.Concurrency ]]" }}
{{ "[[ end -]]" }}
- --controlPlaneAuthPolicy
- {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
- {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }}
{{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
- --statusPort
- {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
- --applicationPorts
- {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }}
{{ "[[- end ]]" }}
env:
- name: POD_NAME
valueFrom:
......@@ -132,13 +131,34 @@ data:
fieldPath: metadata.name
- name: ISTIO_META_INTERCEPTION_MODE
value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }}
{{ "[[ if .ObjectMeta.Annotations ]]" }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ "[[ toJson .ObjectMeta.Annotations ]]" }}
{{ "[[ end ]]" }}
{{ "[[ if .ObjectMeta.Labels ]]" }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ "[[ toJson .ObjectMeta.Labels ]]" }}
{{ "[[ end ]]" }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
{{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }}
initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }}
periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }}
failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }}
{{ "[[ end -]]" -}}
securityContext:
{{ if .Values.global.proxy.privileged }}
privileged: true
{{ end -}}
{{- if ne .Values.global.proxy.enableCoreDump true }}
readOnlyRootFilesystem: true
{{ "[[ if eq (or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\" -]]" }}
{{- end }}
{{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }}
capabilities:
add:
- NET_ADMIN
......@@ -148,10 +168,10 @@ data:
{{ "[[ end -]]" }}
restartPolicy: Always
resources:
{{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\") -]]" }}
{{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }}
requests:
cpu: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\" ]]\"" }}
memory: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\" ]]\"" }}
cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }}
memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }}
{{ "[[ else -]]" }}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 10 }}
......
proposed/istio/latest/values.yaml
......@@ -3,10 +3,12 @@ global:
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
hub: gcr.io/istio-release
# hub: gcr.io/istio-release
hub: docker.io/istio
# Default tag for Istio images.
tag: release-1.0-latest-daily
# tag: release-1.0-latest-daily
tag: 1.0.5
# Gateway used for legacy k8s Ingress resources. By default it is
# using 'istio:ingress', to match 0.8 config. It requires that
......@@ -33,16 +35,35 @@ global:
# cpu: 100m
# memory: 128Mi
# Controls number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core.
concurrency: 0
# Configures the access log for each sidecar. Setting it to an empty string will
# disable access log for sidecar.
accessLogFile: "/dev/stdout"
# If set to true, istio-proxy container will have privileged securityContext
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# If set, newly injected sidecars will have core dumps enabled.
# If set, newly injected sidecars will have core dumps enabled. Core dumps will always be written to the same
# file to prevent storage filling up indefinitely. Add a timestamp option to core_pattern to keep all cores:
# e.g. sysctl -w kernel.core_pattern=/var/lib/istio/core.%e.%p.%t
enableCoreDump: false
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
# statusPort: 15020
statusPort: 0
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 1
# The period between readiness probes.
readinessPeriodSeconds: 2
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 30
# istio egress capture whitelist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
......@@ -64,11 +85,18 @@ global:
# Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
# would be <host>:<port>).
# Can also be disabled (e.g. when Mixer is not installed).
# Disabled by default.
# The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
envoyStatsd:
enabled: true
host: istio-statsd-prom-bridge
port: 9125
# If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
enabled: false
host: # example: statsd-svc
port: # example: 9125
# This controls the stats collection for proxies. To disable stats
# collection, set the prometheusPort to 0.
stats:
prometheusPort: 15090
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
......@@ -87,6 +115,10 @@ global:
# Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
disablePolicyChecks: false
# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
policyCheckFailOpen: false
# EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
enableTracing: true
......@@ -170,6 +202,8 @@ ingress:
annotations: {}
loadBalancerIP: ""
type: NodePort # change to NodePort, ClusterIP or LoadBalancer if need be
# Uncomment the following line to preserve client source ip.
# externalTrafficPolicy: Local
ports:
- port: 80
name: http
......@@ -209,6 +243,8 @@ gateways:
loadBalancerIP: ""
serviceAnnotations: {}
type: NodePort # change to NodePort, ClusterIP or LoadBalancer if need be
# Uncomment the following line to preserve client source ip.
# externalTrafficPolicy: Local
ports:
## You can add custom gateway ports
......@@ -224,6 +260,7 @@ gateways:
nodePort: 31400
# Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
# to pilot/citadel if global.meshExpansion settings are enabled.
expansionPorts:
- port: 15011
targetPort: 15011
name: tcp-pilot-grpc-tls
......@@ -344,6 +381,9 @@ mixer:
autoscaleMax: 5
image: mixer
env:
GODEBUG: gctrace=2
istio-policy:
autoscaleEnabled: true
autoscaleMin: 1
......@@ -372,7 +412,7 @@ pilot:
autoscaleMax: 5
image: pilot
sidecar: true
traceSampling: 100.0
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
......@@ -390,7 +430,7 @@ pilot:
security:
replicaCount: 1
image: citadel
selfSigned: true # indicate if self-signed CA is used.
selfSigned: true # indicate if self-signed CA is used.
#
# addons configuration
......@@ -403,11 +443,18 @@ telemetry-gateway:
grafana:
enabled: false
replicaCount: 1
image: grafana
security:
image:
repository: grafana/grafana
tag: 5.2.3
persistence:
enabled: false
storageClass: ""
accessMode: ReadWriteMany
size: 5Gi
security:
enabled: true
adminUser: admin
adminPassword: admin
adminPassword: changeme
service:
annotations: {}
name: http
......@@ -425,33 +472,7 @@ prometheus:
annotations: {}
nodePort:
enabled: false
port: 32090
servicegraph:
enabled: false
replicaCount: 1
image: servicegraph
service:
annotations: {}
name: http
type: ClusterIP
externalPort: 8088
internalPort: 8088
ingress:
enabled: false
# Used to create an Ingress record.
hosts:
- servicegraph.local
annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
tls:
# Secrets must be manually created in the namespace.
# - secretName: servicegraph-tls
# hosts:
# - servicegraph.local
# prometheus addres
prometheusAddr: http://prometheus:9090
# port: 32090
tracing:
enabled: false
......@@ -501,7 +522,7 @@ kiali:
enabled: false
replicaCount: 1
hub: docker.io/kiali
tag: istio-release-1.0
tag: v0.10
service:
type: NodePort
ingress:
......
proposed/istio/v1.0.1/Chart.yaml 0 → 100644
apiVersion: v1
name: istio
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2-0"
description: Helm chart for all istio components
home: https://istio.io/
keywords:
- istio
- security
- sidecarInjectorWebhook
- mixer
- pilot
- galley
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
maintainers:
- name: istio
proposed/istio/v1.0.1/README.md 0 → 100644
## Prerequisites
- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required
- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required
- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.
## Resources Required
The chart deploys pods that consume minimum resources as specified in the resources configuration parameter.
## Configuration
The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.
Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |
## Custom Installation
1. If a service account has not already been installed for Tiller, install one:
```
$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
```
2. Install Tiller on your cluster with the service account:
```
$ helm init --service-account tiller
```
3. Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
```
$ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
```
**Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver:
```
$ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
```
4. To install the chart with the release name `istio` in namespace `istio-system`:
- With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
```
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
```
- Without the sidecar injection webhook:
```
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false
```
## Uninstalling the Chart
To uninstall/delete the `istio` release:
```
$ helm delete istio
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
To uninstall/delete the `istio` release completely and make its name free for later use:
```
$ helm delete istio --purge
```
proposed/istio/v1.0.1/app-readme.md 0 → 100644
# Istio
[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
## Introduction
This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Chart Details
This chart can install multiple istio components as subcharts:
- ingress
- ingressgateway
- egressgateway
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali
To enable or disable each component, change the corresponding `enabled` flag.
proposed/istio/v1.0.1/charts/certmanager/Chart.yaml 0 → 100644
apiVersion: v1
description: A Helm chart for Kubernetes
name: certmanager
version: 1.0.1
appVersion: 0.3.1
tillerVersion: ">=2.7.2"
proposed/istio/v1.0.1/charts/certmanager/templates/NOTES.txt 0 → 100644
certmanager has been deployed successfully!
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
\ No newline at end of file
proposed/istio/v1.0.1/charts/certmanager/templates/_helpers.tpl 0 → 100644
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "certmanager.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "certmanager.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- $fullname := printf "%s-%s" $name .Release.Name -}}
{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "certmanager.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
proposed/istio/v1.0.1/charts/certmanager/templates/crds.yaml 0 → 100644
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Issuer
plural: issuers
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
annotations:
"helm.sh/hook": crd-install
labels:
app: certmanager
spec:
group: certmanager.k8s.io
version: v1alpha1
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs
proposed/istio/v1.0.1/charts/certmanager/templates/deployment.yaml 0 → 100644
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: certmanager
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "certmanager.name" . }}
spec:
replicas: 1
selector:
matchLabels:
app: certmanager
template:
metadata:
labels:
app: certmanager
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: certmanager
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: certmanager
image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
args:
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=$(POD_NAMESPACE)
{{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 10 }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
{{- if .Values.podDnsPolicy }}
dnsPolicy: {{ .Values.podDnsPolicy }}
{{- end }}
{{- if .Values.podDnsConfig }}
dnsConfig:
{{ toYaml .Values.podDnsConfig | indent 8 }}
{{- end }}
proposed/istio/v1.0.1/charts/certmanager/templates/issuer.yaml 0 → 100644
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: {{ .Release.Namespace }}
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: {{ .Values.email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
http01: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: letsencrypt
namespace: {{ .Release.Namespace }}
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: {{ .Values.email }}
privateKeySecretRef:
name: letsencrypt
http01: {}
proposed/istio/v1.0.1/charts/certmanager/templates/rbac.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: certmanager
labels:
app: certmanager
rules:
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates", "issuers", "clusterissuers"]
verbs: ["*"]
- apiGroups: [""]
# TODO: remove endpoints once 0.4 is released. We include it here in case
# users use the 'master' version of the Helm chart with a 0.2.x release of
# certManager that still performs leader election with Endpoint resources.
# We advise users don't do this, but some will anyway and this will reduce
# friction.
resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: certmanager
labels:
app: certmanager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: certmanager
subjects:
- name: certmanager
namespace: {{ .Release.Namespace }}
kind: ServiceAccount
proposed/istio/v1.0.1/charts/certmanager/templates/serviceaccount.yaml 0 → 100644
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: certmanager
namespace: {{ .Release.Namespace }}
labels:
app: certmanager
proposed/istio/v1.0.1/charts/galley/Chart.yaml 0 → 100644
apiVersion: v1
name: galley
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for galley deployment
keywords:
- istio
- galley
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
proposed/istio/v1.0.1/charts/galley/OWNERS 0 → 100644
approvers:
- cmluciano
- geeknoid
- ozevren
- ayj
proposed/istio/v1.0.1/charts/galley/templates/_helpers.tpl 0 → 100644
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "galley.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "galley.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
proposed/istio/v1.0.1/charts/galley/templates/clusterrole.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-galley-{{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["*"]
- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["deployments"]
resourceNames: ["istio-galley"]
verbs: ["get"]
- apiGroups: ["*"]
resources: ["endpoints"]
resourceNames: ["istio-galley"]
verbs: ["get"]
proposed/istio/v1.0.1/charts/galley/templates/clusterrolebinding.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-galley-admin-role-binding-{{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-galley-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-galley-service-account
namespace: {{ .Release.Namespace }}
proposed/istio/v1.0.1/charts/galley/templates/configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-galley-configuration
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: mixer
data:
validatingwebhookconfiguration.yaml: |-
{{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}}
proposed/istio/v1.0.1/charts/galley/templates/deployment.yaml 0 → 100644
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "galley.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: galley
spec:
replicas: {{ .Values.replicaCount }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
istio: galley
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-galley-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: validator
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 443
- containerPort: 9093
command:
- /usr/local/bin/galley
- validator
- --deployment-namespace={{ .Release.Namespace }}
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --healthCheckInterval=1s
- --healthCheckFile=/health
- --webhook-config-file
- /etc/istio/config/validatingwebhookconfiguration.yaml
volumeMounts:
- name: certs
mountPath: /etc/istio/certs
readOnly: true
- name: config
mountPath: /etc/istio/config
readOnly: true
livenessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/health
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/health
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumes:
- name: certs
secret:
secretName: istio.istio-galley-service-account
- name: config
configMap:
name: istio-galley-configuration
affinity:
{{- include "nodeaffinity" . | indent 6 }}
proposed/istio/v1.0.1/charts/galley/templates/service.yaml 0 → 100644
apiVersion: v1
kind: Service
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
istio: galley
spec:
ports:
- port: 443
name: https-validation
- port: 9093
name: http-monitoring
selector:
istio: galley
proposed/istio/v1.0.1/charts/galley/templates/serviceaccount.yaml 0 → 100644
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-galley-service-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
proposed/istio/v1.0.1/charts/galley/templates/validatingwehookconfiguration.yaml.tpl 0 → 100644
{{ define "validatingwebhookconfiguration.yaml.tpl" }}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-galley
namespace: {{ .Release.Namespace }}
labels:
app: istio-galley
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
webhooks:
{{- if .Values.global.configValidation }}
- name: pilot.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: {{ .Release.Namespace }}
path: "/admitpilot"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- httpapispecs
- httpapispecbindings
- quotaspecs
- quotaspecbindings
- operations:
- CREATE
- UPDATE
apiGroups:
- rbac.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- authentication.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- networking.istio.io
apiVersions:
- "*"
resources:
- destinationrules
- envoyfilters
- gateways
# disabled per @costinm's request
# - serviceentries
- virtualservices
failurePolicy: Fail
- name: mixer.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: {{ .Release.Namespace }}
path: "/admitmixer"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- rules
- attributemanifests
- circonuses
- deniers
- fluentds
- kubernetesenvs
- listcheckers
- memquotas
- noops
- opas
- prometheuses
- rbacs
- servicecontrols
- solarwindses
- stackdrivers
- statsds
- stdios
- apikeys
- authorizations
- checknothings
# - kuberneteses
- listentries
- logentries
- metrics
- quotas
- reportnothings
- servicecontrolreports
- tracespans
failurePolicy: Fail
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/Chart.yaml 0 → 100644
apiVersion: v1
name: gateways
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways
keywords:
- istio
- ingressgateway
- egressgateway
- gateways
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
proposed/istio/v1.0.1/charts/gateways/templates/autoscale.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if and $spec.enabled $spec.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
spec:
maxReplicas: {{ $spec.autoscaleMax }}
minReplicas: {{ $spec.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: {{ $key }}
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/templates/clusterrole.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "istio.name" $ }}
chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
name: {{ $key }}-{{ $.Release.Namespace }}
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
verbs: ["get", "watch", "list", "update"]
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/templates/clusterrolebindings.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $key }}-{{ $.Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $key }}-{{ $.Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{ $key }}-service-account
namespace: {{ $.Release.Namespace }}
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/templates/deployment.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels:
chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
release: {{ $.Release.Name }}
heritage: {{ $.Release.Service }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
replicas: {{ $spec.replicaCount }}
template:
metadata:
labels:
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: {{ $key }}-service-account
{{- if $.Values.global.priorityClassName }}
priorityClassName: "{{ $.Values.global.priorityClassName }}"
{{- end }}
containers:
- name: istio-proxy
image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}"
imagePullPolicy: {{ $.Values.global.imagePullPolicy }}
ports:
{{- range $key, $val := $spec.ports }}
- containerPort: {{ $val.port }}
{{- end }}
args:
- proxy
- router
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- {{ $key }}
- --zipkinAddress
{{- if $.Values.global.istioNamespace }}
- zipkin.{{ $.Values.global.istioNamespace }}:9411
{{- else }}
- zipkin:9411
{{- end }}
{{- if $.Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }}
{{- end }}
- --proxyAdminPort
- "15000"
{{- if $.Values.global.controlPlaneSecurityEnabled }}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --discoveryAddress
{{- if $.Values.global.istioNamespace }}
- istio-pilot.{{ $.Values.global.istioNamespace }}:15005
{{- else }}
- istio-pilot:15005
{{- end }}
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
{{- if $.Values.global.istioNamespace }}
- istio-pilot.{{ $.Values.global.istioNamespace }}:8080
{{- else }}
- istio-pilot:8080
{{- end }}
{{- end }}
resources:
{{- if $spec.resources }}
{{ toYaml $spec.resources | indent 12 }}
{{- else }}
{{ toYaml $.Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
{{- range $spec.secretVolumes }}
- name: {{ .name }}
mountPath: {{ .mountPath | quote }}
readOnly: true
{{- end }}
{{- if $spec.additionalContainers }}
{{ toYaml $spec.additionalContainers | indent 8 }}
{{- end }}
volumes:
- name: istio-certs
secret:
secretName: istio.{{ $key }}-service-account
optional: true
{{- range $spec.secretVolumes }}
- name: {{ .name }}
secret:
secretName: {{ .secretName | quote }}
optional: true
{{- end }}
{{- range $spec.configVolumes }}
- name: {{ .name }}
configMap:
name: {{ .configMapName | quote }}
optional: true
{{- end }}
affinity:
{{- include "nodeaffinity" $ | indent 6 }}
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/templates/service.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ $key }}
namespace: {{ $spec.namespace | default $.Release.Namespace }}
annotations:
{{- range $key, $val := $spec.serviceAnnotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
release: {{ $.Release.Name }}
heritage: {{ $.Release.Service }}
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
{{- if $spec.loadBalancerIP }}
loadBalancerIP: "{{ $spec.loadBalancerIP }}"
{{- end }}
type: {{ .type }}
selector:
{{- range $key, $val := $spec.labels }}
{{ $key }}: {{ $val }}
{{- end }}
ports:
{{- range $key, $val := $spec.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/gateways/templates/serviceaccount.yaml 0 → 100644
{{- range $key, $spec := .Values }}
{{- if and (ne $key "global") (ne $key "enabled") }}
{{- if $spec.enabled }}
apiVersion: v1
kind: ServiceAccount
{{- if $.Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range $.Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: {{ $key }}-service-account
namespace: {{ $spec.namespace | default $.Release.Namespace }}
labels:
app: {{ $spec.labels.istio }}
chart: {{ $.Chart.Name }}-{{ $.Chart.Version }}
heritage: {{ $.Release.Service }}
release: {{ $.Release.Name }}
---
{{- end }}
{{- end }}
{{- end }}
proposed/istio/v1.0.1/charts/grafana/Chart.yaml 0 → 100644
apiVersion: v1
description: A Helm chart for Kubernetes
name: grafana
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
proposed/istio/v1.0.1/charts/grafana/templates/_helpers.tpl 0 → 100644
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "grafana.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "grafana.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
proposed/istio/v1.0.1/charts/grafana/templates/configmap.yaml 0 → 100644
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-grafana-custom-resources
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: grafana
data:
custom-resources.yaml: |-
{{- include "grafana-default.yaml.tpl" . | indent 4}}
run.sh: |-
{{- include "install-custom-resources.sh.tpl" . | indent 4}}
proposed/istio/v1.0.1/charts/grafana/templates/create-custom-resources-job.yaml 0 → 100644
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-grafana-post-install-account
namespace: {{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: istio-grafana-post-install-{{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }}
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-grafana-post-install-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-grafana-post-install-account
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: istio-grafana-post-install
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: istio-grafana
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
template:
metadata:
name: istio-grafana-post-install
labels:
app: istio-grafana
release: {{ .Release.Name }}
spec:
serviceAccountName: istio-grafana-post-install-account
containers:
- name: hyperkube
image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
volumeMounts:
- mountPath: "/tmp/grafana"
name: tmp-configmap-grafana
volumes:
- name: tmp-configmap-grafana
configMap:
name: istio-grafana-custom-resources
restartPolicy: OnFailure
proposed/istio/v1.0.1/charts/grafana/templates/deployment.yaml 0 → 100644
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
app: grafana
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- if contains "/" .Values.image }}
image: "{{ .Values.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: {{ .Values.service.internalPort }}
readinessProbe:
httpGet:
path: /login
port: {{ .Values.service.internalPort }}
env:
- name: GRAFANA_PORT
value: {{ .Values.service.internalPort | quote }}
{{- if .Values.security.enabled }}
- name: GF_SECURITY_ADMIN_USER
valueFrom:
secretKeyRef:
name: grafana
key: username
- name: GF_SECURITY_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: grafana
key: password
- name: GF_AUTH_BASIC_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "false"
- name: GF_AUTH_DISABLE_LOGIN_FORM
value: "false"
{{- else }}
- name: GF_AUTH_BASIC_ENABLED
value: "false"
- name: GF_AUTH_ANONYMOUS_ENABLED
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Admin
{{- end }}
- name: GF_PATHS_DATA
value: /data/grafana
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /data/grafana
affinity:
{{- include "nodeaffinity" . | indent 6 }}
volumes:
- name: data
emptyDir: {}
proposed/istio/v1.0.1/charts/grafana/templates/grafana-ports-mtls.yaml 0 → 100644
{{ define "grafana-default.yaml.tpl" }}
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: grafana-ports-mtls-disabled
namespace: {{ .Release.Namespace }}
spec:
targets:
- name: grafana
ports:
- number: {{ .Values.service.externalPort }}
{{- end }}
proposed/istio/v1.0.1/charts/grafana/templates/secret.yaml 0 → 100644
{{- if .Values.security.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: grafana
labels:
app: grafana
type: Opaque
data:
username: {{ .Values.security.adminUser | b64enc | quote }}
password: {{ .Values.security.adminPassword | b64enc | quote }}
{{- end -}}
proposed/istio/v1.0.1/charts/grafana/templates/service.yaml 0 → 100644
apiVersion: v1
kind: Service
metadata:
name: grafana
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
labels:
app: {{ template "grafana.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: {{ .Values.service.internalPort }}
protocol: TCP
name: {{ .Values.service.name }}
selector:
app: grafana
proposed/istio/v1.0.1/charts/ingress/Chart.yaml 0 → 100644
apiVersion: v1
name: ingress
version: 1.0.1
appVersion: 1.0.1
tillerVersion: ">=2.7.2"
description: Helm chart for ingress deployment
keywords:
- istio
- ingress
sources:
- http://github.com/istio/istio
engine: gotpl
icon: https://istio.io/favicons/android-192x192.png
proposed/istio/v1.0.1/charts/ingress/templates/autoscale.yaml 0 → 100644
{{- if .Values.autoscaleMin }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
spec:
maxReplicas: {{ .Values.autoscaleMax }}
minReplicas: {{ .Values.autoscaleMin }}
scaleTargetRef:
apiVersion: apps/v1beta1
kind: Deployment
name: istio-ingress
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
{{ end }}
proposed/istio/v1.0.1/charts/ingress/templates/clusterrole.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: istio-ingress-{{ .Release.Namespace }}
rules:
- apiGroups: ["extensions"]
resources: ["thirdpartyresources", "ingresses"]
verbs: ["get", "watch", "list", "update"]
- apiGroups: [""]
resources: ["configmaps", "pods", "endpoints", "services"]
verbs: ["get", "watch", "list"]
proposed/istio/v1.0.1/charts/ingress/templates/clusterrolebinding.yaml 0 → 100644
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: istio-ingress-{{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-pilot-{{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: istio-ingress-service-account
namespace: {{ .Release.Namespace }}
proposed/istio/v1.0.1/charts/ingress/templates/deployment.yaml 0 → 100644
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
spec:
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels:
istio: ingress
annotations:
sidecar.istio.io/inject: "false"
scheduler.alpha.kubernetes.io/critical-pod: ""
spec:
serviceAccountName: istio-ingress-service-account
{{- if .Values.global.priorityClassName }}
priorityClassName: "{{ .Values.global.priorityClassName }}"
{{- end }}
containers:
- name: {{ template "istio.name" . }}
image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
ports:
- containerPort: 80
- containerPort: 443
args:
- proxy
- ingress
- -v
- "2"
- --discoveryRefreshDelay
- '1s' #discoveryRefreshDelay
- --drainDuration
- '45s' #drainDuration
- --parentShutdownDuration
- '1m0s' #parentShutdownDuration
- --connectTimeout
- '10s' #connectTimeout
- --serviceCluster
- istio-ingress
- --zipkinAddress
- zipkin:9411
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
{{- end }}
- --proxyAdminPort
- "15000"
{{- if .Values.global.controlPlaneSecurityEnabled }}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --discoveryAddress
- istio-pilot:15005
{{- else }}
- --controlPlaneAuthPolicy
- NONE
- --discoveryAddress
- istio-pilot:8080
{{- end }}
resources:
{{- if .Values.resources }}
{{ toYaml .Values.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.global.defaultResources | indent 12 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
volumeMounts:
- name: istio-certs
mountPath: /etc/certs
readOnly: true
- name: ingress-certs
mountPath: /etc/istio/ingress-certs
readOnly: true
volumes:
- name: istio-certs
secret:
secretName: istio.istio-ingress-service-account
optional: true
- name: ingress-certs
secret:
secretName: istio-ingress-certs
optional: true
affinity:
{{- include "nodeaffinity" . | indent 6 }}
proposed/istio/v1.0.1/charts/ingress/templates/service.yaml 0 → 100644
apiVersion: v1
kind: Service
metadata:
name: istio-ingress
namespace: {{ .Release.Namespace }}
labels:
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
istio: ingress
annotations:
{{- range $key, $val := .Values.service.annotations }}
{{ $key }}: {{ $val }}
{{- end }}
spec:
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
{{- end }}
type: {{ .Values.service.type }}
selector:
istio: ingress
ports:
{{- range $key, $val := .Values.service.ports }}
-
{{- range $pkey, $pval := $val }}
{{ $pkey}}: {{ $pval }}
{{- end }}
{{- end }}
---
proposed/istio/v1.0.1/charts/ingress/templates/serviceaccount.yaml 0 → 100644
apiVersion: v1
kind: ServiceAccount
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
metadata:
name: istio-ingress-service-account
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "istio.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment